In March, WhatsApp’s security team issued an internal warning to their colleagues: Despite the software’s robust encryption, users were still at risk of government surveillance. The threat assessment obtained by The Intercept revealed that while the contents of conversations on the app are secure, government agencies were able to bypass the encryption to track user communication, group memberships, and potentially their locations.
The vulnerability, known as “traffic analysis,” relies on monitoring internet traffic on a large scale. The document highlighted that WhatsApp was not the only platform susceptible to this type of surveillance. However, it emphasized that Meta, WhatsApp’s owner, needed to prioritize either the functionality of the chat app or the safety of a vulnerable segment of its users.
“WhatsApp should address the ongoing exploitation of traffic analysis vulnerabilities that allow nation states to identify users’ communication patterns,” the assessment recommended. “Our at-risk users require strong protections against traffic analysis.”
Amid the conflict in Gaza, some Meta employees speculated that Israel might be using this vulnerability to monitor Palestinians. Meta spokesperson Christina LoNigro stated that WhatsApp does not have backdoors or evidence of vulnerabilities in its system.
Although the document mentions WhatsApp multiple times and describes the vulnerabilities as “ongoing,” LoNigro clarified that it was not a reflection of a specific vulnerability in WhatsApp and was not unique to the platform. She did not confirm whether Israel was exploiting this vulnerability.
Despite the fact that WhatsApp messages are encrypted, the assessment demonstrated how governments could use internet infrastructure access to track encrypted communications’ timing and location. This capability allows agencies to infer which individuals are communicating, even if the content of their conversations remains private.
“The nature of these systems is that they’re going to kill innocent people and nobody is even going to know why.”
The WhatsApp threat assessment did not provide specific instances of state actors deploying this method. However, it referenced reports by the New York Times and Amnesty International, illustrating how countries use these techniques to spy on encrypted chat apps like WhatsApp.
As warfare becomes increasingly digital, metadata has become crucial for intelligence and military operations worldwide. “We kill people based on metadata,” former NSA chief Michael Hayden once remarked.
Matthew Green, a cryptography professor, warned that even inaccurate metadata analyses could have deadly consequences. “The nature of these systems is that they’re going to kill innocent people and nobody is even going to know why,” Green said.
It wasn’t until a report on Israel’s data-centric warfare approach was published in April that the WhatsApp threat assessment sparked tension within Meta.
A joint report by +972 Magazine and Local Call revealed that Israel’s army used a software system called Lavender to target Palestinians in Gaza for assassination based on data analysis. The report suggested that WhatsApp usage was one of the factors used by the Israeli military to identify potential targets.
WhatsApp usage is among the multitude of personal characteristics and digital behaviors the Israeli military uses to mark Palestinians for death.
The Israeli military denied using an AI system to identify terrorists but confirmed Lavender’s purpose as a database for intelligence cross-referencing.
After the Lavender exposé and subsequent discussions on the topic, more Meta employees became aware of the March WhatsApp threat assessment, according to anonymous company sources.
The revelation that governments may be able to access personally identifying metadata from WhatsApp’s encrypted conversations raised concerns about the potential use of this vulnerability in Lavender or other Israeli military targeting systems.
Efforts to urge Meta to disclose information about the vulnerability and its possible exploitation by Israel have been unsuccessful, with sources reporting a pattern of internal censorship against expressions of solidarity with Palestinians.
In response to fears that innocent individuals may be targeted by the Israeli military, Meta employees have formed a group called Metamates 4 Ceasefire. The group has published an open letter signed by over 80 staff members, demanding an end to censorship within the company.
According to an internal assessment, network traffic analysis can reveal user connections on WhatsApp, posing a significant threat to user privacy. The analysis highlights how observation of encrypted data can compromise privacy protections, potentially exposing user identities and locations.
WhatsApp’s internal security team has identified correlation attacks that can bypass the app’s privacy measures, emphasizing the importance of protecting metadata in addition to message content. The assessment also discusses the vulnerability of users in regions where internet access is routed through potentially surveilled infrastructure.
The assessment indicates that WhatsApp has been aware of these risks for some time, with similar surveillance techniques applicable to other messaging apps as well.
Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, pointed out that most major messenger applications and communication tools do not consider traffic analysis attacks in their threat models. While researchers have acknowledged the technical feasibility of such attacks, the practicality and reliability on a large scale, such as at a country level, remained uncertain.
The assessment highlighted that WhatsApp engineers are aware of the seriousness of the issue but face challenges in persuading their company to address it. De-anonymization techniques, extensively discussed in academic literature, present a significant challenge for companies like Meta due to the complex tradeoff between performance, responsiveness, and privacy.
In response to inquiries about enhancing protection against traffic analysis, Meta’s spokesperson emphasized their commitment to addressing identified issues, holding bad actors accountable, and continuously strengthening their systems against future threats.
The report acknowledged that improving security measures would impact the app’s user experience, particularly concerning correlation attacks. Balancing user protection with maintaining mass appeal poses a dilemma for Meta, as the company aims to maximize market share and accessibility while safeguarding at-risk users.
“The tension is always going to be market share, market dominance.”
A Meta insider noted the company’s tendency to be reactive rather than proactive, citing past instances like the role of Facebook in Myanmar’s Rohingya genocide. The challenge lies in prioritizing market dominance over the security of a smaller but vulnerable user segment.
The report explored potential solutions such as introducing delays in message transmission to thwart geolocation efforts or sending decoy data to obfuscate real conversations. However, these measures could impact user experience, battery life, and data usage, posing additional challenges.
WhatsApp’s security team emphasized the need for collective action to combat traffic analysis, highlighting the importance of unity in developing protections for targeted users. The memo suggested implementing a hardened security mode akin to Apple’s “Lockdown Mode” for at-risk users, although potential drawbacks, such as drawing unwanted attention to users, were noted.
In navigating the delicate balance between privacy and usability, WhatsApp faces complex decisions in safeguarding users against sophisticated threats while maintaining a seamless user experience.
