Delivery Receipt Privacy: How to Configure Signal & WhatsApp

Why This Matters

A vulnerability called "Careless Whisper" allows attackers to track when you're online, map your activity patterns, and even drain your battery—all using delivery receipts [1]. Researchers warned Meta and Signal in 2024. Neither has fully patched the flaw.

This guide shows you how to configure receipt settings to reduce your exposure.

Understanding the Checkmarks

Messaging apps use different receipt types:

Delivery Receipt

WhatsApp: Two gray checkmarks

Signal: Single checkmark turns filled

What it means: Message reached your device

Privacy risk: HIGH - Used in tracking attack

Read Receipt

WhatsApp: Two blue checkmarks

Signal: Filled checkmark appears

What it means: You opened the message

Privacy risk: Medium - Reveals activity

Typing Indicator

Shows "typing..." when composing

What it means: You're actively in the chat

Privacy risk: Low - Real-time only

The problem: You can disable read receipts on both apps. But you cannot fully disable delivery receipts—the exact thing exploited by the tracking attack.

WhatsApp Privacy Settings

Step 1: Disable Read Receipts

  1. Open WhatsApp
  2. Tap Settings (gear icon)
  3. Tap Privacy
  4. Scroll to Read receipts
  5. Toggle OFF

What this does: Prevents blue checkmarks from appearing when you read messages.

What this doesn't do: Doesn't stop delivery receipts (gray checkmarks). Your phone still confirms message delivery, which is what the attack exploits.

Step 2: Enable "Block Unknown Messages"

This is the most important setting for mitigating the tracking attack:

  1. Open WhatsApp → Settings
  2. Tap Privacy
  3. Tap Advanced
  4. Enable Block messages from unknown accounts

What this does: Blocks messages from people not in your contacts. Since the attack requires sending you messages, this prevents unknown attackers from probing you.

Limitation: Anyone in your contacts can still track you. Doesn't help if the attacker adds you first or uses a known number.

Step 3: Additional WhatsApp Privacy Settings

While you're in settings, check these too:

Settings → Privacy:

  • Last seen: Set to "Nobody" or "My contacts"
  • Profile photo: Set to "My contacts" or "Nobody"
  • About: Set to "My contacts" or "Nobody"
  • Status: Set to "My contacts"
  • Groups: Set to "My contacts" (prevents strangers adding you)

Settings → Privacy → Advanced:

  • Protect IP address in calls: Enable (routes calls through WhatsApp servers)
  • Disable link previews: Enable (prevents URL fetching)

Signal Privacy Settings

Step 1: Disable Read Receipts

On Android:

  1. Open Signal
  2. Tap your profile icon (top left)
  3. Tap Privacy
  4. Scroll to Read receipts
  5. Toggle OFF

On iOS:

  1. Open Signal
  2. Tap Settings (your profile)
  3. Tap Privacy
  4. Toggle Read Receipts OFF

Step 2: Disable Typing Indicators

  1. Settings → Privacy
  2. Toggle Typing indicators OFF

This prevents people from seeing when you're composing a message.

Step 3: Enable Additional Signal Privacy Features

Settings → Privacy:

  • Screen security: Enable (prevents screenshots in recent apps)
  • Incognito keyboard: Enable (prevents keyboard from learning)
  • Always relay calls: Enable (hides your IP in calls)

Settings → Privacy → Sealed Sender:

  • Ensure "Allow from anyone" is OFF if you want maximum privacy
  • This limits who can message you without revealing metadata to Signal servers

Step 4: Configure Message Requests

  1. Settings → Privacy
  2. Review Message requests settings
  3. Consider enabling stricter filtering

Signal's rate limiting already provides some protection against the battery/data attack variants, but tracking via delivery receipts still works.

Comparison: What Each Setting Does

Setting Stops Tracking Attack? Stops Battery Drain? Stops Activity Monitoring?
Disable read receipts No No Partial
Block unknown messages (WhatsApp) Partial* Partial* Partial*
Disable typing indicators No No Yes (typing only)
Hide last seen No No Yes (last seen only)
Always relay calls No No Hides IP in calls

*Only blocks unknown attackers. Known contacts or anyone who can add you first can still attack.

For High-Risk Users: Alternative Apps

If you're a journalist, activist, or face targeted surveillance, these settings aren't enough. Consider:

Threema

  • Not vulnerable to the Careless Whisper attack
  • No phone number required
  • Swiss-based, strong privacy laws
  • One-time purchase (~$5), no subscription

Session

  • No phone number or email required
  • Decentralized network
  • Onion routing for metadata protection
  • Free and open source

SimpleX

  • No persistent user identifiers at all
  • Each conversation uses different address
  • Maximum metadata protection
  • Free and open source

For truly sensitive communications, use these instead of trying to harden WhatsApp or Signal.

Quick Reference: Settings Checklist

WhatsApp

  • Read receipts: OFF
  • Block unknown messages: ON
  • Last seen: Nobody or My contacts
  • Profile photo: My contacts
  • Groups: My contacts
  • Protect IP in calls: ON
  • Disable link previews: ON

Signal

  • Read receipts: OFF
  • Typing indicators: OFF
  • Screen security: ON
  • Incognito keyboard: ON
  • Always relay calls: ON
  • Sealed sender from anyone: Consider OFF

The Uncomfortable Truth

These settings reduce your exposure but don't eliminate it. The fundamental problem is that delivery receipts can't be fully disabled in either app, and that's what the tracking attack exploits.

You're relying on:

  • WhatsApp to block "high volume" probing (they don't define the threshold)
  • Signal's rate limiting (helps but doesn't prevent tracking)
  • Attackers not having your number in their contacts

Meta and Signal Foundation were warned about this in 2024. Neither has implemented a protocol-level fix. Until they do, these settings are your best available mitigation—but they're not a solution.

For more on the vulnerability itself, see: The "Careless Whisper" Attack: How Delivery Receipts Track 3 Billion Users


References

  1. "Careless Whisper" - University of Vienna and SBA Research, 2024
  2. Cyber Insider - Tool allows stealthy tracking of Signal and WhatsApp users
  3. The Register - CISA: Spyware crews breaking into Signal, WhatsApp accounts