Facebook-owned WhatsApp prides itself on its approach to privacy.
But the user data that the messaging app shares publicly is allowing dozens of outside apps to track aspects of WhatsApp users' online activity — including who they're likely talking to, when they're sleeping, and when they're using their devices.
These apps and services use the "online" signaling feature within WhatsApp to enable their users to monitor the digital habits of anyone using WhatsApp without their knowledge or consent, Business Insider has found.
These intrusive apps highlight how even services that strongly protect users' privacy in some ways — like WhatsApp's commitment to encryption — can still expose data that can be used to track their users.
WhatsApp's vulnerability stems from the feature that publicly indicates whether a user is "online" (i.e. using the app) at any given moment. In isolation, this is a relatively innocuous piece of information. But harvesting this data constantly over days and weeks allows the services to aggregate it and build detailed profiles of WhatsApp users' activity and interactions.
The apps don't expose the content of WhatsApp users' messages, or otherwise reveal what the users are sharing or receiving.
But they advertise themselves to potential customers as helping them determine when other people are sleeping, when they're using WhatsApp, and even who they're talking to on the app — which they do by comparing multiple people's activity logs and seeing which ones match up.
The invasive apps resemble a less-severe version of "stalkerware" — covert software that people use to spy on people's messages and devices, and which is sometimes used for controlling purposes in abusive relationships.
"You can imagine what an abuser might do with that information, or say, an employer using this to track if their employees are talking on WhatsApp during the workday, or somebody in law enforcement seeing if people are talking on WhatsApp during a protest," said Cooper Quentin, a senior security researcher at the Electronic Frontier Foundation (EFF), about the WhatsApp-tracking apps. "I can't think of a single good, legitimate use of this."
In a statement, a WhatsApp spokesperson said: "WhatsApp provides privacy controls to users to protect their profile photo, 'last seen' and 'about' status. We maintain automated anti-abuse systems that identify and prevent abuse by apps that attempt to detect information from WhatsApp users, and we are constantly working to improve our systems over time. We also request that app stores remove apps that abuse our brand and violate our terms of service."
The apps attempt to monitor who you're talking to
WhatsApp-tracking apps have proliferated on both Google's and Apple's mobile app stores.
There are dozens of them available on the Google Play Store and Apple's iOS App Store — raising questions as to what checks the two tech platforms are conducting to monitor their platforms for invasive apps.
A Google spokesperson didn't provide comment in time for publication, but pointed to the company's rules prohibiting "spyware," and many of the tracking apps were removed from the Google Play Store on Thursday morning. An Apple spokesperson did not respond to Business Insider's request for comment, and as of Thursday WhatsApp-tracking apps continue to be available in its App Store.
So how, exactly, do the apps work?
When someone has the WhatsApp app open, they are displayed as "online" to their contacts — indicating that they're actively using the messaging service and may reply to a message more promptly. The user of a tracking app enters the phone number of the person they want to track, and the app then constantly checks to see if the target is "online" or not, creating a 24/7 record of their activity. This data can then be displayed visually, allowing the user to monitor their target's online habits, including the times they use their device regularly, and when they're sleeping, over a period of days and weeks.
Some of the apps allow users to enter multiple phone numbers, and then compare their activity automatically to see if they're online at the same times — and thus likely talking to one another.
In some cases, the apps market themselves as helpful tools for parents keeping tabs on children. Others, however, are more explicit about their potential for snooping on spouses, colleagues, and others without their knowledge. "Our WhatsApp online checker and tracker has plenty of potential uses," one website boasts. "Think tracking teenagers who are staying up all night to chat before a big test, coworkers who are spending more time on WhatsApp than they should, or even family members and friends who are up to something suspicious. If you desperately need to know, we're here to help."
Another said in its Google Play description: "You can guess whether your lover is talking to someone else by looking online. You can compare the online time of two people. With the timeline, you can see exactly when it enters and exits. You can receive notifications instantly when online or offline. You can analyze by seeing the time spent on various charts online."
The apps are typically free to download, and some have millions of downloads on Google's Play Store. They typically only offer restricted or time-limited functionality until the user spends money via in-app purchases, and it's not clear exactly how many people have used all the services.
There doesn't appear to be any way for ordinary WhatsApp users to avoid being tracked. One online tool was able to track this reporter's online activity on WhatsApp even after the account was locked down to prevent read receipts and disable the "last seen" feature. A WhatsApp spokesperson confirmed there is no way to disable the "online" feature.
Business Insider reached out to a dozen of the app developers to ask whether they believed the app violated users' privacy, if there was a way to opt out, and if they believe their tools violated WhatsApp's rules. None replied.
WhatsApp is focused on privacy
WhatsApp has long made privacy a key part of its product offering.
All messages on the service are end-to-end encrypted, meaning nobody else can read them apart from the sender and the recipient, including WhatsApp itself.
"Our mission is to connect the world privately by designing a product that's simple and private. So whether you're sending a message to your loved ones, or video calling a friend, your communications remain secure and you're always in control. Here, your conversations stay just between you," the company's website says.
Its terms of service stipulate that users must not "use (or assist others in using) our Services in ways that ... violate, misappropriate, or infringe the rights of WhatsApp, our users, or others, including privacy."
The WhatsApp spokesperson confirmed that the apps violate its terms of service. They said that it has anti-abuse systems to detect these apps and has blocked similar apps in the past.
It's not clear, however, why the company didn't do more to crack down on these apps before they were flagged by Business Insider. The apps advertise their services openly on app stores and websites, with no attempt to hide their purpose. Similarly, Facebook's automated monitoring tools, which are designed to detect and ban bots and data-scraping, seemingly did not detect the apps' activity.
The EFF's Cooper Quentin called on WhatsApp to do more to fix the "flaw" that allowed the apps to harvest user data. "Facebook and WhatsApp are taking a reactive approach, which failed to stop these apps until it was brought to their attention," he said. "This is clearly not the best solution, what they need to do is take a proactive approach and make it so no app can exploit this functionality.
"If there were 12 apps on the Play Store, certainly there are more than that that aren't on the Play Store, are being distributed privately."
Parent company Facebook has long struggled with third-party developers misusing users' data. Political firm Cambridge Analytica infamously misappropriated tens of millions of Facebook users' data, prompting a $5 billion fine and years of upheaval for the company. And more recently, marketing firm Hyp3r was able to take advantage of lax privacy protections in Facebook-owned Instagram to obtain data on millions of users and track their locations.
Got a tip? Contact Business Insider reporter Rob Price via encrypted messaging app Signal (+1 650-636-6268), encrypted email (email@example.com), standard email (firstname.lastname@example.org), Telegram/Wickr/WeChat (robaeprice), or Twitter DM (@robaeprice). We can keep sources anonymous. Use a non-work device to reach out. PR pitches by standard email only, please.