WhatsApp Comes Under New Scrutiny For Privacy Policy, Encryption Gaffes

This article is more than 10 years old.

Facebook no doubt did its due diligence before acquiring messaging app firm WhatsApp for more than the gross domestic product of Iceland. But now that the deal's been announced, the privacy community is subjecting the company to its own form of scrutiny, and finding a lot not to like.

On Thursday, researcher Paul Jauregui of the security firm Praetorian outlined a series of oversights in how WhatsApp ensures the encryption of its users' communications, the latest in a series of concerns raised over the degree to which the company protects its 450 million users' privacy from hackers, spies and now its new owners at Facebook.

Jauregui points to the lack of the SSL encryption safeguard known as "certificate pinning," which prevents the forgery of the digital certificate proving that an app or website is sending encrypted information to the intended recipient. SSL's certificate forgery problem has come to light as certificate authority firms including Diginotar and Comodo have been hacked to create false credentials and perform "man-in-the-middle" attacks that would invisibly intercept data despite supposed SSL encryption. Though the attack would require a certain level of sophistication, WhatsApp could have easily prevented it with certificate pinning, Jauregui points out. "It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic," he writes. "This is the kind of stuff the NSA would love."

Jauregui also points out that WhatsApp supports "null ciphers"--essentially the policy of automatically switching to no encryption at all if the app's encryption techniques don't match those of the server--as well as SSLv2, an implementation of SSL often considered to be insecure.
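The three client-side safeguards discussed above (a pinned certificate, no null ciphers, no legacy SSL versions) can be sketched as follows. This is an added example, not code from WhatsApp or Praetorian; it uses Python's standard `ssl` module for illustration, and the sample certificate bytes, the pin set and the function names are constructed assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the server's DER-encoded certificate; a real client
# would ship the SHA-256 of its own server's certificate as the pin.
SAMPLE_CERT_DER = b"constructed-sample-certificate-bytes"
PINNED_SHA256 = {hashlib.sha256(SAMPLE_CERT_DER).hexdigest()}


def build_context() -> ssl.SSLContext:
    """Client context that cannot negotiate SSLv2/SSLv3 or unencrypted suites."""
    ctx = ssl.create_default_context()            # CA validation + hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    # Explicitly exclude NULL-encryption and anonymous (unauthenticated) suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!eNULL:!aNULL")
    return ctx


def cert_matches_pin(cert_der: bytes, pins=PINNED_SHA256) -> bool:
    """True only if the presented certificate hashes to one of the pinned values."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return any(hmac.compare_digest(digest, p) for p in pins)


def connect_pinned(host: str, port: int = 443, pins=PINNED_SHA256) -> ssl.SSLSocket:
    """Open a TLS connection and drop it unless the leaf certificate is pinned."""
    sock = build_context().wrap_socket(
        socket.create_connection((host, port), timeout=10), server_hostname=host
    )
    if not cert_matches_pin(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("certificate does not match pinned fingerprint")
    return sock
```

With the pin check in place, a certificate that chains to a trusted but compromised certificate authority is still rejected, because its hash differs from the value shipped with the client.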

Aside from those encryption oversights, WhatsApp's other privacy issue may be more intentional: the sheer amount of data it collects. Privacy researcher and former developer for the anonymity software Tor (and sometimes Forbes contributor) Runa Sandvik pointed out on her Twitter feed that despite WhatsApp's lack of ads, its privacy policy allows it to periodically scan the mobile address book of its users and upload the numbers to its server, albeit without names attached to those numbers. It collects the IP address of anyone who visits its website, along with the site they visited previously and afterwards. And it also tracks who the user talks to and when, a vast metadata collection that no doubt figured into the company's high acquisition price.

"I think is more broad than what should be considered the default," she says. "When you think about the information Facebook has, what you like, your friends...combined with this dataset it gives Facebook the ability to know even more about its users." Though it's not certain Facebook will merge the data sets, Sandvik points out that WhatsApp's terms of service explicitly allow any acquirer to do so.

I've contacted WhatsApp for comment on all of these concerns, and I'll update this post if I hear back from the company.

WhatsApp's privacy issues aren't new, but they're receiving renewed attention as the app hits the spotlight. In early 2013, the Canadian Privacy Commission performed a thorough study of the app's privacy protections, and found that it was collecting too many phone numbers of non-users via users' address books, improperly encrypting messages, and not making fully clear how and whether it retained their message history. And another flaw found by a researcher at the University of Utrecht in October of last year would have allowed anyone to decrypt its messages. PandoDaily has outlined the company's spotty security and privacy history here.

WhatsApp's privacy flaws and data collection are hardly uncommon among mobile apps or even much larger tech firms. But they're more embarrassing for a company that has touted itself as an alternative to other more spy-friendly communication channels. "I grew up in a society where everything you did was eavesdropped on, recorded, snitched on," the company's Ukrainian-born founder Jan Koum told Wired UK. "Nobody should have the right to eavesdrop, or you become a totalitarian state -- the kind of state I escaped as a kid to come to this country where you have democracy and freedom of speech. Our goal is to protect it. We have encryption between our client and our server. We don't save any messages on our servers, we don't store your chat history. They're all on your phone."

In an age where the NSA has taken advantage of every technical chink in software's armor to surveil communications, it's a nice idea. Now the privacy community is holding Koum--and his new boss Mark Zuckerberg--to those terms.
