But WhatsApp may need to look in the mirror. Its members may not be aware that when using WhatsApp’s “group chat” feature, they are susceptible to the same type of data harvesting and profiling that Cambridge Analytica employed on Facebook. WhatsApp goes further, making available mobile phone numbers, which can be used to accurately identify and locate group members.
WhatsApp groups are designed to enable discussions between family and friends. Businesses also use them to provide information and support. The originators of groups can add contacts from their phones or create links enabling anyone to opt in. These groups, which can be found through web searches, discuss topics as diverse as agriculture, politics, pornography, sports, and technology.
Researchers in Europe demonstrated that any tech-savvy person can obtain treasure troves of data from WhatsApp groups by using nothing more than an old Samsung smartphone running scripts and off-the-shelf applications.
Kiran Garimella, of École Polytechnique Fédérale de Lausanne, in Switzerland sent me a draft of a paper he co-authored with Gareth Tyson, of Queen Mary University, UK, titled “WhatsApp, doc? A first look at WhatsApp public group data”. It details how they were able to obtain data from nearly half a million messages exchanged between 45,754 WhatsApp users in 178 public groups over a six-month period, including their mobile numbers and the images, videos, and web links that they had shared. The groups had titles such as “funny”, “love vs. life”, “XXX”, “nude”, and “box office movies”, as well as the names of political parties and sports teams.
The researchers obtained lists of public WhatsApp groups through web searches and used a browser automation tool to join a few of the roughly 2,000 groups they found—a process requiring little human intervention and easily applicable to a larger set of groups. Their smartphones began to receive large streams of messages, which WhatsApp stored in a local database. The data is encrypted, but the cipher key is stored inside the RAM of the mobile device itself. This allowed the researchers to decrypt the data using a technique developed by Indian researchers, LP Gudipaty and KY Jhala. It was no harder than using a key hidden atop a door to enter a home.
The researchers’ goal was to determine how WhatsApp could be used for social science research. They plan to make their dataset and tools publicly available after they anonymise the data. Their intentions are good, but their paper has exposed the flaws of the application, and how easily marketers, hackers, and governments can take advantage of the WhatsApp platform.
Indeed, The New York Times recently published a story on the Chinese government’s detention of human rights activist, Zhang Guanghong, after monitoring a WhatsApp group of Guanghong’s friends, with whom he had shared an article that criticised China’s president. The Times speculated that the government had hacked his phone or had a spy in his group chat; but gathering such information is easy for anyone with a group hyperlink.
This is not the only fly in the WhatsApp ointment that this year has revealed. Wired reported that researchers from Ruhr-University Bochum, in Germany, found a series of flaws in encrypted messaging applications that enable anyone who controls a WhatsApp server to “effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation”. Gaining access to a computer server requires sophisticated hacking skills or the type of access that only governments can gain. But as Wired wrote, “the premise of so-called end-to-end encryption has always been that even a compromised server shouldn’t expose secrets”.
Researcher Paul Rösler has said: “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them… If I hear there’s end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little”.
WhatsApp also announced in 2016 that it would be sharing user data, including phone numbers, with Facebook. In an exchange of emails, the company told me that it does not track location within a country and does not share contacts or messages, which are encrypted, with Facebook. But it did confirm that it shares phone numbers, device identifiers, operating system information, control choices, and usage information with the “Facebook family of companies”. That leaves open the question as to whether Facebook could then track those users in greater detail even if WhatsApp doesn’t.
Facebook and its “family of companies” are being much too casual about privacy, as we have seen from the Cambridge Analytica revelations, harming freedom and democracy. It is time to hold them all accountable for their massive breaches of our privacy.