Whatsapp Comes Under New Scrutiny For Privacy Policy, Encryption Gaffs

Posted: Feb 21 2014, 2:51pm CST | by , Updated: Feb 21 2014, 7:39pm CST, in News | Technology News

 
Whatsapp Comes Under New Scrutiny For Privacy Policy, Encryption Gaffs
/* Story Top Left 2010 300x250, created 7/15/10 */ google_ad_slot = "8340327155";
 

Black Friday Deals Tracker is Live

Facebook no doubt did its due diligence before acquiring messaging app firm WhatsApp for more than the gross domestic product of Iceland. But now that the deal’s been announced, the privacy community is subjecting the company to its own form of scrutiny, and finding a lot not to like.

On Thursday, researcher Paul Jauregui of the security firm Praetorian outlined a series of oversights in how WhatsApp ensures the encryption of its users’ communications, the latest in a series of concerns raised over the degree to which the company protects its 450 million users’ privacy from hackers, spies and now its new owners at Facebook.

Jauregui points to the lack of the SSL encryption safeguard known as “certificate pinning,” which prevents the forgery of the digital certificate proving that an app or website is sending encrypted information to the intended recipient. SSL’s certificate forgery problem has come to light as certificate authority firms including Diginotar and Comodo have been hacked to create false credentials and perform “man-in-the-middle” attacks that would invisibly intercept data despite supposed SSL encryption. Though the attack would require a certain level of sophistication, WhatsApp could have easily prevented it with certificate pinning, Jauregui points out. “It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic,” he writes. “This is the kind of stuff the NSA would love.”

Jauregui also points out that WhatsApp supports “null ciphers”–essentially the policy of automatically switching to no encryption at all if the the app’s encryption techniques don’t match those of the server–as well as SSLv2, an implementation of SSL often considered to be insecure.

Aside from those encryption oversights, WhatsApp’s other privacy issue may be more intentional: the sheer amount of data it collects. Privacy researcher and former developer for the anonymity software Tor (and sometimes Forbes contributor) Runa Sandvik pointed out on her Twitter feed that despite WhatsApp’s lack of ads, its privacy policy allows it to periodically scan the mobile address book of its users and upload the numbers to its server, albeit without names attached to those numbers. It collects the IP address of anyone who visits its website, along with the site they visited previously and afterwards. And it also tracks who the user talks to and when, a vast metadata collection that no doubt figured into the company’s high acquisition price. Though it’s not certain Facebook will merge the data sets, WhatsApp’s terms of service explicitly allows any acquirer to do so.

I’ve contacted WhatsApp for comment on all of these concerns, and I’ll update this post if I hear back from the company.

WhatsApp’s privacy issues aren’t new, but they’re receiving renewed attention as the app hits the spotlight. In early 2013, the Canadian Privacy Commission performed a thorough study of the app’s privacy protections, and found that it was collecting too many phone numbers of non-users via users’ address books, improperly encrypting messages, and didn’t fully make clear how and whether it retained their message history. And another flaw found by a researcher at the University of Utrecht in October of last year would have allowed anyone to decrypt its messages. PandoDaily has outlined the company’s spotty security and privacy history here.

WhatsApp’s privacy flaws and data collection are hardly uncommon among mobile apps or even much larger tech firms. But they’re more embarrassing for a company that has touted itself as an alternative to other more spy-friendly communication channels. “I grew up in a society where everything you did was eavesdropped on, recorded, snitched on,” the company’s Ukrainian-born founder Jan Koum told Wired UK. “Nobody should have the right to eavesdrop, or you become a totalitarian state — the kind of state I escaped as a kid to come to this country where you have democracy and freedom of speech. Our goal is to protect it. We have encryption between our client and our server. We don’t save any messages on our servers, we don’t store your chat history. They’re all on your phone.”

In an age where the NSA has taken advantage of every technical chink in software’s armor to surveil communications, it’s a nice idea. Now the privacy community is holding Koum–and his new boss Mark Zuckerberg–to those terms.


Follow me on Twitter , email me, anonymously send me sensitive documents or tips , and check out the new paperback edition of my book, This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers.

Source: Forbes

This story may contain affiliate links.

Comments

The Author


Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.

 

 

Advertisement

comments powered by Disqus