Remember, Communication Services Cannot Guarantee Privacy

A couple of recent media reports involving the WhatsApp messaging service and the ProtonMail email service highlight the limits of communication services that claim to provide privacy.

ProPublica Reveals WhatsApp Message Monitoring

The non-profit investigative journalism site ProPublica published a lengthy report on WhatsApp privacy, or its supposed lack thereof. The messaging app, which Facebook purchased in 2014, promises end-to-end encryption and total privacy. WhatsApp’s privacy page states:

Our mission is to connect the world privately by designing a product that’s simple and private. Whether you are sending a personal message to your friends or family, or texting with a business, your communications are secure and you are in control.

ProPublica’s article implies that isn’t true and says that over 1000 contract workers monitor and police traffic on the service. But dig deep enough down into the article, and you reach this bit (emphasis ours):

Their jobs differ in other ways. Because WhatsApp’s content is encrypted, artificial intelligence systems can’t automatically scan all chats, images and videos, as they do on Facebook and Instagram. Instead, WhatsApp reviewers gain access to private content when users hit the “report” button on the app, identifying a message as allegedly violating the platform’s terms of service. This forwards five messages — the allegedly offending one along with the four previous ones in the exchange, including any images or videos — to WhatsApp in unscrambled form, according to former WhatsApp engineers and moderators. Automated systems then feed these tickets into “reactive” queues for contract workers to assess.

In other words, your WhatsApp messages are encrypted, and Facebook can’t see them unless a party in the conversation reports a message as violating WhatsApp’s terms of service. Facebook is in a tight spot here because if it didn’t have a reporting feature and human reviewers, it would be accused of enabling abusive behavior and criminal activities. If it does, it’s accused of violating your privacy. Damned if it does, damned if it doesn’t.

(It’s worth noting that Apple’s iMessage service is also end-to-end encrypted; there’s no way of reporting abusive behavior other than reporting junk messages from people not in your contact list. It’s entirely unclear what Apple does with those reports, but it hasn’t taken significant flak for that design. However, if you have iCloud Backup enabled, your Messages conversations are encrypted within the backup using a key that Apple controls, making it possible for law enforcement to subpoena the data from Apple. Until recently, WhatsApp had the same loophole but has announced that it will start encrypting its backups.)

However, many WhatsApp users abuse the reporting system to harass others:

The system is also undercut by the human failings of the people who instigate reports. Complaints are frequently filed to punish, harass or prank someone, according to moderators. In messages from Brazil and Mexico, one moderator explained, “we had a couple of months where AI was banning groups left and right because people were messing with their friends by changing their group names” and then reporting them. “At the worst of it, we were probably getting tens of thousands of those. They figured out some words the algorithm did not like.”

The broader lesson here is that your private messages are only as secure as the people you’re messaging keep them, which is true of all multi-party communications.

However, there are also real concerns with WhatsApp and its collection of metadata to further Facebook’s business of gathering data to sell ads:

Four months later, however, WhatsApp disclosed it would begin sharing user data with Facebook — precisely what Zuckerberg had said would not happen — a move that cleared the way for an array of future revenue-generating plans. The new WhatsApp terms of service said the app would share information such as users’ phone numbers, profile photos, status messages and IP addresses for the purposes of ad targeting, fighting spam and abuse and gathering metrics. “By connecting your phone number with Facebook’s systems,” WhatsApp explained, “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them.”

Whatever metadata Facebook collects, it’s required to hand over to law enforcement, and Facebook sneakily turns on logging whenever it’s convenient:

WhatsApp has for years downplayed how much unencrypted information it shares with law enforcement, largely limiting mentions of the practice to boilerplate language buried deep in its terms of service. It does not routinely keep permanent logs of who users are communicating with and how often, but company officials confirmed they do turn on such tracking at their own discretion — even for internal Facebook leak investigations — or in response to law enforcement requests. The company declined to tell ProPublica how frequently it does so.

The takeaway here is blatantly obvious: don’t trust Facebook, of all companies, with your privacy. But that said, WhatsApp is still a better option for private communications than email or SMS, even if it’s not as good as iMessage. I prefer Signal (see “Signal Provides Secure Cross-Platform Replacement for WhatsApp,” 18 January 2021), and although I don’t trust it entirely, the service has a good record on privacy so far. ProPublica says of Signal:

Other encrypted platforms take a vastly different approach to monitoring their users than WhatsApp. Signal employs no content moderators, collects far less user and group data, allows no cloud backups and generally rejects the notion that it should be policing user activities. It submits no child exploitation reports to NCMEC.

However, that could always change if Signal faced an existential threat of some kind: sufficient governmental pressure, for instance, or the need to monetize user information to stave off bankruptcy.

ProtonMail Reveals Data to Comply with Swiss Legal Order

Email service ProtonMail claims to be the most secure email service, with end-to-end encryption and “Swiss privacy.” Switzerland, where ProtonMail is based, is known for its strong privacy laws (and its famously private bank accounts), but ProtonMail has come under fire after hitting the limits of those laws.

While ProtonMail normally doesn’t collect IP addresses, it was ordered to by a Swiss judge, which led to the arrest of a French activist. In a public statement, the company said this was a single incident compelled by a court that ProtonMail couldn’t appeal. It also reiterated that Swiss law prevents ProtonMail from sharing data with foreign governments and that its encryption cannot be bypassed. ProtonMail recommends using its Tor onion site to obfuscate your IP address when using ProtonMail.

Many ProtonMail fans were upset with the company, but the lesson here is that businesses have to follow local laws. Even if Switzerland’s laws are better than those of most countries, with appropriate pressure from foreign governments, they can still be used against people who might not obviously seem to have violated the law.

Key Privacy Takeaways

Here’s what we can learn from these reports:

  1. It takes two to tango. Messages you believe to be private will remain so only as long as the people who receive them maintain that privacy, technically and socially.
  2. Be aware that most online services collect metadata surrounding your communications, such as your IP address, name, phone number, etc. Regardless of the encryption status of the content of your communications, that metadata may reveal information about you, and it’s almost always accessible to law enforcement with appropriate warrants.
  3. Companies and organizations have to follow local laws and comply with legal orders that require them to turn over what data they do have.
  4. A company’s policies or privacy stance could change at any time. Many people saw Apple’s recently bungled CSAM detection announcement as an indication that the company was moving away from its “privacy is a human right” stance (see “Apple Delays CSAM Detection Launch,” 3 September 2021). In response to the French activist situation, ProtonMail has removed the section about not logging IP addresses from its privacy policy.
  5. When a company’s business model is based on selling user information, as it is for Facebook, its privacy promises are inherently suspect.

Perhaps the best privacy advice of all came from Boston political boss Martin Lomasney: “Never write if you can speak; never speak if you can nod; never nod if you can wink.” Or former New York governor Eliot Spitzer’s updated version: “Never talk when you can nod and never nod when you can wink and never write an e-mail, because it’s death. You’re giving prosecutors all the evidence we need.” Unfortunately for Mr. Spitzer, he didn’t follow his own advice.

For more realistic advice for those of us who aren’t worried about rival politicians or federal wiretaps, I’d share a recommendation I received in journalism school, which was, “Never put in an email anything you wouldn’t want on the front page of the New York Times.” I’d merely update that to change “in an email” to “on the Internet.”

Comments About Remember, Communication Services Cannot Guarantee Privacy

Notable Replies

  1. Or, in other words, “A secret known by more than one person is no secret”.

    Or as Benjamin Franklin once said: “Three can keep a secret, if two of them are dead.”

  2. Many people saw Apple’s recently bungled CSAM detection as an indication

    Fixed that for you. The announcement wasn’t the problem. What they announced was.

  3. That is a little harsh. That material is illegal and they need to help root it out if they can. The really big issue is that they were going to do it on device…and that’s an invasion of privacy…I don’t think there would have been nearly as much outrage if they said they were going to scan on their end…and gave clear notice of how to opt out of that…and if you had photos to iCloud off and turned it on a prompt telling you that uploaded mights would be scanned for illegal material. Part of it is Apple looking at the legislative and judicial tea leaves and trying their best to mitigate any really bad ideas like banning encryption. Telling users your phone is private but material put on iCloud might not be solves the issue but doesn’t invade user device privacy. Unless iCloud got full E2EE…nothing on the cloud is really secret. As Steve Gibson of Security Now says…TNO…Trust No One…and PIE…Pre Internet Encryption…is the only way to adequately ensure privacy and security.

    People would have still complained about server side scanning…but less vigorously and Apple would have a much more defensible position.

  4. Let’s try to keep this thread focused on the WhatsApp and ProtonMail examples and on the general issue of privacy with Internet communication services rather than getting back into the CSAM detection debate.
