/ 27 October 2016

What does WhatsApp and Facebook’s data sharing agreement mean for you?

Defendants react behind bars at a court in Cairo following the acquittal last year of 26 men accused of 'debauchery.' Authorities have been known to use social media connections as the basis for such arrests.
Defendants react behind bars at a court in Cairo following the acquittal last year of 26 men accused of 'debauchery.' Authorities have been known to use social media connections as the basis for such arrests.

Like an unhealthy number of Jo’burg drivers, earlier this year Nick was in an accident. Fortunately, no one was hurt. Almost as fortunately, since it was his boss’s car he was driving, the accident wasn’t Nick’s fault either. So Nick reported it to the police and WhatsApped the other driver’s details to his boss.

Nick’s boss is very careful about online security and privacy. He doesn’t use Facebook much, he certainly doesn’t have the Facebook app on his phone, and he was a bit worried about the culpable driver — let’s call him John — in this accident, who was both uninsured, and had been quite threatening towards Nick. Imagine his surprise, then, when the next time he logged into Facebook John appeared in his “people you might know and want to add as a friend” panel.

At this stage, I should probably point out that Nick’s boss is me. Other than that WhatsApp the only communication between me and John was via phone call or SMS.

Now I’m a lot more careful about online security than most, but at the same time more blasé about personal safety than many residents of my adopted city, Johannesburg. The thought that John would have the same option on his screen, and by implication see my personal data and details about my family that I can’t stop relatives posting to Facebook, was genuinely one of the few moments of genuine fear I’ve felt since moving to South Africa four years ago. That’s bearing in mind that I was attacked by striking truckers on my first day here, and accidentally drove into Hillbrow in the middle of the night about a month later.

All this happened long before August, when WhatsApp announced that it was going to start sharing data with its parent company, Facebook, and allow businesses to use its app for direct marketing. In doing so, it reneged on two long-standing promises it had made to its users, most of whom probably didn’t even read the updated terms and conditions. At the time of the accident, there was supposed to be no communication between WhatsApp and Facebook data — yet somehow a connection made via one service quickly became an interaction of interest on the other.

And I’m far from the first person to have had a creepy experience with Facebook’s suggested friends list. No wonder when that data-sharing agreement was unveiled there was general internet outrage at the thought that Facebook would have access to even more of your personal information.

What’s WhatsApp’s security like?

Many aspects of the security built into WhatsApp are good, or better than good. It was a trailblazer when it adopted a strategy of encrypting all messages by default, for example. Even if someone does intercept or subpoena your actual messages, they shouldn’t be able to read them.

Writing for the Electronic Frontier Foundation, a leading activist organisation for online privacy in the US, Bill Budington and Gennie Gebhart say: “Under the hood, WhatsApp uses the best-in-breed for encrypted messaging: the Signal Protocol. This gives a high assurance that messages between you and your contacts are encrypted such that even WhatsApp can’t read them, that your contacts’ identities can be verified, and that even if someone steals your encryption keys and is able to tap your connection, they can’t decrypt messages you’ve already sent.”

Facebook Messenger also uses the same Signal protocol for chats, as does Google Allo and the open source messaging app Signal (the protocol takes its name from the latter).

So how did Facebook make the connection between John and me, if even WhatsApp couldn’t read the number Nick sent me? The Electronic Frontier Foundation worry that there’s ambiguity in the new privacy policy between WhatsApp and Facebook around exactly what data will be shared between the two services, but the truth is I don’t know, and have no way of knowing how John got into my feed. It could be that Nick WhatsApped John, and the leap was made via their address books. Or maybe it had nothing to do with that chat message at all. Perhaps John looked for me on Facebook and that’s where the connection was made. Or perhaps it was Facebook testing a new technology. This isn’t unusual: earlier this year Facebook tested the use of location data to link you to people you might have met, but quickly decided against it when the “people you might know” lists got even more creepy.

Part of the problem with WhatsApp and Facebook is that the way they work and interact with each other is known only to the employees of those companies. What we do know is that WhatsApp is leaky around the edges: for example, by default it offers to back up all your chats in an unencrypted format on a cloud drive, leaving that back-up vulnerable to anyone who can get the keys to your storage. Your WhatsApp history is also stored in unencrypted format on your phone itself.

All about the meta

From a traditional tech security point of view, chief executive at security firm Trend Micro Southern Africa Darryl O’Brien says that data-sharing between WhatsApp and Facebook isn’t likely to make one more vulnerable as a result, and to an extent the internet backlash in this case wasn’t justified.

“Many users simply do not understand that this update does not mean that Facebook — or anyone else — can see personal WhatsApp conversations,” says O’Brien. “It’s primarily aimed at creating better personalised advertising.”

Not even WhatsApp can read your messages, because of the fact that they’re encrypted in transit. It can, however, see who you’re talking to, and who’s in your phone book. That’s valuable information to Facebook, because it’s giving it even more ammo for targeted ads and friend suggestions.

Opening up WhatsApp to third party advertisers might carry an increased threat if it can be used to deliver malicious code or harvest information from WhatsApp, but this is yet to be seen, according to O’Brien. The primary concern about WhatsApp when it comes to security is still that it is being used as a conduit for phishing scams, he says.

Indeed, according to WhatsApp, the new data sharing policy helps with security in some ways as it gives the two companies extra resources to spot fraudulent behaviour and make the connections to stop spammers. That’s not unlikely at all: in his recent book Chaos Monkeys: Inside the Silicon Valley Money Machine ex-Facebook product manager Antonio Garcia Martinez describes a culture inside Facebook that is extraordinarily paranoid about leaking data outside its own walls, and has a dedicated crime fighting team which has “likely put away as many (if not more) bad guys than our local law enforcement agency”.

What is the risk?

The ability to make clever connections between people or goods and services they might like is the business model of all the big social media and search companies in the world.

But that ability to link metadata from different services and have it accidentally toss up revealing connections could, in some circumstances, be very dangerous. Here’s a not entirely far-fetched example: you’re an Egyptian secret service officer “shoulder surfing” users of an internet cafe and the name of a prominent LGBTQ activist appears as a suggested friend on a random user’s screen. Was the user WhatsApping with them, and has been given away by a Facebook tell? You’d better haul them in for questioning.

Or perhaps you live in a less liberal country than South Africa and those abortion ads on your Facebook page are in danger of giving away your secret WhatsApp messages to the doctor’s clinic.

If that sounds paranoid, the trouble is that WhatsApp is hugely, enormously popular all over the world, and especially across Africa. With a billion users, an improbable sequence of events becomes much more likely to happen. In Tazania it’s the most popular social network, with around three times the number of users as Facebook. It’s become the go-to tool for electioneering and propaganda, according to the website Quartz.

The BBC’s African team, meanwhile, use WhatsApp extensively for research and newsgathering, but more pertinently WhatsApp is the tool of choice for activists around the continent. Maya Indira Ganesh is the director of applied research at Tactical Technology Collective, an organisation that helps activists in repressive regimes use communication tools as safely as possible.

Earlier this year, Ganesh was the co-author of a report “Privacy, anonymity, visibility: Dilemmas in tech use by marginalised communities”. She interviewed activists in Johannesburg and Cape Town, primarily those involved in housing, land and development rights issues. The key tool for organisation, she found, is WhatsApp.

“Activists’ tech use tends to be shaped by their conditions of access, so they adopt something that is mainstream,” Ganesh says, “By which I mean cheap or free, and works well across the different kinds of phones popular in their area.”

According to Ganesh, many activists here feared that police infiltrators were accessing WhatsApp groups (although she didn’t find any corroborating evidence). Tactical Tech is currently researching the types of tactics police around the world use to gather information from social media. But she suspects that practices will differ from region to region, and thus the reaction of anyone looking to keep their private information private will have to be the same.

“What Egyptian police do to identify LGBTQ activists is not how some other use of that same tech will be compromised,” Ganesh says, “Strategies and mitigation are inevitably more sustainable when they are local.”