Whatsapp Comes Under New Scrutiny For Privacy Policy, Encryption Gaffs

Feb 21 2014, 2:51pm CST | by


Facebook no doubt did its due diligence before acquiring messaging app firm WhatsApp for more than the gross domestic product of Iceland. But now that the deal’s been announced, the privacy community is subjecting the company to its own form of scrutiny, and finding a lot not to like.

On Thursday, researcher Paul Jauregui of the security firm Praetorian outlined a series of oversights in how WhatsApp ensures the encryption of its users’ communications, the latest in a series of concerns raised over the degree to which the company protects its 450 million users’ privacy from hackers, spies and now its new owners at Facebook.

Jauregui points to the lack of the SSL encryption safeguard known as “certificate pinning,” which prevents the forgery of the digital certificate proving that an app or website is sending encrypted information to the intended recipient. SSL’s certificate forgery problem has come to light as certificate authority firms including Diginotar and Comodo have been hacked to create false credentials and perform “man-in-the-middle” attacks that would invisibly intercept data despite supposed SSL encryption. Though the attack would require a certain level of sophistication, WhatsApp could have easily prevented it with certificate pinning, Jauregui points out. “It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic,” he writes. “This is the kind of stuff the NSA would love.”

Jauregui also points out that WhatsApp supports “null ciphers”–essentially the policy of automatically switching to no encryption at all if the app’s encryption techniques don’t match those of the server–as well as SSLv2, an implementation of SSL often considered to be insecure.
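The two client-side safeguards discussed above, certificate pinning and the refusal of null ciphers and legacy SSL versions, can be sketched as follows. This is an added example, not code from WhatsApp, Praetorian or the original article; the certificate byte strings are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_CERT_DER = b"constructed-der-bytes-of-the-genuine-server-cert"
FORGED_CERT_DER = b"constructed-der-bytes-of-a-cert-from-a-compromised-ca"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(cert_der).hexdigest()

# The pin set ships inside the client, so trust does not rest on CAs alone.
PINNED = frozenset({fingerprint(GENUINE_CERT_DER)})

def pin_matches(cert_der: bytes, pins=PINNED) -> bool:
    """True only if the presented certificate is one the client pinned."""
    return fingerprint(cert_der) in pins

def hardened_context() -> ssl.SSLContext:
    """Client context that refuses legacy protocols and unencrypted suites."""
    ctx = ssl.create_default_context()  # CA validation plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv2/SSLv3
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL")  # no null or anonymous suites
    return ctx

def offers_null_cipher(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context offer any NULL-encryption suite?"""
    return any("NULL" in c["name"] for c in ctx.get_ciphers())

def connect_pinned(host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect, then drop the connection unless the leaf certificate is pinned."""
    raw = socket.create_connection((host, port), timeout=10)
    sock = hardened_context().wrap_socket(raw, server_hostname=host)
    # A CA-signed but unpinned certificate passes the handshake and fails here.
    if not pin_matches(sock.getpeercert(binary_form=True)):
        sock.close()
        raise ssl.SSLError("certificate does not match any pinned fingerprint")
    return sock
```

Deployed pinning usually hashes the certificate's public key (SubjectPublicKeyInfo) rather than the whole certificate, so a reissued certificate with the same key still matches.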

Aside from those encryption oversights, WhatsApp’s other privacy issue may be more intentional: the sheer amount of data it collects. Privacy researcher and former developer for the anonymity software Tor (and sometimes Forbes contributor) Runa Sandvik pointed out on her Twitter feed that despite WhatsApp’s lack of ads, its privacy policy allows it to periodically scan the mobile address book of its users and upload the numbers to its server, albeit without names attached to those numbers. It collects the IP address of anyone who visits its website, along with the site they visited previously and afterwards. And it also tracks who the user talks to and when, a vast metadata collection that no doubt figured into the company’s high acquisition price. Though it’s not certain Facebook will merge the data sets, WhatsApp’s terms of service explicitly allow any acquirer to do so.

I’ve contacted WhatsApp for comment on all of these concerns, and I’ll update this post if I hear back from the company.

WhatsApp’s privacy issues aren’t new, but they’re receiving renewed attention as the app hits the spotlight. In early 2013, the Canadian Privacy Commission performed a thorough study of the app’s privacy protections, and found that it was collecting too many phone numbers of non-users via users’ address books, improperly encrypting messages, and not fully making clear how and whether it retained their message history. And another flaw found by a researcher at the University of Utrecht in October of last year would have allowed anyone to decrypt its messages. PandoDaily has outlined the company’s spotty security and privacy history here.

WhatsApp’s privacy flaws and data collection are hardly uncommon among mobile apps or even much larger tech firms. But they’re more embarrassing for a company that has touted itself as an alternative to other more spy-friendly communication channels. “I grew up in a society where everything you did was eavesdropped on, recorded, snitched on,” the company’s Ukrainian-born founder Jan Koum told Wired UK. “Nobody should have the right to eavesdrop, or you become a totalitarian state — the kind of state I escaped as a kid to come to this country where you have democracy and freedom of speech. Our goal is to protect it. We have encryption between our client and our server. We don’t save any messages on our servers, we don’t store your chat history. They’re all on your phone.”

In an age where the NSA has taken advantage of every technical chink in software’s armor to surveil communications, it’s a nice idea. Now the privacy community is holding Koum–and his new boss Mark Zuckerberg–to those terms.



Source: Forbes

 
