Shall I migrate to Signal, Threema or Telegram? No, because they all have — WhatsApp included — the same problem: They are walled gardens. Imagine a world where for each mail recipient using a separate domain, I would need separate mail client? Or in other words: Gmail users can only communicate with Gmail users. Let’s […]

Both Signal and WhatsApp are encrypted, but Signal takes extra steps to keep your chats private.

Last update: May 22, 2020
Español - Italiano
Introduction
This article analyses the security and confidentiality features of the most commonly used communication services or applications.
Note: the comparison is made between WhatsApp (the most widespread 1.6 billion users), Telegram (the most secure and widespread 400 million users), Signal and Wire (the most secure and confidential) according to world statistics. A comparison in terms of functionality is available at this address.
Remark: for any communication…

Pavel Durov criticized WhatsApp in new blog post

Germany's data privacy chief has told federal bodies not to use WhatsApp, amid concerns that it feeds Facebook with data. Ulrich Kelber said it appeared that the government has failed to establish enough safe services.

The unmaintained blog

Matrix.org

Une app israélienne transformée en mouchard servait à observer la croissance du service de messagerie. Quand Facebook a déboursé 19 milliards de dollars (17,5 milliards d'euros) pour acheter WhatsApp en février 2014, beaucoup se sont demandés si Mark Zuckerberg n'avait pas perdu...

Countries focus on increasingly effective encryption of communications

Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access

Platform has option to make messages automatically disappear after set time period

Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter.

WhatsApp has announced that it will start sharing your phone number with Facebook. The messaging service has updated its privacy policy to indicate the changes as well as other additions to the platform, such as WhatsApp Web, desktop clients, end-to-end encryption, and voice call service.

This is the end of era centralized communication!

WhatsApp is the only messaging app among those with over a billion monthly active users, which hasn’t started actual monetisation ...

WhatsApp detailed plans to sell ads and charge big companies that want to reach their customers through its service, launching its first major revenue streams as growth at Facebook’s main app is starting to decelerate.

WhatsApp also has the glaring vulnerability that Facebook could at any time reset your key to a compromised one without your knowledge, and WhatsApp will resend any hanging messages automatically upon the change, making any undelivered messages available to the one who has the decryption capability associated with that new key. It's possible they've put in a method to do this without notifying the user. Also, this "automatic resend" behavior means that a physical attack can be made simply by switching SIMs on the phone before the message is sent. It requires some careful timing to be a real vulnerability and anyone using a phone to communicate will certainly opt for a more secure platform for critical applications.

After a long dispute over how to produce more revenue with ads and data, the messaging app’s creators are walking away leaving about $1.3 billion on the table.​

Selon Elizabeth Dwoskin, journaliste au Washington Post, Facebook aurait tenté de mettre en place une passerelle visant à exploiter les données personnelles des utilisateurs de WhatsApp, tout en affaiblissant le chiffrement utilisé par la messagerie.

The Bottom Line

WhatsApps adoption of a strong encrypted protocol is a significant improvement in secure messaging, but problems remain. Although the data is well protected on the wire, there is still significant metadata leakage and there are significant privacy issues related to using the app.

Whilst WhatsApp might not provide full content of messages, the kind of metadata it provides is often enough to draw an informative map of a target's life, said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union (ACLU). She noted that WhatsApp already shares contact information with Facebook where users haven't opted out, which they may provide to government. And the WhatsApp privacy policy notes that it does store some location and contacts information where users have opted to provide them.

"The best practise is to purge information," Guliani added. "When it comes to metadata, how often is WhatsApp purging this kind of information?" As a comparison, the Signal messaging app doesn't store any such metadata and therefore doesn't need to purge it. And whilst it openly admits contact numbers are shared with Signal servers, they're garbled by an encryption algorithm into what's known as a "hash" (though former developer Frederic Jacobs told me it's "trivial" to bruteforce those hashes, so if in the unlikely event a fake Signal server is set up to target a user, their contacts could be exposed).

WhatsApp’s recent privacy policy update announced plans to share data with WhatsApp’s parent company Facebook, signalling a concerning shift in WhatsApp’s attitude toward user privacy. In particular, the open-ended, vague language in the updated privacy policy raises questions about exactly what WhatsApp user information is or is not shared with Facebook. WhatsApp has publicly announced plans to share users’ phone numbers and usage data with Facebook for the purpose of serving users more relevant friend recommendations and ads. While existing WhatsApp users are given 30 days to opt out of this change in their Facebook user experience, they cannot opt out of the data sharing itself. This gives Facebook an alarmingly enhanced view of users’ online communications activities, affiliations, and habits.

If you use both WhatsApp and Facebook, this change allows Facebook access to several pieces of your WhatsApp information, including your WhatsApp phone number, contact list, and usage data (e.g. when you last used WhatsApp, what device you used it on, and what OS you ran it on). With confusing wording, the update correctly points out that your phone number and messages will not be shared onto Facebook. This means that your data will not be shared publicly on your Facebook page or anywhere else on Facebook’s platform. Instead, it will be shared with Facebook—that is, Facebook systems and the “Facebook family of companies.” While WhatsApp’s privacy-friendly end-to-end encryption remains, and the company assures users it will not share their data directly with advertisers, this nevertheless presents a clear threat to users’ control of how their WhatsApp data is shared and used.

[...]

Most critically for user privacy, however, sharing this kind of metadata also gives Facebook an enhanced view of users’ online communication activities, affiliations, and habits, and runs the risk of making private WhatsApp contacts into more public Facebook connections. The new privacy policy, for example, permits Facebook to suggest WhatsApp contacts as Facebook friends. Facebook can also use the data to show “more relevant” ads. In an announcement accompanying the privacy policy update, WhatsApp offers the example of “an ad from a company you already work with, rather than one from someone you’ve never heard of”—a frightening prospect considering the data coordination and sharing required for Facebook to know the companies with whom you do business.

Nous sommes tout particulièrement préoccupés par la nouvelle politique de confidentialité de WhatsApp annoncée en août 2016, qui autorise le partage de données avec la société mère Facebook. Ceci accorde à Facebook le droit d'accéder à plusieurs éléments relatifs aux informations des utilisateurs de WhatsApp, y compris les numéros de téléphone sur WhatsApp et l'usage des données.

When Facebook bought the start-up WhatsApp in 2014, Jan Koum, one of WhatsApp’s founders, declared that the deal would not affect the digital privacy of his mobile messaging service’s millions of users.

[...]

WhatsApp said on Thursday that it would start disclosing the phone numbers and analytics data of its users to Facebook. It will be the first time the messaging service has connected users’ accounts to the social network to share data, as Facebook tries to coordinate information across its collection of businesses.

WhatsApp is changing its policy as it begins building a moneymaking business after long placing little emphasis on revenue. The company plans to allow businesses to contact customers directly through its platform. A similar strategy is already being tested on Facebook Messenger, a separate messaging service Facebook owns.

[...]

Among the changes, Facebook will be able to use a person’s phone number to improve other Facebook-operated services, such as making new Facebook friend suggestions, or better-tailored advertising, WhatsApp added. It said the data-sharing would also be used to fight spam text messages across it

The social network announced in August that it would begin sharing data from its 1 billion-plus user base, including phone numbers, from WhatsApp users with Facebook for the purpose of targeted ads. It gave users the option of opting out of the data being used for advertising purposes, but did not allow them to opt out of the data sharing between WhatsApp and Facebook.

The phone number associated with a user’s WhatsApp account will be used on Facebook to show them ads. This will form part of the targeting the company allows for paying advertisers, who can upload contact databases. Those who use Facebook and are in the contact database uploaded by the advertiser will then be shown the targeted ads.

The information will also be used to show how people interact with a specific ad, but Facebook said that it would not tell advertisers who specifically interacted with the ad.

Metadata is the important part here. Metadata can show who you send a message to and when. You might remember the term from the Snowden leaks, because the CIA was collecting metadata on phone calls. While WhatsApp doesn’t keep your messaging beyond the course of it trying to deliver that message (if the recipient is offline it’ll stay on WhatsApp’s servers until the message goes through), it does collect a lot of other information about you. Based on their Privacy Policy, this includes usage and log information, device information, contact information, cookies, status updates (like when you were last online), and your location if you choose to share it. They can also put that metadata together using other people’s information. For example, if you’re not sharing your contact list, but a friend of yours is and you’re in it, then they can put those two pieces of information together. It’s also worth remembering that Facebook owns WhatsApp, which means it shares data for ad targeting. You can opt out of this, but it’s a noteworthy features because the relationship between the two is going to make some people uncomfortable. None of this is bad by any stretch of the word, but it’s still worth noting.

WhatsApp messenger is arguably the most popular mobile app available on all smart-phones. Over one billion people worldwide for free messaging, calling, and media sharing use it. In April 2016, WhatsApp switched to a default end-to-end encrypted service. This means that all messages (SMS), phone calls, videos, audios, and any other form of information exchanged cannot be read by any unauthorized entity since WhatsApp. In this paper we analyze the WhatsApp messaging platform and critique its security architecture along with a focus on its privacy preservation mechanisms. We report that the Signal Protocol, which forms the basis of WhatsApp end-to-end encryption, does offer protection against forward secrecy, and MITM to a large extent. Finally, we argue that simply encrypting the end-to-end channel cannot preserve privacy. The metadata can reveal just enough information to show connections between people, their patterns, and personal information. This paper elaborates on the security architecture of WhatsApp and performs an analysis on the various protocols used. This enlightens us on the status quo of the app security and what further measures can be used to fill existing gaps without compromising the usability. We start by describing the following (i) important concepts that need to be understood to properly understand security, (ii) the security architecture, (iii) security evaluation, (iv) followed by a summary of our work. Some of the important concepts that we cover in this paper before evaluating the architecture are - end-to-end encryption (E2EE), signal protocol, and curve25519. The description of the security architecture covers key management, end-to-end encryption in WhatsApp, Authentication Mechanism, Message Exchange, and finally the security evaluation. We then cover importance of metadata and role it plays in conserving privacy with respect to whatsapp.

In the privacy domain, there have been concerns related to user metadata as well. WhatsApp encrypts the communication channel between users using end-to-end encryption. The metadata of the user is encrypted as well when data is in motion on the communication channel between various parties. It is essential to understand that information stored in metadata is just as important in preserving privacy of the users, as is the data itself. The company's legal terms allow them to store information associated with successfully delivered messages such as time of delivery, mobile phone numbers involved in the messages, size of any digital content swapped between the two parties (Bernstein 2006). Also, the app persists the user to share one's entire contact list with the app. This is a way to further gather information about who is in a particular social network of a user. It is like trading the convenience of having the app to figure out who uses it amongst one's contacts for giving up the entire list of which one contacts regularly, including those who don't use the app. There is still no option of selectively adding contacts to the WhatsApp list. Any addition of this feature in the future will not help existing users as they have already shared this detail with the app.

A smartphone metadata reflects a wealth of details both at the level of individual calls and when analyzed in aggregate. Computer scientists and researchers have proved this a number of times in the past. It is here where WhatsApp falters. While the metadata is encrypted during transit, phone numbers, timestamps, connection duration, connection frequency, as well as user location are being stored on the company's servers. This metadata is sufficient to create a profile and draw some strong inferences between the communicating parties. And as we've seen very often, both governments and hackers can get their hands on the metadata if they realty go after it.

What advantage would Facebook, the parent company has in addition to the metadata related information coming via WhatsApp? WhatsApp had vowed that it would not be selling advertisements. However, there is no condition that can stop its parent company from doing so by using information gathered through the whatsapp. In combination to one's activities on Facebook, it can potentially help create a more accurate understanding of the user behavior, and social interactions thereby serving as a strong measure of profiling for some targeted ads. This is not truly a major concern as long as the user sees ads that make sense to them. Any change in the content delivery algorithm can lead to a very different user experience, where in some cases the user may outright stop using the app.

For group chat, the communication initiator sends message to the whatsapp server, which in turn distributes it to all the group members. This is a very easy way of for Facebook to learn all about ones social interactions and communities. A lot can be deduced by performing some kind of traffic analysis just by using the metadata like from the message volume exchanged.

In August 2016, WhatsApp changed its terms of privacy where it stated that it plans to transfer user data to its parent company, Facebook. It had earlier promised that this data would not be disclosed or used for marketing purposes. But now it will share user account information with Facebook and the Facebook family of companies, like the phone number the user used as a primary identifier. The companies intend to use WhatsApp account information to show users "more relevant ads on Facebook" and to send users marketing messages via WhatsApp. A phone number is like a digital social security number (EPIC - WhatsApp). It can uniquely identify a person as this information is provided every time when filling up forms for various purposes. It can also connect various sources of data, like health records, financial data, and education, online presence, etc. and create a full profile of a person.

In theory you could delete all contacts from your address book, except the ones that you would like to chat with on Whatsapp, then later re-add the ones you deleted, but doing it manually would be too much effort.

My dirty fix for this is to synchronize the contacts with a CardDAV server (owncloud/nextcloud, radicale, baikal,..) and to use an app that lets you synchronize multiple address books at the tap of a button.

The trick is to add a second address book to your server, to which you only add the names and phone numbers of people who use Whatsapp, remove your regular address book from your phone, synchronize the “Whatsapp address book”, grant Whatsapp the contacts permission, add your contacts, remove the contacts permission for Whatsapp, and synchronize your regular address book again.

L’entreprise collecte les numéros de téléphone mobile de ses membres qui servent d’identifiants, et les numéros présents dans leur carnet d’adresses, et surtout « WhatsApp peut conserver des informations horodatées associées aux messages délivrés avec succès et les numéros de téléphone impliqués dans les messages, ainsi que toutes autres informations que WhatsApp a l’obligation légale de collecter ». Cette dernière obligation s’entend selon le droit américain, puisque WhatsApp précise qu’il n’obéit à aucun autre régime juridique que celui de la Californie.

[...]

Ainsi WhatsApp peut tout à fait savoir — et dire aux autorités — à qui un utilisateur a envoyé un message un jour donné, combien de temps a duré la conversation avec tel autre internaute, quels nouveaux interlocuteurs sont apparus dans les contacts réguliers d’un individu, etc., etc.

Or ces métadonnées qui permettent par exemple d’identifier la source d’un journaliste sont parfois jugées plus précieuses encore que le contenu lui-même. C’est ce qu’avait rappelé la Cour de justice de l’Union européenne (CJUE) dans son arrêt Digital Rigts Ireland, pour invalider la directive qui imposait aux opérateurs de conserver de très nombreuses métadonnées, pour tous ses clients, et d’y donner accès aux autorités pour tous types d’enquêtes.

« Les données à conserver permettent de savoir avec quelle personne et par quel moyen un abonné ou un utilisateur inscrit a communiqué, de déterminer le temps de sa communication ainsi que l’endroit à partir duquel celle-ci a eu lieu et de connaître la fréquence des communications de l’abonné […] avec certaines personnes pendant une période donnée.

Ces données, prises dans leur ensemble, sont susceptibles de fournir des indications très précises sur la vie privée des personnes dont les données s ont conservées, comme les habitudes de la vie quotidienne, les lieux de séjour permanents ou temporaires, les déplacements journaliers ou autres, les activités exercées, les relations sociales et les milieux sociaux fréquentés ».

I posted this not because I was angry on having a GET request sent to my server on a char by char basis. My main concerns were privacy related, since I posted this some additional things came to light:

1) This leaks the IP address of the person writing the msg

2) When property="og:image" is used it also leaks the User Agent and Android version [1]

3) When presented with invalid headers as a reply it can cause a crash on IOS, which mean this is a potential RCE vector [2]

4) It leaks the exact time an URL is typed into a chat

5) It's on by default, this is the default behavior in E2E encrypted conversations [3]

I don't use WhatsApp, I found this out by accident as I just have a habit to tail my logs. I know though that Signal doesn't do any of this pre-fetching. I am aware this is a 'feature' but there's no place for it when security is involved.

[1] https://twitter.com/0xjomo/status/874585822158352384
[2] https://twitter.com/dr4ys3n/status/874725257722179584
[3] https://mastodon.social/@rysiek/9146943

Even with end-to-end encryption Big Brother is still in your phone: metadata

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

[...]

The vulnerability is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

[...]

Boelter reported the vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the loophole still exists.

L’entreprise ne compte pas y remédier, car cette défaillance est très difficile à exploiter en pratique. WhatsApp reste ce qu’il se fait de mieux en matière de messageries sécurisées.

La CNIL annonce la mise en demeure de l’application Whatsapp. La Commission de protection de la vie privée demande à l’application de messagerie de se conformer à la loi pour la transmission de données personnelles vers Facebook.

Paris, le 20 décembre 2017 - Avant-hier, la CNIL a annoncé mettre en demeure WhatsApp de corriger son système de transfert de données personnelles à Facebook. L'entreprise a un mois pour ce faire, sous peine d'être sanctionnée (le montant maximal de l'amende est de 3 millions d'euros). La CNIL considère ce transfert illicite car se fondant sur le consentement forcé des utilisateurs, ceux-ci ne pouvant s'y opposer qu'en renonçant à utiliser le service. La Quadrature du Net se réjouit de l'analyse faite par la CNIL, car c'est exactement celle qu'elle défend depuis des années. Les conséquences en seront particulièrement importantes.

The CNIL said WhatsApp did not have the legal basis to share user data with Facebook and had violated its obligation to cooperate with the French authority.

WhatsApp, bought by Facebook in 2014, said it would begin sharing some user data with the social media group in 2016, drawing warnings from European privacy watchdogs about getting the appropriate consent.

In October, European Union privacy regulators criticized WhatsApp for not resolving their concerns over the messaging service’s sharing of user data with Facebook a year after they first issued a warning.

The French regulator said WhatsApp had not properly obtained users’ consent to begin sharing their phone numbers with Facebook for “business intelligence” purposes.

“The only way to refuse the data transfer for “business intelligence” purpose is to uninstall the application,” the CNIL said in a statement.

[...]

The CNIL said it had repeatedly asked WhatsApp to provide a sample of French users’ data transferred to Facebook but the company had explained it could not do so as it is located in the United States and “it considers that it is only subject to the legislation of this country.”

Bien que le transfert des données utilisateurs entre Facebook et Whatsapp soit temporairement et partiellement suspendu, les Cnil européennes estiment que les garanties présentées par la messagerie instantanée à ses utilisateurs européens ne sont pas satisfaisantes. Aux géants américains aussi, il faut expliquer la notion de consentement.

Une fausse application WhatsApp est parvenue à passer les filtres de sécurité du store Google Play. Quelles conséquences pour les victimes ?

L’autorité de la concurrence italienne a annoncé, vendredi 12 mai, avoir infligé une amende de 3 millions d’euros à l’application de messagerie.

The firm also claims to have surveillance capabilities to extract data from 'many web accounts and apps'.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

La Commission européenne assure qu’en 2014 le réseau social avait indiqué « qu’il n’était pas en mesure d’associer automatiquement et de manière fiable ses comptes d’utilisateurs avec ceux de WhatsApp ». Mais après réflexion, Bruxelles considère que « cette possibilité technique existait déjà en 2014 », indique la lettre officielle de la Commission.

Pour étayer son accusation, la Commission s’appuie sur les modifications opérées par Facebook en août 2016 dans la politique de confidentialité de WhatsApp, qui a permis d’associer les numéros de téléphone de ses utilisateurs aux profils des membres de sa maison mère Facebook.

Fin août, WhatsApp faisait savoir que, dorénavant, certaines données de ses utilisateurs seraient partagées avec sa maison mère, nommément Facebook. Deux mois et...

En attendant l'Europe, Facebook a accepté de revenir en Inde sur le changement de politique de vie privée de sa filiale WhatsApp. Les données ne seront pas partagées en l'absence de consentement explicite.

Un mois après l'annonce de WhatsApp, qui s'est mis à partager les données de ses utilisateurs avec Facebook, un des organes de régulation allemand a tapé du poing...

When the messaging service WhatsApp announced last month that it was starting to share some of its users’ online information with Facebook, its parent company, many users expressed anger that their digital privacy could be at risk.

The German consumer watchdog has threatened legal action against WhatsApp over its hugely controversial data sharing deal with Facebook.