Whatsapp and Instagram hacks show that “online privacy” industry is largely snake oil
DESPITE what you may have heard, cybersecurity experts cannot really guarantee your security.
In early 2019, news emerged of an incredible Whatsapp security breach that permitted hackers to turn the target’s smartphone into an all-in-one remote video, audio and text surveillance tool. According to the FT, the hack worked by exploiting a security flaw in Whatsapp’s video call feature, enabling a hostile entity to install the dreaded Pegasus mobile surveillance malware on the target’s phone by targeting a missed call at their number. Within a few hours of the flaw going public, Whatsapp rushed
out an update that purportedly fixed the hole, and encouraged users to install the update and rest easy – nothing to see here folks!
In the same month, Instagram joined the list of Meta-owned platforms to suffer a major security crisis, with a researcher stumbling across sensitive details linked to 49 million Instagram accounts. Inevitably, there followed a bland corporate statement from Facebook assuring users that it was looking into the breach, and would unravel how the data became public. While these were two very different types of security concerns, they both serve to illustrate a fundamentally true, albeit unpleasant truth about the ‘online security’ movement – nothing that passes through the internet will ever be truly “private” in the absolute sense of the word. Anyone who says otherwise is selling snake oil.
6HFXULW\ QHUGV DUH QRW WKDW JRRG DW VHFXULW\
The biggest strength of security nerds offering a variety of fixes, encryptions and workarounds purportedly keeping information secret on the internet is also their greatest weakness – they have a terrible habit of reducing security to a set of narrow technical issues. In the real world, security is a large, multifaceted issue with multiple potential failure points. Governments, especially, understand this very well. Security nerds, however, tend to focus exclusively on fixing specific problems and then declaring “We have fixed internet security forever!”
In actual fact, those with an interest in compromising user security – especially state-backed actors – do not see their mission as merely “hacking Whatsapp” or “penetrating Gmail.” They think of the information they wish to steal, and they devise means of getting to that in3-dimensionally formation that may or may not involve the high tech hacks that the nerds spend all day fighting against. Thus, while they think about how to access private information, the internet security person functions within a very narrowly-defined set of parameters that prevents them from actually doing their job well.
7KH VROXWLRQ WR WHFK DLGHG VS\LQJ LV OHVV WHFK QRW PRUH
Whatsapp, for example, has spent years crowing about how its end-to-end encryption makes it impossible to snoop on users via data interception. To the nerds, the fact that an intercepted Whatsapp message cannot be read is proof that fully secure instant messaging has been achieved.
To a suitably resourced hacker, however, this is a mere inconvenience. A state actor for example, would work around it by finding a way to install screen-reading malware on the target’s phone or hack the target’s Google account, giving them access to the unencrypted chat backups stored in plain CSV format on the Google Drive.
In other words, if a suitably resourced actor really wants to spy on your messages, view your pictures and listen to your conversations, they will – regardless of whatever the security nerds writing Really Intelligent Code might be telling you.
This leads to the unavoidable conclusion that nothing on the internet is ever truly secure. As long as it has ever existed on a cloud server, it is safe to assume that whoever wants it badly enough and has the resources to make it happen will get it. No amount of Really Smart Dudes writing endless amounts of code will stop a determined, midsized national government for example, from gaining access to whatever information it wants.
If you really want your information to be invisible and bulletproof in this environment, you need to ditch your smartphone and buy a feature phone that cannot access the internet. You also need to get rid of any device or service that requires access to a cloud. If, like most ordinary people, these sacrifices are too much for you to make, then you need to accept that you will never be completely “private” in the true sense of it. That ship has sailed, and we might as well deal with it.
In other words, if a suitably resourced actor really wants to spy on your messages, view your pictures and listen to your conversations, they will – regardless of whatever the security nerds writing Really Intelligent Code might be telling you