Metadata is the important part here. Metadata can show who you send a message to and when. You might remember the term from the Snowden leaks, because the CIA was collecting metadata on phone calls. While WhatsApp doesn’t keep your messaging beyond the course of it trying to deliver that message (if the recipient is offline it’ll stay on WhatsApp’s servers until the message goes through), it does collect a lot of other information about you. Based on their Privacy Policy, this includes usage and log information, device information, contact information, cookies, status updates (like when you were last online), and your location if you choose to share it. They can also put that metadata together using other people’s information. For example, if you’re not sharing your contact list, but a friend of yours is and you’re in it, then they can put those two pieces of information together. It’s also worth remembering that Facebook owns WhatsApp, which means it shares data for ad targeting. You can opt out of this, but it’s a noteworthy feature because the relationship between the two is going to make some people uncomfortable. None of this is bad by any stretch of the word, but it’s still worth noting.
WhatsApp messenger is arguably the most popular mobile app available on all smartphones. Over one billion people worldwide use it for free messaging, calling, and media sharing. In April 2016, WhatsApp switched to a default end-to-end encrypted service. This means that all messages (SMS), phone calls, videos, audios, and any other form of information exchanged cannot be read by any unauthorized entity since WhatsApp. In this paper we analyze the WhatsApp messaging platform and critique its security architecture along with a focus on its privacy preservation mechanisms. We report that the Signal Protocol, which forms the basis of WhatsApp end-to-end encryption, does offer protection against forward secrecy, and MITM to a large extent. Finally, we argue that simply encrypting the end-to-end channel cannot preserve privacy. The metadata can reveal just enough information to show connections between people, their patterns, and personal information. This paper elaborates on the security architecture of WhatsApp and performs an analysis on the various protocols used. This enlightens us on the status quo of the app security and what further measures can be used to fill existing gaps without compromising the usability. We start by describing the following: (i) important concepts that need to be understood to properly understand security, (ii) the security architecture, (iii) security evaluation, (iv) followed by a summary of our work. Some of the important concepts that we cover in this paper before evaluating the architecture are end-to-end encryption (E2EE), the Signal Protocol, and Curve25519. The description of the security architecture covers key management, end-to-end encryption in WhatsApp, Authentication Mechanism, Message Exchange, and finally the security evaluation. We then cover the importance of metadata and the role it plays in conserving privacy with respect to WhatsApp.
In the privacy domain, there have been concerns related to user metadata as well. WhatsApp encrypts the communication channel between users using end-to-end encryption. The metadata of the user is encrypted as well when data is in motion on the communication channel between various parties. It is essential to understand that information stored in metadata is just as important in preserving privacy of the users, as is the data itself. The company's legal terms allow them to store information associated with successfully delivered messages such as time of delivery, mobile phone numbers involved in the messages, size of any digital content swapped between the two parties (Bernstein 2006). Also, the app persists the user to share one's entire contact list with the app. This is a way to further gather information about who is in a particular social network of a user. It is like trading the convenience of having the app to figure out who uses it amongst one's contacts for giving up the entire list of which one contacts regularly, including those who don't use the app. There is still no option of selectively adding contacts to the WhatsApp list. Any addition of this feature in the future will not help existing users as they have already shared this detail with the app.
Smartphone metadata reflects a wealth of details both at the level of individual calls and when analyzed in aggregate. Computer scientists and researchers have proved this a number of times in the past. It is here where WhatsApp falters. While the metadata is encrypted during transit, phone numbers, timestamps, connection duration, connection frequency, as well as user location are being stored on the company's servers. This metadata is sufficient to create a profile and draw some strong inferences between the communicating parties. And as we've seen very often, both governments and hackers can get their hands on the metadata if they really go after it.
What advantage would Facebook, the parent company, have in addition to the metadata-related information coming via WhatsApp? WhatsApp had vowed that it would not be selling advertisements. However, there is no condition that can stop its parent company from doing so by using information gathered through WhatsApp. In combination with one's activities on Facebook, it can potentially help create a more accurate understanding of the user behavior and social interactions, thereby serving as a strong measure of profiling for some targeted ads. This is not truly a major concern as long as the user sees ads that make sense to them. Any change in the content delivery algorithm can lead to a very different user experience, where in some cases the user may outright stop using the app.
For group chat, the communication initiator sends a message to the WhatsApp server, which in turn distributes it to all the group members. This is a very easy way for Facebook to learn all about one's social interactions and communities. A lot can be deduced by performing some kind of traffic analysis just by using the metadata like from the message volume exchanged.
In August 2016, WhatsApp changed its terms of privacy where it stated that it plans to transfer user data to its parent company, Facebook. It had earlier promised that this data would not be disclosed or used for marketing purposes. But now it will share user account information with Facebook and the Facebook family of companies, like the phone number the user used as a primary identifier. The companies intend to use WhatsApp account information to show users "more relevant ads on Facebook" and to send users marketing messages via WhatsApp. A phone number is like a digital social security number (EPIC - WhatsApp). It can uniquely identify a person as this information is provided every time when filling up forms for various purposes. It can also connect various sources of data, like health records, financial data, and education, online presence, etc. and create a full profile of a person.
In theory you could delete all contacts from your address book, except the ones that you would like to chat with on WhatsApp, then later re-add the ones you deleted, but doing it manually would be too much effort.
My dirty fix for this is to synchronize the contacts with a CardDAV server (owncloud/nextcloud, radicale, baikal, ...) and to use an app that lets you synchronize multiple address books at the tap of a button.
The trick is to add a second address book to your server, to which you only add the names and phone numbers of people who use WhatsApp, remove your regular address book from your phone, synchronize the “WhatsApp address book”, grant WhatsApp the contacts permission, add your contacts, remove the contacts permission for WhatsApp, and synchronize your regular address book again.
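One way to produce that second address book from an export of the regular one, as an added example that is not part of the original post: it keeps only the name and the allowlisted phone numbers of each contact and drops every other field. The function names, the vCard 3.0 input and the sample contacts are assumptions made for this illustration.

```python
import re

# Constructed sample export of the regular address book (vCard 3.0 assumed).
SAMPLE_BOOK = """BEGIN:VCARD
VERSION:3.0
FN:Alice Martin
TEL;TYPE=CELL:+33 6 12 34 56 78
EMAIL:alice@example.org
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Dr. Bob (clinic)
item1.TEL;TYPE=WORK:+33 1 23 45 67 89
NOTE:appointment every
  Tuesday
END:VCARD
"""

def normalize(number):
    """Keep a leading '+' and the digits, so spacing and dashes do not matter."""
    return ("+" if number.strip().startswith("+") else "") + re.sub(r"\D", "", number)

def parse_cards(text):
    """Yield each vCard as (property, value) pairs; parameters and group prefixes are dropped."""
    text = re.sub(r"\r?\n[ \t]", "", text)  # undo vCard line folding
    card = None
    for line in text.splitlines():
        head, sep, value = line.partition(":")
        name = head.split(";")[0].split(".")[-1].upper()
        if not sep:
            continue
        if name == "BEGIN":
            card = []
        elif name == "END" and card is not None:
            yield card
            card = None
        elif card is not None:
            card.append((name, value))

def build_messenger_book(full_book, allowed_numbers):
    """Return vCard 3.0 text holding only the name and allowlisted numbers of each contact."""
    allowed = {normalize(n) for n in allowed_numbers}
    out = []
    for card in parse_cards(full_book):
        fn = next((v for k, v in card if k == "FN"), None)
        tels = [normalize(v) for k, v in card if k == "TEL" and normalize(v) in allowed]
        if fn and tels:  # contacts without an allowlisted number are left out entirely
            out += ["BEGIN:VCARD", "VERSION:3.0", f"FN:{fn}", f"N:{fn};;;;"]
            out += [f"TEL;TYPE=CELL:{t}" for t in tels] + ["END:VCARD"]
    return "\r\n".join(out) + ("\r\n" if out else "")
```

The returned text can be saved as a `.vcf` file and imported into the second address book; e-mail addresses, postal addresses and notes never reach the phone while the messenger holds the contacts permission.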
The company collects the mobile phone numbers of its members, which serve as identifiers, and the numbers in their address books, and above all “WhatsApp may retain timestamped information associated with successfully delivered messages and the phone numbers involved in the messages, as well as any other information that WhatsApp is legally required to collect”. This last obligation is to be understood under US law, since WhatsApp states that it is subject to no legal regime other than that of California.
[...]
WhatsApp is thus perfectly able to know, and to tell the authorities, to whom a user sent a message on a given day, how long the conversation with some other user lasted, which new correspondents have appeared among an individual's regular contacts, and so on.
Yet this metadata, which makes it possible for example to identify a journalist's source, is sometimes considered even more valuable than the content itself. This is what the Court of Justice of the European Union (CJEU) recalled in its Digital Rights Ireland judgment, when it invalidated the directive that required operators to retain a very large amount of metadata, for all their customers, and to give the authorities access to it for all types of investigations.
“The data to be retained make it possible to know with which person and by what means a subscriber or registered user has communicated, to determine the time of the communication as well as the place from which it took place, and to know the frequency of the subscriber's communications […] with certain persons during a given period.
Those data, taken as a whole, are liable to provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, social relationships and the social environments frequented.”
I posted this not because I was angry on having a GET request sent to my server on a char by char basis. My main concerns were privacy related; since I posted this, some additional things came to light:
1) This leaks the IP address of the person writing the msg
2) When property="og:image" is used it also leaks the User Agent and Android version [1]
3) When presented with invalid headers as a reply it can cause a crash on iOS, which means this is a potential RCE vector [2]
4) It leaks the exact time a URL is typed into a chat
5) It's on by default, this is the default behavior in E2E encrypted conversations [3]
I don't use WhatsApp, I found this out by accident as I just have a habit to tail my logs. I know though that Signal doesn't do any of this pre-fetching. I am aware this is a 'feature' but there's no place for it when security is involved.
[1] https://twitter.com/0xjomo/status/874585822158352384
[2] https://twitter.com/dr4ys3n/status/874725257722179584
[3] https://mastodon.social/@rysiek/9146943
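What this prefetching looks like from the web server's side, as an added example that is not part of the original comment: the function groups access-log requests by client and reports runs in which each requested path extends the previous one by a single character, together with the IP address, User-Agent and timestamps the comment lists as leaked. The log lines, the User-Agent string and the function name are constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format); the IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jun/2017:10:15:01 +0000] "GET /r HTTP/1.1" 404 162 "-" "WhatsApp/2.17.0 A"
203.0.113.7 - - [13/Jun/2017:10:15:01 +0000] "GET /re HTTP/1.1" 404 162 "-" "WhatsApp/2.17.0 A"
203.0.113.7 - - [13/Jun/2017:10:15:02 +0000] "GET /rep HTTP/1.1" 404 162 "-" "WhatsApp/2.17.0 A"
198.51.100.9 - - [13/Jun/2017:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2017:10:15:03 +0000] "GET /repo HTTP/1.1" 200 2048 "-" "WhatsApp/2.17.0 A"
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def find_typing_runs(log_text, max_gap=timedelta(seconds=5), min_len=3):
    """Return runs where one client requests paths that each extend the previous by one character."""
    open_runs = {}  # client IP -> run currently being extended
    finished = []
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        ip, ts, path, agent = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        run = open_runs.get(ip)
        if (run and len(path) == len(run["paths"][-1]) + 1
                and path.startswith(run["paths"][-1])
                and when - run["end"] <= max_gap):
            run["paths"].append(path)   # one more keystroke of the same URL
            run["end"] = when
        else:
            if run:
                finished.append(run)
            open_runs[ip] = {"ip": ip, "agent": agent, "start": when,
                             "end": when, "paths": [path]}
    finished.extend(open_runs.values())
    return [r for r in finished if len(r["paths"]) >= min_len]
```

Each reported run ties a sender's IP address and client version to the second at which a specific URL was being typed, even though the message body itself is end-to-end encrypted.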
Even with end-to-end encryption Big Brother is still in your phone: metadata
Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.
[...]
The vulnerability is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.
[...]
Boelter reported the vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the loophole still exists.
The company does not intend to fix it, because this flaw is very difficult to exploit in practice. WhatsApp remains the best there is in secure messaging.
The CNIL announces a formal notice to the WhatsApp application. The privacy protection commission is asking the messaging application to comply with the law on the transfer of personal data to Facebook.
Paris, 20 December 2017 - The day before yesterday, the CNIL announced that it was giving WhatsApp formal notice to correct its system for transferring personal data to Facebook. The company has one month to do so, on pain of being sanctioned (the maximum fine is 3 million euros). The CNIL considers this transfer unlawful because it is based on the forced consent of users, who can only object to it by giving up using the service. La Quadrature du Net welcomes the CNIL's analysis, as it is exactly the one it has been defending for years. The consequences will be particularly significant.
The CNIL said WhatsApp did not have the legal basis to share user data with Facebook and had violated its obligation to cooperate with the French authority.
WhatsApp, bought by Facebook in 2014, said it would begin sharing some user data with the social media group in 2016, drawing warnings from European privacy watchdogs about getting the appropriate consent.
In October, European Union privacy regulators criticized WhatsApp for not resolving their concerns over the messaging service’s sharing of user data with Facebook a year after they first issued a warning.
The French regulator said WhatsApp had not properly obtained users’ consent to begin sharing their phone numbers with Facebook for “business intelligence” purposes.
“The only way to refuse the data transfer for “business intelligence” purpose is to uninstall the application,” the CNIL said in a statement.
[...]
The CNIL said it had repeatedly asked WhatsApp to provide a sample of French users’ data transferred to Facebook but the company had explained it could not do so as it is located in the United States and “it considers that it is only subject to the legislation of this country.”
Although the transfer of user data between Facebook and WhatsApp is temporarily and partially suspended, the European data protection authorities consider that the guarantees offered by the instant messaging service to its European users are not satisfactory. The American giants, too, need to have the notion of consent explained to them.