Does backing up WhatsApp on Google Drive expose messages?

  • I was wiping and restoring a family member's Android phone today, as it was running slowly with loads of apps on it.

    I decided to back up their WhatsApp messages to Google Drive in order to recreate their chat history easily after the wipe.

    On the phone, I noticed this message from WhatsApp:

    Important: Media and messages you back up are not protected by WhatsApp end-to-end encryption while in Google Drive.

    The same message is also available here, at the end of the section for Creating a Google Drive Backup:

    Does this mean that if I have been chatting to anyone in the past, and that person has periodic Google Drive backups enabled, then my conversation is compromised to Google and/or WhatsApp?

    If this is the case then it actually makes end-to-end encryption on WhatsApp useless unless the person you're chatting to swears that they don't have Google Drive backup enabled on their end. We might as well just use server-side encryption.

    Or is the message given by WhatsApp badly expressed and ambiguous?

    Erm, obviously?

    Obviously there's a compromise at play, or obviously the description given by WhatsApp is badly expressed and ambiguous? Your answer is far from obvious.

    If someone voluntarily exports their data from WhatsApp to anywhere else, WhatsApp would lose control over it. So it won't be protected by WhatsApp end-to-end encryption (which is used to encrypt data in transit between WhatsApp clients).

    So what you're saying is that WhatsApp is putting out a disclaimer on the data to say that they no longer have control over it, but that data in itself is still sent to Google Drive in an encrypted form? I don't mean that it's sent over TLS, I mean that when Google get it, the data is encrypted?

    @bitofagoob No. WhatsApp doesn't encrypt the data. If it did, it would have to provide a decryption key along with it. I don't think WhatsApp does that.

    Honestly, WhatsApp E2E seems obsolete to me in some cases. Your autocomplete keyboard on Android is often Google-made. They have said in their privacy policy that words you type might be sent to Google for improvement of "predictions and other google services". One of those services is ads. I was talking to a friend over WhatsApp about guitars. Next thing I know, Google Ads showed guitars. So E2E is an illusion with some of the default options on Android...

  • zzarzzur (Correct answer, 4 years ago)

    You're confusing message integrity and security with secrecy. WhatsApp provides end to end encryption, meaning the message you send can only be read by the recipient and vice versa. This protects you from third parties trying to eavesdrop on your conversation, and even prevents WhatsApp themselves from reading the messages. You can't demand WhatsApp to allow you to wiretap a conversation if WhatsApp themselves have no idea what's being sent.

    However, once the message is in the hands of the recipient, it's a different story. In order for it to appear in their chat history, it has to be saved on the phone. If a person's device is compromised, so is your chat history with that person. The person could also screenshot your conversation, or even use another phone to take a picture of your conversation. Backup to Google Drive is simply a way of backing up your chat history so if you change devices or reset your phone all your messages aren't gone.

    Once the conversation is in Google Drive, however, if a valid law enforcement request is made for your files, your conversation is now compromised, as Google only provides server-side encryption, which allows them to decrypt your files. This even opens you up to further compromise if the recipient's Google account was ever hacked, as the hackers would have access to your message history with that person.

    In short, no, the warning is accurate. It's not ambiguous; it tells you exactly what it means: if you save the messages to Google Drive, anyone with access to that account can retrieve the messages. This all boils down to the level of trust you have in your recipient. If you're not 100% sure that the person you're talking to isn't going to rat you out, best not to voice your dissent of your government to them.

    Thanks `zzarzurr`. I think this answer is detailed enough for anyone reading it to get a technical overview of what happens to the Google Drive backup, without it going into excessive detail. It's a great answer for someone reading who may be more interested in the privacy aspect, rather than digging deeply. When I asked the question I was more interested in privacy than security and this answer suits my question perfectly. I award my bounty to you and mark the question answered.

    Where the heck did you read that Google only provides server-side encryption? It's the opposite. Only transfer encryption. Don't spread misinformation. Just google "Google whatsapp storage encryption". Please prove me wrong, one of the few times I would love being wrong.

    @killjoy I assume you’re referring to the quote “Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive”. That quote doesn’t say messages aren’t encrypted, just that it’s not protected by WhatsApp Encryption. Google Drive uses 128-bit AES to store your data at rest, however the key is managed by them, making it server side encryption.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM