Why This Matters
A vulnerability called "Careless Whisper" allows attackers to track when you're online, map your activity patterns, and even drain your battery—all using delivery receipts [1]. Researchers warned Meta and Signal in 2024. Neither has fully patched the flaw.
This guide shows you how to configure receipt settings to reduce your exposure.
Understanding the Checkmarks
Messaging apps use different receipt types:
Delivery Receipt
WhatsApp: Two gray checkmarks
Signal: Single checkmark turns filled
What it means: Message reached your device
Privacy risk: HIGH - Used in tracking attack
Read Receipt
WhatsApp: Two blue checkmarks
Signal: Filled checkmark appears
What it means: You opened the message
Privacy risk: Medium - Reveals activity
Typing Indicator
Shows "typing..." when composing
What it means: You're actively in the chat
Privacy risk: Low - Real-time only
The problem: You can disable read receipts on both apps. But you cannot fully disable delivery receipts—the exact thing exploited by the tracking attack.
WhatsApp Privacy Settings
Step 1: Disable Read Receipts
- Open WhatsApp
- Tap Settings (gear icon)
- Tap Privacy
- Scroll to Read receipts
- Toggle OFF
What this does: Prevents blue checkmarks from appearing when you read messages.
What this doesn't do: It doesn't stop delivery receipts (gray checkmarks). Your phone still confirms message delivery, which is what the attack exploits.
Step 2: Enable "Block Unknown Messages"
This is the most important setting for mitigating the tracking attack:
- Open WhatsApp → Settings
- Tap Privacy
- Tap Advanced
- Enable Block messages from unknown accounts
What this does: Blocks messages from people not in your contacts. Since the attack requires sending you messages, this prevents unknown attackers from probing you.
Limitation: Anyone in your contacts can still track you. This setting doesn't help if the attacker adds you first or uses a known number.
Step 3: Additional WhatsApp Privacy Settings
While you're in settings, check these too:
Settings → Privacy:
- Last seen: Set to "Nobody" or "My contacts"
- Profile photo: Set to "My contacts" or "Nobody"
- About: Set to "My contacts" or "Nobody"
- Status: Set to "My contacts"
- Groups: Set to "My contacts" (prevents strangers adding you)
Settings → Privacy → Advanced:
- Protect IP address in calls: Enable (routes calls through WhatsApp servers)
- Disable link previews: Enable (prevents URL fetching)
Signal Privacy Settings
Step 1: Disable Read Receipts
On Android:
- Open Signal
- Tap your profile icon (top left)
- Tap Privacy
- Scroll to Read receipts
- Toggle OFF
On iOS:
- Open Signal
- Tap Settings (your profile)
- Tap Privacy
- Toggle Read Receipts OFF
Step 2: Disable Typing Indicators
- Settings → Privacy
- Toggle Typing indicators OFF
This prevents people from seeing when you're composing a message.
Step 3: Enable Additional Signal Privacy Features
Settings → Privacy:
- Screen security: Enable (prevents screenshots in recent apps)
- Incognito keyboard: Enable (prevents the keyboard from learning from what you type)
- Always relay calls: Enable (hides your IP in calls)
Settings → Privacy → Sealed Sender:
- Ensure "Allow from anyone" is OFF if you want maximum privacy
- This limits who can message you without revealing metadata to Signal servers
Step 4: Configure Message Requests
- Settings → Privacy
- Review Message requests settings
- Consider enabling stricter filtering
Signal's rate limiting already provides some protection against the battery/data attack variants, but tracking via delivery receipts still works.
Comparison: What Each Setting Does
| Setting | Stops Tracking Attack? | Stops Battery Drain? | Stops Activity Monitoring? |
|---|---|---|---|
| Disable read receipts | No | No | Partial |
| Block unknown messages (WhatsApp) | Partial* | Partial* | Partial* |
| Disable typing indicators | No | No | Yes (typing only) |
| Hide last seen | No | No | Yes (last seen only) |
| Always relay calls | No | No | Hides IP in calls |
*Only blocks unknown attackers. Known contacts or anyone who can add you first can still attack.
For High-Risk Users: Alternative Apps
If you're a journalist, activist, or face targeted surveillance, these settings aren't enough. Consider:
Threema
- Not vulnerable to the Careless Whisper attack
- No phone number required
- Swiss-based, strong privacy laws
- One-time purchase (~$5), no subscription
Session
- No phone number or email required
- Decentralized network
- Onion routing for metadata protection
- Free and open source
SimpleX
- No persistent user identifiers at all
- Each conversation uses a different address
- Maximum metadata protection
- Free and open source
For truly sensitive communications, use these instead of trying to harden WhatsApp or Signal.
Quick Reference: Settings Checklist
WhatsApp
- ☐ Read receipts: OFF
- ☐ Block unknown messages: ON
- ☐ Last seen: Nobody or My contacts
- ☐ Profile photo: My contacts
- ☐ Groups: My contacts
- ☐ Protect IP in calls: ON
- ☐ Disable link previews: ON
Signal
- ☐ Read receipts: OFF
- ☐ Typing indicators: OFF
- ☐ Screen security: ON
- ☐ Incognito keyboard: ON
- ☐ Always relay calls: ON
- ☐ Sealed sender from anyone: Consider OFF
The Uncomfortable Truth
These settings reduce your exposure but don't eliminate it. The fundamental problem is that delivery receipts can't be fully disabled in either app, and that's what the tracking attack exploits.
You're relying on:
- WhatsApp to block "high volume" probing (they don't define the threshold)
- Signal's rate limiting (helps but doesn't prevent tracking)
- Attackers not having your number in their contacts
Meta and Signal Foundation were warned about this in 2024. Neither has implemented a protocol-level fix. Until they do, these settings are your best available mitigation—but they're not a solution.
For more on the vulnerability itself, see: The "Careless Whisper" Attack: How Delivery Receipts Track 3 Billion Users
References
- "Careless Whisper" - University of Vienna and SBA Research, 2024
- Cyber Insider - Tool allows stealthy tracking of Signal and WhatsApp users
- The Register - CISA: Spyware crews breaking into Signal, WhatsApp accounts