Latest News: Technology |  Celebrity |  Movies |  Apple |  Cars |  Business |  Sports |  TV Shows |  Geek

Trending

Filed under: News | Technology News

 

Whatsapp Comes Under New Scrutiny For Privacy Policy, Encryption Gaffs

1 Updates
Whatsapp Comes Under New Scrutiny For Privacy Policy, Encryption Gaffs
 
 

YouTube Videos Comments

Full Story

Whatsapp Comes Under New Scrutiny For Privacy Policy, Encryption Gaffs

Facebook no doubt did its due diligence before acquiring messaging app firm WhatsApp for more than the gross domestic product of Iceland. But now that the deal’s been announced, the privacy community is subjecting the company to its own form of scrutiny, and finding a lot not to like.

On Thursday, researcher Paul Jauregui of the security firm Praetorian outlined a series of oversights in how WhatsApp ensures the encryption of its users’ communications, the latest in a series of concerns raised over the degree to which the company protects its 450 million users’ privacy from hackers, spies and now its new owners at Facebook.

Jauregui points to the lack of the SSL encryption safeguard known as “certificate pinning,” which prevents the forgery of the digital certificate proving that an app or website is sending encrypted information to the intended recipient. SSL’s certificate forgery problem has come to light as certificate authority firms including Diginotar and Comodo have been hacked to create false credentials and perform “man-in-the-middle” attacks that would invisibly intercept data despite supposed SSL encryption. Though the attack would require a certain level of sophistication, WhatsApp could have easily prevented it with certificate pinning, Jauregui points out. “It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic,” he writes. “This is the kind of stuff the NSA would love.”

Jauregui also points out that WhatsApp supports “null ciphers”–essentially the policy of automatically switching to no encryption at all if the the app’s encryption techniques don’t match those of the server–as well as SSLv2, an implementation of SSL often considered to be insecure.

Aside from those encryption oversights, WhatsApp’s other privacy issue may be more intentional: the sheer amount of data it collects. Privacy researcher and former developer for the anonymity software Tor (and sometimes Forbes contributor) Runa Sandvik pointed out on her Twitter feed that despite WhatsApp’s lack of ads, its privacy policy allows it to periodically scan the mobile address book of its users and upload the numbers to its server, albeit without names attached to those numbers. It collects the IP address of anyone who visits its website, along with the site they visited previously and afterwards. And it also tracks who the user talks to and when, a vast metadata collection that no doubt figured into the company’s high acquisition price. Though it’s not certain Facebook will merge the data sets, WhatsApp’s terms of service explicitly allows any acquirer to do so.

I’ve contacted WhatsApp for comment on all of these concerns, and I’ll update this post if I hear back from the company.

WhatsApp’s privacy issues aren’t new, but they’re receiving renewed attention as the app hits the spotlight. In early 2013, the Canadian Privacy Commission performed a thorough study of the app’s privacy protections, and found that it was collecting too many phone numbers of non-users via users’ address books, improperly encrypting messages, and didn’t fully make clear how and whether it retained their message history. And another flaw found by a researcher at the University of Utrecht in October of last year would have allowed anyone to decrypt its messages. PandoDaily has outlined the company’s spotty security and privacy history here.

WhatsApp’s privacy flaws and data collection are hardly uncommon among mobile apps or even much larger tech firms. But they’re more embarrassing for a company that has touted itself as an alternative to other more spy-friendly communication channels. “I grew up in a society where everything you did was eavesdropped on, recorded, snitched on,” the company’s Ukrainian-born founder Jan Koum told Wired UK. “Nobody should have the right to eavesdrop, or you become a totalitarian state — the kind of state I escaped as a kid to come to this country where you have democracy and freedom of speech. Our goal is to protect it. We have encryption between our client and our server. We don’t save any messages on our servers, we don’t store your chat history. They’re all on your phone.”

In an age where the NSA has taken advantage of every technical chink in software’s armor to surveil communications, it’s a nice idea. Now the privacy community is holding Koum–and his new boss Mark Zuckerberg–to those terms.


Follow me on Twitter , email me, anonymously send me sensitive documents or tips , and check out the new paperback edition of my book, This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers.

Source: Forbes

 

iPad Air Giveaway. Win a free iPad Air.

You Might Also Like

Updates


Sponsored Update


Advertisement


More From the Web

Shopping Deals

 
 
 

<a href="/latest_stories/all/all/31" rel="author">Forbes</a>
Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.

 

 

Comments

blog comments powered by Disqus

Latest stories

Chloe Grace Moretz starring in “Dead as a Doornail” Drama
Chloe Grace Moretz starring in “Dead as a Doornail” Drama
Chloe Grace Moretz is starring in a drama titled “If I Stay” that is “dead as a doornail”. At least that is what the reviews say.
 
 
Britney Spears wants her Freedom Back
Britney Spears wants her Freedom Back
Britney Spears is fed up living under her father's control since the past six years. Now she wants her freedom back.
 
 
Leaked Photos Claim To Show iPad Air 2 Internal Parts
Leaked Photos Claim To Show iPad Air 2 Internal Parts
French blog iPhonote gives us a glance at what is claimed to be the iPad Air 2′s GPS antenna, microphone, and Wi-Fi module components
 
 
iPhone 6 docs confirm 128GB version
iPhone 6 docs confirm 128GB version
Gone is the 32GB memory option with the 64GB one sitting in its place.
 
 
 

About the Geek Mind

The “geek mind” is concerned with more than just the latest iPhone rumors, or which company will win the gaming console wars. I4U is concerned with more than just the latest photo shoot or other celebrity gossip.

The “geek mind” is concerned with life, in all its different forms and facets. The geek mind wants to know about societal and financial issues, both abroad and at home. If a Fortune 500 decides to raise their minimum wage, or any high priority news, the geek mind wants to know. The geek mind wants to know the top teams in the National Football League, or who’s likely to win the NBA Finals this coming year. The geek mind wants to know who the hottest new models are, or whether the newest blockbuster movie is worth seeing. The geek mind wants to know. The geek mind wants—needs—knowledge.

Read more about The Geek Mind.