Thursday, May 23, 2024

WhatsApp Vulnerability: How Governments Can See Who You Message

WhatsApp, the popular messaging app owned by Meta, has been warned about a vulnerability that allows governments to bypass its encryption and determine who users are communicating with. The vulnerability, known as “traffic analysis,” involves monitoring internet traffic on a large scale to identify patterns and connections between users. While the contents of conversations remain secure, governments can still gather metadata to make inferences about users’ activities. This vulnerability is not unique to WhatsApp but affects other messaging platforms as well. However, the internal threat assessment emphasizes that WhatsApp should prioritize the safety of its vulnerable users and take steps to mitigate these vulnerabilities.

The concern over this vulnerability has been heightened in the context of the ongoing conflict in Gaza. Some WhatsApp employees speculate that Israel may be exploiting this vulnerability to monitor Palestinians, as digital surveillance plays a role in determining targets for assassination. While WhatsApp denies any evidence of vulnerabilities or backdoors, the company has not addressed whether Israel is exploiting this vulnerability.

The assessment highlights the significance of metadata in intelligence and military operations. Metadata, which includes information about who, when, and where conversations occur, can be used to make accurate inferences about individuals. Former NSA chief Michael Hayden famously stated that “we kill people based on metadata.” However, even baseless analyses of metadata can have lethal consequences, potentially leading to the killing of innocent people.

The publication of an exposé on Israel’s data-centric approach to war has brought attention to the WhatsApp threat assessment within Meta. The exposé revealed that Israel’s military uses a software system called Lavender to automatically identify potential targets for assassination based on a range of personal characteristics and digital behaviors, including WhatsApp usage. This revelation has raised concerns among Meta employees that their product may be contributing to the targeting of innocent people.

Efforts to press Meta for information about the vulnerability and its potential use by Israel have been unsuccessful. Meta employees concerned about this issue and other aspects of the war have organized under a campaign called Metamates 4 Ceasefire, demanding an end to censorship within the company.

The internal assessment explains how governments can exploit the vulnerability by observing encrypted data and using correlation attacks to de-anonymize users. WhatsApp’s security team has identified several examples of how these attacks can compromise privacy. However, addressing this vulnerability presents a challenge for Meta, as it involves a tradeoff between performance and privacy. Enhancing security measures may make the app slower and less accessible to its wide user base.

The assessment suggests that protecting at-risk users will clash with Meta’s profit-driven goal of maximizing market share. Meta has a history of inaction in response to problems until they become overwhelming, as seen in the case of Facebook’s role in Myanmar’s Rohingya genocide. Balancing privacy and market dominance will always be a tension for the company.

To address the vulnerability, WhatsApp’s security team proposes building protections for at-risk users and operating as one team. They suggest adopting a hardened security mode similar to Apple’s “Lockdown Mode” for iOS. However, even this extra setting could potentially make users stand out and become targets.

In conclusion, WhatsApp’s vulnerability to traffic analysis poses a significant threat to user privacy and safety. While the company denies evidence of vulnerabilities, concerns remain about potential exploitation by governments, particularly in conflict zones like Gaza. Addressing this vulnerability requires a delicate balance between privacy and accessibility, as well as a commitment to protecting at-risk users.
