Multiple incidents of leaked WhatsApp messages making it to prime-time news in recent months have triggered concerns about the security of the messaging application.
WhatsApp, the Facebook-owned platform, has end-to-end encryption. That means messages shared between the sender and the recipient can’t be read by anyone else. Not even WhatsApp.
Neither can law enforcement agencies get those messages. Even if a court orders WhatsApp to provide your chats, it won’t be able to, because the messages are protected and WhatsApp itself has no way to access them.
So how come the chats were leaked?
The other way is through chat backups. WhatsApp has a feature of backing up messages and media periodically. This is optional and can be turned off from the settings.
The messages are backed up locally on your device and on cloud services—Google Drive or iCloud—based on the phone used. This backup file can’t be opened outside the WhatsApp app. Whenever a user installs WhatsApp on a new phone, there’s an option to import the backup on the new device.
The problem is that messages stored on the cloud are not encrypted, which, in theory, means this backup file can be accessed. Several legitimate software tools are available online to read such backup files. And without encryption, the backed-up messages are vulnerable to hacking and data breaches.
Law enforcement agencies can, through court orders, gain access to the messages backed up on Google or iCloud. That happened in the case of U.S. President Donald Trump’s former campaign chief Paul Manafort. He was convicted based on incriminating WhatsApp messages that investigators acquired from his iCloud account.
There is also no way to edit the backups. Neither can you selectively delete messages from there. That wouldn’t have worked anyway since messages can also be accessed from the recipient’s phone. And WhatsApp’s “delete for everyone” feature works for the first hour after a message is sent.
BloombergQuint awaits a response to queries emailed to WhatsApp about further clarity on the backup feature.
There are limited options to protect chat backups from leaking. And even those aren’t foolproof.
The nuclear option is to disable chat backups completely. That means your chat is stored only on the devices of the sender and the recipient. But that also means if a user changes the phone or deletes WhatsApp and then reinstalls it, all messages will be lost except for the media saved in the gallery.
[Image: The delete and turn off backup option on Google Drive.]
Users can also manually select when the chats are backed up, then copy the backup file onto a secure physical storage device and delete the backup file from the phone.
But neither of these methods guarantees that the chat backups are never leaked. That’s because if the recipients are not as privacy-savvy as the senders, then the deleted chats can be accessed from their WhatsApp backups.
Using disappearing messages is another way. The feature, which automatically deletes chats within seven days, will however have to be activated for each contact. Moreover, chats can be backed up within those seven days.
Telegram and Signal also offer the chat backup feature. All chats on Telegram, except for a “secret chat” option, are stored on Telegram’s own native cloud. Signal allows you to store backups on the phone, secured by a password.
Telegram and Signal also encrypt chat backups, making them inaccessible through ordinary means.