BuzzFeed News

Don't Be Like Paul Manafort. Backing Up Your WhatsApp Messages Creates A Security Loophole

Manafort got into trouble because he didn't understand that enabling cloud backups on his WhatsApp account gave investigators a way to circumvent the app's end-to-end encryption. Here’s how to disable those backups.

Posted on June 7, 2018, at 2:18 p.m. ET

Paul Manafort, President Trump’s former campaign chair and noted dictator whisperer, was accused Monday of trying to tamper with witnesses in his federal tax and money laundering case. Federal prosecutors working for the special counsel, Robert Mueller, said that Manafort tried to contact witnesses, sometimes through the messaging app WhatsApp, and attempted to persuade them to commit perjury.

In the wake of this revelation, some people wondered how federal investigators were able to circumvent WhatsApp’s end-to-end encryption. Usually, end-to-end encryption means only two people — the sender and the receiver — can see each other’s full messages. But in Manafort’s case, there was a loophole: He was backing up information from WhatsApp to Apple’s iCloud, where data is not encrypted. The police, armed with the appropriate search warrants, were able to look into Manafort’s iCloud backup to gather evidence.

Seems to be some confusion about how Mueller accessed Manafort's WhatsApp messages seeing as it's an encrypted app. Look at the source columns. Appears Manafort's messages were backed up on iCloud. https://t.co/B6uqI9dtOp

But you don’t have to leave yourself vulnerable like Manafort. Here’s how to disable WhatsApp backups to Apple’s iCloud and to Google Drive.

Go to your Settings app, then tap on your name right up top.


Open the "iCloud" item right on that first screen.


Scroll down until you see "iCloud Drive." Keep scrolling until you see the rest of your apps that save to the iCloud Drive.


Near the very bottom — because these are alphabetically arranged — you'll see the WhatsApp iCloud backup. Flip that sucker off.

And these are the steps for Android phones…

Tap on the three dots in the upper right corner of WhatsApp, and then tap on “Settings.”


Tap on “Chats.” Then “Chat backup.”

Hit “Back up to Google Drive,” and then “Never.”


And if you want to clear your old WhatsApp backups, go to the Google Drive app on your phone. Tap on “Backups” and you'll see the last backup saved in the cloud storage. Delete that sucker.

Congratulations, that's it! You're done!

Of course, you could also use a secure messaging program like Signal coupled with disappearing messages — then you wouldn't have this problem.

But it's important to note that WhatsApp's encryption works just fine. This is just a loophole that has to do with cloud backups, which you can easily fix.

And if you want to be a real stickler for security, consider limiting your use to only mobile apps instead of opening WhatsApp (or Signal for that matter) on your desktop. These apps are secure on the desktop, but you'd be expanding what's called your "threat surface" — which means bad actors have more ways to target you. Plus, computers are inherently less secure than phones.


    Davey Alba is a senior technology reporter for BuzzFeed News and is based in New York. Her PGP Fingerprint is 639B 7AD2 1C67 F8FC 951E 4A58 2D33 698D C619 3C9E.

    Contact Davey Alba at davey.alba@buzzfeed.com.
