WhatsApp isn’t actually deleting its ’deleted’ chats - expert comments

August 2016 by Expert

It has been reported that the latest version of WhatsApp leaves forensic traces of
chats, even after they have been deleted. The security researcher that discovered
the bug said that the only way to properly delete them is to delete the app
entirely.

Richard Cassidy, cyber security evangelist at Alert Logic:

“Full preservation of privacy can be obtained for data in transit; that is to say
when your messages are sent from your computer/phone to another user, the encryption
that they are sent with can provide the highest levels of privacy possible, which is
great news if you are worried about your messages being intercepted by a 3rd party.
That said, however, it’s the messages that reside on your iPhone or computer that
pose the biggest risk to privacy. Leaving the issue of gaining access to your
phone/computer through nefarious techniques aside, if you delete conversations,
traces are still evident on the disk and with the correct search tools can be
recovered. Naturally disk encryption on a computer is a good place to start, so that
even if the disk is recovered, getting access to the data will be more of a
challenge, if not impossibly difficult and as such will maintain privacy past data
usefulness. Unfortunately, less capable solutions exist for handsets.

Any offenders will be affected if they use certain types of database software to
store chat messages. SQLite is affected, given how data is stored and then chat
records deleted, which means that traces of specific chats will always remain
(albeit broken, but certainly legible in some cases) until overwritten, but
unfortunately overwrites can take months in some cases. This is a common issue
across how many applications handle purging of data.

To increase preservation of privacy when using WhatsApp or other messaging
apps, encryption is always key. But if you really want the chat data to be deleted
permanently, then it’ll be a case of deleting the application entirely, removing the
database records that could be searched (through app deletion) and restarting again.
I suspect we’ll see some tools develop in the near future that can search for
these records and remove them correctly, but the onus has to be on the application
developers to offer users a specific delete function that will indeed perform this
for them, regardless of how much extra time is required; the user should always have
the choice or be given the details of the risk.”
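
The SQLite behaviour described in the comment above can be reproduced on a throwaway database. This is an added example, not code from the article, the quoted experts or WhatsApp; the file, table and column names and the message text are constructed, while `PRAGMA secure_delete` and `VACUUM` are standard SQLite features a developer can use to clear such remnants.

```python
import os
import sqlite3
import tempfile

# Constructed sample data; file, table and column names are hypothetical.
SECRET = "meet at the old pier at nine"
ROWS = ["hello there", SECRET, "see you tomorrow"]


def raw_contains(path, needle):
    """Scan the database file as raw bytes, ignoring SQL entirely."""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def remnant_after_delete(secure_delete, vacuum=False):
    """Delete one message; return True if its text is still in the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        conn = sqlite3.connect(path)
        # Set explicitly: the compiled-in default differs between SQLite builds.
        mode = "ON" if secure_delete else "OFF"
        conn.execute(f"PRAGMA secure_delete = {mode}")
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany("INSERT INTO messages (body) VALUES (?)",
                         [(r,) for r in ROWS])
        conn.commit()
        # To SQL the row is gone after this, whatever the pragma says.
        conn.execute("DELETE FROM messages WHERE body = ?", (SECRET,))
        conn.commit()
        if vacuum:
            # Rebuilds the file from live rows only, dropping freed space.
            conn.execute("VACUUM")
        conn.close()
        return raw_contains(path, SECRET)


if __name__ == "__main__":
    print("plain DELETE leaves text in file:  ", remnant_after_delete(False))
    print("secure_delete=ON leaves text:      ", remnant_after_delete(True))
    print("DELETE then VACUUM leaves text:    ", remnant_after_delete(False, True))
```

The check covers only the main database file; journal or WAL files and the storage medium itself are outside what this example inspects.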

Stephen Gates, chief research intelligence analyst at NSFOCUS:

“Individuals who use these types of apps must understand that any encryption can
be broken. There is no bulletproof encryption, only “stronger encryption”. In
addition, there is no such thing as full privacy when using electronic devices. If
you want to ensure your communications are completely un-hackable and untraceable,
use smoke signals. They dissipate moments after they are sent, and the
conversations can never be reconstructed.”

Mark James, security specialist at ESET:

“When looking at any process for sending or receiving sensitive information your
number one goal has to be its ability to keep said messages away from prying eyes.
What people fail to realise is there are many avenues and stops to moving data from
one location to another, we often focus on the app in front of our nose and forget
all the other factors that form its makeup. That’s what we are seeing here, of
course as with any data route it’s only as strong as its weakest link and you have to
take this into account if you are indeed going to use WhatsApp or indeed any other
messaging app for sending sensitive or private data around to others both business
or personal. Unfortunately these days you have to assume that if it’s on the
internet in any way shape or form then it’s not 100% private.

Trying to ascertain a program’s integrity or its ability to do exactly as
advertised for most of us is no more than reading reviews, speaking to experts and
doing as much research as humanly possible before committing and then buying that
product. For most software that’s not a big deal but tools that offer security or
are solely designed to keep your data private you often only get one chance, a
program called Signal by Open Whisper Systems supposedly does just that, but as with
any program you should do your own research and totally understand what the
application is and is not capable of doing.

If WhatsApp is your app of choice then make sure you are aware of its current
failings. That’s not to say it’s always going to be the case; most manufacturers
are always trying to improve their offerings and work very hard to do things right.
Look at the type of messages you’re sending and understand what’s involved to
actually be able to see the remnants of these messages. Having the ability to
remotely wipe your device if it falls into the wrong hands should be a factor in
securing your device.”

Lee Munson, security researcher at Comparitech.com:

“In theory full encryption, whether it relates to messaging apps or any other type
of communication, is entirely secure and capable of protecting the privacy of
whoever is using it.

In practice, however, the problem with full encryption is that it is just a phrase
used to describe complex mathematical computations that are extremely hard to
crack, thus making the act of decryption too time-consuming and hence too costly.

The thing is, though, computational power is always on the increase so the ability
to crack any given type of encryption is only likely to increase with time. For that
reason, no-one should ever fall into the trap of believing any system is completely
infallible.

The implementation used by WhatsApp is still plenty good enough for the typical
consumer, at least in terms of the protection it offers data as it is transmitted
from one device to another. Given many apps do not encrypt data in any way
whatsoever, I still wholeheartedly recommend WhatsApp for secure and private
communications.

Anyone who feels alarmed by the fact that WhatsApp leaves message traces on the
sending and receiving devices should ensure that their phones, tablets or other
machines are suitably secured themselves.

That means strong passwords and possibly the avoidance of authentication that relies
upon biometrics as in some countries, such as the US, a court can order a suspect to
use something they have (a fingerprint, for example) but not give up something they
know (a password or passcode).”

