Should Businesses Worry About The Encryption and Security of Whatsapp?

There has been a huge discussion recently about a security vulnerability of Whatsapp, which some people quickly proclaimed as a "backdoor" for governments to snoop on users.

Teamwire, Jan 25 2017

A new analysis by a security researcher showed that WhatsApp could read some messages due to the way WhatsApp has implemented its end-to-end encryption protocol. Some security experts say that the vulnerability is a known “trade-off” due to the size of Whatsapp’s user base and can hardly be used for mass surveillance.


However, since Whatsapp always highlights its privacy and security, this raises some serious questions for its users. Enterprises and employees, which use Whatsapp for business purposes, ask themselves if they can rely on the encryption and security of Whatsapp?


Businesses Disclose Much More Information Than It Might Appear


Let’s have a look at the encryption of WhatsApp first. Let’s assume some security experts are right and this is a small vulnerability, which can only be exploited in exceptional cases. Does that mean overall the encryption of WhatsApp is still secure for businesses? The answer for most enterprises is clearly no. Whatsapp does only encrypt the messages, but not the meta data. Thus Whatsapp e.g. knows who you communicate with, how often you communicate with them, how long you interact with them, which 1:1 and group chats you are part of, etc. Normally this meta data is actually more important than the messages itself. That’s why intelligence agencies love the meta data. Meta data gives Whatsapp an excellent overview of your social and – in this case – your business relations and their importance.


In addition, in many cases the meta data easily gives a clue about the end-to-end encrypted content. For example, when you communicate with a specific supplier, it is clear that you are interested in a certain component. When you intensively exchange with a customer, it is obvious that he is interested in buying your product. When you talk to a certain consultant, you probably look for advise on a topic. When you consult a specific doctor, you probably need special medical aid. When you regularly connect with a competitor, you might contemplate a merger. And so on…


Another problem is that most users have enabled the backup of their Whatsapp messages. That means the messages get stored in the cloud of e.g. Apple or Google (depending on the device) as a backup. What only a few users know: The messages are stored there decrypted. This would allow not only Apple or Google but also authorities from the USA to access this data.


In summary it can be said, that by using Whatsapp businesses potentially disclose much more information then it might appear. And all this data will end up with and be used by Facebook.


Businesses Do Not Meet Their Security, Data Protection and Compliance Requirements


Now lets talk about the second part of the question: Does Whatsapp provide security, data protection and compliance for businesses? Again, the answer for most enterprises is clearly no. This can be easily shown by asking a list of questions:


  • Does Whatsapp provide strong data protection required by businesses? No.
  • Is the privacy policy of Whatsapp made for the requirements of European enterprises? No.
  • Does Whatsapp ensure minimal data usage and not storing address books? No.
  • Is Whatsapp hosted in a European data center (or ideally in the country of a business)? No.
  • Is Whatsapp compliant with the EU General Data Protection Regulation (GDPR), which enterprises have to fulfil? No.
  • Does the usage of Whatsapp ensure legal compliance required by businesses? No.
  • Can enterprises using Whatsapp prevent mixing private and business communications? No.
  • Can enterprises using Whatsapp prevent mixing private and business contacts? No.
  • Can businesses using Whatsapp prevent the distribution of confidential information to external people (e.g. data theft)? No.
  • Can an enterprise manage and control the access of its employees to Whatsapp? No.
  • Can a business block the access of an employee to Whatsapp in case of a data loss prevention scenario? No.
  • Can enterprises configure communication rules for its employees and units for Whatsapp? No.
  • Can a business control the data and content shared via Whatsapp? No.
  • Can an enterprise configure data protection and compliance policies for Whatsapp? No.
  • Can an enterprise archive the chats of Whatsapp for audit reasons? No.
  • Does Whatsapp support mobile device management or enterprise mobility management solutions? No.
  • Does Whatsapp provide mobile application management? No.


Actually there are even more questions on the security, data protection and compliance of Whatsapp, that businesses could ask. If you have a look at our blog posts on the disadvantages and damages of the usage of Whatsapp for business purposes, you will get a good idea what other topics are important for your enterprise.


Whatsapp does not provide the security, encryption, data protection and compliance required by businesses. For a secure, private, protected and compliant communication with colleagues and teams, businesses need a dedicated enterprise messaging app like Teamwire.