People on this forum often talk of using a disposable sim when signing up for Whatsapp. But it seems like Whatsapp also gets access to the number for any sim that you subsequently put in your phone.
The permissions for Whatsapp in the Play Store include:
- Answer phone calls
- Directly call phone numbers
- Read call log
- Read phone numbers
- Read phone status and identity
- Receive text messages (SMS)
- Send and view SMS messages
- Run foreground service with the type 'phoneCall'
- Route calls through the system
Given how greedy Meta are for data, I would be surprised if their lawyers didn't interpret at least one of these permissions to mean "Always know the number of the sim that is in the phone, whether or not it was used for verification".
The WhatsApp privacy policy seems more or less to confirm this:
- "We collect device and connection-specific information when you install, access, or use our Services. This includes information such as hardware model, operating system information, battery level, signal strength, app version, browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Meta Company Products associated with the same device or account)."
This is complicated somewhat by the Google Support article on the "Use of SMS or Call Log permission groups" which says that:
- "Apps must be actively registered as the default SMS, Phone, or Assistant handler before prompting users to accept any of SMS or Call Log permissions. Those apps must immediately stop using the permission when they're no longer the default handler."
If this makes you breathe a sigh of relief, note that:
- It is unclear to me what exactly makes an app "the default SMS, Phone, or Assistant handler" and how you can determine if and when exactly WhatsApp has these permissions.
- In the "Exceptions" section of the same article it says that "Google Play may provide a temporary exception to apps that aren't Default SMS, Phone, or Assistant handlers when ... Use of the permission enables the core app functionality listed in the following table", which includes "Backup and restore for users", "Caller ID, spam detection, and/or spam blocking". WhatsApp may well make use of this as legal cover to collect whatever numbers they like.
If anyone knows of any casework relevant to these subjects, please reply. In particular it seems we should know
- if authorities have been shown to gain access to the numbers of other sims as well as registration sims when they ask WhatsApp for information
- if staff at WhatsApp have access to these numbers (and thus could be bribed / blackmailed / encouraged to leak them)
Unless we are lucky enough to have some lawyers lurking here, I think it is wise to assume that WhatsApp has access to the number of any sim you put in your Graphene phone.
Follow-up question:
- Does having WhatsApp in a separate profile prevent them from knowing the number of the sim in another profile?
- And, if so, shouldn't this be more well-known? Depending on their jurisdiction, people may have wasted a lot of effort getting disposable sims for WhatsApp when it may well do nothing.
Apologies in advance if I have missed other posts on this subject.