“Is it secret? Is it safe?” – Gandalf – Fellowship of the Ring – J. R. R. Tolkien
Those immortal words were spoken about quite a different subject matter than the one we’re addressing today: A magical ring that was once seen as just a clever trick. Those words were fuelled by worry, by traumatic experience, and by healthy paranoia.
We’re no wizards of course; our knowledge is limited to this too, too solid realm (read some Shakespeare if you don’t get the reference). And yet many of us had those same questions immediately spring to mind when WhatsApp recently announced their Terms of Service changes. The line that sparked the most alarm was:
“WhatsApp receives information from, and shares information with, the other Facebook Companies. We may use the information we receive from them, and they may use the information we share with them, to help operate.”
This was mainly a move to help sell targeted advertising by sharing demographics and the like within the Company Group. But people had a lot of privacy concerns, of course.
After a massive amount of backlash, WhatsApp reassured its users that private conversations will remain private, and they pushed back the effective data sharing date a couple of times, ultimately settling on May 15th.
The last few weeks have been an absolute maelstrom of scientific discussion, whispered rumours, shouted lies, online messenger turf wars, conspiracy theories, expert opinions, and mass confusion.
All of it boils down to two basic questions that still need to be answered, however:
Is WhatsApp secret? Is WhatsApp safe?
What do you think?
Did I hear that right? WhatsApp uses the Signal Security Protocol?
To answer the questions of ‘secret’ and ‘safe’, we have to look at the way that WhatsApp encrypts their messages, and their ability to monitor them.
WhatsApp uses the Signal protocol to encrypt its chat messages end-to-end. The Signal protocol (not to be confused with the Signal app… until we intentionally mention that in our next post) was developed by Open Whisper Systems. Make a note of that, it’s going to come up again in a little while, believe it or not.
Properly implemented, the Signal protocol is incredibly secure. And we have no reason to think that it was improperly implemented, as the inventors themselves spent two years integrating it into every aspect of WhatsApp. To confirm that someone is who they say they are, users can even manually compare public keys with those they’ve chatted to in the past.
The important bit: Nothing that was recently announced changes any of that, as far as point-to-point and group messages are concerned. The only real loophole is on the OS of the device itself, which buffers a message before it gets encrypted. It’s technically possible that the WhatsApp and Facebook apps could pass raw data back and forth if they had the right permissions on someone’s phone. But with people watching both apps like a hawk for any changes, that’s unlikely to happen any time soon.
So if your messages are private on WhatsApp, and the end-to-end encryption remains unchanged, what’s the big deal?
Your personal data. That’s the big deal. Isn’t it always?
What the WhatsApp announcement changes is the scope of how much of your personal data the two firms plan to commingle. This now includes location data, real name, phone number, address, login habits, sleep times, buying habits, cell network subscription, and a bunch of other stuff. They’ve essentially pledged to protect your messages, but freely share everything else about you. Bear in mind that the information is to be shared only internally in the company group. Albeit a large company….
So… is it secret? Your messages are.
Is it safe? Not as far as your personal information goes.
That’s been price tagged and will be shipped to Facebook in mid-May.
Is it a price worth paying?
The Gathering Storm: WhatsApp vs Signal
There is, however, another secure app using the Signal protocol for end-to-end chat encryption. Confusingly, or perhaps not, the app itself is also called Signal.
What’s the difference between Signal and WhatsApp? Signal doesn’t store any user data. It therefore doesn’t share user data. It’s also fully open source, meaning anyone can examine the code at any time. And it’s owned and operated by the nonprofit Signal Foundation.
Sounds too good to be true right? What’s the catch?
The catch is… some unfortunate personal connections amongst some quite influential people surrounding Signal’s newfound popularity.
Jack Dorsey, CEO of Twitter and Square, wholeheartedly endorses Signal at every turn. Moxie Marlinspike, who runs the Signal Foundation, had his prior company bought out by Twitter and worked with them for two years. That company’s name? Whisper Systems. Not Open Whisper Systems (the one we told you to remember from our previous post), which would come later, but you can imagine how this sparked confusion.
Oh, and who is the other Signal Foundation co-founder? Brian Acton, who also co-founded WhatsApp.
In short, everyone should know that there’s some cronyism at work within the Signal ecosystem, but so far nothing sinister has arisen. Everyone knows each other in that industry, and a lot of time and money intermingles. The one thing we would caution is that Twitter and the Signal Foundation should continue to be monitored to make sure leadership decisions remain independent of one another. If Dorsey and Marlinspike ever buddy up on the same boards of directors, then there will be issues.
So is Signal secret? Is Signal safe? So far, little ringbearer. So far…
How about Telegram?
The UK Parliament Home Affairs Committee shared a tasty statistic: In the three-week period after WhatsApp’s fall from grace, Signal gained 7.5 million users. Telegram gained 25 million users.
Telegram has a worse encryption scheme, but it’s a low hanging branch. Only one-on-one chats can be end-to-end encrypted on Telegram, and only via a special mode. Group chats can be read and monitored by anyone sitting in the middle. And yet, millions have fled to Telegram because it’s a household name. Unwise, but predictable.
One of the reasons that Telegram gained so much ground was a false syllogism: “If ISIS and other terrorist groups can use it safely, it must be really hard to break their security!”
The truth is, Telegram’s group chats are wide open, virtually unsecured. The kind of propaganda channels that major terrorist organizations run are fully infiltrated by police officers from every major nation. Which might be why French police foiled a ricin attack in 2018 that was plotted on Telegram. It’s unlikely they managed to break the user-to-user encryption… they probably just monitored the suspect’s public groups and got the info they needed.
And it isn’t hard for Telegram to find these people. They get banned repeatedly! It’s simply that they create new accounts on new phones, and use smaller, unbranded channels for their activities. Until they’re caught, and the process starts all over again.
The policy line is clear: If it’s public, Telegram is happy to step in, swing the ban hammer, and even help law enforcement with investigations. If it’s a private, encrypted chat, they couldn’t help law enforcement even if they tried.
Just in case you didn’t know, Telegram does offer end-to-end encryption. The problem is, it doesn’t turn it on by default. Would you like to drive a car where the airbags have to be switched on manually?
Misdirection, Lies, and the price of Milling Rumours
When the first onrush of speculation washed over them from their privacy policy and Terms of Service change, WhatsApp released a statement that started with, “We want to address some rumours and be 100% clear we continue to protect your private messages with end-to-end encryption.”
They did this on Twitter, of course.
By addressing the wildest of rumours but not the more reasonable ones (such as how this policy will feed into Facebook’s current agreements with law enforcement, at a time when trust in law enforcement is at an all-time low), they fanned the flames.
People started to point out contradictory statements in their ToS about recording location data. It was ignored rather than addressed, which blew up into a whole new set of conspiracy theories.
There was no press conference, no open Q&A, no transparency. Because they didn’t want transparency. They were expanding the volume of user data that they were giving to Facebook, that much was clear. Who would want to be fully transparent about that?
Backlash – WhatsApp Losses:
A Tsunami or a Ripple in the pond?
At first glance, WhatsApp losing millions of users might seem like a dramatic shift.
It isn’t. It’s effectively nothing. The backlash has caused a lot of outrage in the English-speaking world and has been nothing more than a whisper elsewhere.
WhatsApp has around two billion users worldwide. To them, losing even 50 million users is like having a bad day at bingo.
Their market penetration is unreal. The app has an over 95% penetration rate in several African countries. Over 90% in Brazil and Colombia. Over 85% in Mexico. Over 80% penetration in a dozen EU countries. Around 80% in Russia and Saudi Arabia.
In short, it owns the majority of the world’s messenger app market, dwarfing Facebook’s own Messenger service which still holds a healthy 1.3 billion users.
We can shout to the high heavens about how this new Terms of Service change is bad for various reasons. And most of the 340 million people using WhatsApp in India officially won’t care about our opinion.
WhatsApp downloads might have been down around 15% to 20% last month. But that’s still an amazing volume of new users, as well as users updating their devices and still choosing to make WhatsApp part of their lives.
And as icing on the cake, the new WhatsApp Terms of Service won’t apply within the European region, which is not limited to the European Union. Users living in Andorra, Switzerland or the UK can rest easy, as no digital earthquake is expected in this region anytime soon.
So let’s not mistake this privacy-fueled movement as a tsunami rushing towards WhatsApp. It’s ripples in a vast pond, at best. We’ll have to wait several months to see if the surge in Signal’s popularity will catch on elsewhere and have a significant impact. For the moment, that’s simply not the case.
Clearly, anyone touting this debacle as the end of WhatsApp isn’t looking at the numbers. It’s a ‘logical’ leap: They believe that privacy is a huge concern to everyone, and switching to a more secure app should be a no-brainer.
But the reality is, a messenger app without your friends on it is useless. And it’s easier to go with the flow than try to be the one that moves your cousin, your grandma, and your barber over to a new app when the old one is ‘working just fine’.
Meanwhile, don’t shed too many tears for WhatsApp and their rumour mill problems. On New Year’s Eve 2020, they shattered every industry record by hosting 1.4 billion voice and video calls in one day.
So any rumours of their imminent demise should be fact checked, cross referenced on Snopes, referred to a qualified medium, relayed to either a magic 8 ball or a ouija board (reader’s choice), and then filed away in the part of your mind that discards such things in favour of cute cat and dog pictures.