WhatsApp has come a long way in terms of security. End-to-end encryption is now the default for chats and calls, and the app has also introduced two-step verification, encrypted backups, and scam-detection tools. It deserves credit for all this, but as one of its many users, I still don’t trust it.
5
Cloud Backups Are Not Encrypted by Default
WhatsApp’s end-to-end encryption is often highlighted as proof of its security, but it only applies while the data stays on your device or in transit. When you back up your chats, it doesn’t encrypt them by default. For years, WhatsApp backups to Google Drive (on Android) and iCloud (on iOS) were completely unencrypted, meaning your supposedly private conversations could be accessed if those accounts were compromised.
WhatsApp eventually introduced encrypted backups as an option, but that’s the key issue: it’s optional, not automatic. Many users likely don’t know the feature exists or never bother enabling it. If WhatsApp wanted all backups to be secured, it should’ve enabled encryption by default.
Encryption is crucial for your data backups and shouldn’t be considered optional. If the platform had the best interests of its users in mind, then such a feature should be enabled by default. Making such an important feature optional doesn’t look good for a platform trying to market itself as one that respects user privacy.
When Meta (then Facebook) bought WhatsApp for $19 billion in 2014, the app initially operated independently as part of the acquisition terms. However, in contradiction to its promise, WhatsApp has been gradually integrated into Meta’s larger ecosystem by merging both infrastructure and data practices.
We’re still in the integration phase, but you can already link your WhatsApp account with your Facebook and Instagram accounts, allowing you to log in to one account using another or share status and posts across platforms. You can also chat with Meta AI on WhatsApp after the company added the chatbot early in 2024. If you’re a business user, you can link your WhatsApp Business account with your Facebook page and manage customer chats from WhatsApp, Messenger, and Instagram in one place.
While these additions are handy and make WhatsApp more convenient and versatile if you use other Meta apps, they unfortunately blur the lines between private messaging and Meta’s profit-driven services. Every new integration increases the potential for data sharing. Now, when businesses communicate with customers through WhatsApp, those interactions can be linked to Facebook’s advertising tools. Suddenly, your supposedly private messaging app becomes part of a larger marketing machine.
That’s why it’s tough to trust WhatsApp, because it looks to monetize every chance it gets, even when new features are framed as user-friendly upgrades. The pattern suggests that convenience is rarely the end goal—instead, it’s about pulling more of your activity into Meta’s data-driven ecosystem. For instance, when you interact with Meta AI on WhatsApp, Meta can log your chats and use them to finetune its AI models. And, unlike some AI chatbots, you can’t opt out, which is why I don’t use Meta AI on WhatsApp.
3
It’s Closed Source
Another reason I struggle to trust WhatsApp is that much of its infrastructure is closed source. While its encryption protocol is based on the same protocol used by Signal, WhatsApp’s server-side code isn’t open for public review. This means you have to take Meta’s word that the app works exactly as promised, with no hidden mechanisms for data collection or surveillance. But given the company’s history, it’s hard to take its word at face value, especially for someone like me who follows and writes about technology.
In the world of security, transparency matters. Open-source projects allow independent researchers to inspect the code, verify claims, and quickly spot vulnerabilities or potential backdoors. This creates accountability because flaws or shady practices can’t be easily hidden.
By far, the biggest reason I can’t fully trust WhatsApp is that Meta, the parent company of Facebook and Instagram, owns it. Meta has one of the worst reputations when it comes to protecting user privacy. From the Cambridge Analytica scandal to repeated fines over mishandling personal data, the company’s history shows a pattern of prioritizing growth and profits over user protection. That legacy inevitably casts a shadow over WhatsApp, no matter how secure the company makes the app.
Meta’s entire business model revolves around monetizing user information. It thrives on collecting, analyzing, and selling insights about its massive user base to advertisers. Even if WhatsApp messages are encrypted, Meta has every incentive to find other ways to squeeze value from WhatsApp users.
End-to-end encryption is often marketed as the gold standard of secure messaging, but it only takes you so far. It only protects the content of your conversations and does nothing to hide the metadata around those conversations. In many ways, this information can be as revealing as the actual messages themselves.
WhatsApp collects and retains a staggering amount of metadata. It collects metadata such as who you talk to, the time and duration of chats and calls, and message timestamps. It also gathers device information, profile information (including status messages and profile pictures), group and broadcast list memberships, location data, and more.
That’s why, despite WhatsApp using the same Signal protocol for end-to-end encryption, it’s not regarded as one of the best privacy apps. Signal does this because, in addition to end-to-end encryption, it collects a minimal amount of metadata.
WhatsApp is one of the best instant messaging apps. I use it daily to communicate with friends and family, but despite that, I don’t trust the app for the shared reasons. I’d switch if I could, but it’s impossible since everyone around me relies on the app.