This article provides a detailed chronological account of the historical reception and criticism of security and privacy features in the WhatsApp messaging service.


2011

On May 20, 2011, an unidentified security researcher from the Netherlands using the pseudonym "WhatsappHack" published, on the Dutch websites Tweakers.net and GeenStijl, a method for hijacking WhatsApp accounts through a flaw in the authentication process. The method involved attempting to log in to a person's account from another phone number and intercepting the verification text message that would be sent out. "WhatsappHack" provided methods to accomplish this on both the Symbian and Android operating systems. One day after the publication of the articles, WhatsApp issued a patch for both the Android and Symbian clients. In May 2011, another security hole was reported which left communication through WhatsApp susceptible to packet analysis: WhatsApp communications data was sent and received in plaintext, meaning messages could easily be read if packet traces were available.


2012

In May 2012, security researchers noticed that new updates of WhatsApp sent messages with encryption, but described the cryptographic method used as "broken". In August of the same year, WhatsApp support staff stated that messages sent in the "latest version" of the WhatsApp software for iOS and Android (but not BlackBerry, Windows Phone, and Symbian) were encrypted, but did not specify the cryptographic method. On January 6, 2012, an unknown hacker published a website that made it possible to change the status of any WhatsApp user, as long as the phone number associated with the user's account was known. On January 9, WhatsApp reported that it had resolved the problem. In reality, WhatsApp's solution had been to block the website's IP address, which still left it possible for a Windows tool to be made that could accomplish the same thing. This problem has since been resolved by the introduction of an IP address check on currently logged-in sessions. On September 14, 2012, Heise Security demonstrated how to use WhatsAPI to hijack any WhatsApp account. Shortly afterward, WhatsApp threatened to initiate legal action against the developers of WhatsAPI, an open-source project, and WhatsAPI temporarily took down its source code. This, however, did not address the underlying security failure, and Heise Security claimed it had been able to successfully repeat the hijacking of WhatsApp accounts. The WhatsAPI team has since resumed active development.


2013–2015

On March 31, 2013, the Saudi Arabian Communications and Information Technology Commission (CITC) issued a statement that mentioned possible measures against WhatsApp, among other applications, unless the service providers took serious steps to comply with monitoring and privacy regulations. In February 2014, the German state of Schleswig-Holstein advised against using WhatsApp, as the service lacked privacy protection such as end-to-end client-side encryption. In late 2014, WhatsApp began its implementation of end-to-end encryption, which it finished in April 2016.

A joint Canadian-Dutch government investigation was launched into several concerns over WhatsApp's compliance with security regulations. The primary concern of the investigators was that WhatsApp required users to upload their mobile phone's entire address book, including contact information for contacts who were not using WhatsApp, to be mirrored on WhatsApp's servers. While WhatsApp stored these phone numbers in hashed form, the hashes were not salted. In late 2015, the Dutch government released a press statement claiming that WhatsApp had changed its hashing method, making it much harder to reverse, and had thus subsequently complied with all rules and regulations.

On December 1, 2014, Indrajeet Bhuyan and Saurav Kar demonstrated the WhatsApp Message Handler vulnerability, which allowed anyone to remotely crash WhatsApp just by sending a specially crafted 2 kilobyte message. A user who received the message had to delete the whole conversation to avoid crashing WhatsApp upon opening it. In early 2015, after WhatsApp launched a web client that can be used from the browser, Bhuyan found that the client had two new security issues: the WhatsApp photo privacy bug and the WhatsApp web photo sync bug.


2016

On March 2, 2016, WhatsApp introduced a document-sharing feature that allows users to share PDF files with contacts. WhatsApp received criticism, however, for the default setting that automatically downloads attachments, which raised concerns about the downloading of malware and malicious files should the feature expand to include more than just PDFs. In August 2016, WhatsApp announced that it would start sharing account information, such as the phone number of the account owner and aggregated analytical data, with Facebook. WhatsApp claimed that users' address books, message content, and metadata would not be shared. According to WhatsApp, this account information is shared to "track basic metrics about how often people use our services and better fight spam on WhatsApp. And by connecting your phone number with Facebook's systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them." It was further stated that "User data will not be shared with advertisers, and is only used internally on the Facebook services," and that users would be given the choice to opt out of sharing this data with Facebook for advertising purposes. In October 2016, the Article 29 Working Party stated that it had serious concerns regarding the way that the information relating to the updated Terms of Service and Privacy Policy was provided to users, and, consequently, about the validity of the users' consent.

As of the client released on April 5, 2016, end-to-end encryption is supported for all of a user's communications, including file transfers and voice calls. It uses Curve25519 for key exchange, HKDF for generation of session keys (AES-256 in CBC mode for encryption and HMAC-SHA256 for integrity verification), and SHA-512 for generating the two 30-digit fingerprints of both users' identity keys so that users can verify the encryption. The encryption prevents even the company from being able to decrypt users' communications. This update was received well by security professionals and privacy enthusiasts, and the move was praised by Amnesty International. The US Federal Bureau of Investigation criticized the update as threatening the work of law enforcement.

In 2016, WhatsApp received a score of 6 out of 7 points on the Electronic Frontier Foundation's "Secure Messaging Scorecard". It received points for having communications encrypted in transit, having communications encrypted with keys the provider does not have access to, allowing users to verify contacts' identities, keeping past messages secure if the encryption keys are stolen, having completed a recent independent security audit, and having the security design properly documented. The missing seventh point was for the code not being open to independent review.
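The "verify contacts' identities" point on the scorecard rests on the 30-digit fingerprints mentioned above. As an added example, not code from the article or from WhatsApp, the block below re-implements the numeric-fingerprint construction published for the Signal Protocol, on which WhatsApp's end-to-end encryption is built; the page states only that SHA-512 yields two 30-digit fingerprints, so the 2-byte version field, the 5,200 iterations and the 5-bytes-modulo-100000 digit encoding are taken from that specification, and the identity keys and identifiers are constructed samples.

```python
import hashlib
import hmac

FINGERPRINT_VERSION = 0   # 2-byte version field prefixed to the hash input
ITERATIONS = 5200         # iteration count from the Signal fingerprint spec


def numeric_fingerprint(identity_key: bytes, stable_identifier: bytes,
                        iterations: int = ITERATIONS) -> str:
    """One party's 30-digit fingerprint: SHA-512 iterated over
    version || identity key || identifier, then six groups of five digits,
    each group being five digest bytes reduced modulo 100000."""
    h = FINGERPRINT_VERSION.to_bytes(2, "big") + identity_key + stable_identifier
    for _ in range(iterations):
        h = hashlib.sha512(h + identity_key).digest()
    groups = []
    for offset in range(0, 30, 5):
        chunk = int.from_bytes(h[offset:offset + 5], "big") % 100000
        groups.append(f"{chunk:05d}")
    return "".join(groups)


def safety_number(local_key: bytes, local_id: bytes,
                  remote_key: bytes, remote_id: bytes) -> str:
    """The 60-digit string both users should see: the two 30-digit
    fingerprints concatenated in lexicographic order, so that each side
    computes the same value regardless of who is 'local'."""
    local = numeric_fingerprint(local_key, local_id)
    remote = numeric_fingerprint(remote_key, remote_id)
    return local + remote if local <= remote else remote + local


def fingerprints_match(shown_by_contact: str, computed_locally: str) -> bool:
    """Out-of-band check (read aloud, QR scan): constant-time comparison."""
    return hmac.compare_digest(shown_by_contact, computed_locally)


# Constructed sample identity keys and identifiers (not real Curve25519 keys).
ALICE_KEY = bytes([0x05]) + bytes(range(1, 33))
BOB_KEY = bytes([0x05]) + bytes(range(33, 65))
ALICE_ID = b"+15550100001"
BOB_ID = b"+15550100002"


def demo():
    """Return (Alice's view, Bob's view, Alice's view if Bob's key were
    substituted).  The first two agree; the third differs, which is what a
    user comparing safety numbers out of band would notice."""
    alice_view = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    bob_view = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    substituted_key = bytes([0x05]) + bytes(range(65, 97))
    tampered_view = safety_number(ALICE_KEY, ALICE_ID, substituted_key, BOB_ID)
    return alice_view, bob_view, tampered_view


if __name__ == "__main__":
    a, b, t = demo()
    print("alice:", a)
    print("bob:  ", b)
    print("after key substitution:", t, "match:", fingerprints_match(a, t))
```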


2017

On January 15, 2017, a research team from Ruhr University Bochum published a security analysis of group messaging protocols in WhatsApp and other messaging services, which found a privacy concern in that WhatsApp's servers effectively control the membership of groups. The report found that it would therefore be possible to add arbitrary phone numbers to a group chat such that future communication becomes insecure. In October 2017, the German software company Open-Xchange criticized WhatsApp, among others, for using proprietary software and stated plans to create an open-source alternative.


''The Guardian'' Incident

On January 13, 2017, ''The Guardian'' reported that security researcher Tobias Boelter had found that WhatsApp's policy of forcing re-encryption of initially undelivered messages, without informing the recipient, constituted a loophole whereby WhatsApp could disclose the content of these messages. WhatsApp and Open Whisper Systems officials disagreed with this assessment. After complaints from 73 security researchers, ''The Guardian'' substantially revised and corrected its articles, and a follow-up article from Boelter was removed. In June 2017, ''The Guardian'' readers' editor Paul Chadwick wrote that "The Guardian was wrong to report in January that the popular messaging service WhatsApp had a security flaw so serious that it was a huge threat to freedom of speech." Chadwick also noted that since the Guardian article, WhatsApp had been "better secured by the introduction of optional two-factor verification in February."


2019

In May 2019, it was revealed that there was a security vulnerability in WhatsApp that allowed a remote attacker to install spyware just by making a call, which did not even need to be answered. Later, in June 2019, another vulnerability was revealed that allowed a user to turn an audio call into a video call without the victim's consent and without the victim noticing. A bug bounty of US$5000 was offered for this bug.

In June 2019, WhatsApp announced that it would take legal action against users who send a disproportionately high number of messages using its communication platform. The company reiterated that its platform was meant for private messaging or for businesses to interact with their customers through its business app. In a notification on its website the company stated: "Beginning on December 7, 2019, WhatsApp will take legal action against those we determine are engaged in or assisting others in abuse that violates our terms of service, such as automated or bulk messaging".

In September 2019, WhatsApp was criticized for its implementation of a "delete for everyone" feature. iOS users can elect to save media to their camera roll automatically. When a user deletes media for everyone, WhatsApp does not delete images already saved in the iOS camera roll, so those users are able to keep the images. WhatsApp released a statement saying that "the feature is working properly," and that images stored in the camera roll cannot be deleted due to Apple's security layers. In November 2019, WhatsApp released a new privacy feature that lets users decide who can add them to groups.

In December 2019, WhatsApp confirmed a security flaw that would allow hackers to use a malicious GIF image file to gain access to the recipient's data. The flaw was first reported by a user named Awakened on GitHub with an explanation of how the exploit worked. When the recipient opened the gallery within WhatsApp, even without sending the malicious image, the exploit was triggered and the device and its contents became vulnerable. The flaw was patched and users were encouraged to update WhatsApp. On December 17, 2019, WhatsApp fixed a security flaw that allowed attackers to repeatedly crash the messaging application for all members of a group chat, which could only be remedied by completely uninstalling and reinstalling the app. The bug was discovered by Check Point in August 2019 and reported to WhatsApp. It was fixed in version 2.19.246 onwards.


2020

In April 2020, WhatsApp sued the NSO Group for allegedly using the spyware it produces to hack at least 1,400 WhatsApp users. The company responded by claiming that it is not responsible for, nor can it control, how its clients use its software. According to research by Citizen Lab, countries which may have used the software to hack WhatsApp include Saudi Arabia, Bahrain, Kazakhstan, Morocco, Mexico and the United Arab Emirates. On 16 December 2020, as part of an antitrust case against Google, a complaint was made that WhatsApp gave Google access to private messages. The complaint was heavily redacted because it was part of an ongoing case, and therefore it cannot be determined whether the claim alleges tampering with the app's end-to-end encryption or Google accessing user backups.


2021

In January 2021, WhatsApp announced an update to its Privacy Policy stating that WhatsApp would collect the metadata of users and share it with Facebook and its "family of companies" starting in February 2021. Previously, users could opt out of such data sharing, but this would no longer be an option. The new policy would not fully apply within the EU, in order to comply with the GDPR. The new policy would not allow WhatsApp to see or send messages, which are still end-to-end encrypted, but it would allow Facebook to see data such as what phone and operating system a user has, the user's time zone, IP address, profile picture, status, phone number, app usage, and all of the contacts stored in WhatsApp. This move drew intense criticism of Facebook and WhatsApp, with critics claiming that it erodes users' privacy. Facing pushback and a lack of clarity about Facebook data sharing, WhatsApp postponed the implementation of the updated privacy policy from February 8, 2021, to May 15, 2021, but announced that it had no plans to limit the functionality of the app for those who do not approve the new terms or to give them persistent reminders to do so.


ProPublica investigation

In September 2021, ProPublica published an extensive investigation into WhatsApp's use of outside contractors and artificial intelligence systems to examine user communication, and its collaboration with law enforcement. The investigation includes information from a complaint filed by a whistleblower with the U.S. Securities and Exchange Commission. Internal WhatsApp company documents revealed Facebook's considerable efforts to brand WhatsApp as "a paragon of privacy". WhatsApp employs around 1000 contractors in their 20s and 30s, via Accenture, at offices in Austin, Texas, Dublin and Singapore. Their job is to review content reported by WhatsApp users, and pay starts at $16.50/hour. When a user flags a message they have received, it and the previous four messages are decrypted and sent to this content review team. A reviewer has less than a minute to decide whether to do nothing, place the user on a watch list, or ban them. Due to pranks, ambiguous content, language nuances and translation errors, the process is prone to misunderstandings.

WhatsApp also uses artificial intelligence systems to scan unencrypted data collected from users (profile image and status; phone number, IMEI and OS; names and images of the user's WhatsApp groups; a list of the user's electronic devices; any Facebook or Instagram accounts) and compares it against suspicious patterns or terms and images previously deemed abusive. WhatsApp shares message metadata with law enforcement agencies such as the Department of Justice. If legally required, or at its own discretion (such as for investigating Facebook leaks), it can provide critical location or account information, or real-time data on the recipients messaged by a target subject. WhatsApp message metadata has been used to help jail people such as whistleblower Natalie Edwards. In 2020, WhatsApp reported 400,000 instances of possible child-exploitation imagery to the National Center for Missing & Exploited Children.

