How can WhatsApp share information with Facebook if the messages are encrypted end-to-end? [closed]

WhatsApp is enforcing a new controversial privacy policy that, as far as I understand, shares data from your chat messages with Facebook to provide you with "tailored ads" on Facebook.

How can WhatsApp share this information with Facebook, if the messages are encrypted end-to-end?

Does it mean that the messages are encrypted in my phone, sent encrypted (with the key to decrypt) to Facebook for targeting Ads, and another message is sent with the key to decrypt to the cellphone of the person I'm having a chat with?


  1. End-to-end encryption means that your message is encrypted and decrypted locally on your and your recipient's devices, using an encryption key that is known only to you and your recipient.

  2. WhatsApp claims to have implemented the "open-source Signal encryption protocol" (which works as described above), but since WhatsApp's actual source code is closed, there is no way to verify that claim. It's like putting a transparent fish bowl in a wooden crate: could be a goldfish, could be a piranha. There is no way of knowing.

  3. Think of an end-to-end encrypted message as Alice sending a number-locked safe to Bob by a mail service. Alice puts the safe in a cardboard box, writes down Bob's address as well as her own, and delivers the package to the mail service. Now imagine that prior to sending the number-locked safe, Alice met Bob in private, and whispered in his ear that the secret code to unlock the safe is 654321. It means that neither the postal service, nor any thief who may somehow steal Alice's package on the way, has the ability to see what's inside the safe. Unless they know the secret code, the package is nothing more than a piece of metal junk to them, no matter how long it is stored in the postal office and no matter how many hands it exchanges before reaching Bob. Once Bob receives the package, only he can unlock the safe, because only Alice and Bob know the secret code. This is exactly how end-to-end encryption works.

  4. So privacy guaranteed, right? Not yet. Your postal service actually knows that Alice has sent "a package" to Bob. It knows their real names and addresses. It knows how late the package was sent and received, and at which location. It also knows exactly the weight of every package. This information is called raw metadata.

  5. You may think that raw metadata does not tell much on its own, and you might be right. But because the postal service stores records of every delivery for every client for eternity, it can then analyze metadata to find patterns. Information such as day of the week, time of day, location, (shared) addresses, package weight, (ir)regularity of communication, etc., can all reveal a colossal amount of personal information, if properly analyzed.

Example: Alice and Bob exchange many packages every Wednesday and Friday evening between 21:00 and 22:00 PM. Coincidentally, it's exactly the time that Alice's husband Carlos is training at his gym. This package-exchange is then followed by Alice and Bob both sending packages from the same location at a nearby motel from 14:00 to 16:00 PM every Saturday (which coincidentally falls within the timeframe of Carlos being out fishing with his friends). Postal service also knows that the regularity of this pattern is interrupted when Carlos skips gym or stays home on Saturday.

  6. Now, The Postal Service has revealed something very specific about Alice and Bob — without ever opening a single package! Also note that The Postal Service now even knows something personal about Carlos. And now imagine that The Postal Service decides to partner up with a local Market to sell that information to anyone. Even though Alice is engaged in morally unacceptable activities in my example, she does not deserve to potentially get blackmailed by a malicious fourth party who has purchased her secret on the Market, does she? Please also note that even poor Carlos could suffer from this blackmailing, or potentially get blackmailed himself with this information — which would be devastating.

  7. This is simply an illustration of just one of a million ways how analyzed metadata can reveal personal information without the need of direct access to message content. Keep in mind that the same methods can — and will be — used to hunt down and identify human rights activists, whistleblowers, journalists and minorities. If this (meta)data is sold, then private institutions and foreign governments will gain access to the finest details of your private life, to a degree eventually exceeding human imagination (thanks to AI algorithms). These are essentially the dangers of WhatsApp sharing metadata with Facebook, since Facebook is extremely good at analyzing (meta)data and is known for selling it to third parties.
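
The safe-and-postal-service picture from the answer above, as an added Python sketch (not part of the original answer and not WhatsApp's or Signal's code): the relay forwards ciphertext it cannot open, yet its envelope log alone exposes the recurring contact pattern. The `Relay` class, the `toy_cipher` function (a stand-in stream cipher, not the Signal protocol) and the sample traffic are all hypothetical and constructed for illustration.

```python
import hashlib, hmac, secrets
from collections import Counter
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def toy_cipher(key, nonce, data):
    """XOR with an HMAC-SHA256 counter keystream. Toy stand-in, NOT the Signal protocol."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class Relay:
    """The 'postal service': never holds the key, but records every envelope."""
    def __init__(self):
        self.log = []

    def deliver(self, sender, recipient, when, nonce, ciphertext):
        self.log.append({"from": sender, "to": recipient,
                         "when": when, "size": len(ciphertext)})
        return nonce, ciphertext  # forwarded unchanged and unread

    def recurring_slots(self, a, b, min_count=2):
        """(weekday, hour) slots in which a and b exchanged messages repeatedly."""
        slots = Counter((DAYS[r["when"].weekday()], r["when"].hour)
                        for r in self.log if {r["from"], r["to"]} == {a, b})
        return {slot: n for slot, n in slots.items() if n >= min_count}

# Constructed sample traffic (names, dates and texts are made up).
SAMPLE = [("alice", "bob", "2021-01-13 21:05", b"hi"),
          ("bob", "alice", "2021-01-15 21:30", b"see you saturday"),
          ("alice", "bob", "2021-01-18 10:00", b"ok"),
          ("alice", "bob", "2021-01-20 21:10", b"same time?"),
          ("bob", "alice", "2021-01-22 21:45", b"yes")]

def demo():
    key = secrets.token_bytes(32)  # known only to the two endpoints
    relay, received = Relay(), []
    for sender, recipient, ts, text in SAMPLE:
        nonce = secrets.token_bytes(12)
        sealed = toy_cipher(key, nonce, text)            # sender's device
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        n, ct = relay.deliver(sender, recipient, when, nonce, sealed)
        received.append(toy_cipher(key, n, ct))          # recipient's device
    return relay, received

if __name__ == "__main__":
    relay, received = demo()
    print(received)
    print(relay.recurring_slots("alice", "bob"))
```

The relay's log holds only sender, recipient, timestamp and size, which is enough to surface the Wednesday and Friday 21:00 pattern without any key.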


They can't read the messages.

I'd avoid the notion of "sharing with Facebook" as WhatsApp is Facebook. Instead I'd focus on what's used for advertisement targeting.

Here, metadata (data about the message, not its content) that they are able to and already are collecting (e.g. who you're sending messages to and when) have been used for various things (e.g. preventing grooming by pedophiles), but not for advertising.

The new policy is controversial, because it technically allows this metadata to be used for advertising as well. They claim the only metadata that is going to be used this way is your communication with businesses using WhatsApp - if you message a bike repair shop, expect to see ads for new bikes on FB or mobile apps using Facebook's ads services. But Facebook still wouldn't be able to read the messages, they just know you've now shown interest in bike repair - same as if you went to/liked the shop's Facebook page.

Additionally, businesses on WhatsApp will be able to store the message logs (not sure what this includes) on FB's servers for better access to them - also securely and without FB reading them.

Here's a Twitter thread of Head of WhatsApp Will Cathcart explaining some of it: https://threadreaderapp.com/thread/1347660768225841152.html

The Verge article with explanation and sources: https://www.theverge.com/2021/1/12/22226792/whatsapp-privacy-policy-response-signal-telegram-controversy-clarification