WhatsApp suddenly finds itself embroiled in a painful battle with Elon Musk. Unfortunately for the Meta mega-messenger, the battlefield is X, and it’s tough to beat Musk, who has 185 million followers.
The dispute between Musk and WhatsApp, which began this weekend, concerns whether WhatsApp exports user data to its own servers. Musk initially responded to a post that claimed “WhatsApp exports user data every night, analyzes it, and uses it to target ads, making users the product, not the customer.”
Musk’s response, as always, was short, vague and misleading: “WhatsApp exports user data every night. Some people still think it’s safe.”
For WhatsApp, this ambiguity is a major concern, as it seems to suggest that users’ content could be compromised by Meta’s world-class data-collection machine. “Many have said this already, but it’s worth repeating: this is not true,” WhatsApp head Will Cathcart responded to Musk. “We take security seriously, which is why we encrypt our users’ messages end-to-end – messages are not sent to us or exported to us every night.”
But these discussions have a tendency to escalate, so sometimes it’s best to leave them alone. Security researcher Tommy Mysk picked up on Cathcart’s response, explaining:
“WhatsApp messages are end-to-end encrypted, but user data doesn’t just extend to the messages. It also includes metadata like the user’s location, the contacts the user is communicating with, and patterns of when the user is online. According to the privacy policy, this metadata is actually used to target ads across Meta services. So @elonmusk is right.”
Still, it would all have been fine for WhatsApp. Mysk is well followed within the security community following high-profile reports of data vulnerabilities in TikTok, iPhones, and Facebook, but most people who follow Mysk understand the nuances between metadata and content, and this post would have raised little concern.
But unfortunately for WhatsApp, Musk went further, bestowing Miske’s post with a bullseye emoji. Now the stakes were up, because Miske’s post touched on WhatsApp’s biggest vulnerability, or Achilles heel: Meta, i.e., data sharing with Facebook.
We all know there is a messy data-based Faustian pact between WhatsApp and Facebook/Meta: WhatsApp shares as little as possible to balance a somewhat tricky ownership status with security credentials. Always lurking in the background are Signal (good) and Telegram (bad), picking up the flotsam and skids who get scared of data sharing and switch for no understandable reason or reason.
Tommy Misk told me: “Will Cathcart’s response only mentioned E2EE for WhatsApp messages, which we all know about by now. He completely ignored the data sharing between WhatsApp and other Meta products. While WhatsApp messages are end-to-end encrypted, there are other data points that are not encrypted that could give away a lot of information about the user… I understand Elon Musk’s concerns.”
WhatsApp is highly wary of anything that calls into question its integrity and security, as evidenced by its response last week to a report that its engineers had criticized the company for not taking steps to prevent government network analysis from building a map of WhatsApp user relationships.
Metadata is complex and poorly understood. It’s not a big deal compared to content leaks, but it’s still a concern for users. I’m not particularly concerned about WhatsApp’s actual message encryption, despite Telegram’s Pavel Durov suggesting otherwise earlier this month. But as I commented over the weekend, “Let’s keep this ridiculously simple: if you have reason to fear that any agency is tracking you, your location, or your contacts, then you should probably not use Meta, a platform owned and operated by Facebook.”
So should you be worried and consider switching from WhatsApp to something else? For most people, no. Metadata analytics is much less valuable if it doesn’t collect actual content. It can tailor ads to your location and device, and maybe…perhaps— reflecting the groups and people you’re connected to and some of the messages you send. It will also be linked to other data stored in your broader profile. But that’s probably less of a concern than analyzing your unencrypted content.
But as WhatsApp evolves, so do the risks of data sharing. Mysk explains: “With the introduction of Communities, WhatsApp has become much more than just messaging. The metadata collected from users’ interactions with Communities certainly expands the scope of unencrypted information WhatsApp holds about its users and their interests. WhatsApp’s privacy policy states that this data, or metadata, is used to show relevant offers and ads across Meta products.”
But for those who are concerned about user tracking even from metadata and want to use the most private, secure and clean platform, switching from WhatsApp to Signal is always a good idea.
This is Musk’s second spat with Messenger in just a few weeks, after he repeated serious allegations from Telegram about Signal and its ties to the US government. That spat was quickly resolved as it was based on a complete lack of evidence and false claims. But WhatsApp, Meta, and Metadata could be much harder to erase.
WhatsApp has not yet responded to my request for comment on Musk’s post.