WhatsApp Encryption Won’t Keep Your Messages Secret Unless You Also Do This

WhatsApp made waves yesterday with its decision to switch on end-to-end encryption for all its billion-plus users. “End-to-end” means the communication is encrypted before it leaves your phone and decrypted only after it reaches the other person’s phone, so nobody else, not even WhatsApp itself, can read or listen to it.

Predictably, privacy activists are delighted and law-enforcement types are worried (though ironically, U.S. government money helped fund the encryption technique WhatsApp uses).

But before you start using WhatsApp to plot your overthrow of the global capitalist regime, bear in mind that intercepting your messages in transit is just one—indeed, possibly the least likely—of the ways a hostile party might try to snoop on you. Encryption alone isn’t much help unless all the following things are happening as well.

You’re not storing messages on your phone

If you really need a message to stay secret, delete it after it’s read. If someone gets hold of your phone (e.g. by stealing it) and can get into it—as the FBI has now done with the iPhone used by the San Bernardino shooter—everything that’s on there will still be accessible.

Some messaging apps, such as Telegram, have an “auto-destruct” feature that deletes messages from the phone after a set period of time. WhatsApp currently doesn’t. (Telegram, on the other hand, doesn’t use end-to-end encryption by default; you have to choose it.)

You’re not backing up messages to the cloud

WhatsApp doesn’t store your messages on its servers. But in an iPhone, for instance, you can tell WhatsApp to keep a backup of messages in iCloud, Apple’s cloud storage service. Once the information is in the cloud, it could be subpoenaed by a government.

@csoghoian Here's the flaw, the average user will enable this - putting the other side at risk pic.twitter.com/3qU8vNbfIo

— Justin Cauchon (@Cauchon) April 5, 2016

Signal is an app popular with privacy activists, and its encryption technology is the same used in WhatsApp. It doesn’t back up to the cloud.

Way to go WhatsApp, but I'm not ready to give up Signal. I fear that many of my WhatsApp friends have enabled unencrypted cloud backups.

— Christopher Soghoian (@csoghoian) April 5, 2016

And it should go without saying, but if you take a screenshot of a message exchange for safekeeping before deleting it from the app, that too will be vulnerable if your phone backs up its photo gallery to the cloud or falls into the wrong hands.

Nobody’s looking at your screen

If somebody can see your screen while you’re sending messages, encryption is pointless. And given the rapid spread of high-quality cellphone cameras, the only way to be sure is to be out of any possible line of sight and with no reflecting surfaces anywhere near your screen—which could include glasses and perhaps even 

The person you’re communicating with is taking all the same precautions

Obviously.