WhatsApp vulnerability: Concerns for Sri Lanka, questions for New Zealand

An article published in The Intercept is a chilling warning that nations can monitor chat activity on WhatsApp, along with fears that Israel is using this trick to pick assassination targets in Gaza.

This is not good. It surfaces what was a known vulnerability: the harvesting and analysis, at scale, of network traffic and metadata associated with E2EE apps like WhatsApp, now used to target Palestinians. Horrific stuff.

As the article notes,

The vulnerability is based on “traffic analysis,” a decades-old network-monitoring technique, and relies on surveying internet traffic at a massive national scale. The document makes clear that WhatsApp isn’t the only messaging platform susceptible. But it makes the case that WhatsApp’s owner, Meta, must quickly decide whether to prioritize the functionality of its chat app or the safety of a small but vulnerable segment of its users.

While completely chilling in the context of use against Palestinians, this vulnerability is one that some of us suspected would be used in this manner, and have for many years warned activists of its potential to be used against them by highly motivated, well-financed actors including states, non-state actors, and foreign state actors acting as proxies.

I’ve further maintained that Surveillance-as-a-Service (a different kind of SaaS!) is possible even when nation-states (e.g., small authoritarian states, or those defined by a significant democratic deficit and rampant militarisation, including, for example, Sri Lanka) don’t have the necessary compute power, finances, infrastructure, and technical know-how to achieve intended aims.

The article went on to note,

…WhatsApp usage is among the multitude of personal characteristics and digital behaviors the Israeli military uses to mark Palestinians for death, citing a book on AI targeting written by the current commander of Unit 8200, Israel’s equivalent of the NSA. “The book offers a short guide to building a ‘target machine,’ similar in description to Lavender, based on AI and machine-learning algorithms,” according to the +972 exposé. “Included in this guide are several examples of the ‘hundreds and thousands’ of features that can increase an individual’s rating, such as being in a Whatsapp group with a known militant.”

In Sri Lanka, speaking to this vulnerability, I’ve used for over a decade the analogy of the much reviled, but commonly seen security vehicle convoys that ply our streets as if they own them. With blacked-out windows, and backup vehicles, it’s impossible to know exactly which VIP is in these motorcades, but it’s equally impossible for the convoy to merge with other traffic. The relative security afforded to the VIP is the very thing that makes the convoy stand out. The analogy helps explain to activists who don’t understand metadata how even without knowing who is in the vehicle it is possible – with sufficient motivation, and resources – to track, and trace where a convoy goes to, and originates from by observing movement, road disruptions, and traffic flows.

To wit, as The Intercept article notes,

WhatsApp’s internal security team has identified several examples of how clever observation of encrypted data can thwart the app’s privacy protections, a technique known as a correlation attack, according to this assessment. In one, a WhatsApp user sends a message to a group, resulting in a burst of data of the exact same size being transmitted to the device of everyone in that group. Another correlation attack involves measuring the time delay between when WhatsApp messages are sent and received between two parties — enough data, the company believes, “to infer the distance to and possibly the location of each recipient.”

Worryingly, the article possibly implicates the role of the Five Eyes countries in this network packet sniffing, and metadata harvesting at scale.

The internal warning notes that these attacks require all members of a WhatsApp group or both sides of a conversation to be on the same network and within the same country or “treaty jurisdiction,” a possible reference to the Five Eyes spy alliance between the U.S., Australia, Canada, U.K., and New Zealand.

For readers in New Zealand, this will set off a number of alarm bells. A decade ago, Greg Dawes wrote to the Otago Daily Times noting,

Worse still, some individuals are targeted not because there is any specific evidence against them, but because they are associating with people who are presumed guilty or because they are acting in a manner that is deemed suspicious.

In 2019, David Fisher wrote to the New Zealand Herald flagging a “report into New Zealand’s knowledge and involvement in the CIA’s rendition programme between 2001 and 2009” which found the country’s intelligence agencies including the GCSB were “not fully alive to the range and extent of risks for their organisations and for the Government more generally”. Fisher notes that “One GCSB staff member described the agency as ‘profoundly naïve’ over the implications in deploying staff to assist on ‘kill or capture’ missions, particularly when intelligence went to agencies not operating under standard ‘Rules of Engagement’.”

This year, in what could be filed under “stuff you really can’t make up”, media reports highlighted how the Government Communications Security Bureau (GCSB) had been,

…rebuked for hosting a foreign agency’s spy operation for several years without telling its minister, and without knowing whether doing so was contributing to military strikes overseas. Once operational, the Government Communications Security Bureau (GCSB) failed on multiple levels including a lack of due diligence, record-keeping and staff training. Nor did it have visibility of what the hosting was helping to enable, including any military targeting.

If The Intercept article is to be believed, it could be the case that New Zealand’s SIGINT capabilities under the Five Eyes are aiding and abetting the harvesting of network signals and metadata around end-to-end encrypted messaging apps like WhatsApp that helps target and kill Palestinians, with the possibility that no one really knows about it. Yet.

More broadly, all this speaks to how security is located, contextual, gendered, conditional, and needs-based. It is a multivariate, fluid challenge that many activists don’t comprehend the complexity of, and many cybersecurity experts – who are good at securing commercial or enterprise-level network infrastructure – have little to no understanding of when it comes to human rights defenders, and socio-political contexts outside purely or primarily corporate domains. This sometimes places activists at greater risk.

If what’s noted in The Intercept article is being done in Gaza, it is a mere flick of a switch away from being deployed in Colombo, Caracas, Kigali or Kabul. Activists, human rights defenders, and investigative journalists everywhere should be cautious, and concerned. There’s no geographic, context or country-specific ring fence to this technology, and its abuse.

The WhatsApp vulnerability alone is a wicked problem, with no easy solutions. As The Intercept’s article ends by noting,

To WhatsApp’s security personnel, the right approach is clear. “WhatsApp Security cannot solve traffic analysis alone,” the assessment reads. “We must first all agree to take on this fight and operate as one team to build protections for these at-risk, targeted users. This is where the rubber meets the road when balancing WhatsApp’s overall product principle of privacy and individual team priorities.” The memo suggests WhatsApp may adopt a hardened security mode for at-risk users similar to Apple’s “Lockdown Mode” for iOS. But even this extra setting could accidentally imperil users in Gaza or elsewhere, according to Green. “People who turn this feature on could also stand out like a sore thumb,” he said. “Which itself could inform a targeting decision. Really unfortunate if the person who does it is some kid.”
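The two mechanisms quoted above, a group message producing same-size bursts to every member (The Intercept’s description of the correlation attack) and the “sore thumb” risk of an opt-in hardened mode, can be illustrated with a small model. The following Python is an added example written for this post; it is not code from WhatsApp, Meta or The Intercept. It works over constructed flow records (timestamp, destination, payload size, which is all a passive observer sees of encrypted traffic) with hypothetical host names, and it uses padding to a single size bucket only as a stand-in for whatever a real hardened mode would do.

```python
"""Toy model of the size-correlation attack quoted above and of two
mitigation choices: padding for everyone versus an opt-in hardened mode.
Every flow record below is constructed sample data, not real traffic."""
from collections import defaultdict

# Constructed flow records as a passive observer on the network path would
# see them: (timestamp_s, destination_host, payload_bytes). Content is
# encrypted; only size and timing are visible. Host names are hypothetical.
SAMPLE_FLOWS = [
    (10.00, "host-A", 1412),
    (10.01, "host-B", 1412),
    (10.02, "host-C", 1412),   # one group message fanned out to three members
    (10.05, "host-D", 880),    # unrelated traffic in the same instant
    (25.30, "host-E", 1412),   # same size, but far outside the burst window
    (40.00, "host-B", 617),
    (40.01, "host-C", 617),    # a second message, to a two-member group
]
TRUE_GROUP = ["host-A", "host-B", "host-C"]


def correlate_by_size(flows, window=0.5):
    """Cluster destinations that received identically sized payloads within
    `window` seconds of one another. Returns sorted (size, hosts) pairs for
    clusters of two or more hosts; singletons carry no group signal."""
    by_size = defaultdict(list)
    for t, host, size in flows:
        by_size[size].append((t, host))
    clusters = []
    for size, items in by_size.items():
        items.sort()
        start = 0
        for end in range(len(items) + 1):
            # Close the current burst when the window is exceeded or at the end.
            if end == len(items) or items[end][0] - items[start][0] > window:
                hosts = sorted({h for _, h in items[start:end]})
                if len(hosts) >= 2:
                    clusters.append((size, hosts))
                start = end
    return sorted(clusters)


def group_recovered_exactly(clusters, group):
    """True if some cluster's host set equals the real group membership."""
    return any(hosts == sorted(group) for _, hosts in clusters)


def pad_to_bucket(size, bucket):
    """Round a payload length up to the next multiple of `bucket` bytes."""
    return -(-size // bucket) * bucket


def pad_flows(flows, bucket=2048, opted_in=None):
    """Pad every flow, or only flows bound for `opted_in` hosts (modelling a
    hardened mode that only some users switch on). Timing is left as is."""
    return [
        (t, h, pad_to_bucket(s, bucket) if opted_in is None or h in opted_in else s)
        for t, h, s in flows
    ]


if __name__ == "__main__":
    raw = correlate_by_size(SAMPLE_FLOWS)
    print("raw:", raw, group_recovered_exactly(raw, TRUE_GROUP))
    everyone = correlate_by_size(pad_flows(SAMPLE_FLOWS))
    print("padded for all:", everyone, group_recovered_exactly(everyone, TRUE_GROUP))
    opt_in = correlate_by_size(pad_flows(SAMPLE_FLOWS, opted_in=set(TRUE_GROUP)))
    print("opt-in only:", opt_in, group_recovered_exactly(opt_in, TRUE_GROUP))
```

Running it shows three things. On the raw records the observer’s cluster matches the real group exactly. Padding every user’s traffic to one bucket does not remove the burst, but it folds the unrelated host into the same cluster, so the group is no longer exactly recoverable; that is the sense in which padding helps without being a solution on its own. Padding only the traffic of users who opt in makes the cluster exact again, which is the concern Green raises. Timing is untouched in all three cases; size padding addresses only one of the two correlation signals the assessment describes.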

But the inability to realise a perfect solution shouldn’t stop Meta from figuring out ways to keep the most vulnerable safe. So-called ‘edge cases’, in my experience, are a harbinger of what often ends up plaguing all users, especially at the scale Meta is operating at.

It should also not stop citizens in New Zealand demanding scrutiny of, and answers from, the GCSB and their country’s other intelligence services about complicity in surveillance frameworks that end up killing civilians, instead of serving the avowed goal of their raison d’être, which is to protect citizens.