Facebook's WhatsApp states its messages are protected by the Signal encryption protocol. A report published today by investigative non-profit ProPublica contends that WhatsApp communication is less private than users understand or expect.
"WhatsApp assures users that no one can see their messages — but the company has an extensive monitoring operation and regularly shares personal information with prosecutors," ProPublica claims.
The ProPublica report says that WhatsApp contractors "sift through streams of private messages, images and videos that have been reported by WhatsApp users as improper and then screened by the company’s artificial intelligence systems."
It also says that parent company Facebook downplays the information it collects from WhatsApp – metadata – and how much of that metadata gets shared with law enforcement authorities.
WhatsApp in a statement emailed to The Register pushed back against ProPublica's claims.
"WhatsApp provides a way for people to report spam or abuse, which includes sharing the most recent messages in a chat," a WhatsApp spokesperson said. "This feature is important for preventing the worst abuse on the internet. We strongly disagree with the notion that accepting reports a user chooses to send us is incompatible with end-to-end encryption."
In other words, ProPublica is not disputing the technical integrity of the end-to-end encryption applied to WhatsApp messages. Rather it's arguing that WhatsApp has created a system that encourages its own users to undo its privacy promises by reporting unlawful or objectionable message content to WhatsApp contract moderators. And it suggests that users "likely understand or expect" something else – which is not the same thing as having actual data about what users actually understand and expect.
Report earns sub-par grades
The report has not been well-received by Facebook's former chief security officer Alex Stamos, now an adjunct professor at Stanford University's Center for International Security and Cooperation, who described the article as "terrible."
"It is inconsistent with much of what ProPublica has written in the past, it incorrectly conflates responsible reporting mechanisms with proactive moderation, and creates the wrong incentive structure for E2EE products," he said via Twitter.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, offered a similarly disappointed assessment.
"There are a lot of problems at WhatsApp, but 'the existence of abuse reporting undermines the promise of end-to-end encryption' is an impressively bad take," she said via Twitter. "If I receive a WhatsApp message and then send it to the WhatsApp abuse team because it's abusive, I am not undermining [end-to-end] encryption any more than if I screenshot the message and post it here for everyone to see."
- Facebook: Let us tell you WhatsApp – we don't want to pay that €225m GDPR fine
- WhatsApp pulls plug on Taliban helpline, shuts down official-looking accounts
- Bumble fumble: Dude divines definitive location of dating app users despite disguised distances
- Once again, Facebook champions privacy ... of its algorithms: Independent probe into Instagram shut down
In some ways, ProPublica's report echoes the recent revelations that Swiss email provider ProtonMail reported a user's IP address and device details to Swiss authorities in response to a legal demand, despite having said it doesn't regularly record IP addresses. The company is still capable of accessing user IP and device information and did so when required by law, despite some website wording that many misconstrued as promising non-cooperation with authorities.
ProPublica almost certainly is correct that people misunderstand WhatsApp's privacy promises. But WhatsApp is not alone among the companies that market privacy without really trying to clear up those misunderstandings – look at Apple casting itself as a privacy champion while planning, until recently, to scour customer devices for illegal child sex abuse material.
The differences between privacy and anonymity, between message contents and metadata, and between encryption and unobserved communication, can be baffling to those not steeped in technical minutiae, the law, and the imprecision of corporate privacy claims.
So people's expectations shouldn't be given too much weight unless there's evidence they've been misled. And ProPublica's report doesn't provide that beyond describing the vagueness of Facebook's and WhatsApp's privacy commitments. Certainly more clarity would be worthwhile, but does anyone really expect WhatsApp to ignore CSAM or other illegal content traversing its network?
While we await marketing statements to accurately describe reality, here's a workable model for the internet: two people can keep a secret if one of them is dead and neither used a third-party service provider. If you want the dictionary definition of privacy – being unobserved – don't look for it online, it's the greatest surveillance mechanism ever devised. ®