Whatsapp Comes Under New Scrutiny For Privacy Policy, Encryption Gaffs

Feb 21 2014, 2:51pm CST | by , in News | Technology News

Facebook no doubt did its due diligence before acquiring messaging app firm WhatsApp for more than the gross domestic product of Iceland. But now that the deal’s been announced, the privacy community is subjecting the company to its own form of scrutiny, and finding a lot not to like.

On Thursday, researcher Paul Jauregui of the security firm Praetorian outlined a series of oversights in how WhatsApp ensures the encryption of its users’ communications, the latest in a series of concerns raised over the degree to which the company protects its 450 million users’ privacy from hackers, spies and now its new owners at Facebook.

Jauregui points to the lack of the SSL encryption safeguard known as “certificate pinning,” which prevents the forgery of the digital certificate proving that an app or website is sending encrypted information to the intended recipient. SSL’s certificate forgery problem has come to light as certificate authority firms including DigiNotar and Comodo have been hacked to create false credentials and perform “man-in-the-middle” attacks that would invisibly intercept data despite supposed SSL encryption. Though the attack would require a certain level of sophistication, WhatsApp could have easily prevented it with certificate pinning, Jauregui points out. “It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic,” he writes. “This is the kind of stuff the NSA would love.”

Jauregui also points out that WhatsApp supports “null ciphers”–cipher suites that provide no encryption at all, so that a connection can fall back to plaintext if the app and the server don’t agree on a stronger cipher–as well as SSLv2, a version of SSL often considered to be insecure.
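The two gaps above, a pinned-certificate check and a client that refuses SSLv2/SSLv3 and NULL cipher suites, as an added example using Python’s ssl module (not code from the article, Praetorian or WhatsApp); the certificate bytes are a constructed stand-in and the connect_pinned/pin_matches helpers are illustrative names, not any real app’s API.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded server certificate; a real client
# ships the SHA-256 fingerprint of its own server's certificate instead.
EXAMPLE_CERT_DER = b"-- constructed stand-in for DER certificate bytes --"
PINNED_SHA256 = hashlib.sha256(EXAMPLE_CERT_DER).hexdigest()

def hardened_client_context() -> ssl.SSLContext:
    """Client context without the gaps the article lists: no SSLv2/SSLv3
    (or TLS 1.0/1.1) and no NULL cipher suites."""
    ctx = ssl.create_default_context()  # chain + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # eNULL = no encryption, aNULL = no authentication; exclude both.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4")
    return ctx

def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses legacy protocol versions and offers
    no cipher suite that would negotiate 'no encryption'."""
    new_enough = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    no_null = all("NULL" not in c["name"] for c in ctx.get_ciphers())
    return new_enough and no_null

def pin_matches(cert_der: bytes, pinned_sha256: str) -> bool:
    """Compare the presented certificate's fingerprint with the pin in
    constant time, so the comparison leaks nothing through timing."""
    seen = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(seen, pinned_sha256.lower())

def connect_pinned(host: str, port: int, pinned_sha256: str) -> ssl.SSLSocket:
    """Open a TLS connection and abort unless the leaf certificate matches
    the pin. A forged certificate from a compromised CA passes ordinary
    chain validation but is rejected here."""
    ctx = hardened_client_context()
    tls = ctx.wrap_socket(socket.create_connection((host, port)),
                          server_hostname=host)
    try:
        if not pin_matches(tls.getpeercert(binary_form=True), pinned_sha256):
            raise ssl.SSLError("certificate pin mismatch for %s" % host)
    except Exception:
        tls.close()
        raise
    return tls
```

Pinning the leaf certificate this way means the pin must be rotated whenever the server certificate is renewed, which is the operational cost that makes pinning easy to skip.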

Aside from those encryption oversights, WhatsApp’s other privacy issue may be more intentional: the sheer amount of data it collects. Privacy researcher and former developer for the anonymity software Tor (and sometimes Forbes contributor) Runa Sandvik pointed out on her Twitter feed that despite WhatsApp’s lack of ads, its privacy policy allows it to periodically scan the mobile address book of its users and upload the numbers to its server, albeit without names attached to those numbers. It collects the IP address of anyone who visits its website, along with the site they visited previously and afterwards. And it also tracks who the user talks to and when, a vast metadata collection that no doubt figured into the company’s high acquisition price. Though it’s not certain Facebook will merge the data sets, WhatsApp’s terms of service explicitly allows any acquirer to do so.

I’ve contacted WhatsApp for comment on all of these concerns, and I’ll update this post if I hear back from the company.

WhatsApp’s privacy issues aren’t new, but they’re receiving renewed attention as the app hits the spotlight. In early 2013, the Canadian Privacy Commission performed a thorough study of the app’s privacy protections, and found that it was collecting too many phone numbers of non-users via users’ address books, improperly encrypting messages, and not making fully clear how and whether it retained users’ message history. And another flaw found by a researcher at the University of Utrecht in October of last year would have allowed anyone to decrypt its messages. PandoDaily has outlined the company’s spotty security and privacy history here.

WhatsApp’s privacy flaws and data collection are hardly uncommon among mobile apps or even much larger tech firms. But they’re more embarrassing for a company that has touted itself as an alternative to other more spy-friendly communication channels. “I grew up in a society where everything you did was eavesdropped on, recorded, snitched on,” the company’s Ukrainian-born founder Jan Koum told Wired UK. “Nobody should have the right to eavesdrop, or you become a totalitarian state — the kind of state I escaped as a kid to come to this country where you have democracy and freedom of speech. Our goal is to protect it. We have encryption between our client and our server. We don’t save any messages on our servers, we don’t store your chat history. They’re all on your phone.”

In an age where the NSA has taken advantage of every technical chink in software’s armor to surveil communications, it’s a nice idea. Now the privacy community is holding Koum–and his new boss Mark Zuckerberg–to those terms.


Follow me on Twitter , email me, anonymously send me sensitive documents or tips , and check out the new paperback edition of my book, This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers.

Source: Forbes
