What WhatsApp Gives Away About You – No Matter What

I have already pointed out several times in previous posts that WhatsApp offers a number of “loopholes” for authorities from repressive countries. These include, for example, the Google Drive backup without sufficient encryption or the WhatsApp web application, which may be vulnerable. This article is about the metadata that WhatsApp stores about you and will definitely pass on.

Registration information – last device change

WhatsApp collects some data during registration (i.e. the last time the account was transferred to a phone), such as the platform used (operating system), the network, the network name, the device, the account type and also the exact time of registration.

This means that if a mobile device is changed, the country or network in which the change took place can be determined at any time, even retrospectively. The device used is also known at all times.

Usage information – location can be determined

In addition to the registration data, WhatsApp also diligently collects data during use:

This includes phone number, email address and device activity data. Even the exact time at which your profile picture was saved is stored. Less conspicuous at first glance, but relatively critical, is the storage of the “previous IP connection”: WhatsApp evidently also stores the previous IP address, and even records how long the user has been using that IP.

This storage is not technically necessary and is highly likely to be illegal.

However, this opens up a wide range of possibilities for law enforcement agencies. The stored IP makes it very easy to determine the provider and therefore the approximate location of a person. Even after switching to a supposedly secure VPN (note: a VPN is not automatically secure), the previous IP remains visible in the inventory data.

Further information – group names and contacts visible

WhatsApp also stores a lot of other information in plain text on its servers, including a complete list of contact numbers and, much more seriously, a list of all groups in plain text:

Account settings – Blocked contacts and status privacy

The account settings are also stored on the WhatsApp servers (and not locally on the device) and are easily passed on to unwanted parties.

Not only are “settings” revealed, but also which contacts you share your status with and which numbers you have blocked.

In addition, all devices are saved, including the time of registration.

Possibilities – What does this mean for investigating authorities?

The metadata described in the previous sections are not just technical side effects – they give investigating authorities comprehensive access to your digital profile. This is particularly problematic in repressive countries – or in the case of very far-reaching interpretations of police investigative powers.

1. Use in criminal proceedings in Germany:

Metadata such as registration times, IP history, device constellations and group affiliations can be integrated into investigations in accordance with Sections 100j, 100g, 100k of the German Code of Criminal Procedure. The clear distinction between inventory data (e.g. telephone number, last IP address), usage data (e.g. device changes, activity times) and traffic data (e.g. time and duration of connections) is crucial because there are different legal hurdles depending on the category.

2. Data retention through the back door:

Even if general data retention is not permitted, services such as WhatsApp voluntarily store metadata over long periods of time. This data can be retrieved as part of a telecommunications surveillance measure (TKÜ) or by means of disclosure orders in accordance with EU law (e.g. E-Evidence Regulation or Digital Services Act) – often without a court order in the country of origin.

3. Location determination despite VPN:

Even when using VPNs or Tor, the “previous IP address” will be read from the WhatsApp log data. Authorities could thus reconstruct a precise movement profile with a simple comparison of old IP addresses, as roaming and provider data also allow conclusions to be drawn about countries and regions (Sections 100g, 100k StPO).

4. Access to group structure and contacts:

As already mentioned, group names, contacts and blocked users are stored in plain text. As part of investigations, authorities could use this to analyze entire networks – similar to the EncroChat or Sky ECC proceedings. Although the content of the communication is encrypted, group membership and contact structure are often sufficient for an initial suspicion (Sections 100a, 100j, 129 StGB – criminal association). Even a like or meme in the wrong context can trigger an investigation, as numerous examples show.

5. Automated profiling:

The information extracted from WhatsApp metadata can be integrated into modern analysis platforms such as hessenDATA or Palantir. This allows patterns to be recognized as part of predictive policing, contacts to be linked and risk profiles to be created – even without a court order.

6. Criminal defense and problems with the use of evidence:

The legal problem lies in the fact that much of this data is collected without a specific catalog crime. The data can only be used if there is a concrete initial suspicion (Sections 160a, 100a et seq. of the German Code of Criminal Procedure). If data is only collected on the basis of vague indications – for example through Tor use or membership of a group with a critical name – prohibitions on the use of evidence may apply if these are asserted by the defense at an early stage.

Metadata is the real treasure trove of data

While many users rely on WhatsApp’s end-to-end encryption, they overlook the fact that states have long been using an alternative attack vector: metadata. This is not encrypted, is often stored for long periods of time and is legally more easily accessible.

If you want to protect your privacy, you need to think not only about the content, but above all about the “surrounding data”. As the example of WhatsApp shows, metadata is now often enough to create complete social, spatial and temporal profiles – without ever having to read a message.

None of your business? You haven’t done anything wrong?

This is a common reflex: “I have nothing to hide, so everything can be saved.” But this thought falls short – and overlooks how easily harmless information can become suspicious in the wrong context. Mere membership of a group with a provocative name, contact with a blocked person or the use of a VPN service can be considered “conspicuous” in automated evaluations – even if no crime has been committed. As already mentioned, an initial suspicion – often based on metadata – rather than evidence is sufficient for many investigative measures. Anyone who believes that innocence is a protective shield is misjudging the dynamics of modern surveillance: it’s no longer about what you do – but with whom, when, where and how often. And your metadata reveals all of this. Even if you haven’t done anything wrong. Not yet.
