Freedom of the Press Foundation
Show Navigation

WhatsApp now supports messages with third-parties

Martin Shelton
Dr. Martin Shelton

Principal Researcher

Electronic Frontier Foundation. (CC BY 2.0)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Under the new European Union law, the Digital Markets Act, Meta is required to allow interoperability between third-party chat software and its WhatsApp and Facebook Messenger apps. These tools offer end-to-end encryption using the Signal protocol, the strong encryption specifications pioneered by the Signal encrypted messaging app. According to Meta, this will be an opt-in feature to help mitigate against receipt of spam and scams from third-party integrations.

In its announcement, the company promoted the security benefits of the Signal protocol, preferring third parties use this protocol, but allowing other protocols besides Signal if they demonstrate they offer the same security guarantees. “To interoperate, third-party providers will sign an agreement with Messenger and/or WhatsApp and we’ll work together to enable interoperability,” Meta added. It is currently unclear if Signal will sign such an agreement. Read more here.

What you can do

  • In my experience, WhatsApp — with a user base of over 2 billion — suffers from a much bigger problem with spam and scams than Signal. And because it's unlikely third-party developers besides Signal can offer equivalent or better security guarantees (at least for now), we think this primarily makes a difference for users of Signal who may want to talk to people on WhatsApp. This might be handy if, say, you have a source or colleague who doesn't want to use Signal and spends a lot of time on WhatsApp.
  • While WhatsApp does use the Signal protocol, there are a lot of ways to inadvertently leak data from WhatsApp beyond the app. For example, WhatsApp has a fun habit of encouraging you to back up your conversations to Meta in a format legible to the company. Likewise, you might be inadvertently leaking photos received through WhatsApp outside of the app. This potentially affects anyone you talk to on third-party apps as well. So if you are a WhatsApp user and want to maximize protections, read our guide to upgrading WhatsApp security.
  • Compared to WhatsApp, Signal users by default can be more certain that they are not leaking data beyond the app. But you can still tighten its settings even further. Read our guide to locking down Signal.

Updates from our team

  • We’re working to improve the usability of our website. The purpose of this study, created by our design partners at Wide Eye, is to understand how we can make the FPF website easier to use and improve content organization. The study itself is a series of tasks where you choose links that you think answer the question. There are no wrong answers, and you’ll have the opportunity to provide additional feedback at the end. If you want to help us improve, participate in the short study survey here.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,

Martin

Donate to support press freedom

Your support is more important than ever.
Donate now

Read more about Digital Security Digest

Header image with a graphic of Signal's "speech bubble" logo, with a pattern of silhouettes of phones in the background.

Crossfire over messaging security

Johns Hopkins cryptography professor Matthew Green explains that “the cryptography behind Signal (also used in WhatsApp and several other messengers) is open source and has been intensively reviewed by cryptographers. When it comes to cryptography, this is pretty much the gold standard.” By comparison, Telegram does not provide end-to-end encryption protection by default and only offers it as an option in one-on-one “Secret Chat” mode.

57fe4d8e-3f52-ea6d-d840-5e8dd6dca412

Google Docs locks out writer

While it’s powerful and convenient, Google Docs might not be right for all documents, including those that you consider sensitive, private, or that you can’t risk losing. Read more about newsroom privacy and security considerations when using Google Workspace.

Google details app violations

According to its security blog, Google prevented 2.28 million — yes, million — Android apps from being published on its Play Store in 2023. The company says it also removed 333,000 accounts for attempting to deliver malware through the Play Store, as well as for “repeated severe policy violations.” These numbers have grown substantially since 2022, when the company disclosed it prevented 1.43 million apps from being published on the Play Store.

More posts