Does using WhatsApp expose my general web activity to Meta?

I’ve been trying to think through some privacy implications of using WhatsApp, in terms of Meta tracking of my general online activity, and I’ve realized I’m not as confident about how this all works as I thought I was. This feels like really basic stuff, but I’m not sure all the knowledge I’ve gathered over the years is still valid, and some of it may always have been wrong.

I’m not concerned with the privacy of my messages or their associated metadata here. I’m trying to understand the implications of merely having WhatsApp on my device, even if I never actually send or receive a message with it.

Can anyone please offer comments or corrections on the scenarios I’ve sketched out here? References to trustworthy (and ideally “modern”) web sites or videos with information on this would also be appreciated.

Let’s make some simplifying assumptions first:

  • I am using a brand new phone running a privacy-respecting OS, for which Meta (from some subset of the available properties they can observe) derive device fingerprint X.
  • The only account I have with Meta is my WhatsApp account, with phone number 1234. I don’t have a Facebook account.
  • Meta trivially knows (e.g. from my contacts’ contact lists) that the name SteveR is associated with phone number 1234.

Scenario:

  1. I set up the phone using an always-on VPN, which gives me an IP address 1.2.3.4.
  2. I install WhatsApp on the phone (everything is in a single profile here) and set it up using phone number 1234.
  3. Meta now know that SteveR is using IP address 1.2.3.4 (shared with other VPN users, of course), his device has fingerprint X and his phone number is 1234.
  4. If my IP address changes, Meta get instantly notified because WhatsApp is running on my phone. So I will just assume my IP address is constant here.
  5. I visit www.somerandomsite.com in my phone’s web browser, without logging in in any way - I’m just browsing.
  6. www.somerandomsite.com has a Meta-served ad or a Facebook “like” button on it.
  7. Meta get to see that a device with fingerprint X accessed www.somerandomsite.com from IP address 1.2.3.4, because my browser is fetching data and/or executing JavaScript code for the ad or “like” button.
  8. Meta can now trivially infer, and record in my profile for all time, that SteveR visited www.somerandomsite.com at time T.

Is this correct? I suspect things like uBlock Origin and miscellaneous browser privacy protections may invalidate my assumptions in step 7 about what Meta get to see when I visit www.somerandomsite.com with their ad or “like” button on it, but I’m not too confident.

What about this variant scenario, where (starting from scratch again) I set up a separate “work” profile on the phone, using a different VPN, and install WhatsApp in there?

  • The device fingerprint is probably the same in both profiles.
  • The IP address is different, so it doesn’t help Meta tie my web activity in the main profile to my WhatsApp account in the work profile.
  • But the device fingerprint alone is probably enough to make a statistical connection, and they may therefore record a visit to www.somerandomsite.com at time T (perhaps with an associated probability <1?) in SteveR’s profile.

It should not track you across browsers and the WhatsApp app, even if they are installed on the same phone.

Though your WhatsApp activity should be restricted to your Meta ecosystem. The phone number linked would be used for linking any related services or apps.

Not to mention that all Meta apps can talk to each other and share data, if they are installed on the same profile.

I feel in the current setup you are probably safe and don’t need to worry about the browser data with Meta.

1 Like

ProtonVPN and maybe other VPN providers have the ability to block trackers on a DNS level. This should mitigate some of the tracking issue.

1 Like

Thanks guys! So is the problem with my scenario analysis above entirely that step 7 is mitigated by things like browser or DNS blocking tracking, or have I got something else wrong?

Yes. Also, if your phone number is associated with your identity, Meta now knows that whenever you visit a website with their trackers it really is you.

1 Like

Thanks guys.

I have to say that this feels pretty depressing. Unless my browser or DNS block list happens to hard-code Meta’s tracking server - and this is, I guess, the fabled “enumerating badness” problem, and is bound to fail sooner or later - they will see my IP address and device fingerprint and I’m identified.

If it were just the IP address I could handle this. Using a different IP address (or merely relying on the shared nature of the VPN IP address) would probably be good enough. But the device fingerprinting aspect means that even if I do something like:

  • main web browser running in owner profile, with VPN A
  • WhatsApp running in a work profile, with VPN B

they still get me, because of the device fingerprinting. Hell, the device fingerprinting means that if I install WhatsApp temporarily on the device for some reason, they get my device fingerprint, and can then track me forever even after I uninstall WhatsApp.

The only way round it would seem to be to maintain absolute device segregation. Which means that I have to pick one of three crappy options:

  • I carry two physical phones around with me, one for WhatsApp and one for miscellaneous web browsing
  • I flat out refuse to have WhatsApp on my daily carry phone in any form at all, meaning I can’t e.g. contact a friend who I am supposed to be meeting to tell them I’ll be late
  • I give up on any form of “anonymous” web browsing on my daily carry phone, because I have to assume anything I do is tracked by Meta.

I don’t know. Maybe I’m going nuts. I thought I understood this. I thought I was being clever running WhatsApp Web To Go in a separate profile using a different IP address to my main profile, but the more I think about it the more I realize the device fingerprinting means I’ve been tracked all the time anyway.

Maybe I just need to tell my friends to contact me via traditional text messages if it’s urgent. There might be no message or metadata privacy there, but for “sorry, running 10 minutes late” messages I can live with that, if the alternative is being tracked every time I look at a web page. I could keep WhatsApp on an old phone that never leaves home for general communication with WA-using friends.

FFS.

Device fingerprint is just a bit of identifying information. While we want this to be as low as possible, you may want something saner. You don’t need to cut out your WhatsApp contacts.

2 Likes

Thanks! I think I’ve seen so many references to how it’s so easy to identify devices by their fingerprint that I’ve maybe exaggerated the risk. It doesn’t help that a lot of the information on fingerprinting seems to be vague - probably because we don’t know precisely what any privacy-invasive actor is actually doing in terms of fingerprinting.

I suppose it may also help in this specific example that although WhatsApp-the-app can query all sorts of hardware properties for fingerprinting, in order to have a fingerprint which can be matched with that of the browser fetching ads/like buttons/tracking pixels on random pages, the fingerprint can only be based on something which is also exposed by the browser.

It might even be the case that some things useful for browser fingerprinting are not available to WhatsApp-the-app. For example, presumably WhatsApp-the-app can’t use canvas fingerprinting, as it will have access only to the system webview (on Android) which is not necessarily going to render things the same way as (say) Brave.
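To make the reasoning in the original scenario (IP address plus device fingerprint X) and in the last reply (only attributes that both the app and the browser expose can be matched) concrete, here is an added toy linkage model. It is not code from the thread or from any Meta system; every attribute name, entropy estimate and device count in it is a constructed assumption for illustration only.

```python
"""Toy model of cross-context linkage: which observations from an app
session and a third-party browser session can be tied together, and how
large the resulting anonymity set is. All values are constructed."""

# Constructed entropy estimates (bits) for attributes a tracker might see.
# A canvas hash is browser-specific, so an app that only has the system
# webview cannot match it against a different browser (thread, last post).
ATTR_BITS = {"ip": 14.0, "os_version": 2.0, "screen": 4.0,
             "timezone": 3.0, "language": 2.0, "canvas_hash": 8.0}

def shared_attributes(app_view: dict, browser_view: dict) -> dict:
    """Only attributes exposed by BOTH contexts, with equal values, can link them."""
    return {k: v for k, v in app_view.items()
            if k in browser_view and browser_view[k] == v}

def candidate_devices(matched: dict, population: int) -> float:
    """Expected number of devices in `population` sharing every matched attribute."""
    bits = sum(ATTR_BITS.get(k, 0.0) for k in matched)
    return max(1.0, population / 2 ** bits)

def linkage_confidence(app_view: dict, browser_view: dict,
                       population: int = 1_000_000) -> tuple:
    """Return (sorted matched attribute names, estimated anonymity-set size).
    A size near 1 means the browser visit is effectively attributed to the
    app identity; larger sizes correspond to the 'probability < 1' case."""
    matched = shared_attributes(app_view, browser_view)
    return sorted(matched), candidate_devices(matched, population)

# Constructed sample: fingerprint X as seen by WhatsApp-the-app on VPN A...
APP_VIEW = {"ip": "1.2.3.4", "os_version": "14", "screen": "1080x2400",
            "timezone": "Europe/London", "language": "en-GB",
            "canvas_hash": "webview-a1"}
# ...and by a third-party browser on somerandomsite.com in the same profile
# (same VPN IP, same hardware, but a different rendering engine).
SAME_PROFILE = dict(APP_VIEW, canvas_hash="brave-f7")
# Work-profile variant: different VPN, so the IP differs; hardware is identical.
WORK_PROFILE = dict(SAME_PROFILE, ip="5.6.7.8")

if __name__ == "__main__":
    for label, view in (("same profile", SAME_PROFILE),
                        ("separate profile + VPN", WORK_PROFILE)):
        matched, n = linkage_confidence(APP_VIEW, view)
        print(f"{label}: matched {matched}, ~{n:.0f} candidate device(s)")
```

With these constructed numbers the same-profile visit collapses to a single candidate device, while the separate-profile, separate-VPN visit still leaves a few hundred candidates, which is the difference between a confident identification and a statistical guess.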