Added: ProPublica updated its article on September 8 to clarify that this does not mean that WhatsApp's end-to-end encryption has been compromised.

Don't worry: WhatsApp is secure.

Pro Publica, a non-profit news organization, published an article today (September 7) titled "How Facebook Undermines Privacy Protections for Its 20 Billion WhatsApp Users." The article details how Facebook uses outsourced contractors to check WhatsApp messages for illegal or potentially abusive content, and how Facebook complies with court orders to submit metadata about specific WhatsApp users. The report details the following.

However, the article does not state that Facebook can read your WhatsApp messages. Rather, according to the Pro Publica article, content "reviewers" are looking at potentially abusive messages reported by WhatsApp users themselves, and the metadata provided to law enforcement to comply with a court order does not include message content that.

Here is a key paragraph, one-third of the article: [Because WhatsApp content is encrypted, the artificial intelligence system cannot automatically scan every chat, image, and video like Facebook and Instagram. Instead, WhatsApp reviewers can access private content by allowing users to press the app's "report" button.

These reviewers look at the content sent before recommending action, such as kicking the user out of WhatsApp. This article details the difficulty of understanding the content of reported messages, especially those using lesser-known languages, and how it is not always easy to discern whether images actually depict sexual abuse or violence against children.

It also explains how Facebook would cooperate with law enforcement if it received a court order requesting user metadata (i.e., recording the user's name, phone number, avatar, device information, and how many messages the user sent, when, and to whom) The report also explains how it will cooperate with law enforcement if it receives a court order requiring it to record when and how many messages are sent to whom. Legally, Facebook must turn over what it has and allow law enforcement to monitor the suspect's activity on the device.

Such WhatsApp metadata was apparently instrumental in the conviction of Natalie Edwards, a former U.S. Treasury Department employee who pleaded guilty to leaking information to Buzzfeed News.

The FBI was able to see a number of messages sent between Edwards and a Buzzfeed reporter (identified elsewhere as Jason Leopold) the day after the Buzzfeed article was published in 2018, establishing that Edwards and Leopold were in constant contact Edwards and Leopold were in constant contact.

WhatsApp can only collect less metadata. For example, it can capture only the user's phone number and omit name and device information. However, at least in the short term, WhatsApp would need to see which other numbers the WhatsApp account is messaging with.

Still, neither the FBI nor Facebook could see exactly what Edwards and Leopold were messaging each other; end-to-end encryption using WhatsApp's Signal protocol allows Facebook and WhatsApp not be able to see the contents of the messages being sent.

Messages are only decrypted on the sender's and recipient's devices. Any content reported to WhatsApp by users that appears to be abusive or illegal will be decrypted on the reporter's device.

According to the Pro Publica article, such content is sent to reviewers in "unscrambled form," but it is unclear whether the content is sent unencrypted or only "unscrambled" when the reviewer reviews it

The reviewer's content may be sent unencrypted.

With regard to the metadata, it is not stated whether the FBI was able to examine Edwards' or Leopold's devices for unencrypted messages.

After all, Facebook cannot read your WhatsApp messages. For now, you don't need to worry.

Facebook collects a lot of metadata about WhatsApp users. If you don't like that - and I don't myself - I suggest you use Signal, Threema, or some other encrypted messaging app.