Protect yourself and your data when using WhatsApp

Updated 2021

Table of Contents

...Loading Table of Contents...

    Setup

    Know how hard it is to move what you have posted off social media

    • Test how effective it is to use the "download my data" functions of each platform you use. Start the download process, then take a thorough look at what data it provides. You may find that what is downloaded is not in a format you find easy to use.
    • Allow some time for this process. If you have had an account for a long time, there will be a lot of data to download, and the service may take a day or so to bundle it for your download.
    • Request your account information
    • Export your chat history:
    Learn why we recommend this

    Avoid relying on a social networking site as a primary host for your content, contacts, or other information.

    Consider what you would lose access to if your government blocked a site or app. It is easy for governments to block access to social media within their boundaries if they object to what people are sharing. Social media services may also decide to remove objectionable content themselves, rather than face censorship in a particular country.

    Social media might also remove content that they believe violates their policies about, for example, violent images or harassment. It is often difficult for them to understand the local context of what users have posted, particularly if it is not in English.

    Decide whether you will use a real or fake name, and maintain separate accounts

    • Be aware that even if you provide a fake name to a social media site, you may still be identifiable by the network you connect from and the IP address it assigns to your device unless you use a VPN or Tor to hide this information.
      • Use a VPN when setting up an account for the first time to make it harder for someone to associate your profile with your IP address.
    • Consider using separate accounts or separate identities/pseudonyms for different campaigns and activities. You will likely want to keep your personal and work accounts separate, at the very least.
    • Remember that the key to using a social network safely is being able to trust people in that network. You and the others in your network will want to know that the people behind the accounts are who they say they are, and have ways to validate this. That does not necessarily mean you have to use your real name, but it may be important to use consistent fake names.
    Learn why we recommend this

    Some people maintain social media accounts with fake names, or one account with their actual name and one with a fake name, to ensure they can organize and connect with others with less risk to their free speech, safety, or liberty.

    Set up with a fresh email address

    Learn why we recommend this

    Email addresses provide one of the easiest ways to search for you: you need to provide one each time you set up a new account. If you really need to hide your identity, it is best to start over with a new social media account which you do not connect to your old accounts or to existing email addresses.

    Don’t associate your phone number with your account

    Learn why we recommend this

    Your phone number can be easily used to look you up and identify you. Consider whether your local law enforcement might make a legal request to social media companies to find the activity associated with your account, or whether someone seeking to harass or find you might make use of your number.

    Skip “find friends”

    • WhatsApp requires access to your mobile's contact list in order to function. Be aware that WhatsApp will show that you are using their services to anyone who has your number in their contact list; there is nothing stopping anyone who knows your phone number from viewing your WhatsApp account. See more information here.
    • Change your privacy settings so that a limited group of people (or no one) can see your profile photo, status updates, and "about" information
    • Consider only connecting to people you know, whom you trust not to misuse the information you post.
    • If you need to connect to an online community of like-minded individuals whom you have never met, consider carefully what information you will share with these people.
    • Do not share your employer or educational background, as social media may use this information to share your profile with others unexpectedly.
    Learn why we recommend this

    Social media often ensure they will gain in popularity by by using the contact lists in your devices and email accounts to find and recommend more people you might want to connect to. This can have dangerous effects when you want to keep your contacts hidden from others. Consider whether law enforcement in your area might use these contact lists to build a case against you and your colleagues if they confiscated your device or accessed your account. Or consider what might happen if social media revealed information about others you associate with to the public. If these are concerns for you, limit social media apps and sites' permissions to use your contacts.

    Designate someone to manage your account if you are unable to do it yourself

    • WhatsApp cannot help recover data from or give access to an account because it is encrypted. If you would like to have a selected colleague or friend access or take over your account in the event you are incapacitated, you may need to share login information using your encrypted password manager.
    Learn why we recommend this

    This is something everyone should think about, regardless of their risk level. Social media sites have developed processes to handle situations where someone passes away or is seriously ill or jailed and others need to manage their account. Designating someone to care for your account can ensure others are notified of your situation, and prevent malicious people from defacing or hacking your account.

    Account protection

    Check recovery email and phone

    • View your current number in Settings > your profile.
    • Because WhatsApp accounts are tied to phone numbers, if someone previously had your phone number, their account information (like name and profile picture) may still be in WhatsApp's system. This does not mean they have access to your account. Learn more here
    • Change this information immediately if you lose access to your email address or phone number.
    Learn why we recommend this

    Your accounts use an email address and/or a phone number to help recover your account in case of authentication issue. The email address is also used to inform the user of any security related event. It is important to check this information to be sure that an attacker did not change them to gain control of your account later.

    Use strong passwords

    • Use strong passwords to protect your accounts. Anyone who gets into your social media account gains access to a lot of information about you and anyone you are connected to. See our guide on how to create and maintain secure passwords for more information.

    Set up multifactor authentication (2FA)

    Learn why we recommend this

    See our guide to passwords and other login protections for more on why and how to set up multifactor authentication, sometimes known as 2FA or MFA.

    Get a verification code to get back into your account

    • Get verification codes
    • Store those codes in your password manager.
    • Alternately, print these codes out before you are in a situation where you might need them. Keep them somewhere safe and hidden, like your wallet or a locked safe.
    Learn why we recommend this

    Having verification codes written down or printed out gives you another way to get back into your account if you lose access. If you are traveling, this can be especially useful when you need to get into your accounts and may not have access to wifi or cellular data to use other multifactor authentication.

    If your device is lost or stolen

    Look for suspicious access

    Check active sessions and authorized devices, review account activity and security events

    • Look at the following pages listing which devices have recently logged in to your account (including using browsers or apps). Does every login look familiar?
    • Note that if you are using a VPN or Tor Browser, which can conceal your location, you may see your own device, connected in unexpected locations.
    • Look for instructions on how to log out devices that are not yours.
    • If you see suspicious activity on your account, immediately change your password to a new, long, random passphrase you do not use for any other accounts. Save this in your password manager.
    Learn why we recommend this

    Governments, police, domestic abusers, and other adversaries may find ways to watch your accounts by logging in from their devices. If they do so, it is possible you will be able to see it from these pages where social media services show which devices have been used to log into your accounts.

    Get notified about logins

    Learn why we recommend this

    If you suspect your account may be watched, or your adversaries may break into it, use this feature of social media accounts to be notified right away when it happens.

    If you think your account has been hacked

    Download data for further analysis (advanced)

    Learn why we recommend this

    If you suspect someone has intruded on your device, you might want to download all records of activity on your account, so you or your technical support person can look for unusual activity.

    Decide what to post

    The more information about yourself you reveal online, the easier it becomes for the authorities and others to identify you and monitor your activities. For example, if you share (or "like") a page that opposes some position taken by your government, agents of that government might very well take an interest and target you for additional surveillance or direct persecution. This can have consequences even for those not living under authoritarian regimes: the families of some activists who have left their home countries have been targeted by the authorities in their homelands because of things those activists have posted on social media.

    Information that should never be sent on social media, even via direct message (DM)

    • Passwords
    • Personally identifying information, including
      • your birthday
      • your phone number (does it appear in screenshots of communications?)
      • government or other ID numbers
      • medical records
      • education and employment history (these can be used by untrustworthy people who want to gain your confidence)

    Information that you might not want to post on social media, depending on your assessment of the threats in your region:

    • Your email address (at least consider having more- and less-sensitive accounts)

    • Details about family members

    • Your sexual orientation or activity

    • Even if you trust the people in your networks, remember it is easy for someone to copy your information and spread it more widely than you want it to be.

    • Agree with your network on what you do and do not want shared, for safety reasons.

    • Think about what you may be revealing about your friends that they may not want other people to know; be sensitive about this, and ask them to be sensitive about what they reveal about you.

    Don’t share location

    Learn why we recommend this

    If you are worried about someone finding you and doing you physical harm, stop your accounts from storing your location information. Turning off location services on your device also makes your mobile device's battery charge last longer.

    Share photos and videos more safely

    Learn why we recommend this

    What you share could put yourself or others at risk. Get in the habit of seeking consent before posting about others, where possible. You may want to work with your colleagues to set guidelines for what you will and won't share publicly, under what conditions.

    Photos and videos can reveal a lot of information unintentionally, particularly what is in the background. Many cameras also embed hidden data (metadata or EXIF tags) about the location, date, and time the photo was taken, the camera that took the photo, etc. Social media may publish this information when you upload photos or video.

    Decide who can see

    Share to select people

    Manage who can reply to what you post

    Learn why we recommend this

    In some cases, replies to posts have been used to build false claims of human rights defenders associating with people they did not actually associate with. Replies can also be used to harass you. Controlling who can reply can help lower your stress levels.

    Think about group membership and who you connect with

    Learn why we recommend this

    When you join or start a community or group online it is revealing something about you to others. People may assume that you support or agree with what the group is saying or doing, which could make you vulnerable if you are seen to align yourself with particular political groups, for example. In some countries, connections on social media to individuals or groups have been used in court to make a case against someone, even when the two people were only loosely connected.

    If you set up a group and people choose to join it, consider: what are they announcing to the world by doing so? For example, if it is a LGBTQI support group, will that affiliation bring dangers for members in your region? Consider the impact of visibility in your current moment. There may be times when it is valuable for your movement to be visible, and even at that moment people who want your support might need a way to connect with your group without being identified. Think strategically about the platforms where you create your groups, what you name them (would a coded name help, as it did the Mattachine Society or the Daughters of Bilitis gay and lesbian organizations in the 1950s?), and whether they are public or private.

    If you join a large group with members that you don't know, be aware that adversaries might also join groups or make connections to identify you or your colleagues, get a better view of what you are doing, or even build false trust. If you suspect this is likely to happen, it is important to choose connections and post selectively when you make an account connected to your work.

    Limit who can contact you

    Learn why we recommend this

    Limiting who can contact you can lessen the likelihood that you will be found when you are trying to be private, or targeted by people trying to falsely gain your trust or the trust of your network. This can also be useful if you are being harassed in non-public messages.

    Manage advertising

    Learn why we recommend this

    There is a possibility governments or police forces might buy advertising data from social media companies to target you and your network with disinformation, or try to find you.

    Learn what social media will turn over to governments or law enforcement

    Learn why we recommend this

    Social media sites may give your information, including information you were trying to keep private, to governments or law enforcement if requested. Look through the following links to learn more about the conditions under which they will do so.

    Leave no trace

    Precautions when using a public or shared device

    • Avoid accessing your social network account from shared devices (like an internet cafe or other people's devices).
    • Delete your password and browsing history when you use a web browser on a public machine. Change the passwords of any accounts you accessed from shared devices as soon as you can, using your own device.

    Handle abuse

    Report abuse

    Learn why we recommend this

    Social media have unfortunately become a favorite method of harassment and disinformation worldwide. If you see malicious impersonation, hashtags being flooded, disinformation being spread, or you or your colleagues are being targeted and harassed, you are not alone and there may be help. Review the processes for reporting using the following links.

    Report harassment that reveals information about you

    Learn why we recommend this

    Some abusers may try to target you by revealing information about where you live or work, your family or friends, or other personal details including images. In many cases you have a right to have this taken down, even if that information is true. Review the following links for information on how to get that information removed.

    Identify and report coordinated inauthentic activity (botnets and spam)

    Learn why we recommend this

    Some harassment and disinformation is posted through automated means, rather than by individual people. If you suspect that you are seeing this "coordinated inauthentic activity," you can report it to the social media sites and they may ban those automated systems. While automation can be hard to prove, there are some cases in which reporting coordinated inauthentic activity might be more successful than reporting harassment, if you suspect the social media site will not understand the context of the harassment.

    Report impersonation

    Learn why we recommend this

    Impersonation in the form of parody is usually accepted as free speech by most social media platforms, and will not be removed. However, impersonation for the purposes of defamation of character may not be, and you can report it.

    Hide stressful content

    Learn why we recommend this

    Any of us may find some content more distressing than other people do, whether it be information on the death of a friend, public arguments which devalue us because of who we are, or frightening events in the news. If you need a break from this stress, here are some tools which can help hide content you do not wish to see, for as long as you wish.

    Learn how to recover your account if it is disabled or suspended

    Learn why we recommend this

    For one reason or another, social media sites will sometimes disable an account. Human rights defenders have sometimes had their accounts shut down because they are documenting human rights abuses with violent scenes that violate the social media platforms's policies; because they have been reported by government, police, or other people who disagree with them; or even because the social media platform does not understand their context well enough to make sense of what they are posting. If this happens to you, you can appeal the decision and ask to have your account restored. Review the links below for information on how.

    Take a break from your account

    • WhatsApp does not support suspension or auto-response, but consider backing up your messages and deleting the app from your phone if you will still have access to the same phone number. Or, if you just want to let people know you will be away, put a note in your status message.
    Learn why we recommend this

    If you want to stop people from posting to your account because you will not be able to access it for a while-- you suspect you may be detained or jailed, or just because you need to take a break!--you may be able to temporarily deactivate your account on some social media. This can be useful if you face harassment or defamation. On other accounts, like email, you may not be able to stop incoming messages, but can set your account to automatically respond that you are away.

    Learn how social media use your information

    Learn why we recommend this

    It is often unclear what social media will do with your information when you share it. Are they combined with other data to guess things about you? Are they sold to other companies that may share that information even if you did not want it to be shared? Read the End User Licence Agreement and Privacy Policy or Data Use Policy for social media sites to find out.