WhatsApp’s encryption: What it actually covers
WhatsApp uses end-to-end encryption, meaning only you and the recipient can read the messages. This protects content from being read by hackers, telecom companies, or even WhatsApp itself.
However, this encryption only covers the message content, not the metadata around it. End-to-end encryption doesn’t stop WhatsApp from logging the time and recipient of your messages, or from storing some data about your contacts and account activity.
Even though WhatsApp can’t read your messages, it still collects metadata: information like who you talked to, when, and for how long. This can paint a detailed picture of your communication patterns.
Metadata can be as revealing as message content. With it, surveillance entities can track your social network, frequency of contact, and geographic movement over time.
One big downside to WhatsApp is that the app is not fully functional unless you grant WhatsApp access to your contacts. Users report that when denying the app access to their contacts, WhatsApp does not allow the sending of messages via adding phone numbers. Effectively, a user must wait to be contacted before being able to use the app. Nym considers this to be a coercive way of gaining access to personal data on people’s devices, even if for functionality’s sake.
WhatsApp and cloud backups
Messages are encrypted in transit, but if you back them up to the cloud, they’re stored without end-to-end encryption. That means platforms like iCloud or Google Drive could access them, and potentially hand them over to governments.
To protect your conversations, avoid enabling cloud backups or use tools that encrypt your data before uploading it.
Is WhatsApp open source?
No. Unlike Signal, WhatsApp is not open-source. This means users and developers can’t verify the code to ensure there are no surveillance backdoors.
Open-source software offers greater transparency and trust. Without access to WhatsApp’s source code, users are left to rely on the company’s word about how the app works.
Network-Level privacy gaps
Even with encryption, using WhatsApp still exposes your IP address and other network metadata. Governments or ISPs can monitor this to infer usage patterns like who you talk to, how often, and from where.
This exposure can be especially risky in regions with strict surveillance. Masking your IP address is crucial for maintaining digital anonymity, so learn more in Nym’s IP address privacy guide.
To protect against this kind of surveillance, consider using a decentralized VPN like NymVPN to mask your IP and traffic metadata.
WhatsApp Business Accounts: A privacy weak spot
While regular WhatsApp chats are end-to-end encrypted, conversations with WhatsApp Business accounts often aren't held to the same standards. These accounts may use third-party customer service tools that can store and analyze your messages. Even if encryption is in place, metadata — including your phone number, interaction history, and time stamps — can still be collected.
If you're messaging businesses or customer support via WhatsApp, treat it like a semi-public interaction. Avoid sharing sensitive personal or financial data, and assume the conversation might be stored outside of WhatsApp's own servers.
WhatsApp status updates and privacy risks
WhatsApp’s “Status” feature allows you to share images and messages for 24 hours with your contacts. But many users don’t realize these updates can reveal patterns about your behavior: when you’re online, your location (via geotagged images), and who views your posts.
You can restrict who sees your Status under Settings > Privacy > Status, but these updates are still stored and synced across your linked devices. To reduce exposure, avoid posting anything that could reveal identifying details and consider using WhatsApp’s built-in audience controls, or skip Status updates altogether.
Enhancing your privacy on WhatsApp
While WhatsApp encrypts your messages, the app alone isn't enough to guarantee full privacy. To guard against metadata leaks, backups, and network surveillance, you’ll need to take a few additional steps:
- Turn off cloud backups
- Use two-step verification
- Keep your app up to date
- Limit group invite links
- Disable auto-saving media to your gallery
- Use a privacy-preserving and decentralized VPN to mask network metadata
Nym’s verdict: Is WhatsApp enough?
WhatsApp provides strong message encryption, but it doesn’t fully protect you. Metadata, backups, and network surveillance still pose privacy risks.
To stay truly anonymous, pair a more privacy-focused messenger like Signal with a decentralized VPN (dVPN).
Downloading NymVPN connects you to a decentralized Noise Generating Mixnet that hides your traffic patterns and IP address so you don’t have to worry about all the third parties monitoring your traffic.
Surveillance is everywhere and sophisticated. So the more layers you add, the more protection you’ll have.
