The Worsening of WhatsApp - Signal for Privacy

WhatsApp isn’t what it used to be. Since the 2014 acquisition by Facebook for $19 billion, there have been noticable changes in the application.

Read on for the erosion of a well secured and private messaging application and the quest for profit that drove their descent.

Prior to the Facebook acquisition, WhatsApp had been the go to messaging platform for activists, dissidents, diplomats, and journalists. Unfortunately, ever since they have been trading security and privacy away for usability and scaling.

WhatsApp has made privacy and security a primary selling point, and has become a go-to communications tool of activists, dissidents and diplomats.
https://www.theguardian.com/technology/2017/jan/13/whatsapp-design-feature-encrypted-messages

WhatsApp uses some well regarded end-to-end encryption from the Open Whisper Systems – makers of Signal. There were flaws; however, not in the actual encryption itself (which remains solid) but rather in the implementation and key exchange.

Serious Flaw in Encryption

In 2017 a serious flaw in the implementation of the crypto algorithm allowed 3rd parties to read your messages. This was effectively a MITM (man in the middle) attack.

A Feature as a Flaw in Design

The way WhatsApp implemented the Signal protocol was vulnerable when new keys were generated when a user gets a new phone or reinstalls the app. Messages waiting to be delivered during this time are then encrypted again and resent automatically. The problem is the sender having the opportunity to verify the recipient is who they intend.

While this makes the app more convenient and easy to use, this deviation from the implementation of the Signal protocol provides a weakness to be exploited.

False Reporting on Backdoor

The Guardian story above has had a major correction – this was not a backdoor as initially explained but a misunderstanding about a feature which became vulnerable. I know this may seem like doublespeak but there is an important distinction to make i.e. designing features which may later become exploited is not the same as designing a fatal flaw in the encryption (back door).

The blog post on Signal “There is no WhatsApp backdoor” explains the situation. As the article explains:

The fact that WhatsApp handles key changes is not a “backdoor,” it is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.
https://signal.org/blog/there-is-no-whatsapp-backdoor/

Furthermore,

The only question it might be reasonable to ask is whether these safety number change notifications should be “blocking” or “non-blocking.” In other words, when a contact’s key changes, should WhatsApp require the user to manually verify the new key before continuing, or should WhatsApp display an advisory notification and continue without blocking the user.
https://signal.org/blog/there-is-no-whatsapp-backdoor/

In this case, I believe the criticism of WhatsApp’s end-to-end encryption is somewhat exaggerated. Read the technical whitepaper from WhatsApp explaining their encryption implementation design.

Profits > Privacy

The trouble started when Facebook acquired WhatsApp back in 2014. From 2009-2014 WhatsApp had been a great choice for private and secure messaging. However, it started to go downhill with the pressure to scale and monetize the platform by Facebook.

In 2016 the EFF lays out the four biggest security concerns of WhatsApp:

Unencrypted backups – although messaging is end-to-end encrypted the backups are stored unencrypted. If you need to use WhatsApp please turn off the automatic backups to secure your data!
Key change notifications – as discussed above, the key exchange between users can be compromised. Make sure to turn on key change notifications!
Web Interface – this is inherently less secure of a client than the app. This isn’t a major problem but one to be aware of.
Facebook data sharing – you know those privacy policies that we accept and never read? Now that Facebook owns WhatsApp they modified theirs to tell they are increasing the sharing of data across their platforms. To me this is the biggest problem and one that cannot be fixed besides completely dismantling the system.

…and after

What Would It Take To Forfeit $850 Million?

In a Forbes interview with WhatsApp co-founder Brian Acton, they tell the story of the acquisition and eventual departure of Brian from the company he formed into a billion dollar business.

It began with selling the company he formed for $14 billion and then forfeiting $850 million to leave Facebook.

WhatsApp had previously been anti-ads. This provided a natural conflict between WhatsApp and Facebook. Targeted advertising is an abomination to privacy advocates who know all too well the implications.

“They are businesspeople, they are good businesspeople. They just represent a set of business practices, principles and ethics, and policies that I don’t necessarily agree with.”
Brian Acton – https://www.forbes.com/sites/parmyolson/2018/09/26/exclusive-whatsapp-cofounder-brian-acton-gives-the-inside-story-on-deletefacebook-and-why-he-left-850-million-behind

Disillusion of Key Staff

This wasn’t the first time key employees had become disillusioned by the business practices of Facebook.

“We have created tools that are ripping apart the social fabric of how society works”
Chamath Palihapitiya – https://www.theverge.com/2017/12/20/16800842/facebook-2017-russia-scandal-news-feed-criticism-defectors

That’s from the former leader of Facebooks user growth team. But there were more.

Justin Rosenstein was the lead developer behind the LIKE button. He too became disenchanted with how the pleasure derived from your online friends liking your post could control your emotions.

Most famously, Sean Parker has voiced regrets. Parker was the first president of Facebook and a key influential player in the formation of their business.

“…the unintended consequences of a network when it grows to a billion or 2 billion people and… it literally changes your relationship with society, with each other…”
Sean Parker – https://www.theverge.com/2017/12/20/16800842/facebook-2017-russia-scandal-news-feed-criticism-defectors

It Ends With #DeleteFacebook

After the Cambridge Analytica debaucle, Acton had enough with Facebook.

It is time. #deletefacebook

— Brian Acton (@brianacton) March 20, 2018

Targeted Surveillance Attack

Strong adversaries can sense the weakening of WhatsApp and have been on the attack. This month, WhatsApp discovered a targeted surveillance attack on its platform.

From what we know the exploit was first presented by the NSO Group – a cyber arms dealer.

This attack involved the attackers using the voice calling feature in WhatsApp to a target device. Then, even if the call was not answered, it could install malware on the device.

The huge install base of WhatsApp and integration with Facebook makes it much more of a target for nation state attackers and other highly capable black hats.

A Clear Signal Ahead

I recommend replacing WhatsApp with Signal to better secure and keep your communications private. There is little functionality present in WhatsApp that is not in Signal.

We All Have Something to Hide

Moxie Marlinspike is a privacy advocate and computer security researcher who formed Open Whisper Systems and Signal. On his blog he wrote a compelling piece about privacy.

He points out the trouble of law enforcement in general and segues it to contemporary law enforcement.

Law enforcement used to be harder. If a law enforcement agency wanted to track someone, it required physically assigning a law enforcement agent to follow that person around. Tracking everybody would be inconceivable, because it would require having as many law enforcement agents as people.
Moxie – https://moxie.org/blog/we-should-all-have-something-to-hide/

As he then points out, today things are much different than before. We all have smartphones in our pockets or on our wrist every single day that track and record us. The level of surveillance today would have been inconceivable even 50 years ago.

Watch Moxie speak at DefCon a few years back.

My Questions to You

All that being said, I have some questions and thoughts for you:

Is this just what happens when a system gets to be so big?
How valuable are these “free” services (Facebook, Twitter, Gmail, etc.) that we use? How much would you pay for them if charged?
Can a company owned by Facebook ever be trusted with your data privacy?
Will security and privacy always take the back seat to usability and convenience?

Stay safe online and use Signal!

If you liked this post then you might also like my recent post about Surveillance in the Workplace – Care or Coercion?

Do you care about InfoSec and Privacy? Then YOU need to use a VPN.

Did you find this helpful? Please subscribe!

3 thoughts on “The Worsening of WhatsApp – Signal for Privacy”

Data Privacy Day 2021 - Privacy Aware – MlakarTechTalk says:

January 28, 2021 at 11:07 pm

[…] If you liked this post then you might also like my post about The Worsening of WhatsApp – Signal for Privacy […]

Signal Stands Firm Against UK Anti-Encryption Bill – MlakarTechTalk says:

September 30, 2023 at 10:59 pm

[…] Signal is my go-to app for secure and private communications. The company / app has been around for almost 10 years. Founded by Moxie Marlinspike and Brian Acton. Moxie is a security researcher and former head of security at Twitter. Brian co-founded WhatsApp and left in disgust after Facebook purchased the company. […]

Defend Your Fortress: Signal Usernames for Phone Privacy – MlakarTechTalk says:

December 27, 2023 at 4:43 pm

[…] now. I started using it heavily when WhatsApp was purchased by Facebook a.k.a. Meta in 2014. I wrote about my concerns and they eventually manifested into […]