Soo Hyun Chin

Information Privacy Law

Professor Ira Rubinstein

March 29, 2017

WhatsApp and Metadata Overlooked

On the website of the most popular mobile messenger, WhatsApp, the company states that “privacy and security is in our DNA, which is why we have end-to-end encryption in the latest versions of our app. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, status updates and calls are secured from falling into the wrong hands.  . . . WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp.”

This encryption keeps the content of users' messages private, as described above, but it does not cover metadata such as the date, time and duration of communications, or location and contact information. Unlike the Signal messaging application, which does not store metadata, WhatsApp retains metadata. WhatsApp therefore needs to take further measures to protect its users' privacy.

Most people do not think much about metadata and overlook its importance. Nevertheless, the role that metadata plays in privacy is no smaller than that of the content of the communications itself.

For example, a court can order WhatsApp to install a pen register device to assist an ongoing investigation. Orders of this kind are not rare. In May 2006, an Ohio court ordered WhatsApp 1) to track the numbers calling and messaging, 2) to record the date, time and duration of communications, and 3) to provide details on any SMS text messaging WhatsApp had access to.

Those data do not include the content of the messages, but as Neema Singh Guliani, legislative counsel with the American Civil Liberties Union, mentioned in the article, “metadata is often enough to draw an informative map of a target’s life.” We already saw this in Smith v. Md., 442 U.S. 735, 99 S. Ct. 2577 (1979), where the police used the number dialed from the target’s telephone and other evidence to reveal that the target was the criminal. Metadata by itself is of great importance, and combined with other evidence it can have even more power.

Unlike those of Facebook, its parent company, WhatsApp’s responses to police requests were veiled in secrecy. Facebook has a transparency report that provides information about its responses to law enforcement requests, and it has published law enforcement guidelines outlining how and when users’ information can be retrieved. However, no such information about WhatsApp can be found in the transparency report, the guidelines or other materials.

Given the importance of metadata and the growing attention to privacy, WhatsApp might want to consider a stance like Google’s active response to the Guardian’s news on the Prism program, in which Google tried to keep its users’ trust by publishing relevant information in the company’s transparency report.


(About Google’s response to Prism news: