The social network announced in August that it would begin sharing data from its 1 billion-plus user base, including phone numbers, from WhatsApp users with Facebook for the purpose of targeted ads. It gave users the option of opting out of the data being used for advertising purposes, but did not allow them to opt out of the data sharing between WhatsApp and Facebook.
The phone number associated with a user’s WhatsApp account will be used on Facebook to show them ads. This will form part of the targeting the company allows for paying advertisers, who can upload contact databases. Those who use Facebook and are in the contact database uploaded by the advertiser will then be shown the targeted ads.
The information will also be used to show how people interact with a specific ad, but Facebook said that it would not tell advertisers who specifically interacted with the ad.
Metadata equals surveillance data, and collecting metadata on people means putting them under surveillance.
An easy thought experiment demonstrates this. Imagine that you hired a private detective to eavesdrop on a subject. That detective would plant a bug in that subject's home, office, and car. He would eavesdrop on his computer. He would listen in on that subject's conversations, both face to face and remotely, and you would get a report on what was said in those conversations.
[...]
Now imagine that you asked that same private detective to put a subject under constant surveillance. You would get a different report, one that included things like where he went, what he did, who he spoke to -- and for how long -- who he wrote to, what he read, and what he purchased. This is all metadata, data we know the NSA is collecting. So when the president says that it's only metadata, what you should really hear is that we're all under constant and ubiquitous surveillance.
What they are trying to say is that disclosure of metadata—the details about phone calls, without the actual voice—isn't a big deal, not something for Americans to get upset about if the government knows. Let's take a closer look at what they are saying:
- They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.
- They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
- They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.
- They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after. But the content of those calls remains safe from government intrusion.
- They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day. But nobody knows what you spoke about.
Sorry, your phone records—oops, "so-called metadata"—can reveal a lot more about the content of your calls than the government is implying. Metadata provides enough context to know some of the most intimate details of your lives. And the government has given no assurances that this data will never be correlated with other easily obtained data. They may start out with just a phone number, but a reverse telephone directory is not hard to find. Given the public positions the government has taken on location information, it would be no surprise if they include location information demands in Section 215 orders for metadata.
Metadata is the important part here. Metadata can show who you send a message to and when. You might remember the term from the Snowden leaks, because the CIA was collecting metadata on phone calls. While WhatsApp doesn’t keep your messaging beyond the course of it trying to deliver that message (if the recipient is offline it’ll stay on WhatsApp’s servers until the message goes through), it does collect a lot of other information about you. Based on their Privacy Policy, this includes usage and log information, device information, contact information, cookies, status updates (like when you were last online), and your location if you choose to share it. They can also put that metadata together using other people’s information. For example, if you’re not sharing your contact list, but a friend of yours is and you’re in it, then they can put those two pieces of information together. It’s also worth remembering that Facebook owns WhatsApp, which means it shares data for ad targeting. You can opt out of this, but it’s a noteworthy feature because the relationship between the two is going to make some people uncomfortable. None of this is bad by any stretch of the word, but it’s still worth noting.
WhatsApp messenger is arguably the most popular mobile app available on all smartphones. Over one billion people worldwide use it for free messaging, calling, and media sharing. In April 2016, WhatsApp switched to a default end-to-end encrypted service. This means that all messages (SMS), phone calls, videos, audios, and any other form of information exchanged cannot be read by any unauthorized entity since WhatsApp. In this paper we analyze the WhatsApp messaging platform and critique its security architecture along with a focus on its privacy preservation mechanisms. We report that the Signal Protocol, which forms the basis of WhatsApp end-to-end encryption, does offer protection against forward secrecy, and MITM to a large extent. Finally, we argue that simply encrypting the end-to-end channel cannot preserve privacy. The metadata can reveal just enough information to show connections between people, their patterns, and personal information. This paper elaborates on the security architecture of WhatsApp and performs an analysis on the various protocols used. This enlightens us on the status quo of the app security and what further measures can be used to fill existing gaps without compromising the usability. We start by describing the following: (i) important concepts that need to be understood to properly understand security, (ii) the security architecture, (iii) security evaluation, (iv) followed by a summary of our work. Some of the important concepts that we cover in this paper before evaluating the architecture are end-to-end encryption (E2EE), the Signal Protocol, and Curve25519. The description of the security architecture covers key management, end-to-end encryption in WhatsApp, Authentication Mechanism, Message Exchange, and finally the security evaluation. We then cover the importance of metadata and the role it plays in conserving privacy with respect to WhatsApp.
In the privacy domain, there have been concerns related to user metadata as well. WhatsApp encrypts the communication channel between users using end-to-end encryption. The metadata of the user is encrypted as well when data is in motion on the communication channel between various parties. It is essential to understand that information stored in metadata is just as important in preserving privacy of the users, as is the data itself. The company's legal terms allow them to store information associated with successfully delivered messages such as time of delivery, mobile phone numbers involved in the messages, size of any digital content swapped between the two parties (Bernstein 2006). Also, the app persists the user to share one's entire contact list with the app. This is a way to further gather information about who is in a particular social network of a user. It is like trading the convenience of having the app to figure out who uses it amongst one's contacts for giving up the entire list of which one contacts regularly, including those who don't use the app. There is still no option of selectively adding contacts to the WhatsApp list. Any addition of this feature in the future will not help existing users as they have already shared this detail with the app.
Smartphone metadata reflects a wealth of details both at the level of individual calls and when analyzed in aggregate. Computer scientists and researchers have proved this a number of times in the past. It is here where WhatsApp falters. While the metadata is encrypted during transit, phone numbers, timestamps, connection duration, connection frequency, as well as user location are being stored on the company's servers. This metadata is sufficient to create a profile and draw some strong inferences between the communicating parties. And as we've seen very often, both governments and hackers can get their hands on the metadata if they really go after it.
What advantage would Facebook, the parent company, have in addition to the metadata-related information coming via WhatsApp? WhatsApp had vowed that it would not be selling advertisements. However, there is no condition that can stop its parent company from doing so by using information gathered through WhatsApp. In combination with one's activities on Facebook, it can potentially help create a more accurate understanding of the user behavior and social interactions, thereby serving as a strong measure of profiling for some targeted ads. This is not truly a major concern as long as the user sees ads that make sense to them. Any change in the content delivery algorithm can lead to a very different user experience, where in some cases the user may outright stop using the app.
For group chat, the communication initiator sends the message to the WhatsApp server, which in turn distributes it to all the group members. This is a very easy way for Facebook to learn all about one's social interactions and communities. A lot can be deduced by performing some kind of traffic analysis using just the metadata, such as the volume of messages exchanged.
In August 2016, WhatsApp changed its terms of privacy where it stated that it plans to transfer user data to its parent company, Facebook. It had earlier promised that this data would not be disclosed or used for marketing purposes. But now it will share user account information with Facebook and the Facebook family of companies, like the phone number the user used as a primary identifier. The companies intend to use WhatsApp account information to show users "more relevant ads on Facebook" and to send users marketing messages via WhatsApp. A phone number is like a digital social security number (EPIC - WhatsApp). It can uniquely identify a person as this information is provided every time when filling up forms for various purposes. It can also connect various sources of data, like health records, financial data, and education, online presence, etc. and create a full profile of a person.
In theory you could delete all contacts from your address book, except the ones that you would like to chat with on Whatsapp, then later re-add the ones you deleted, but doing it manually would be too much effort.
My dirty fix for this is to synchronize the contacts with a CardDAV server (owncloud/nextcloud, radicale, baikal,..) and to use an app that lets you synchronize multiple address books at the tap of a button.
The trick is to add a second address book to your server, to which you only add the names and phone numbers of people who use Whatsapp, remove your regular address book from your phone, synchronize the “Whatsapp address book”, grant Whatsapp the contacts permission, add your contacts, remove the contacts permission for Whatsapp, and synchronize your regular address book again.
The company collects the mobile phone numbers of its members, which serve as identifiers, and the numbers in their address books, and above all "WhatsApp may retain time-stamped information associated with successfully delivered messages and the phone numbers involved in the messages, as well as any other information that WhatsApp is legally obliged to collect". That last obligation is to be understood under US law, since WhatsApp specifies that it submits to no legal regime other than California's.
[...]
Thus WhatsApp is perfectly able to know, and to tell the authorities, to whom a user sent a message on a given day, how long the conversation with some other user lasted, which new correspondents have appeared among an individual's regular contacts, and so on.
Yet this metadata, which makes it possible for example to identify a journalist's source, is sometimes considered even more valuable than the content itself. This is what the Court of Justice of the European Union (CJEU) pointed out in its Digital Rights Ireland judgment, when it invalidated the directive that required operators to retain a great deal of metadata, for all their customers, and to give the authorities access to it for all types of investigations.
"The data to be retained make it possible to know with whom and by what means a subscriber or registered user has communicated, to determine the time of the communication as well as the place from which it took place, and to know the frequency of the communications of the subscriber […] with certain persons during a given period.
Those data, taken as a whole, are liable to provide very precise indications about the private lives of the persons whose data have been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, social relationships and the social environments frequented".
I posted this not because I was angry about having a GET request sent to my server on a char by char basis. My main concerns were privacy related. Since I posted this, some additional things came to light:
1) This leaks the IP address of the person writing the msg
2) When property="og:image" is used it also leaks the User Agent and Android version [1]
3) When presented with invalid headers as a reply it can cause a crash on iOS, which means this is a potential RCE vector [2]
4) It leaks the exact time a URL is typed into a chat
5) It's on by default, this is the default behavior in E2E encrypted conversations [3]
I don't use WhatsApp, I found this out by accident as I just have a habit to tail my logs. I know though that Signal doesn't do any of this pre-fetching. I am aware this is a 'feature' but there's no place for it when security is involved.
[1] https://twitter.com/0xjomo/status/874585822158352384
[2] https://twitter.com/dr4ys3n/status/874725257722179584
[3] https://mastodon.social/@rysiek/9146943
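What the char-by-char preview fetches described in the post above look like from the server operator's side, as an added example that is not part of the original post: a log check that groups GET requests by client and reports runs where each path extends the previous one by a single character, along with the IP address, timing and user agent each run exposes. The log lines, addresses, paths, the "ExampleMessenger" user agent and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format). Addresses, paths and the
# "ExampleMessenger" user agent are made up for illustration.
SAMPLE_LOG = '''\
198.51.100.9 - - [13/Jun/2017:10:14:58 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2017:10:15:01 +0000] "GET /n HTTP/1.1" 404 162 "-" "ExampleMessenger/1.0 (Android 7.0)"
203.0.113.7 - - [13/Jun/2017:10:15:01 +0000] "GET /ne HTTP/1.1" 404 162 "-" "ExampleMessenger/1.0 (Android 7.0)"
203.0.113.7 - - [13/Jun/2017:10:15:02 +0000] "GET /new HTTP/1.1" 404 162 "-" "ExampleMessenger/1.0 (Android 7.0)"
203.0.113.7 - - [13/Jun/2017:10:15:03 +0000] "GET /news HTTP/1.1" 200 2048 "-" "ExampleMessenger/1.0 (Android 7.0)"
198.51.100.9 - - [13/Jun/2017:10:15:04 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2017:10:20:00 +0000] "GET /about HTTP/1.1" 200 1024 "-" "ExampleMessenger/1.0 (Android 7.0)"
'''

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(log_text):
    """Yield (ip, timestamp, path, user_agent) for every GET line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], m["ua"]

def typed_url_runs(events, max_gap=timedelta(seconds=5), min_steps=3):
    """Find runs where one client's paths each extend the previous path by one character."""
    by_ip, runs = {}, []
    for ip, ts, path, ua in sorted(events, key=lambda e: (e[0], e[1])):
        by_ip.setdefault(ip, []).append((ts, path, ua))
    for ip, reqs in by_ip.items():
        run = [reqs[0]]
        for prev, cur in zip(reqs, reqs[1:] + [None]):  # None marks the end of the list
            grows = (cur is not None and cur[1].startswith(prev[1])
                     and len(cur[1]) == len(prev[1]) + 1 and cur[0] - prev[0] <= max_gap)
            if grows:
                run.append(cur)
                continue
            if len(run) >= min_steps:  # run ended: record what it exposed
                runs.append({"ip": ip, "typed": run[-1][1], "steps": len(run),
                             "start": run[0][0], "end": run[-1][0], "user_agent": run[-1][2]})
            run = [cur]
    return runs

if __name__ == "__main__":
    for r in typed_url_runs(parse(SAMPLE_LOG)):
        print(r)
```

On the constructed sample, the only run reported is the client that requested `/n`, `/ne`, `/new`, `/news` within two seconds; ordinary browsing and the later `/about` request are ignored.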
Even with end-to-end encryption Big Brother is still in your phone: metadata
Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.
[...]
The vulnerability is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.
[...]
Boelter reported the vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the loophole still exists.
TF1, Le Figaro, Le Parisien, Le Monde... Since 2016, Facebook has been paying millions of euros to several major French media outlets to produce video content on its social network. A practice that raises the question of newsrooms' dependence and opens the way to a two-tier system that penalizes "small media".
Once again, Android has fallen victim to spyware, and the one discovered by Kaspersky engineers is chilling. Active since 2014 and designed for targeted cyber-surveillance, this implant, named Skygofree, "includes novel features, such as audio recording triggered by geolocation via infected devices", the security vendor points out. Its propagation vector is classic: it hides in web pages imitating those of major mobile operators.