Privacy risk: WhatsApp for Windows Phone tags your geolocation metadata to saved photos


Privacy in smartphones is always a big deal amongst consumers, so it’s a little odd to see the super popular WhatsApp messaging client have a platform-specific privacy breach regarding geo-location metadata.

The situation is a little convoluted, so stick with us as we try to explain. Photos that are received (not sent) through WhatsApp are automatically tagged with your current location, regardless of your privacy Settings (Applications > Photos + Camera). That means if you were to then pass that photo on to someone else or upload it to SkyDrive, your location info will be preserved.

As an example, say Rich Edmonds sends me a photo of his house in the UK. When I save that photo to my gallery in the US (New York), my current location is tagged to that photo. If I were then to email it to someone or share it publicly via SkyDrive, you would all see my current location.

Geolocation metadata
GPS info tagged by WhatsApp to a saved image from a user in the UK

Oddly enough, this behavior seems to be restricted to just the Windows Phone version of WhatsApp, as opposed to iOS and Android.  We also tried it on Kik and were unable to replicate the result (indeed Kik strips metadata automatically, so nothing is revealed or added).

The good news is that the app is not tagging the photos you send to people with your location, which would be a lot worse. In our case, we rarely download photos from friends and then pass them on to others (and if we sent one to another Windows Phone, the tag would ironically be overwritten with that user’s location data).

Still, it’s discomforting to have your specific GPS coordinates stored unknowingly in your photo gallery. It also raises the question as to why WhatsApp is constantly accessing your geo-location information. Often, ads are targeted based on our current locale so having your info picked up in an app is the norm. But WhatsApp has no ads, which means this must be a side-effect of the optional “share your location” feature (powered by Foursquare). Clearly WhatsApp is constantly accessing your phone’s location for quick revelation when called upon by the user. The problem here is that the app is wrongfully using that info all the time to tag your saved images.

We’ll of course reach out to WhatsApp and Nokia (who are helping them with development) to see if this can be resolved. For now, you’ll want to think twice about passing on photos received from friends until WhatsApp patches this bug.

Thanks, Amir, for the heads up



There are 38 comments.

williog says:

Don't like this privacy intrusion. Seems we can't just remain anonymous again.

WinFan1 says:

That needs to get corrected.

We haven't been anonymous for decades. This isn't new, just another intrusion.

Eas195 says:

should anonymous take an action on WA?

Laura Knotek says:

Does this happen if pictures are shared via SMS instead of email?

It should never happen, period. Your GPS info should never be tagged to saved images. Kik doesn't do it, why should WhatsApp?

Laura Knotek says:

Could you test to see what happens when pictures from WhatsApp are shared via SMS?

If you've turned off locations from the phone settings, how is this app then able to get our location? 

Shifla says:

Should we have to turn off location always?

"If you've turned off locations from the phone settings, how is this app then able to get our location? "

I think you missed the point. The solution is not for the end-user to deal with their geolocation info being saved to images by a blanket shutting off of location services for the whole phone (killing Maps, Navigation, Groupon, and dozens of other apps) but for WhatsApp to fix this bug.

Your solution is like telling the 7.8 data bug users to just turn off all data on their phones. Sure, that "solves" the problem but c'mon, that's not really an option at all.

Laura Knotek says:

I agree. The app is the problem, not its users. Users should not need to jump through hoops to ensure basic functionality that they expect.

Neusyn says:

Speaking of the 7.8 bug. Any word on when an official fix is supposed to peak?

Sean Burns1 says:

What's App is buggy on my Lumia 620 lately. Sometimes it refuses to start up and it freezes too.

Jrexxx says:

Noticed that, but I don't really care...

lippidp says:

Great article! I chuckled, however, when I read, "Privacy in smartphones is always a big deal amongst consumers." The fact that Android and Google services are so popular would suggest otherwise...

Etios says:

Whatsapp is generally fast in addressing privacy issues, now that you have posted this info and also sent the info to Nokia, I am quite sure they will update the app and solve the problem.

adrian1338 says:

they are fast? they try lame workarounds. when do people understand that whatsapp and a solution only for smartphone devices is just crap

Etios says:

Whatsapp replied within 2 days, that's very fast response.

Jandieg says:

Why is everyone paranoid with "location"? Come on... do you walk on street covering your face? (you should, people may know where you are...)

Munkeyphyst says:

Because it could potentially reveal to an internet of people where you live, work, etc... If you don't think that may be problematic, feel free to post your driver's license for the world to see.

Jandieg says:

"Reveal" is conditioned to only those happening to be interested in that info, not the entire world. Besides, you may lock down all location features on your phone, but someone (if determined) could picture you entering your home and post that to the web. Or if more skilled, sniff your network traffic while you are on Starbucks, hack your accounts, get your address and more. So pointing inoffensive apps for being location trackers is just nonsense...

Munkeyphyst says:

And by your reasoning, if someone really wants to break into your house, they can. So why bother locking doors, or even closing the front door when we're away from home?

Jandieg says:

The point is, your location is just as anonymous as your home seen on Here or Bing maps (unless you were really famous; or your home an airport)

mythos13 says:

What a brilliant analogy.

borasar says:

Would be nice for them to get things together fast; it's them and Nokia working on it, so I'm not sure why it takes so long to patch up a vital app. Don't mean to whine or complain, but they've had a number of updates already and the app is still slow, still eats battery like crazy and still uses the damn audio API which is probably the cause of most user issues with the app; I'm not sure why that wasn't top of the list when it came to updates.

apocacrux says:

Meh, it's just my location, not my credit card info.

Xaphoon148 says:

Good to see some metadata showing up SOMEWHERE, sure as hell it ain't showing anything exif ON my WP...
Want back the possibility to get "properties" like on old Windows Mobile without having to use apps...

awneze says:

Can those f**kers just fix this app already, n quit tryna know if I took a photo in my bathroom. Pathetic

Lucas says:

Fhotoroom app also did this, if I chose to send it to SkyDrive, I can read the geotag instantly.

Well shit. Uninstalling.

50000 says:

Whatscrapp is so shit.

never really used whatsapp. not planning to use it for a long time, unless they fix the crappy audio api thingie.

Theri0n says:

I don't really care as have already uninstalled the software after rumours about takeover by Google.

Anaron says:

You can install or uninstall any app you want but generally, it's a good idea not to act on rumours. And the $1B buyout rumour was just that... a rumour. WhatsApp denied it recently.

D Dowe says:

Great article. Hate to revive an old thread but I recently discovered this same windows phone/nokia vulnerability exists when photos are received from twitter and facebook, and saved to the windows phone (Lumia 922) regardless of location privacy settings. Photos that are saved/downloaded to the windows phone from facebook and twitter are geotagged/metadata tagged with the location that the phone is at when you save them/download them. It preserves YOUR location where you downloaded the photos, so when you pass that photo on to someone else or share it/upload it YOUR location information is preserved in the metadata. Has a fix/patch or solution to this been created? This exception to the privacy settings could expose the end user to potential liability because the metadata makes it look like the user that uploaded the content is also the source/author. If nothing else it tags the content with YOUR location and makes it traceable back to YOU.