Specific question about WhatsApp on GrapheneOS owner profile

Hello Privacy Community. I have been using GrapheneOS for more than a year now, and I have tried some setups but now I thought it through and I decided that I am going to change things.

I used to not touch the owner profile at all, but then I realized that I have no problem doing so as long as I install open source and privacy respecting apps. The problem is that I want to have everything that I use on a daily basis on the owner profile, because from experience, I’ve concluded that switching profiles is not that comfortable. The problem is that all the people I know use WhatsApp, and I would be using it several times every day, so it has to be on my owner profile.

I have been thinking about what the implications of doing so are, and so far I think that the only problem is that WhatsApp will have access to my unique device identifiers, but as long as all the other apps that I install are privacy respecting and I don’t install any other “bad” app, then I’m fine.

I also thought that WhatsApp may “talk” with other apps, but that’s not going to happen since the other apps are trustworthy. So, what can I be missing here? Can WhatsApp perhaps access some stuff that I most likely don’t want it to access? Besides system identifiers and tie it to my identity. Is it worse than I think that WhatsApp has access to that?

I read you, thank you in advance.

There is a lot possible in theory, but my main concern would be your contacts. WhatsApp likes to have the data of your phone contacts.

The way I set it up was to use a contact group named WhatsApp, and I add everyone who wants to use WhatsApp with me to that, so that only those contacts are contributed to Meta’s social graphing. I went for the group as I can keep backups of that more easily and won’t have to reconfigure it on reset or a new device.

2 Likes

You can use private space instead of profiles for WhatsApp.

Set lock private space to only after device restarts.

2 Likes

WhatsApp (WA) won’t have access to hardware identifiers no matter what profile it’s installed in, as per the GrapheneOS documentation. Though do be mindful that if you grant WA the Phone permission, it’ll see your currently active phone number, which may or may not be an issue depending on what number you used to register to WA.

WA can only access what you give it access to. It’s bound by the Android app sandbox just like all other apps. If you don’t give it access to something, it can’t access it. You can check what you’ve granted WA access to from Settings > App > See all apps > WhatsApp > Permissions.

On the same note, be mindful that if you grant WA full Gallery and/or Contacts access, then nothing will stop it from scanning everything you have in there. I recommend looking into both Contact scopes & using the built-in case-by-case limited Gallery access when you’re sending photos or videos.

Assuming that you’re using WA with people who know you personally, it’s very likely that those people have saved your information in their contacts under your proper name. And since WA (most likely) has contacts access on those people’s phones, Meta can see your information from their phones. Your WA account is most likely already linked to your identity, even if you’ve done everything right on your end. Meta doesn’t need to access your hardware identifiers to track you in this regard.

I also second this response if you want the extra safety with the Gallery & Contacts access to prevent yourself from accidentally giving more access than you aim for.

Good luck.

2 Likes
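The permission check described in the post above can also be done over adb. This is an added example, not part of the thread: it assumes USB debugging is enabled, that `dumpsys package` prints runtime permissions in the stock `NAME: granted=true|false` form, and the `audit_grants` and `sample_dump` names are made up for illustration.

```shell
#!/bin/sh
# Added example: report which Contacts / Phone / Gallery runtime permissions
# an app currently holds, read from `dumpsys package` output on stdin.
# Live usage (assumption: adb is set up for the device):
#   adb shell dumpsys package com.whatsapp | audit_grants

audit_grants() {
    awk '
        # One line per runtime permission, for example:
        #   android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        /android\.permission\.[A-Z_]+: granted=true/ {
            perm = $1
            sub(/:$/, "", perm)
            sub(/^android\.permission\./, "", perm)
            group = ""
            if (perm ~ /^(READ_CONTACTS|WRITE_CONTACTS|GET_ACCOUNTS)$/) group = "Contacts"
            if (perm ~ /^(READ_PHONE_STATE|READ_PHONE_NUMBERS|CALL_PHONE)$/) group = "Phone"
            if (perm ~ /^(READ_MEDIA_IMAGES|READ_MEDIA_VIDEO|READ_EXTERNAL_STORAGE)$/) group = "Gallery"
            # Permissions outside the three groups from the thread are ignored.
            if (group != "") print group ": " perm
        }
    ' | sort -u
}

# Constructed sample in the shape of dumpsys output (not from a real device).
sample_dump() {
    cat <<'EOF'
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET]
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
EOF
}

# Demo run on the constructed sample.
sample_dump | audit_grants
```

An empty result means none of the three groups is granted; any line that appears is a grant to review against what the app actually needs.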

I didn’t take the time to read about private spaces’ documentation yet. What are the benefits of using a private space if I am not going to give WhatsApp any permissions that I don’t want to?

Thanks a lot for your response. Are you sure that apps don’t have access to the Android ID? I recall that apps can access it, but it changes from one profile to the other. Anyway, it’s not that important in my case, but just to be sure.

About contacts and gallery, yes, I definitely don’t want to give it full access. And I have also thought through the fact that WhatsApp will completely know my identity, I shouldn’t have mentioned that.

The only thing that really sucks about WhatsApp is that you have to give it phone permission in order to just do phone calls on the app, and I realized the other day that, as you also said, WhatsApp can see other phone numbers on the device, so that definitely sucks.

Again, thank you for your response. I am much more confident now.

Oh nvm, looks like you can’t enable phone calls & SMS permissions in private space. I think you need it for WhatsApp.

“A drawback of private spaces, compared to full secondary user profiles, is that it’s not possible to grant it access to ‘phone calls & SMS’. This prevents verification via SMS from working and prohibits using some apps within private spaces.”

1 Like

Android ID isn’t a persistent hardware identifier. It has a dedicated paragraph in the GOS documentation about what it is, what it isn’t, and why it might not be as much of an issue as it might appear.

On the same note, WA doesn’t need Android ID to track you. In fact, it doesn’t even need persistent hardware identifiers at all. It already has everything it needs: your phone number. Even better, it (most likely) has access to the phone books of the people you’re messaging with. Your device identifiers are irrelevant when WA can track you despite them. Android ID will change between profiles & phones, but your number will stay the same between devices.

Yup. That’s WA for you. “Give us your data or we won’t let you use the app.” Nothing much we can do about it. If that’s what the app demands, then the only choice we the users have is to either accept it or to refuse & use something else.

I feel you. 🤕

I’m much in the same position. I know the “correct” solution to stopping WhatsApp from collecting data is to stop using it in the first place. Yet there are people in my social circle who simply refuse to use anything other than WA. Some I’ve managed to move over onto Signal, but there’s still a long way to go.

All I can say is keep on advertising Signal to the people you’re actively messaging. Maybe one day they’ll finally move on over & you can get away from the data-hungry tracking platform known as WhatsApp.

1 Like

Amazing, thanks for the clarification. I’m definitely going to check private spaces soon.

Thank you very much. I truly hate WhatsApp. I’m hopeful that one day Signal will be much more popular and we’ll be able to ditch WA. Signal is just very good; it’ll just take some time and unfortunately a lot of privacy violations from companies for people to see it, but I think it’s inevitable.