
WhatsApp

  • Writer: Rupert Wilkey
  • 7 days ago

Popular but not Private



With over 3 billion active users worldwide, WhatsApp is the most popular messaging application.


However, a closer examination of WhatsApp reveals that end-to-end encryption does not guarantee complete privacy, nor does it provide absolute protection.


What’s Encrypted on WhatsApp Using E2EE?


Text Messages - Voice Messages - Photos and Videos - Calls - Status Updates - Location Sharing - Documents

These contents are encrypted using the Signal Protocol, and according to Meta, can only be decrypted by the sender and recipient.


Most users assume “end-to-end encrypted” means all activity on the app is secure.

But that’s far from the case.


But Here’s What’s Not Encrypted


1. Metadata

Metadata can create an extremely detailed picture of your behaviour, contacts, and habits, without ever needing to read the actual message content. 

This metadata can be logged and stored on servers, and often is. While WhatsApp says it “limits” this data, it is still collected and it is not protected by E2EE. It includes:

Who you messaged.

When the message was sent.

How frequently you communicate.

Device information and IP address.

Your phone number.

The recipient's phone number.


2. Backups

If you back up your WhatsApp messages to Google Drive or iCloud, those backups are not protected by WhatsApp’s end-to-end encryption unless you explicitly enable encrypted backups, which is off by default.

You must manually enable encrypted backups and choose a password or 64-digit key. Even then, this feature is only as secure as the cloud platform’s own protections, and users often don’t realise they’re using default, unencrypted backups.


3. Payments and Transactions

WhatsApp Payments, available in certain regions (currently India, Brazil and Singapore, but other countries are due to be added through Meta Pay), allow users to send and receive money. Keep in mind that even in a private chat, your financial activity could be visible to external services and potentially vulnerable to compromise.

However, and here’s the really bad news:

Transaction details (sender, recipient, amount, timestamps) are not end-to-end encrypted.

WhatsApp may share data with third-party financial institutions.

All payment activity is subject to the platform’s data sharing policies with Meta.


4. Business Messaging

End-to-end encryption no longer applies once your data enters external systems or business tools. This surprises many business users.

When you message a business on WhatsApp:

Messages may be stored outside WhatsApp’s servers.

Businesses can use third-party vendors to manage and respond to messages.

These messages might be stored unencrypted by the business or vendor.


5. Group Information and Profile Data

The following information may shock many users.

Group membership (who’s in the group) is not encrypted.

Profile photo, about info, and online status are public by default.

WhatsApp groups are discoverable if added via invite links, sometimes even indexed by search engines if mishandled.


WhatsApp is Not Safe for Work

This is a critical warning!

WhatsApp (and many other messaging apps) are not built for business purposes, but rather for consumer use. 

They lack capabilities that are essential to keep corporate and government data private, protected, and compliant.

Even messaging apps that describe themselves as fit for enterprise and government may have significant deficiencies. Some even leave end-to-end encryption off by default in certain group settings, which means that it’s easy to forget to turn it on, leaving communications unprotected. 

The lesson is that if you’re looking for secure communications that will keep your organisation’s sensitive data well-protected, you need a solution that is built from the ground up to directly address that goal. 

Many businesses and even banks (especially in South Africa) use WhatsApp to communicate with customers.

The question is, how is a customer's personal bank information at risk when banks use WhatsApp to communicate?

What is the Solution?

If you’re looking for secure communications that will keep your organisation’s sensitive data well-protected, you need a solution that is Privacy-built from the ground up to directly address that goal. 
