End-to-end encryption: secure or deceptive?

Many people believe that end-to-end encryption is synonymous with security. This is a dangerous misconception: while the message content is protected, metadata, user behavior, and legal access options remain unprotected, with serious consequences for public authorities, critical infrastructure operators (KRITIS), public safety organizations (BOS), and the healthcare sector. Read here why data sovereignty means more than encryption and what you need to pay attention to.

Teamwire, May 13 2025

Is end-to-end encryption the panacea?

Imagine whispering a state secret or at least critical information about your company into someone’s ear. It would be confidential and direct, and no one else could overhear.

That’s what using WhatsApp, Signal, and other messengers with prominently advertised end-to-end encryption (E2EE) feels like. It’s a reassuring feeling, isn’t it?

But what if the room you’re whispering in has glass walls, and everyone can observe your gestures, the duration of your conversation, and even the identity of the person you’re talking to?

The message may be encrypted, but the context often shouts out more information than we would like. The assumption that E2EE is an impenetrable shield is one of the most dangerous fallacies in digital communication, especially for organizations where security and data protection are not just an optional extra but a duty.

 

Why is end-to-end encryption not enough?

Everyone is talking about end-to-end encryption (E2EE), and consumer messengers such as WhatsApp like to tout it as the ultimate in security. The message is simple and tempting:

Only the sender and recipient can read the message, and no one else, not even the provider itself. That sounds like digital privacy par excellence. But the reality, especially for professional users in public authorities, critical infrastructure companies, public safety, and the healthcare sector, is much more complex.

 

End-to-end encryption is an essential building block, but it is by no means the only one, and it is often not even the decisive factor for comprehensive communication security.

 

The fundamental problem is that E2EE protects only the content of a message between the two endpoints, in transit and on the provider’s servers. It says nothing about what happens on the devices themselves, and nothing about the data surrounding the message.

 

What is often overlooked are the numerous other data points and weaknesses that can compromise supposedly secure communication. Think of the envelope of a letter: even if the contents are sealed, the envelope reveals valuable information such as the sender, the recipient, the postmark, perhaps even the urgency. Digital messages are no different.

 

The answer is clear:

 

End-to-end encryption alone is not enough, especially in a professional environment.

What are the most significant security risks with WhatsApp & Co.?

1. Metadata as a source of danger

Metadata, i.e., data about data, often reveals more than many users realize. This includes information such as:

  • Who communicates with whom?
  • When and how often does the communication take place?
  • How long are the messages?
  • Which group memberships exist?

Metadata can also reveal locations and more: IP addresses logged by the provider or push notification traffic place a device on a particular network at a particular time, and even online status or read receipts are metadata that allow sensitive conclusions about working methods, availability, and internal processes.

 

US IT security expert Bruce Schneier puts it like this:

 

“Collecting metadata on people means putting them under surveillance.”

 

This is a serious problem for authorities and organizations with critical communication needs.

 

Let’s take two everyday scenarios as an example:

 

  1. A man chats with a woman more often than with his own wife. This could indicate an affair.
  2. A man regularly exchanges messages with a urologist during the day. He probably has a medical problem.

 

Similar examples can also be derived for critical infrastructures, authorities, etc.:

 

  1. Police:
    An officer in a special unit regularly communicates with the same colleagues in a chat at night. From the times, frequencies, and group affiliations alone, conclusions can be drawn about deployment patterns, on-call times, and shift changes. Knowing about planned raids or covert operations in advance could be extremely valuable to attackers or criminals.
  2. Municipal utilities and energy suppliers:
    An employee in the IT department of an energy supplier regularly chats with an external service provider, always shortly before maintenance work is carried out on a substation. Simply by looking at the communication pattern recorded in the metadata, attackers could recognize when certain systems are in a vulnerable state, for example to plan attacks or acts of sabotage.
  3. Healthcare:
    A doctor in oncology chats remarkably frequently with a particular specialist laboratory. The frequency of communication allows conclusions to be drawn about serious diagnoses and internal processes, which affects data protection and patient trust.
  4. Authorities:
    A department of a Ministry of the Interior suddenly communicates intensively with a crisis team and external communication consultants. From the intensity and timing of the messages alone, observers could conclude that a political crisis or a security situation (e.g., a terror warning, a demonstration, a cyber attack) is imminent, before any official information is made public.

Such information can be worth its weight in gold for attackers, who can use it to identify weak points, map internal structures, or launch targeted disinformation campaigns. WhatsApp and similar services, which often belong to big data companies such as Meta (Facebook), have an inherent interest in collecting and analyzing such metadata, whether for advertising purposes or to improve their services.
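The scenarios above are instances of traffic analysis: an observer who sees only the envelopes (sender, recipient, time, size) can still recover who works with whom, when a unit is active, and which contacts reliably precede an operational event. The following Python script, added here as an illustration and not part of the original article or of any messenger’s code, runs three such analyses over a constructed metadata log modelled on the night-shift and energy-supplier examples; all addresses, timestamps, and maintenance windows are invented.

```python
"""Traffic analysis over message metadata only; no message content is used.

Added example, not from the original article. The records below are
constructed, not captured from any real messenger. Each record is
(sender, recipient, timestamp, size_bytes): the envelope data a server
or network observer sees even when the body is end-to-end encrypted.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample for a fictional energy utility (assumption: the
# observer sees envelopes only, never plaintext).
BASE = datetime(2025, 5, 5, 0, 0)
# Three constructed substation maintenance windows, one week apart, 22:00.
MAINTENANCE_WINDOWS = [BASE + timedelta(days=d, hours=22) for d in (0, 7, 14)]


def _build_records():
    recs = []
    # Routine daytime chatter between two colleagues, every day.
    for day in range(21):
        for hour in (9, 11, 14, 16):
            recs.append(("anna@utility", "ben@utility",
                         BASE + timedelta(days=day, hours=hour), 180))
    # IT employee contacts the external contractor ~2h before each window.
    for t in MAINTENANCE_WINDOWS:
        recs.append(("ben@utility", "tech@contractor.example",
                     t - timedelta(hours=2), 420))
        recs.append(("tech@contractor.example", "ben@utility",
                     t - timedelta(hours=1, minutes=50), 95))
    # Night-time traffic between the same two people every other day.
    for day in range(0, 21, 2):
        for hour in (1, 3):
            recs.append(("dana@utility", "eva@utility",
                         BASE + timedelta(days=day, hours=hour), 60))
    return recs


RECORDS = _build_records()


def contact_pairs(records):
    """Who talks to whom, and how often (direction ignored)."""
    counts = Counter()
    for sender, recipient, _, _ in records:
        counts[tuple(sorted((sender, recipient)))] += 1
    return counts


def activity_by_hour(records, participant):
    """When a participant is active: message count per hour of day."""
    hist = defaultdict(int)
    for sender, recipient, ts, _ in records:
        if participant in (sender, recipient):
            hist[ts.hour] += 1
    return dict(hist)


def leading_indicators(records, events, window=timedelta(hours=3)):
    """Contact pairs that appear within `window` before *every* event.

    Returns (pair, precision) sorted by precision, where precision is the
    share of that pair's total traffic that falls inside pre-event windows.
    A pair with precision near 1.0 is a reliable predictor of the event.
    """
    total = contact_pairs(records)
    hits = defaultdict(set)      # pair -> indices of events it preceded
    in_window = Counter()        # pair -> messages inside any pre-event window
    for sender, recipient, ts, _ in records:
        pair = tuple(sorted((sender, recipient)))
        for i, ev in enumerate(events):
            if ev - window <= ts < ev:
                hits[pair].add(i)
                in_window[pair] += 1
    result = [(pair, in_window[pair] / total[pair])
              for pair, seen in hits.items() if len(seen) == len(events)]
    return sorted(result, key=lambda item: -item[1])


if __name__ == "__main__":
    print("contact pairs:", contact_pairs(RECORDS).most_common())
    print("dana's active hours:", activity_by_hour(RECORDS, "dana@utility"))
    print("contacts predicting maintenance:",
          leading_indicators(RECORDS, MAINTENANCE_WINDOWS))
```

`leading_indicators` is the analysis behind the substation scenario: the pair `ben@utility` / `tech@contractor.example` shows up inside the three-hour window before every maintenance event and nowhere else, so it predicts the event with precision 1.0, and the observer never needed a single message body. The same three functions apply to any export that yields the four envelope fields; the defence is to keep such envelope data off third-party servers in the first place, not to encrypt the bodies harder.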

 

The assurance that E2EE encrypts content often distracts from this far-reaching data collection.

 

2. Shadow IT

Another closely related problem is the emergence of shadow IT. Employees often resort to private devices and consumer messengers if official communication channels are perceived as too cumbersome or user-unfriendly.

 

This use is beyond the control and administration of IT managers. There is no centralized management of users and rights, no way to control data outflow, and no way to enforce compliance requirements.

 

Sensitive official information thus ends up uncontrolled on private end devices and third-party servers, often outside the EU, without any guarantee of data protection and security in accordance with the GDPR.

 

The “SignalGate” scandal in the USA, in which high-ranking government representatives exchanged sensitive information in a consumer messenger group chat to which a journalist had inadvertently been added, is a drastic example of the dangers of uncontrolled shadow IT.

 

This is an unacceptable risk for organizations bound to secrecy or that must meet strict compliance requirements.

 

The risk of shadow IT becomes acute when employees leave the company or organization, or when an end device is lost or stolen. Precisely then you must be able to block the user or the device centrally and immediately to prevent further uncontrolled use of sensitive data.

 

By the way, you may also be interested in the article “Why WhatsApp, Signal & Co. are not an option for secure communication between authorities”.

 

3. Hidden functions and backdoors

Backdoors are hidden access options to systems. They bypass standard protection mechanisms and are often used to gain unauthorized access to a computer, a program, or a network.

 

Here are some scenarios that are hypothetical today but technically feasible:

 

Scenario 1

Let’s assume a third person can be added to a WhatsApp chat without being displayed as a member of the group.

 

This is reminiscent of the SignalGate case in the USA, except that in such a scenario the third party reads along without any of the other participants noticing.

 

Scenario 2

Let’s assume the provider forwards the message preview contained in push notifications, together with the device data attached to them, and uses this to read messages and track the user’s location.

 

Scenario 3

Let’s assume the provider always forwards the last five messages of each chat to a surveillance server in order to monitor a user. Or let’s assume the provider exfiltrates the user’s private keys from the app so that messages can be decrypted outside the device.

 

Three unpleasant scenarios that are technically possible. If providers pursue particular objectives or are under legal obligations, such scenarios can quickly become reality. The underlying point is that E2EE protects against observers on the network and on the server, not against the client software itself: whoever ships the app, and its updates, controls what happens to the plaintext and the keys on the device.

 

4. Legal hurdles and risks due to US laws

In addition to technical aspects such as metadata and shadow IT, the legal framework represents a massive hurdle for consumer messengers from the USA or other third countries. (Read also: Remain Capable of Action: Why Alternatives to US Cloud Solutions Are Essential)

 

The GDPR, as a European regulation, sits uneasily with US law

The EU’s General Data Protection Regulation (GDPR) sets strict standards for the processing of personal data. These apply to all organizations that process the data of EU citizens, regardless of their location.

 

Core principles such as purpose limitation, data minimization, transparency, and accountability often conflict with US providers’ business models and legal obligations.

 

The US CLOUD Act – a key problem for European data protection

In a nutshell:

 

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) obliges US companies to give US authorities access to data in their possession, custody, or control, even if that data is stored on servers outside the USA, for example in the EU.

 

This fundamentally undermines the data sovereignty principle and the protection mechanisms of the GDPR.

 

The assurance that data is “hosted in Europe” loses considerable value if the provider is nevertheless subject to US law and can be forced to hand it over.

 

Attempts to make transatlantic data transfers legally secure have failed several times so far:

 

The “Privacy Shield” agreement, which, as the successor to “Safe Harbor”, was intended to guarantee an appropriate data protection standard for data transfers to the USA, was declared invalid by the European Court of Justice (ECJ) in 2020 in the so-called “Schrems II” ruling.

 

In particular, the ECJ criticized the US security authorities’ far-reaching surveillance powers and the lack of legal protection for EU citizens.

 

The latest developments surrounding the Privacy and Civil Liberties Oversight Board (PCLOB) in the USA, whose ability to act has been weakened by political decisions, are also increasing uncertainty. The PCLOB was supposed to be an independent supervisory authority for US surveillance practices. Its weakening represents a further setback for protecting European data from US services.

 

For public authorities, critical infrastructure operators, healthcare organizations, and other security-critical institutions, this means a significant compliance risk:

 

The use of WhatsApp & Co. can result in severe fines under the GDPR and the loss of control over sensitive, critical, or even secret information.

 

The temptation of the ease of use of typical consumer messengers should not obscure these profound legal and security implications.

 

Choosing a European provider that is fully compliant with the GDPR and guarantees genuine data sovereignty is not just an option but a necessity.

What does absolute EU data sovereignty mean?

EU data sovereignty is becoming increasingly important in the face of legal uncertainties and aggressive legislation in the USA.

 

But why is the “EU server location” label alone insufficient in this context?

 

Many organizations believe they are on the safe side by choosing a provider that guarantees server locations within the European Union. But this assumption is deceptive.

 

Although the EU as a server location is an essential first step, it is by no means a panacea and certainly no guarantee of genuine data sovereignty. Especially if the provider or parent company has its headquarters in a third country, such as the USA.

 

The core problem remains the aforementioned US CLOUD Act. It allows US authorities to access data controlled by US companies, regardless of where it is physically stored.

 

Therefore, servers in Frankfurt, Amsterdam, or Dublin are not protected from access if the service operator is accountable to the US authorities.

 

Therefore, a US hyperscaler’s much-vaunted “European cloud” can quickly become a sham when protecting against non-European access.

 

Genuine EU data sovereignty goes far beyond the mere storage location. It includes complete control over all data (including metadata!), the technical infrastructure, and the legal framework.

 

This means:

  • European provider: The provider of the communication solution must have its headquarters and legal jurisdiction entirely within the EU and must not be subject to third-country legislation such as the CLOUD Act.
  • Transparent data processing: It must be clear how, where, and for what purposes data is processed. Hidden data flows or unclear subcontractor chains are unacceptable.
  • Metadata minimization: The software may collect only the metadata strictly necessary for operation and must not perform or store any hidden analyses of this data.
  • No backdoors: The software must not contain any hidden backdoors for intelligence services or other unauthorized third parties.
  • Compliance with European standards: The solution must be GDPR-compliant and meet the relevant European and national security standards (e.g., the BSI C5 criteria catalogue in Germany, ISO 27001).

The discussion surrounding GAIA-X, one of several initiatives to create a secure and sovereign European data infrastructure, has underlined the urgency of these requirements. Even though GAIA-X is regarded in specialist circles as having largely failed in its implementation, it demonstrates the clear political will to reduce Europe’s digital dependency.

 

For organizations in critical infrastructure, public safety, authorities, and the healthcare sector, choosing a provider that consistently implements these principles of EU data sovereignty is not just a question of compliance. Rather, protecting their critical information and maintaining their ability to act is a strategic necessity.

 

By the way, our resources page has many useful guides and checklists. The case studies show how Teamwire is used in various industries.

What requirements apply to organizations with critical tasks?

The aforementioned weaknesses of consumer messengers such as WhatsApp are particularly serious for organizations in critical infrastructures, authorities, and organizations with security tasks, as well as in the healthcare sector. These sectors have specific, often legally enshrined communication requirements that go far beyond what standard solutions can offer.

The question arises:

What exactly must a professional and secure communication solution do to meet these challenges?

It’s about far more than just encryption. A bundle of technical, organizational, and legal features characterizes a truly sovereign and future-proof solution.

7 key aspects that a secure communication solution needs to offer

1. Central access management

You always need complete control over your communication channels, the data exchanged via them, and the authorized users.

This requires a central administration to manage user accounts, assign granular authorizations, and enforce security guidelines.

Such centralized access management is also essential, for example, if an employee leaves a company or authority, or an end device is stolen. You must be able to block the user or the device centrally immediately so that confidential data cannot be accessed further.

Consumer apps, which are primarily designed for private use, generally do not offer such comprehensive control and management functions.

Your IT department has no control, which poses a significant security and compliance risk.

 

2. Role-based communication

Closely linked to this is the need for a precise distribution of roles and rights.

In hierarchically structured organizations or complex operational situations, you must be able to control communication flows in a targeted manner. Not every employee should have access to all information.

Clearly defined user roles with different authorizations are required, for example for reading, writing, or managing groups and channels. Such differentiated rights models can hardly be implemented in standard messengers.

 

3. Audit security

Another critical point is audit security, i.e., traceability.

 

Many processes in public authorities and companies are subject to strict documentation requirements. In case of doubt, communication processes must be archived in a traceable and audit-proof manner, for internal audits, legal disputes, or to fulfill transparency requirements.

 

This requires technical mechanisms for secure storage, transparent processes, and guidelines for accessing archived data. A solution must ensure that this archiving is GDPR-compliant and that, for example, the “right to be forgotten” or access requests from data subjects can also be honored.

 

WhatsApp & Co. do not offer adequate solutions for this. Exporting chat histories is often difficult or impossible, and audit-proof, GDPR-compliant archiving is not guaranteed.

 

4. Data control

Another key issue is data control. In addition to the above-mentioned points on audit security, this involves transparent processes and guidelines on retention periods.

 

The following questions need to be clarified and appropriate measures implemented:

  • How long will data be stored in the app?
  • Should it be deleted automatically after a specific time to protect sensitive data better?
  • Can users share data with other apps?
  • What data can users access in the apps?
  • Should data be regularly deleted from the servers?

These crucial considerations also apply to metadata!

 

5. Compliance

Finally, compliance plays an overriding role. In addition to the GDPR, you must comply with industry-specific laws, regulations, and standards.

 

Consider, for example, IT security legislation for critical infrastructure operators such as the NIS-2 Directive and its national implementation, specific requirements for police communication, or the duty of confidentiality and the data protection obligations for patient data in the healthcare sector.

 

Non-compliant communication tools can result in severe penalties, liability risks, and considerable reputational damage.

 

The temptation to communicate quickly and easily via WhatsApp must not lead to the neglect of these fundamental requirements. A professional, secure, and sovereign communication solution is not an option but an absolute necessity for these sectors.

 

6. Integration capability

A decisive factor is integration capability (e.g., Active Directory, MDM, LDAP). Modern workflows are networked. A communication solution must not be an isolated silo, but must be able to integrate seamlessly into existing IT landscapes and specialist applications.

 

These can be connections to document management systems (DMS), CRM systems, operations control systems, or industry-specific software in the healthcare sector. API interfaces and standardized connectors are essential to avoid manual re-entry between systems and to enable efficient, end-to-end processes.

 

Think about starting a secure chat directly from a specialist application or sharing relevant documents directly in a protected channel.

 

7. Sovereign hosting

Finally, GDPR-compliant hosting in a certified data center within the EU, ideally in Germany, is a basic requirement. As already explained, a server location in the EU alone is insufficient if the provider is subject to US laws.

 

The key here is a European provider with complete legal and technical control over the infrastructure. Certifications and attestations such as ISO 27001 or a C5 attestation according to the criteria catalogue of the German Federal Office for Information Security (BSI) provide additional assurance and demonstrate compliance with high security standards.

 

To summarize:

 

A secure communication solution for professional requirements is a complex system that goes far beyond transmitting messages.

 

It must guarantee controllability, integration capability, audit security, and genuine data sovereignty. This is the only way authorities, critical infrastructure, public safety, and healthcare organizations can effectively counter the diverse threats and requirements of the digital world.

It’s about more than encryption: time for absolute sovereignty

The widespread assumption that end-to-end encryption on WhatsApp & Co. is synonymous with comprehensive security is a dangerous fallacy on closer inspection.

 

It’s time to rethink.

 

As we have seen, the real risks often do not lurk in the encrypted content itself, but in the unprotected metadata, the uncontrolled shadow IT, the complex legal pitfalls caused by US laws such as the CLOUD Act and the associated lack of EU data sovereignty.

 

Therefore, consumer messengers are not viable, especially for public authorities, critical infrastructure companies, public safety, and healthcare organizations that work with highly sensitive information and are subject to strict compliance requirements.

 

Standard messengers cannot meet the specific requirements of these sectors. Simply referring to a server location in the EU is not nearly enough to guarantee true data sovereignty as long as the provider is subject to non-European laws.

 

It’s time to critically examine your communication strategy and focus on genuine digital sovereignty.

 

Today, a professional communication solution must do far more than just transmit messages:

 

It must integrate seamlessly into existing systems, offer comprehensive management and control options, enable audit-proof archiving, and be based on a GDPR-compliant solution with sovereign hosting from a trustworthy European provider.

 

What does this mean for you and your organization?

  • Check your current communication channels:
    • Do your employees use consumer messengers for work-related matters?
    • Are you fully aware of the associated risks?
  • Define your requirements:
    • What data must your organization be able to protect at all times?
    • Which users, groups, and end devices do you need to be able to control and lock centrally?
    • What specific security and compliance requirements does your organization have?
    • Which integration scenarios are relevant for you?
  • Demand real sovereignty:
    • Don’t be blinded by superficial promises of security.
    • Question the provider, the legal framework, and the technical details.

The security of your communication is not a luxury but a strategic necessity. Protect sensitive data, ensure compliance with legal requirements, and strengthen your organization’s digital resilience.

 

A truly secure and sovereign communication solution for your specific needs

Take the next step and request a free demo today or try Teamwire without obligation to experience what modern, secure, and sovereign business communication can look like for your organization.

 

Or take a look at our case studies.

 

We look forward to advising you!

 


FAQs: Secure messengers for authorities, BOS, KRITIS, healthcare

 

Why is end-to-end encryption not enough?

End-to-end encryption only protects the content, not the metadata – i.e., who is communicating with whom and when. Legal access options (e.g., the US CLOUD Act) and the risks of shadow IT also remain.

What does absolute EU data sovereignty mean?

True data sovereignty requires providers to have their headquarters, infrastructure, and legal jurisdiction entirely within the EU, without being bound by US or third-country law.

Is WhatsApp GDPR-compliant for public authorities, public safety, critical infrastructure, or hospitals?

No. WhatsApp is subject to US law, does not allow centralized control by IT managers, and does not offer audit-proof archiving – a clear violation of GDPR principles in sensitive areas.

What secure alternatives to WhatsApp are there for public safety, critical infrastructure, authorities, and the healthcare sector?

Specialized providers such as Teamwire offer GDPR-compliant messengers with EU hosting, granular rights management, integration options, and central administration – developed for professional requirements.

Are there messengers with official security certifications?

Yes. Look for certifications and attestations such as ISO 27001, BSI C5, or industry-specific certificates. These show that a provider meets high security and compliance standards.

How can legally compliant archiving be ensured?

Only professional business messengers offer audit-proof, GDPR-compliant archiving. This is not possible with WhatsApp and other consumer messengers.

Is WhatsApp secure?

No. Although the message text is encrypted, metadata, a lack of control by the organization, and legal grey areas make WhatsApp unsuitable for security-critical communication.

Is an EU server location sufficient?

Not necessarily. If the provider is subject to US law, data can still be accessed via the CLOUD Act, for example, even if the hosting is in Frankfurt or Dublin.
