Is it time to #DeleteWhatsApp?
We should hold all social media companies accountable for the massive breaches of privacy
WhatsApp differentiates itself from Facebook by touting its end-to-end encryption. “Some of your most personal moments are shared with WhatsApp”, it says, so “your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands”. A WhatsApp founder recently expressed outrage at Facebook’s privacy policies by tweeting “It is time. #deletefacebook”. But WhatsApp may need to look in the mirror. Its members may not be aware that when using WhatsApp’s “group chat” feature, they are susceptible to the same type of data harvesting and profiling that Cambridge Analytica employed on Facebook. WhatsApp makes available mobile phone numbers, which can be used to accurately identify and locate group members.
WhatsApp groups are designed to enable discussions between family and friends. Businesses also use them to provide information and support. The originators of groups can add contacts from their phones or create links enabling anyone to opt in. These
HEALING TOUCH
groups, which can be found through web searches, discuss topics as diverse as agriculture, politics and pornography.
Researchers in Europe demonstrated that any tech-savvy person can obtain treasure troves of data from WhatsApp groups by using nothing more than an old Samsung smartphone running scripts.
Kiran Garimella, of École Polytechnique Fédérale de Lausanne, in Switzerland sent me a draft of a paper he co-authored with Gareth Tyson, of Queen Mary University, UK, titled “WhatsApp, doc? A first look at WhatsApp public group data”. It details how they were able to obtain data from nearly half a million messages exchanged between 45,754 WhatsApp users in 178 public groups over a six-month period, including their mobile numbers and the images, videos, and web links that they had shared.
The researchers obtained lists of public WhatsApp groups through web searches and used a browser automation tool to join a few of the roughly 2,000 groups they found. Their smartphones began to receive large streams of messages, which WhatsApp stored in a local database. The data is encrypted, but the cipher key is stored inside the RAM of the mobile device itself. This allowed the researchers to decrypt the data using a technique developed by Indian researchers, LP Gudipaty and KY Jhala. It was no harder than using a key hidden atop a door to enter a home.
The researchers’ goal was to determine how WhatsApp could be used for social science research. They plan to make their dataset and tools publicly available after they anonymise the data. Their intentions are good, but their paper has exposed the flaws of the application, and how easily marketers, hackers, and governments can take advantage of the WhatsApp platform.
Indeed, The New York Times recently published a story on the Chinese government’s detention of human rights activist, Zhang Guanghong, after monitoring a WhatsApp group of Guanghong’s friends, with whom he had shared an article that criticised China’s president. The Times speculated that the government had hacked his phone ; but gathering such information is easy for anyone with a group hyperlink.
This is not the only fly in the WhatsApp ointment that this year has revealed. Wired reported that researchers in Germany, found a series of flaws in encrypted messaging applications that enable anyone who controls a WhatsApp server to “effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation”. Gaining access to a computer server requires sophisticated hacking skills or the type of access that only governments can gain. But as Wired wrote, “the premise of so-called end-to-end encryption has always been that even a compromised server shouldn’t expose secrets”.
WhatsApp also announced in 2016 that it would be sharing user data, including phone numbers, with Facebook. In an exchange of emails, the company told me that it does not track location within a country and does not share contacts or messages, which are encrypted, with Facebook. But it did confirm that it is sharing users’ phone numbers, device identifiers, operating system information, control choices, and usage information with the “Facebook family of companies”. That leaves open the question as to whether Facebook could then track those users in greater detail even if WhatsApp doesn’t.
Facebook and its “family of companies” are being much too casual about privacy. It is time to hold them all accountable for their massive breaches of our privacy.