WhatsApp differentiates itself from Facebook by touting its privacy and end-to-end encryption. “Some of your most personal moments are shared with WhatsApp”, it says, so “your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands”. A WhatsApp founder expressed outrage at Facebook’s policies by tweeting “It is time. #deletefacebook”.
But WhatsApp may need to look into the mirror. Its members may not be aware that when using WhatsApp’s “group chat” feature, they are also susceptible to data harvesting and profiling. What’s worse is that WhatsApp makes available mobile-phone numbers, which can be used to accurately identify and locate group members.
WhatsApp groups are designed to enable discussions between family and friends. Businesses also use them to provide information and support. The originators of groups can add contacts from their phones or create links enabling anyone to opt-in. These groups, which can be found through web searches, discuss topics as diverse as agriculture, politics, pornography, sports, and technology.
Researchers in Europe demonstrated that any tech-savvy person can obtain treasure troves of data from WhatsApp groups by using nothing more than an old Samsung smartphone running scripts and off-the-shelf applications.
Kiran Garimella, of École Polytechnique Fédérale de Lausanne, in Switzerland sent me a draft of a paper he coauthored with Gareth Tyson, of Queen Mary University, U.K. titled “WhatsApp, doc? A first look at WhatsApp public group data”. It details how they were able to obtain data from nearly half a million messages exchanged between 45,754 WhatsApp users in 178 public groups over a six-month period, including their mobile numbers and the images, videos, and web links that they had shared. The groups had titles such as “funny”, “love vs. life”, “XXX”, “nude”, and “box ofﬁce movies”, as well as the names of political parties and sports teams.
The researchers obtained lists of public WhatsApp groups through web searches and used a browser automation tool to join a few of the roughly 2000 groups they found—a process requiring little human intervention and easily applicable to a larger set of groups. Their smartphone began to receive large streams of messages, which WhatsApp stored in a local database. The data are encrypted, but the cipher key is stored inside the RAM of the mobile device itself. This allowed the researchers to decrypt the data using a technique developed by Indian researchers L.P. Gudipaty and K.Y. Jhala. It was no harder than using a key hidden atop a door to enter a home.
The researchers’ goal was to determine how WhatsApp could be used for social-science research. They plan to make their dataset and tools publicly available after they anonymize the data. Their intentions are good, but their paper illustrates how easily marketers, hackers, and governments can take advantage of the WhatsApp platform.
Indeed, The New York Times recently published a story on the Chinese Government’s detention of human-rights activist Zhang Guanghong after monitoring a WhatsApp group of Guanghong’s friends, with whom he had shared an article that criticized China’s president. The Times speculated that the Government had hacked his phone or had a spy in his group chat; but gathering such information is easy for anyone with a group hyperlink.
This is not the only fly in the WhatsApp ointment that this year has revealed. Wired reported that researchers from Ruhr-University Bochum, in Germany, found series of flaws in encrypted messaging applications that enable anyone who controls a WhatsApp server to “effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation”. Gaining access to a computer server requires sophisticated hacking skills or the type of access that governments can only gain. But as Wired wrote, “the premise of so-called end-to-end encryption has always been that even a compromised server shouldn’t expose secrets”.
Researcher Paul Rösler reportedly said: “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them… If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little”.
WhatsApp also announced in 2016 that it would be sharing user data, including phone numbers, with Facebook. In an exchange of emails, the company told me that it does not track location within a country and does not share contacts or messages, which are encrypted, with Facebook. But it did confirm that it is sharing users’ phone numbers, device identifiers, operating-system information, control choices, and usage information with the “Facebook family of companies”. That leaves open the question as to whether Facebook could then track those users in greater detail even if WhatsApp doesn’t.
Facebook and its “family of companies” are being much too casual about privacy, as we have seen from the Cambridge Analytica revelations, harming freedom and democracy. It is time to hold them all accountable for the bad design of their products and the massive breaches of our privacy that they enable.