WhatsApp prides itself on its approach to privacy.
But the user data that the Facebook-owned messaging app shares publicly is allowing dozens of outside apps to track aspects of WhatsApp users’ online activity — including whom they’re likely talking to, when they’re sleeping, and when they’re using their devices.
These apps and services use the “online” signaling feature within WhatsApp to enable their users to monitor the digital habits of anyone using WhatsApp without their knowledge or consent, Business Insider has found.
These intrusive apps highlight how even services that strongly protect users’ privacy in some ways — like WhatsApp’s commitment to encryption — can still expose data that can be used to track their users.
WhatsApp’s vulnerability stems from the feature that publicly indicates whether a user is “online” (i.e., using the app) at any given moment. In isolation, this is a relatively innocuous piece of information. But when these apps harvest this data constantly over days and weeks, the services are able to aggregate and build detailed profiles of WhatsApp users’ activity and interactions.
The apps don’t expose the content of WhatsApp users’ messages or otherwise reveal what the users share or receive.
But they advertise themselves to prospective customers as helping them determine when other people are sleeping, when they’re using WhatsApp, and even whom they’re talking to on the app — which they do by comparing multiple people’s activity logs and seeing which ones match up.
The invasive apps resemble a less-severe version of “stalkerware” — covert software people use to spy on others’ messages and devices that is sometimes used for controlling purposes in abusive relationships.
“You can imagine what an abuser might do with that information or, say, an employer using this to track if their employees are talking on WhatsApp during the workday, or somebody in law enforcement seeing if people are talking on WhatsApp during a protest,” Cooper Quintin, a senior security researcher at the Electronic Frontier Foundation (EFF), said of the WhatsApp-tracking apps. “I can’t think of a single good legitimate use of this.”
In a statement, a WhatsApp spokesperson said: “WhatsApp provides privacy controls to users to protect their profile photo, ‘last seen’ and ‘about’ status. We maintain automated anti-abuse systems that identify and prevent abuse by apps that attempt to detect information from WhatsApp users, and we are constantly working to improve our systems over time. We also request that app stores remove apps that abuse our brand and violate our terms of service.”
The apps attempt to monitor whom you’re talking to
WhatsApp-tracking apps have proliferated on both Google’s and Apple’s mobile-app stores.
There are dozens of them available on the Google Play store and Apple’s iOS App Store — raising questions as to which checks the two tech platforms are conducting to monitor for invasive apps.
A Google spokesperson didn’t provide comment by the time of publication but pointed to the company’s rules prohibiting “spyware,” and many of the tracking apps were removed from the Google Play store on Thursday morning. An Apple spokesperson did not respond to Business Insider’s request for comment, and as of Thursday, WhatsApp-tracking apps continued to be available in its App Store.
So how, exactly, do the apps work?
When someone has WhatsApp open, they are displayed as “online” to their contacts — indicating that they’re actively using the messaging service and may reply to a message more promptly. The user of a tracking app enters the phone number of the person they want to track, and the app then constantly checks to see if the target is “online” or not, creating a 24/7 record of their activity. This data can then be displayed visually, allowing the user to monitor their target’s online habits, including the times they use their device regularly and when they’re sleeping, over a period of days and weeks.
Some of the apps allow users to enter multiple phone numbers and then compare their activity automatically to see if they’re online at the same times — and thus likely talking to one another.
In some cases, the apps market themselves as helpful tools for parents keeping tabs on children. Others, however, are more explicit about their potential for snooping on spouses, colleagues, and others without their knowledge.
“Our WhatsApp online checker and tracker has plenty of potential uses,” one website says. “Think tracking teenagers who are staying up all night to chat before a big test, coworkers who are spending more time on WhatsApp than they should, or even family members and friends who are up to something suspicious. If you desperately need to know, we’re here to help.”
Another said in its Google Play description: “You can guess whether your lover is talking to someone else by looking online. You can compare the online time of two people. With the timeline, you can see exactly when it enters and exits. You can receive notifications instantly when online or offline. You can analyze by seeing the time spent on various charts online.”
The apps are typically free to download, and some have millions of downloads on Google’s Play store. They typically offer only restricted or time-limited functionality until the user spends money via in-app purchases, and it’s not clear how many people have used the services.
There doesn’t appear to be any way for ordinary WhatsApp users to avoid being tracked. One online tool was able to track my online activity on WhatsApp even after the account was locked down to prevent read receipts and disable the “last seen” feature. A WhatsApp spokesperson confirmed there was no way to disable the “online” feature.
Business Insider reached out to a dozen of the app developers to ask whether they believed the apps violated users’ privacy, if there was a way to opt out, and if they believed their tools violated WhatsApp’s rules. None replied.
WhatsApp is focused on privacy
WhatsApp has long made privacy a key part of its product offering.
All messages on the service are end-to-end encrypted, meaning nobody can read them apart from the sender and the recipient, including WhatsApp itself.
“Our mission is to connect the world privately by designing a product that’s simple and private. So whether you’re sending a message to your loved ones, or video calling a friend, your communications remain secure and you’re always in control. Here, your conversations stay just between you,” the company’s website says.
The WhatsApp spokesperson confirmed that the apps violate its terms of service, adding that the company has anti-abuse systems to detect these apps and has blocked similar apps in the past.
It’s not clear, however, why the company didn’t do more to crack down on these apps before they were flagged by Business Insider. The apps advertise their services openly on app stores and websites, with no attempt to hide their purpose. Similarly, Facebook’s automated monitoring tools, which are designed to detect and ban bots and data scraping, seemingly did not detect the apps’ activity.
EFF’s Quintin called on WhatsApp to do more to fix the “flaw” that allows the apps to harvest user data.
“Facebook and WhatsApp are taking a reactive approach, which failed to stop these apps until it was brought to their attention,” he said. “This is clearly not the best solution. What they need to do is take a proactive approach and make it so no app can exploit this functionality.
“If there were 12 apps on the Play store, certainly there are more than that that aren’t on the Play store, are being distributed privately.”
Got a tip? Contact Business Insider reporter Rob Price via encrypted messaging app Signal (+1 650-636-6268), encrypted email (email@example.com), standard email (firstname.lastname@example.org), Telegram/Wickr/WeChat (robaeprice), or Twitter DM (@robaeprice). We can keep sources anonymous. Use a nonwork device to reach out. PR pitches by standard email only, please.