WhatsApp cofounder Brian Acton expressed outrage at Facebook’s privacy policies last month by tweeting “It is time. #deletefacebook.” But WhatsApp’s Facebook-like group chat features also have design flaws that jeopardize user privacy. Maybe it’s also time to #DeleteWhatsApp.
WhatsApp differentiates itself from parent company Facebook by touting its end-to-end encryption. “Some of your most personal moments are shared with WhatsApp,” the company writes on its website, so “your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.”
But WhatsApp members may not be aware that when using the app’s Group Chat feature, their data can be harvested by anyone in the group. What is worse, their mobile numbers can be used to identify and target them.
WhatsApp groups are designed to enable up to 256 people to join a shared chat without having to go through a central administrator. Group originators can add contacts from their phones or create links enabling anyone to opt in. These groups, which can be found through web searches, discuss topics as diverse as agriculture, politics, pornography, sports, and technology. Not all groups have links, but in those that do, anyone who finds the link can join the group. While all new joining members are announced to the group, they are not required to provide a name or otherwise identify themselves. This design could leave inattentive members open to targeting, as a new report from European researchers shows.
The researchers demonstrated that a tech-savvy person can easily obtain treasure troves of data from WhatsApp groups by using nothing more than an old Samsung smartphone running scripts and off-the-shelf applications. This is not a security breach — the app is working exactly as designed.
Kiran Garimella of École Polytechnique Fédérale de Lausanne in Switzerland sent me a draft of a paper he coauthored with Gareth Tyson, from Queen Mary University, U.K. Titled “WhatsApp, doc? A first look at WhatsApp public group data,” it details how they were able to obtain data from nearly half a million messages exchanged between 45,794 WhatsApp users in 178 public groups over a six-month period, including the users’ mobile numbers and any images, videos, and web links they had shared. The groups had titles such as “funny,” “love vs. life,” “XXX,” “nude,” and “box ofﬁce movies,” as well as the names of political parties and sports teams.
The researchers obtained lists of public WhatsApp groups through web searches and used a browser automation tool to join a few of the roughly 2,000 groups they found — a process requiring little human intervention and easily applicable to a larger set of groups. Their smartphone began to receive large streams of messages, which WhatsApp stored in a local database. The data is encrypted, but the cipher key is stored inside the RAM of the mobile device itself. This allowed the researchers to decrypt the data using a technique developed by Indian researchers L.P. Gudipaty and K.Y. Jhala.
Note: The method Garimella and Tyson used only allowed them to access data posted to each of the groups after they’d joined; they weren’t able to access any earlier data posted in the groups.
The researchers’ goal was to determine how WhatsApp could be used for social science research (they plan to make their dataset and tools publicly available after they anonymize the data). But their paper demonstrates how easily marketers, hackers, and governments can take advantage of the WhatsApp platform — with no contractual restraints and for almost no cost.
This can have a much darker side. The New York Times recently published a story on the Chinese government’s detention of human rights activist Zhang Guanghong after the government monitored a WhatsApp group of Guanghong’s friends, with whom he had shared an article criticizing China’s president. The Times speculated that the government had hacked his phone or had a spy in his group chat, but gathering such information is easy for anyone with a group hyperlink or access to a server.
Earlier this year, Wired reported that researchers from Ruhr-University Bochum in Germany found a series of flaws in encrypted messaging applications that enable anyone who controls a WhatsApp server to “effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation.” Gaining access to a computer server requires sophisticated hacking skills or the type of access only governments can gain. But as Wired wrote, “the premise of so-called end-to-end encryption has always been that even a compromised server shouldn’t expose secrets.”
Researcher Paul Rösler reportedly said, “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them … If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little.”
The bottom line is that Facebook and its family of companies are being much too casual about privacy, as we have seen from the Cambridge Analytica revelations. To avoid causing further harm to freedom and democracy, these social media giants need to be held to higher standards.
Editor’s note: VentureBeat reached out to WhatsApp regarding the researchers’ findings, but the company did not provide a statement.
Vivek Wadhwa is Distinguished Fellow at Carnegie Mellon University Engineering at Silicon Valley and author of The Driver in the Driverless Car: How Our Technology Choices Will Create the Future.