
So a few months ago I opened WhatsApp and got that message in the app. Wait, I thought it was end-to-end encrypted? And I bet you thought so too, right? Well, not quite. Of course WhatsApp uses your data! It’s a business, you know!
Until recently you would have thought WhatsApp would only peek at your metadata (when you write, who you write to, etc.). But now it’s creepier than that. Now it shares metadata with Facebook. And it can read your messages!
How WhatsApp was born (a very quick review)

Strictly speaking, WhatsApp was born in 2009. However it did not have all the bells and whistles it has today. For instance, it did not have end-to-end encryption. It implemented simple encryption in 2012. Then Facebook bought it at the start of 2014. And by November 2014 they partnered with Open Whisper Systems to provide end-to-end encryption. They finished in 2016.
Sounds like WhatsApp touches perfection. And it’s free, right? But appearances are deceiving. So, where’s the catch?
Of course WhatsApp uses your data
Why? Because it’s a business. Especially since Facebook bought it! And a business must make money. So the question remains: how can they make money from an encrypted messaging system?
Well, if they can’t harvest your messages they have to get their data elsewhere. That’s called metadata.
On March 17, 2014, right after Facebook bought WhatsApp, one of the messaging app’s founders (Jan Koum) published a post to “set the record straight”. In short, he states that WhatsApp hasn’t gathered sensitive data so far and partnering with Facebook won’t change a thing. Right. But it still gathers some data: your phone number, who you message and when. Micah Lee from The Intercept warned us!
That might not look like much. But it is! Stanford published a mind-blowing study on how much you can learn about a person just from his telephone metadata. Using data any app would get once installed on a phone, plus the volunteers’ phone records, they were able to predict the person’s location. Or understand whether a person was in a relationship. Or whether he was ill. It’s amazing the info they could guess from those phone records!
Never underestimate the power of metadata. But wait, it gets better.
It’s about cross-referencing
In September 2016, the German regulator ordered Facebook to stop gathering and storing data obtained from WhatsApp. And one year later the CNIL (France’s watchdog) demanded the same. At least now we know there’s data to share!
But why is sharing data between Facebook and WhatsApp worrying? Because their data can be cross-referenced! The messaging app knows your phone number. So does Facebook. And Facebook knows so much more about you: your full name, your friends, what you like or not, etc. On the other hand, WhatsApp knows who you call. With that info, Facebook knows your contacts, even if they’re not your friends in the social network. Gone is your privacy!
When Facebook bought WhatsApp, they essentially bought even more metadata to add to their systems. And by mining that data they run a successful business. After all, one doesn’t buy WhatsApp for $19 billion if it can’t make lots of money with it!
WhatsApp uses your data, including your messages
Wait, what? WhatsApp set the record straight, right? End-to-end encryption? Well, not always. It appears that Facebook can obtain a readable copy of your messages. Why? Because they moderate messages flagged as “improper”. This flagging is currently manual. But WhatsApp is not Open Source: we cannot know if the client app implements a simple AI to detect sensitive keywords.
Anyways, anyone can flag one of your messages. When that happens your metadata is processed: name, phone number, Facebook profile, Instagram accounts, device fingerprinting… Yep, that’s a lot of data. Then a human reviewer examines the flagged message. They can ignore it, ban the account or put it on a watch list.
Now, here’s an interesting question: who has access to that info? Facebook of course. But what about a subpoena? Then the Department of Justice could see all that data. What if there’s a leak? Then hackers can see that data. Catch my drift? If that data is obtained and used for the wrong reasons (such as when you don’t like the currently-elected president), then using such a messaging system becomes a problem. Not to mention that you’ve been cheated by WhatsApp and Facebook.
No one should use your data
Let’s sum up. WhatsApp is a “free” messaging system. But in fact it’s not free. You pay it with your metadata, because one can cross-reference that data with more data. Facebook bought WhatsApp so that it can access that info. That’s how the business goes: they mine data and use it for targeted ads. However that data can and will be misused. More worryingly, Facebook receives copies of your messages under certain circumstances. And we don’t really know which ones, do we?
Of course WhatsApp uses your data. Bummer. I wouldn’t call that a secure and private messaging system.
A secure and private messaging app shouldn’t use your phone number to register. It would protect or avoid logging your metadata, so that no one is tempted to use it for business reasons afterwards. It would be managed by an independent group whose business model doesn’t include data mining.
Certainly not a small feat, but one that Seeld will try to reach.
PS: I know “Facebook” is called “Meta” nowadays. But at least naming it “Facebook” reminds me where that company comes from.