So what happens when an invitation to a group discussion is shared using a web link? Nothing good, as this article from Motherboard demonstrates. The lesson to learn here is simple: don’t expose discussion groups! Indeed, a single loose end can result in a serious security issue…
So what happened?
In WhatsApp you can generate a link to invite persons to your group discussion. You can also decide to share this link outside of WhatsApp. For instance you could publish that URL on a website or a forum. This way anyone who wants to join your group can simply follow the link.
What could go wrong? Well, whoever shares that group discussion link publicly exposes its participants… and their phone numbers!
As an illustration, imagine you belong to an NGO. A search engine could index the WhatsApp invitation link shared among its members. Consequently a simple search on Google would allow someone to obtain all the phone numbers of the organisation members!
This can obviously be very dangerous, as someone opposed to that organisation could start doxing its members: a phone number is indeed a good starting point for gathering info on someone!
One could also stumble upon one of the many WhatsApp groups sharing adult material. If for some reason he joins that group, his phone number becomes exposed as a group participant. Not necessarily the kind of membership one wants to be publicly available, right?
Why does Google index those group invitation links? Because that’s how search engines work. If something is publicly accessible then the search engine indexes it. And it works for Google as well as for DuckDuckGo, Qwant or StartPage!
Don’t expose discussion groups
At Seeld we’re pretty much opinionated about what one user should be authorized to do. Certainly, we’re talking about a private messaging systems here. Therefore what’s the purpose of sharing a group discussion?
We certainly can see why WhatsApp decided to add the feature of sharing a group discussion using a link: send the link to someone who’s not on WhatsApp and potentially recruit a new user!
In other words: expand at the expense of security.
However convenience cannot take precedence over privacy.
Effectively this group sharing feature goes beyond WhatsApp’s secure boundaries. If one willingly or unwillingly exposes something from a private application then he must consider all the risks involved. By all means, this is not an easy task!
So at Seeld we decided not to take this risk.
Seeld puts privacy first
Obviously you can start a group discussion. But Seeld only informs the group’s participants within its boundaries. There is no point in exposing that discussion with a link! Unless one wants to use that link to force persons in joining their messaging system, of course. But by now you should know we don’t have that kind of motivation.
Furthermore, Seeld fully encrypts the details of that group discussion at the client level. So our servers are unable to access those details. In fact, no one but the participants can see who is part of the group! So even if Seeld servers suffers a breach, its participants are safe from exposure.
Of course we also avoid asking information we don’t need, such as your phone number. The best way of preventing data leaks is to avoid storing it in the first place!