July 26, 2020
Home  »  Magazine  »  Business  » Cover Stories  » Cover Story »  Reapers Of The Intimate Word

Reapers Of The Intimate Word

How secure is the data we splurge on WhatsApp? Third parties can get hold of your number, and research reveals chinks in the ­protection of public group chats.

Google + Linkedin Whatsapp
Follow Outlook India On News
Reapers Of The Intimate Word
The Zuck Stops Here
The Facebook founder testifies before a US Senate committee on April 10
Photograph by Getty Images
Reapers Of The Intimate Word
  • Anna Eshoo, Congresswoman: “Was your data included in the data sold to the malicious third parties, your personal data?”
  • Mark Zuckerberg, CEO, Facebook and Owner of WhatsApp: “Yes.”


We are all on WhatsApp. We send our ATM PINs to our children, bank passwords to our husbands, property papers to brokers, PAN cards to our CAs, front and back of our passports as proof of residence to get gas connections, personal photos and videos to our family group, business strategies and marketing plans to our office groups, dirty jokes to college buddies. Intelligence agencies, police departments and military personnel are known to be interacting on this messenger service. Practically, our whole lives, warts and all, are on WhatsApp.

What if all this can be spied on? It’s our entire life ­history, after all, that’s out there. How safe is it on WhatsApp? Have you ever imagined your bank opening your locker and selling off your valuables? Can information be commodified and sold to interested marketers or political parties? Of course it can. It’s already happening across the board. Will WhatsApp do it?

Well, Facebook already stands exposed. In the biggest ‘breach’ on the internet since Edward Snowden snooped in on the all-snooping NSA in the US, Canadian whistleblower Christopher Wylie revealed that his former firm Cambridge Analytica used data from 87 million Facebook ­accounts—inc­luding that of its top boss Mark Zuckerberg, as he made clear when he deposed to the US senate—to target them with campaign material prior to the country’s 2016 presidential election. Over 5 million Ind­ians were also affected by the breach, courtesy of a Facebook app titled ‘This Is Your Digital Life’.

Facebook can get access to Android call records; Dylan McKay found that it had “my entire call ­history with my partner’s mum.”

So, what’s the safeguard that the Facebook-owned WhatsApp won’t do the same? The messenger service is ­already prone to its own leaks, and data firm Statista ­estimates that WhatsApp had close to 200 million active ­users from India in Feburary 2017, a number Zuckerberg also confirms. This is a tenfold inc­rease from 2013 when it started to become popular in India.

Can anybody hook a periscope into the millions of conversations happening every day and scan what so many users are saying? Researchers Outlook spoke to say they can. They say there’s a faultline in public group chats that allows those controlling WhatsApp servers to let themselves into the chat and snoop in. WhatsApp is said to be working on this weak link. There are also concerns surrounding the kind of data that it shares with its owner Facebook and the targeted advertising that comes along with it.

In October 2014, Facebook acquired a loss-making WhatsApp for $19 billion. Two years later, in August 2016, WhatsApp ann­ounced that it was updating its terms and privacy policy for the first time in four years, and gave users an option to opt out of sharing their information with Facebook. “But by coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services, and better fight spam on WhatsApp. And by connecting your phone number with Facebook’s ­systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them,” the release said.

The following year, after the Delhi High Court dismissed a PIL against this change in the privacy policy, the Supreme Court decided to set up a five-judge constitution bench to hear the matter in May. Earlier, the apex court had asked why the matter was a right-to-privacy breach when users could opt out of what was a “free service”. In September 2017, WhatsApp told the court that it shares the user’s telephone number, device details, device registration number and ‘last seen’ (feature on WhatsApp) details with third parties.

“When WhatsApp gets into payments, it will open a pandora’s box. It will have a goldmine of new data to share with Facebook, and abuse.”
Vivek Wadhwa, Author and Distinguished Fellow, Carnegie Mellon University.

“The question is, can a company “share” users’ data with third parties? In the US and EU, privacy statements or disclosures on a company’s website typically state the “purpose” for which the website or platform is collecting the data (e.g., to improve services for the users). I typically ask the company to confirm this data is not being shared with third parties when drafting privacy statements,” says Aarthi S. Anand, an attorney with a New York law firm. Anand says that if we allow sites to “share” user data with others, we are saying the company rather than the person “owns” that person’s personal information. “Does the law want to countenance such a position? Does the law support the position that, because a person uses a service or platform or website, that service or website owns that individual’s personal data?” she asks. The answer is no. “Some data collection can help the website improve its services to that person or others  Hence, users may agree for this purpose, but that is different from agreeing that your data may be sold to other third-party companies,” she states. She asks whether the right to privacy guaranteed by the recent SC judgement will have any meaningful value if we allow websites to harvest and sell individuals’ data (because they ‘consented’ by checking the terms of use).

Concerns over confidentiality are near peak levels right now. On April 2, WABetaInfo, a fan-info website that tracks WhatsApp, tweeted: “All users from Israel are now connected to WhatsApp through the Facebook servers.” The account said that Facebook would thus have access to meta-data generated through chats, but added: “This just ensures a better quality of the connection. All chats and calls are end-to-end encrypted, so WhatsApp/Facebook cannot read/listen (to) them.”

This January, Germany-based researchers Paul Rösler, Christian Mainka and Jörg Schwenk co-­authored a paper titled “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp and Threema”, analysing the three messaging apps for chinks. While Signal and Threema were relatively uns­cathed, WhatsApp did seem compromised.

The researchers took adv­antage of a bug that showed that WhatsApp servers, or anyone who controlled them, could snoop into group chats. WhatsApp groups only allow the group administrator to add or remove members, but the bug allowed the server to do the same. “Apart from the ability to become a group member, the server can also reorder messages in transmission or forward single messages to only some of the users,” Rösler tells Outlook. The paper says it would enable the server to take “full control over a group”, while users in the group would merely be notified of a new entrant. The researchers say the server can also reorder the messages in the group, “cache sent messages to the group, read their content first and decide in which order they are delivered to the members.”

“Any company can easily get data from public groups. With­access to phone­numbers, they could use this data for advertising.”
Kiran Garimella, Researcher, EPFL. Co-Author Of Paper On Public Group Data.

“They were not interested in our reports in the first place, but finally responded after we presented our work at this year’s Real World Crypto conference,” says Rösler. He says that WhatsApp is now working on a “new group protocol specification” but only as a result of the breach the resea­rchers had detected. Rösler says that where end-to-end sec­urity features on one-to-one private chats are concerned, “WhatsApp is among the most usable and still secure protocols one can ima­gine.” He says that even in a group setting, WhatsApp is still “secure enough” for a normal user. However, when it comes to confidentiality in groups where not everyone knows each other, “WhatsApp is probably not the best messenger,” says Rösler. “Finally, also for use cases in which it is important to be sure who sent and received which messages within a group, I think WhatsApp does not reach a sufficient level of reliability and security,” he adds.

This is worrying because WhatsApp has a near-monopoly hold over Indian users. Till 2010, mobile phone users were still cued into SMSes, with 6.1 trillion texts sent that year. But now WhatsApp has emerged as the dominant force, at least in India where over 94 per cent of Android devices have the app installed and 78 per cent of them use it daily. A study by US-based media agency Zenith last year had est­imated that India’s mobile phone users would hit 530 million by 2018, with a majority of them being Android users.

A bug lets the server “become a group ­member, reorder ­messages in ­transmission or ­forward messages to only some users.”
Paul Rösler, Ruhr-University Bochum. Co-Author Of Paper On Group Chat Security.

On March 21, Dylan McKay from New Zealand tweeted that he had downloaded all the data Facebook had on him, and was surprised to find: “Somehow it has my entire call history with my partner’s mum.” The website Ars Technica followed up on the story and reported several instances of Facebook having access to call and SMS records on Android devices. Facebook responded to the alleged snooping by saying that they had been doing it as “call and text history logging is part of an opt-in feature for people using Mess­enger or Facebook Lite on Android.” On their blog, they also mentioned that “people have to expressly agree to use this feature.” This is pretty much what Facebook founder and head honcho Zuckerberg told the United States Congress in his deposition after the Cambridge Analytica exposé. And he said, in not so many words, that Facebook had no plans to change its business model.  

Now, this trickles down to WhatsApp as well. Researchers have already established that advertisers and brand ­managers can use the messenger service to push their products. And India is particularly vulnerable.

How, exactly?

In a paper titled “WhatsApp, Doc? A First Look at WhatsApp Public Group Data”, researchers Kiran Gari­mella and Gareth Tyson reveal how they were able to scrape data from 178 ­publicly accessible WhatsApp groups that were themed around popular topics like politics, football and music. And what did the data tell them?

In total, the duo had access to about 45,000 users and 4,54,000 messages. Out of this total, they were able to locate about 25,000 users from India (the maximum) and 3,600 from Pakistan, while Russia, Brazil and Columbia had close to 3000, 2000 and 1000 respectively. Their research also reveals the linguistics at play: English was the most used language, followed by Hindi and Spanish. Gujarati, Tamil and Marathi also feature in the top ten, beating German, Polish and Italian.


Unless they opt out, WhatsApp users have some of their data automatically shared with Facebook

Photograph by Getty Images

When it came to the most frequently shared websites, the usual suspects like YouTube, Google and Amazon were on top. But surprisingly, more obscure websites like lootdealsindia.in, marugujarat.com and kamalking.in are also frequen­tly shared. “It is clear that WhatsApp groups may offer an effective vantage into lesser known web content and how it is accessed by fringe communities,” the paper says.

The researchers were also able to identify broad categories in the 178 groups. They zeroed in on 70 generic groups, 19 adult groups, 17 pertaining to movies and 15 to political parties. “We were able to show that we can collect data from public WhatsApp groups. These are by definition public, meaning, the users who join them are aware that they are part of a group with strangers, who can see their phone number,” Kiran Garimella, one of the researchers, tells ­Outlook. Stressing that what they did was not a hack, he says that it requires a fair bit of technical knowledge to source data. “However, any company that wants to do this and can invest time or resources can easily do it. Getting access to such phone numbers, these companies can potentially use this data for advertising,” he adds.

Experts believe that exposure of such data, or even ­meta-data, can lead to dangerous consequences. “Once they have the data, they can do whatever they like with it. This is a worse situation than what Facebook enabled with Cambridge Analytica, where there were rules for what apps could do. Here anyone can enter a group using a public link and sit back and mine data to their heart’s content,” says Vivek Wadhwa, author and distinguished ­fellow at Carnegie Mellon University’s ­College of Engineering.

He adds that those who get into public groups would also have the numbers of other users, which can be used to search Facebook for more information. “In other words, WhatsApp is offering marketers and governments an all-you-can-eat buffet of information—with no strings attached. The people in these public groups buy the propaganda WhatsApp puts out about privacy being in their DNA and believe that they are magically protected by end-to-end enc­ryption,” he says. “Traditionally, their defence was that no individual was reading your messa­ges (and that the data was anonymised). The Cambridge Ana­lytica episode disputes this benign explanation and instead shows that if you hand over raw data, someone is able to draw causal links and influence my decision on fundamental democratic values such as electing our leaders.” says Anand.

What about India’s laws?

Where data is concerned, everyone wants a piece of action, and as China is the Forbidden Kingdom for West-based servers (see story on pages 47–48), India is now hot property. In August 2017, the government set up the Srikrishna Committee to look at a data protection law. The committee has released a white paper that includes a chapter titled ‘Data Localisation’. “Data localisation requires companies to store and process data on servers physically located within national borders,” the paper says. On April 5, Techcrunch reported that Facebook planned on complying across the world with the norms of EU’s GDPR, the strict new European data protection law. However, reports later said that this compliance would be limited to Europe. Also, CNBC reported in June last year that Facebook was planning on getting WhatsApp servers off IBM’s Cloud service (which hosts the likes of Microsoft and Amazon) and into Facebook’s own data centres.

Between Scylla and Charybdis, which is the lesser evil for the Indian user—their personal information being in the hands of a US-based company, or with their own government? Experts are divided on the ­iss­ue. Garimella says India should also look to enforce a regulation along the lines of the EU’s GDPR. “In India, it is feast time for these foreign companies: no laws, no impediments, and political leaders who are in such awe of western companies that they would rather get selfies with CEOs than hold them accountable,” agrees Wadhwa. He says the government should limit what data WhatsApp can gather, and prevent it from sharing any data with Facebook or any other company.

The Indian government has also had a history of going after instant messenger apps that have encryption. After years of trying, in 2013, the government got access to emails sent over Blackberry Messenger, and was also able to look into the status of chats. Anand says that governments should not get access to this data, as it would after all be individuals—that is, bureaucrats and officers—who get access, and with it the potential to misuse that access.

CNBC reported last year that Facebook was planning to move WhatsApp servers from IBM’s Cloud service to its own data centres.

WhatsApp is only likely to grow more indispensable in the days to come. It is planning on moving into payments on its platform by rolling out the feature for some users; this could hit e-wallets like PayTM. In India, IndusInd Bank has tied up with WhatsApp for a pilot project that would enable the bank to communicate important transaction alerts to its customers via the messenger service. Their press release pointed out that this setup also allows for two-way com­munication with ­replies to customer mes­sages, and ­provides basic banking services such as checking one’s ­balance, getting mini statements and checking reward points, as well as the ability to update one’s Aadhaar details through WhatsApp, “When WhatsApp gets into payments, it will open up a new Pandora’s Box because people will be sharing mobile numbers, putting themselves at risk. WhatsApp will have a goldmine of new data to share with Facebook, and abuse,” says Wadhwa.

There is also the matter of ‘fake news’, which finds WhatsApp, among others, to be an easy channel for dissemination. Garimella says the current technology at hand “does not make it easy to quickly identify such sources of fake news since most of it is in visual form, like videos or images.” He mentions that as Indian users are not as “internet-literate” with many being first-time users, “issues with being manipulated by propaganda and fake news are a much, much bigger problem in places like India than in developed nations like the US or European countries. We already see the effects of platforms like WhatsApp on the day-to-day lives of many hundreds of millions. It’s only a matter of time before some hostile actor can use this to mass-manipulate user opinions.” There were allegations that the Muzaffarnagar riots in 2013 were triggered and fuelled by fake WhatsApp videos of inflammatory sloganeering from Pakistan.

But that’s another story. What is worrying everyone right now is the safety of the personal information they’ve shared. Data, they say, is the new oil. Whoever has access to it, especially big data, will be the new sheikhs and emirs. How effectively all the data floating around on WhatsApp can be used to influence what you buy or who you vote for is anybody’s guess. But the next time your insurance agent asks you to WhatsApp a photo of your Aadhaar card to update the KYC, it may be better to say no.

Next Story >>
Google + Linkedin Whatsapp

The Latest Issue

Outlook Videos