EFF: 4 big security concerns for WhatsApp

whatsapp icon

The Electronic Frontier Foundation (EFF) has been on WhatsApp‘s case this year, taking the platform to task over its new data-sharing policy with Facebook.

Now, the US watchdog has hit out at WhatsApp, listing four major security concerns it should tackle.

Unencrypted backups

The first issue raised by the EFF was the way WhatsApp handles backups to the cloud.

“In order to back messages up in a way that makes them restorable without a passphrase in the future, these backups need to be stored unencrypted at rest,” the watchdog noted.

The watchdog says users should never back up their WhatsApp data to the cloud “since that would deliver unencrypted copies of your message log to the cloud provider”.

Key change notifications

“If the encryption key of a contact changes, a secure messaging app should notify you and prompt you to accept the change,” the EFF explains.

However, WhatsApp disables these so-called security notifications by default, forcing you to visit settings, account and then security to enable these.

As one of the world’s most popular communication tools, the EFF reckons WhatsApp could offer better privacy and security

“Key verification is critical to prevent a Man in the Middle attack, in which a third party pretends to be a contact you know,” the watchdog wrote. But a key change could also be due to a contact getting a new phone.

The web app

The foundation also took issue with the web app.

“As with all websites, the resources needed to load the application are delivered each and every time you visit that site. So, even if there is support for crypto in the browser, the web application can easily be modified to serve a malicious version of the application upon any given pageload, which is capable of delivering all your messages to a third party.”

The foundation said that a more secure solution would be to offer desktop support in the form of browser extensions.

That sharing deal with Facebook

Easily the most prominent concern is the new data sharing deal with parent company Facebook. In fact, the EFF said it marked a shift in WhatsApp’s privacy stance.

“While existing WhatsApp users are given 30 days to opt out of this change in their Facebook user experience, they cannot opt out of the data sharing itself. This gives Facebook an alarmingly enhanced view of users’ online communications activities, affiliations, and habits.”


The watchdog suggested several ways for WhatsApp to better support privacy, starting with a simplified interface for privacy settings.

The EFF suggested a simple slider mechanic for gradually tweaking privacy settings across the board. This could go from merely opting out of information sharing to disabling backups and more.

It also called for WhatsApp and Facebook to publicly disclose what kind of user data they’ll be sharing.

“WhatsApp needs to take certain future uses of its data permanently off the table by defining what it will — and, just as importantly, will not — do with the user information it collects.



Sign up to our newsletter to get the latest in digital insights. sign up

Welcome to Memeburn

Sign up to our newsletter to get the latest in digital insights.