Is your data safe on online chat platforms?

Earlier this year, Facebook-owned instant messaging platform WhatsApp landed in hot water after announcing a new update to its privacy policy. Users began to abandon the app, sighting reasons that the app has access to their private information and conversations. Shortly after the announcement, millions of users around the world claimed to have switched to other more secure messaging platforms.

Following the confusion, WhatsApp issued clarifications reassuring users, and also postponed the update to later this year. Dr. Mashael Al-Sabah, a Senior Scientist at Qatar Foundation’s Hamad Bin Khalifa University’s Qatar Computing Research Institute, spoke to us about what the updates mean, why the confusion, and how secure our data really is.

“The business model of the internet is based on our data. Companies online aggregate, store, process, and even sell our data to other entities for profits and successful targeted advertising,” she said. With the goal of maximizing profit by presenting users with tailored advertising suiting their preferences, advertisers require logs of user searches and preferences from networks like WhatsApp and Facebook.

That then raises the question – was the uproar about WhatsApp warranted? Should people really be worried?

People should always be alert and cautious when it comes to data privacy and security, Dr. Al-Sabah said. “The backlash among WhatsApp users is a healthy sign demonstrating increased awareness among average users. Ultimately, it’s the users who want to have control over their data, and making informed decisions about how to use which apps while consenting to their policies can result in better control over their data.”

One app that seemed to be gaining popularity as an alternative to WhatsApp was Signal. When asked about a difference in privacy policies between the two apps, Dr. Al-Sabah said that both WhatsApp and Signal guarantee confidentiality of communication using end-to-end encryption. That is, a message you type is encrypted using keys stored in your device. Then, the message is sent to the other end (contact) through the app servers. However, the app servers do not see the contents because only the receiving end has the shared decryption key.

“Signal appears to be more secure than WhatsApp because it is open source. That is, its source code is public and available for anyone to verify that it provides and implements the privacy or security it claims to implement,” she added.

Despite some apps seeming or claiming to be safer, there are no guarantees of privacy as they can change their privacy policies and business models at any time. Signal, for instance, currently uses donations to operate. But if it needs to accommodate thousands of users in the future, it may have to shift to a subscription model.

According to Dr. Al-Sabah, the advantage of a subscription model is that apps can still monetize and profit without introducing privacy-invasive targeted and behavioral-based advertisement campaigns.

WhatsApp hacks and breaches of privacy have also recently been on the rise – once again raising eyebrows over the safety of users’ data on these apps. According to Dr. Al-Sabah, most common attacks are carried out using social engineering techniques – sending messages with malicious links urging victims to click on them, or impersonating friends and requesting verification pins to access WhatsApp accounts.

However, recent attacks have also become stealthier and more sophisticated – often targeting journalists and human rights activists by using vulnerabilities within WhatsApp to install spyware on victims’ devices. “In order to prevent attacks like these, users should always update their devices and apps, so as to install patches fixing these vulnerabilities. They should also be alert to social engineering tactics and never share sensitive information or pins received through messages to friends or family over WhatsApp without calling and verifying the source of the messages,” she said.

Addressing the concern of whether our information is really private and secure given that we are all living in a highly digitized age, Dr. Al-Sabah said: “Evidence has shown time and again that personal data loss and leakage is extremely common. Fortunately, Qatar is one of the first countries in the region to introduce a data protection and privacy law. But it is still always the responsibility of users to stay vigilant, and ensure their privacy is maintained by making informed decision about where their data is stored and possible consequences of data aggregation and loss.”