I know you’re messaging at work!

Image: WhatsApp

Computer scientists at FAU highlight how WhatsApp threatens privacy

You see it everywhere, on the bus or the train, on the street or in a café: every few minutes, people turn their attention to their smartphones, type something and quickly receive a reply. The instant messaging service WhatsApp has around 600 million users worldwide, is firmly integrated into everyday life and is used on smartphones more often than the telephone function. But how well is its users’ privacy protected? The Chair of Computer Science 1 (IT Infrastructures) at FAU has investigated exactly this – with some rather unsettling results.

When a user opens WhatsApp, they are automatically shown as ‘online’ in the network; when they close it again their status is set to ‘offline’. This function is an inherent part of the program which means that it cannot be switched off. In addition, a user’s online status is visible to everyone who has their phone number. Authorisation from the user is not required for this, meaning that this information can easily be accessed by third parties. Researchers at the Chair of Computer Science 1 observed 1000 randomly selected users from across the globe around the clock for a period of nine months in order to find out which information could be gathered from their online status and whether WhatsApp is doing anything to prevent its users’ data being accessed.

To do this, the research group developed a special program that is constantly online in the network and records users’ online status. The data showed, for example, that users log on 23 times and spend a total of 35 minutes reading and writing messages per day on average. In this respect, German users come in slightly above the average – they open the app 26 times and use it for an average of 41 minutes per day, with the most frequent use being between 1 p.m. and 9 p.m.

User data treated carelessly

‘If it is possible to observe when a user uses the app over an extended period of time, the data collected can be used to reconstruct sensitive information about their habits, such as when they go to bed, when they get up, whether they were out longer at the weekend, or how often they use WhatsApp at work,’ explains Andreas Kurtz from the Chair of Computer Science 1. Furthermore, third parties can always see whether or not a user is available. Given the threat that this poses to privacy, it is worrying that WhatsApp so far seems to have done very little to solve this problem and implement appropriate security measures. ‘As our program does not send any messages itself, has contact with many users at the same time and is connected to the network around the clock, it contrasts strongly with the typical user behaviour and should be easy for WhatsApp to identify and shut down,’ says Kurtz. However, nothing like this has happened. ‘With this project we want to make people aware of how careless WhatsApp is with the data regarding its users’ online status,’ he explains.
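The three traits named above (no messages sent, contact with many users, connected around the clock) can be written down as a server-side check. The sketch below is an added example, not code from the FAU project or from WhatsApp; the event format, the event names and both thresholds are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

DAY = 24 * 60 * 60  # observation window in seconds

# Assumed thresholds, chosen for illustration only.
MIN_TARGETS = 100      # distinct users whose status was requested
MIN_CONNECTED = 0.95   # fraction of the window spent connected

def profile(events, window=DAY):
    """Summarise each account from (account, t, kind, target) events (hypothetical format)."""
    stats = defaultdict(lambda: {"sent": 0, "targets": set(), "connected": 0, "since": None})
    for account, t, kind, target in sorted(events, key=lambda e: e[1]):
        s = stats[account]
        if kind == "connect" and s["since"] is None:
            s["since"] = t
        elif kind == "disconnect" and s["since"] is not None:
            s["connected"] += t - s["since"]
            s["since"] = None
        elif kind == "message_sent":
            s["sent"] += 1
        elif kind == "status_request":
            s["targets"].add(target)
    for s in stats.values():
        if s["since"] is not None:  # still connected when the window ends
            s["connected"] += window - s["since"]
            s["since"] = None
    return stats

def flag_monitors(events, window=DAY):
    """Return accounts that show all three traits at once."""
    flagged = []
    for account, s in profile(events, window).items():
        if (s["sent"] == 0
                and len(s["targets"]) >= MIN_TARGETS
                and s["connected"] / window >= MIN_CONNECTED):
            flagged.append(account)
    return sorted(flagged)

def sample_events():
    """Constructed sample: one ordinary user and one always-on observer."""
    events = [("observer", 0, "connect", None)]
    events += [("observer", 60 + i, "status_request", f"user{i}") for i in range(1000)]
    # Ordinary user: 23 sessions of 90 seconds each, one message per session.
    for n in range(23):
        start = 7 * 3600 + n * 2400
        events += [("alice", start, "connect", None),
                   ("alice", start + 30, "message_sent", "bob"),
                   ("alice", start + 40, "status_request", "bob"),
                   ("alice", start + 90, "disconnect", None)]
    return events
```

Requiring all three traits together keeps ordinary heavy users out of the result: the constructed ordinary account matches the article's average of 23 sessions and roughly 35 minutes per day and is not flagged.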

The results of the project and a description of the extent of the information which can be deduced from the data collected are available at www.onlinestatusmonitor.com. Naturally all of the data which was recorded has been fully anonymised and the exact times when users were online have not been published. The data the researchers were able to request anonymously from the WhatsApp servers has only been published in aggregated form.

Further information:

Prof. Dr. Felix Freiling
Andreas Kurtz
Phone: +49 9131 8570218 (Press Office)
andreas.kurtz@cs.fau.de