what-matters-in-security

WhatsApp, FB Messenger, iMessage, government; life not so private after all!

In "WhatsApp: A whopping growth journey by the numbers, and what it means for you", we explored the stratospheric quantitative growth of the WhatsApp platform and its value propositions. We also explored how some of its strongest unique selling points included end-to-end encryption (E2EE) and its business-friendly approach, making it a platform for choice for both individual and business needs.

We discussed the pros and cons of E2EE in:

While researching and writing this article, I also came across several posts and reports where META (former Facebook) delayed its plans to use E2EE in its Facebook Messenger and Instagram platforms to at least 2023.

My research showed there is apparent friction between:

  • Big Tech wants to upgrade the privacy capabilities of their platforms to drive higher commercial value propositions for their global user base.
  • Customers are increasingly exposed to news that people they do not authorise directly are being given access to their personal information with limited control, e.g. employees, partners and government agencies.
  • Government and enforcement agencies are pushing all Big Tech companies to either stop new rollouts or provide them with a backdoor mechanism for them to use to combat online abuse and crime.

Noise! Suspicions! Theories? Facts?

While there is a lot of "noise" around the accelerated adoption of E2EE in other messaging apps, there are parallel increasing reports around:

  • Third parties having access to the messages sent/received.
  • Messages stored without encryption or being easily decryptable. This means they are not necessarily private at rest.
  • Messages are stored in the cloud, making them vulnerable to government requests.
  • Deleted messages are only "marked for deletion" and not necessarily physically deleted. This means they technically can still be retrieved, read and reported on.
  • Group chats are stored in the cloud to support synchronisation and ease of communication, making them an easy centralised point of attack.
  • Giving its parent company (META, i.e. former Facebook) even more information about yourself, your friends, and communication styles. E.g. it tracks how much time you spend on an app, knows who your friends are, how you use it etc.
  • To be clear, no app is impenetrable, and as long as you use messaging apps, there is always the risk of your information being accessed by someone else the communications were not intended for.

It gets worse

In a conversation that matters, Patrick Bet David Patrick Bet-David sat down with former Facebook moderator Shawn Speagle.

In this interview, they talk about:

  • His experience working as a META (Facebook, Instagram, Whatsapp, Facebook Messenger) content moderator.
  • Some of the things he saw while working there.
  • What type of access to information do META and partner agents have access to.
I strongly suggest you follow this conversation.

META alone owns Instagram, WhatsApp, Facebook and Facebook Messenger. This means that data from all systems across META are accessible to law enforcement agencies should META comply with requests for information (over and above any internal abuse and potential bribery of employees to access information).

Law enforcement

New IT rules, applicable to large social media platforms, including WhatsApp, Twitter, Facebook, Microsoft etc., are being put into force that allows governments to keep tabs and give access to private conversations, driving new concerns over privacy and freedom of expression.

While organisations have publicly refuted making such capabilities available to governments, official FBI documents/leaks of such documents show something completely different!

Warrants

Warrants are built on the principle that should you be suspected of a criminal offence, legal enforcement departments can serve you with an authentic warrant to WhatsApp, to get access to all your messages in easily readable plain text. This means that while the messages can be secure in transmission (using technology like E2EE), they must be stored in an easily reversible way. This would allow companies like META to be legally supportive of regulatory frameworks against fraud and criminal activity should there be enough evidence against an individual/entity on-demand.

While, in principle, this information can be made available to legitimate queries, what is to stop employees or third parties supporting the service from accessing such information illegitimately.

There is a reason why China has already banned Facebook, WhatsApp, Quora etc., in favour of local variants, and the USA worked to ban Huawei, TikTok etc. Is this clarity around superpowers having access to the personal information of their constituents?

Think about what they would have access to:

  • Your friends
  • Your likes
  • Your purchases
  • Your financial info
  • Your contact info
  • Your apps
  • Your patterns of behaviour

It gets worse

While big tech has built and continued building several fronts preaching the importance of privacy, especially when it comes to secure messaging, a document allegedly obtained from the FBI claims how easy it is to harvest and access data from these services, including WhatsApp.

The document (titled "Lawful Access", dated Jan 7, 2021) describes that while messages are safe while being transferred, the weakness remains at the endpoints, where law enforcement agencies have multiple paths to gain lawful access to the data from these messaging solutions.

Document Detail - Property of the People

Today, WhatsApp is the most popular messaging app globally, with more than 2 billion connected and networked users (Statista, Nov 2021).

The document highlights the value of the data that such solutions reveal. It also provides context around how WhatsApp will provide near-real-time information about a user and their activities when presented with a formal warrant, including address-book contacts and other meta-information that may be available. While identifying some limitations in the content of the data, the range of available data is still impressive, it flies in the face of the perception of privacy driven by technological terms such as end-to-end encryption.

This information needs to be taken in the context that a regulatory agency may request and access data and information from a broader set of services, including iMessage, iCloud, Instagram, Facebook Messenger etc.

Other organisations, including Apple, have shown that they provide similar support to government agencies that can either get customer consent or request a search warrant that will give them the required access.

Conclusion

I cannot say I am surprised by the outcomes of my findings to date.

What I am more surprised at is my own surprise at how smooth the dots connected between the misdirection caused by the attack on E2EE while building such backdoor bridges that still give the necessary access legal entities need to do their work.

What started as an interest in the success of WhatsApp led me down a phenomenal train ride exploring several stops along the way:

  • What E2EE is and how it provides value.
  • The controversy around E2EE.
  • The fuel behind the growth of WhatsApp.
  • Organisations continue to misdirect using noble causes and achieve what they need in an ever-changing world.

By the end, I learned a lot and reinforced my belief that E2EE is great for the greater good!

I would love to learn more about your opinion on this!

Let me know….


Let us know what you think!. We believe in productive discourse and welcome opportunities to refine our understanding through discussion. Comment in the comments area below or reach out on hi@andremuscat.com

Comments

Follow Andre Muscat and join the conversation. As a follower, you will also receive new posts by email (you can unfollow at any time).

Share on


Tags

Follow today!

Keep up to date on new postings and materials

Follow Now