{"id":262918,"date":"2024-05-27T12:01:18","date_gmt":"2024-05-27T11:01:18","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=262918"},"modified":"2024-05-24T05:50:55","modified_gmt":"2024-05-24T04:50:55","slug":"this-undisclosed-whatsapp-vulnerability-lets-governments-see-who-you-message","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2024\/05\/this-undisclosed-whatsapp-vulnerability-lets-governments-see-who-you-message\/","title":{"rendered":"This Undisclosed WhatsApp Vulnerability Lets Governments See Who You Message"},"content":{"rendered":"
\"\"<\/a>

The Instagram, Facebook, and WhatsApp apps seen on a smartphone, reflecting the Meta logo.\u00a0 Photo: Jens B’ttner\/picture-alliance\/dpa\/AP Images<\/p><\/div>\n

Engineers warned Meta that nations can monitor chats; staff fear Israel is using this trick to pick assassination targets in Gaza. <\/em><\/p><\/blockquote>\n

22 May 2024 <\/em>– In March, WhatsApp\u2019s<\/span> security team issued an internal warning to their colleagues: Despite the software\u2019s powerful encryption, users remained vulnerable to a dangerous form of government surveillance. According to the previously unreported threat assessment obtained by The Intercept, the contents of conversations among the app\u2019s 2 billion users remain secure. But government agencies, the engineers wrote, were \u201cbypassing our encryption\u201d to figure out which users communicate with each other, the membership of private groups, and perhaps even their locations.<\/p>\n

The vulnerability is based on \u201ctraffic analysis,\u201d a decades-old network-monitoring technique, and relies on surveying internet traffic at a massive national scale. The document makes clear that WhatsApp isn\u2019t the only messaging platform susceptible. But it makes the case that WhatsApp\u2019s owner, Meta, must quickly decide whether to prioritize the functionality of its chat app or the safety of a small but vulnerable segment of its users.<\/p>\n

\u201cWhatsApp should mitigate the ongoing exploitation of traffic analysis vulnerabilities that make it possible for nation states to determine who is talking to who,\u201d the assessment urged. \u201cOur at-risk users need robust and viable protections against traffic analysis.\u201d<\/p>\n

Against the backdrop of the ongoing war on Gaza, the threat warning raised a disturbing possibility among some employees of Meta. WhatsApp personnel have speculated Israel might be exploiting this vulnerability as part of its program to monitor Palestinians at a time when digital surveillance is helping decide who to kill across the Gaza Strip<\/a>, four employees told The Intercept.<\/p>\n

\u201cWhatsApp has no backdoors and we have no evidence of vulnerabilities in how WhatsApp works,\u201d said Meta spokesperson Christina LoNigro.<\/p>\n

Though the assessment describes the \u201cvulnerabilities\u201d as \u201congoing,\u201d and specifically mentions WhatsApp 17 times, LoNigro said the document is \u201cnot a reflection of a vulnerability in WhatsApp,\u201d only \u201ctheoretical,\u201d and not unique to WhatsApp. LoNigro did not answer when asked if the company had investigated whether Israel was exploiting this vulnerability.<\/p>\n

Even though the<\/span> contents of WhatsApp communications are unreadable, the assessment shows how governments can use their access to internet infrastructure to monitor when and where encrypted communications are occurring, like observing a mail carrier ferrying a sealed envelope. This view into national internet traffic is enough to make powerful inferences about which individuals are conversing with each other, even if the subjects of their conversations remain a mystery. \u201cEven assuming WhatsApp\u2019s encryption is unbreakable,\u201d the assessment reads, \u201congoing \u2018collect and correlate\u2019 attacks would still break our intended privacy model.\u201d<\/p>\n

\u201cThe nature of these systems is that they\u2019re going to kill innocent people and nobody is even going to know why.\u201d<\/strong><\/em><\/p><\/blockquote>\n

The WhatsApp threat assessment does not describe specific instances in which it knows this method has been deployed by state actors. But it cites extensive reporting by the New York Times<\/a> and Amnesty International<\/a> showing how countries around the world spy on dissident encrypted chat app usage, including WhatsApp, using the very same techniques.<\/p>\n

As war has grown increasingly computerized, metadata \u2014 information about the who, when, and where of conversations \u2014 has come to hold immense value to intelligence, military, and police agencies around the world. \u201cWe kill people based on metadata,\u201d former National Security Agency chief Michael Hayden once infamously quipped<\/a>.<\/p>\n

But even baseless analyses of metadata can be lethal, according to Matthew Green, a professor of cryptography at Johns Hopkins University. \u201cThese metadata correlations are exactly that: correlations. Their accuracy can be very good or even just good. But they can also be middling,\u201d Green said. \u201cThe nature of these systems is that they\u2019re going to kill innocent people and nobody is even going to know why.\u201d<\/p>\n

It wasn\u2019t until the April publication of an expos\u00e9 about Israel\u2019s data-centric approach to war that the WhatsApp threat assessment became a point of tension inside Meta.<\/p>\n

A joint report by +972 Magazine and Local Call<\/a> revealed last month that Israel\u2019s army uses a software system called Lavender to automatically greenlight Palestinians in Gaza for assassination. Tapping a massive pool of data about the Strip\u2019s 2.3 million inhabitants, Lavender algorithmically assigns \u201calmost every single person in Gaza a rating from 1 to 100, expressing how likely it is that they are a militant,\u201d the report states, citing six Israeli intelligence officers. \u201cAn individual found to have several different incriminating features will reach a high rating, and thus automatically becomes a potential target for assassination.\u201d<\/p>\n

WhatsApp usage is among the multitude of personal characteristics and digital behaviors the Israeli military uses to mark Palestinians for death.<\/em><\/strong><\/p><\/blockquote>\n

The report indicated WhatsApp usage is among the multitude of personal characteristics and digital behaviors the Israeli military uses to mark Palestinians for death, citing a book on AI targeting written by the current commander of Unit 8200, Israel\u2019s equivalent of the NSA. \u201cThe book offers a short guide to building a \u2018target machine,\u2019 similar in description to Lavender, based on AI and machine-learning algorithms,\u201d according to the +972 expos\u00e9. \u201cIncluded in this guide are several examples of the \u2018hundreds and thousands\u2019 of features that can increase an individual\u2019s rating, such as being in a Whatsapp group with a known militant.\u201d<\/p>\n

The Israeli military did not respond to a request for comment, but told The Guardian<\/a> last month that it \u201cdoes not use an artificial intelligence system that identifies terrorist operatives or tries to predict whether a person is a terrorist.\u201d The military stated that Lavender \u201cis simply a database whose purpose is to cross-reference intelligence sources, in order to produce up-to-date layers of information on the military operatives of terrorist organizations. This is not a list of confirmed military operatives eligible to attack.\u201d<\/p>\n

It was only after the publication of the Lavender expos\u00e9 and subsequent writing on the topic<\/a> that a wider swath of Meta staff discovered the March WhatsApp threat assessment, said the four company sources, who spoke on the condition of anonymity, fearing retaliation by their employer. Reading how governments might be able to extract personally identifying metadata from WhatsApp\u2019s encrypted conversations triggered deep concern that this same vulnerability could feed into Lavender or other Israeli military targeting systems.<\/p>\n

Efforts to press Meta from within to divulge what it knows about the vulnerability and any potential use by Israel have been fruitless, the sources said, in line with what they describe as a broader pattern of internal censorship against expressions of sympathy or solidarity with Palestinians since the war began.<\/p>\n

Meta employees concerned by the possibility their product is putting innocent people in Israeli military crosshairs, among other concerns related to the war, have organized under a campaign they\u2019re calling Metamates 4 Ceasefire. The group has published an open letter<\/a> signed by more than 80 named staff members. One of its demands is \u201can end to censorship \u2014 stop deleting employee\u2019s words internally.\u201d<\/p>\n

Meta spokesperson Andy Stone told The Intercept any workplace discussion of the war is subject to the company\u2019s general workplace conduct rules, and denied such speech has been singled out. \u201cOur policy is written with that in mind and outlines the types of discussions that are appropriate for the workplace. If employees want to raise concerns, there are established channels for doing so.\u201d<\/p>\n

\"MENLO
Crowds gather outside of Meta headquarters in Menlo Park, Calif., to protest Mark Zuckerberg and Meta\u2019s censoring of Palestine posts on social platforms, on Nov. 3, 2023.
\n<\/span>Photo: Tayfun Coskun\/Anadolu via Getty Images<\/span><\/figcaption><\/figure>\n

According to the<\/span> internal assessment, the stakes are high: \u201cInspection and analysis of network traffic is completely invisible to us, yet it reveals the connections between our users: who is in a group together, who is messaging who, and (hardest to hide) who is calling who.\u201d<\/p>\n

The analysis notes that a government can easily tell when a person is using WhatsApp, in part because the data must pass through Meta\u2019s readily identifiable corporate servers. A government agency can then unmask specific WhatsApp users by tracing their IP address, a unique number assigned to every connected device, to their internet or cellular service provider account.<\/p>\n

WhatsApp\u2019s internal security team has identified several examples of how clever observation of encrypted data can thwart the app\u2019s privacy protections, a technique known as a correlation attack, according to this assessment. In one, a WhatsApp user sends a message to a group, resulting in a burst of data of the exact same size being transmitted to the device of everyone in that group. Another correlation attack involves measuring the time delay between when WhatsApp messages are sent and received between two parties \u2014 enough data, the company believes, \u201cto infer the distance to and possibly the location of each recipient.\u201d<\/p>\n

The internal warning notes that these attacks require all members of a WhatsApp group or both sides of a conversation to be on the same network and within the same country or \u201ctreaty jurisdiction,\u201d a possible reference to the Five Eyes spy alliance between the U.S., Australia, Canada, U.K., and New Zealand. While the Gaza Strip has its own Palestinian-operated telecoms, its internet access ultimately runs through Israeli fiber optic cables<\/a> subject to Israeli state surveillance. Although the memo suggests that users in \u201cwell functioning democracies with due process and strong privacy laws\u201d may be less vulnerable, it also highlights the NSA\u2019s use of these telecom-tapping techniques on U.S. soil.<\/p>\n

\u201cToday\u2019s messenger services weren\u2019t designed to hide this metadata from an adversary who can see all sides of the connection,\u201d Green, the cryptography professor, told The Intercept. \u201cProtecting content is only half the battle. Who you communicate [with] and when is the other half.\u201d<\/p>\n

The assessment reveals WhatsApp has been aware of this threat since last year, and notes the same surveillance techniques work against other competing apps. \u201cAlmost all major messenger applications and communication tools do not include traffic analysis attacks in their threat models,\u201d said Donncha \u00d3 Cearbhaill, head of Amnesty International\u2019s Security Lab, told The Intercept. \u201cWhile researchers have known these attacks are technically possible, it was an open question if such attacks would be practical or reliable on a large scale, such as whole country.\u201d<\/p>\n

The assessment makes clear that WhatsApp engineers grasp the severity of the problem, but also understand how difficult it might be to convince their company to fix it. The fact that these de-anonymization techniques have been so thoroughly documented and debated in academic literature, Green explained, is a function of just how \u201cincredibly difficult\u201d it is to neutralize them for a company like Meta. \u201cIt\u2019s a direct tradeoff between performance and responsiveness on one hand, and privacy on the other,\u201d he said.<\/p>\n

Asked what steps the company has taken to shore up the app against traffic analysis, Meta\u2019s spokesperson told The Intercept, \u201cWe have a proven track record addressing issues we identify and have worked to hold bad actors accountable. We have the best engineers in the world proactively looking to further harden our systems against any future threats and we will continue to do so.\u201d<\/p>\n

The WhatsApp threat assessment notes that beefing up security comes at a cost for an app that prides itself on mass appeal. It will be difficult to better protect users against correlation attacks without making the app worse in other ways, the document explains. For a publicly traded giant like Meta, protecting at-risk users will collide with the company\u2019s profit-driven mandate of making its software as accessible and widely used as possible.<\/p>\n

\u201cThe tension is always going to be market share, market dominance.\u201d<\/strong><\/em><\/p><\/blockquote>\n

\u201cMeta has a bad habit of not responding to things until they become overwhelming problems,\u201d one Meta source told The Intercept, citing the company\u2019s inaction when Facebook was used to incite violence during Myanmar\u2019s Rohingya genocide<\/a>. \u201cThe tension is always going to be market share, market dominance, focusing on the largest population of people rather than a small amount of people [that] could be harmed tremendously.\u201d<\/p>\n

The report warns that adding an artificial delay to messages to throw off attempts to geolocate the sender and receiver of data, for instance, will make the app feel slower to all 2 billion users \u2014 most of whom will never have to worry about the snooping of intelligence agencies. Making the app transmit a regular stream of decoy data to camouflage real conversations, another idea floated in the assessment, could throw off snooping governments. But it might also have the adverse effect of hurting battery life and racking up costly mobile data bills.<\/p>\n

To WhatsApp\u2019s security personnel, the right approach is clear. \u201cWhatsApp Security cannot solve traffic analysis alone,\u201d the assessment reads. \u201cWe must first all agree to take on this fight and operate as one team to build protections for these at-risk, targeted users. This is where the rubber meets the road when balancing WhatsApp\u2019s overall product principle of privacy and individual team priorities.\u201d<\/p>\n

The memo suggests WhatsApp may adopt a hardened security mode for at-risk users similar to Apple\u2019s \u201cLockdown Mode\u201d for iOS. But even this extra setting could accidentally imperil users in Gaza or elsewhere, according to Green. \u201cPeople who turn this feature on could also stand out like a sore thumb,\u201d he said. \u201cWhich itself could inform a targeting decision. Really unfortunate if the person who does it is some kid.\u201d<\/p>\n

_________________________________________________<\/p>\n

\n
\n
\"\"<\/a> <\/em><\/div>\n
<\/div>\n
<\/div>\n
Sam Biddle – <\/a> sam.biddle@theintercept.com – <\/a> <\/span> <\/span> @sambiddle.29 <\/span> on Signal<\/span> <\/span> <\/span> – @sambiddle.bsky.social <\/a> on Bluesky<\/span> <\/span> <\/span> – @samfbiddle <\/a> on X<\/span> <\/span> <\/span><\/em><\/div>\n<\/div>\n<\/div>\n

 <\/p>\n

 <\/p>\n

Go to Original – theintercept.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

22 May 2024 – Engineers warned Meta that nations can monitor chats; staff fear Israel is using this trick to pick assassination targets in Gaza.<\/p>\n","protected":false},"author":4,"featured_media":262919,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[62],"tags":[87,88,2689,1006,1109,911,2661],"class_list":["post-262918","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-media","tag-gaza","tag-israel","tag-metaverse","tag-social-media","tag-spying","tag-surveillance","tag-whatsapp"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/262918","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=262918"}],"version-history":[{"count":4,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/262918\/revisions"}],"predecessor-version":[{"id":262924,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/262918\/revisions\/262924"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media\/262919"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=262918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=262918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=262918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}