Have you seen the latest message from WhatsApp about their end-to-end encryption?
It links to their Help Center, where they claim that privacy and security are “in their DNA.” Sounds reassuring… maybe too reassuring.
But what does WhatsApp’s end-to-end encryption really cover? And more importantly, what does it leave exposed?
Let’s unpack the fine print and highlight the key things users should watch for when it comes to protecting their data and privacy.
Let’s start from the beginning. End-to-end encryption is a security method that ensures messages and calls are protected from unauthorized access. This means that no one outside the conversation, not even the app provider, can read your messages.
A closer look at WhatsApp’s own documentation reveals a more nuanced truth: end-to-end encryption doesn’t mean total privacy, and it certainly doesn’t mean total protection.
According to WhatsApp’s own FAQ on encryption, here’s what is covered by E2EE:
These contents are encrypted using the Signal Protocol, and can only be decrypted by the sender and recipient. So far, so good.
Most users assume “end-to-end encrypted” means all activity on the app is secure. But that’s far from the case. The following data is not encrypted:
This metadata can be, and often is, logged and stored on servers. While WhatsApp says they “limit” this data, it's still collected, and it’s not protected by E2EE.
Keep in mind: Metadata can paint an extremely detailed picture of your behavior, contacts, and habits, without ever needing to read the actual message content.
If you back up your WhatsApp messages to Google Drive or iCloud, those backups are not protected by WhatsApp’s end-to-end encryption unless you explicitly enable encrypted backups, which are off by default.
You must manually enable encrypted backups and choose a password or 64-digit key. Even then, this feature is only as secure as the cloud platform’s own protections, and users often don’t realize they’re using default, unencrypted backups.
WhatsApp Payments, available in certain regions, allow users to send and receive money. However:
Keep in mind: Even in a private chat, your financial activity could be visible to external services and potentially vulnerable to compromise.
When you message a business on WhatsApp:
Keep in mind: End-to-end encryption no longer applies once your data enters external systems or business tools.
End-to-end encryption is a critical tool, but it’s not a blanket guarantee of privacy. In WhatsApp’s case, encryption only applies to the message content, not the ecosystem around it.
If you're relying on WhatsApp for sensitive communication, whether personal, professional, or even financial, you need to understand what is exposed:
Understanding what isn’t encrypted is just as important as what is.
If you’re serious about data protection, dig beyond the marketing and ask: What else is being collected? Where is it stored? Who else has access?
The answers might surprise you.
A critically important reminder is that tools such as WhatsApp and Signal are not built for business purposes, but rather for consumer use. They lack capabilities that are essential to keeping enterprise and government data private, protected, and compliant. Try to use these sorts of tools for securing work communications and you might end up with your very own version of Signalgate.
Consumer-style encrypted communication is not just the domain of Signal and WhatsApp. Even tools that describe themselves as fit for enterprise and government may have significant deficiencies that put them more on par with consumer tools. For example, Element leaves end-to-end encryption off by default in certain group settings, which means that it’s easy to forget to turn it on, leaving communications unprotected. And Matrix is somewhat (in)famous for the level of spam that users encounter, due to a somewhat lax approach to enforcing security standards across accounts.
The lesson is that if you’re looking for secure communications that will keep your organization’s sensitive data well-protected, you need a solution that is built from the ground up to directly address that goal. And it’s also why you should learn more about Wire, the industry’s most advanced and scalable secure communications platform, built for and used by the world’s leading enterprises and government agencies.