Whatsapp is used by 1.5B people monthly across the world. In India alone, it has over 200M monthly active users. Most of these users, in all probability, do not understand what’s at risk here. Whatsapp makes their life easier in the short term, and the short term is all that matters.
Till it doesn’t.
This week, Facebook was forced to acknowledge a Whatsapp security breach, admitting that Whatsapp had been the target of hackers (most likely Govt agencies) who attempted to use a vulnerability in Whatsapp to get access to a remote user’s phone by simply placing a Whatsapp VoIP (internet) call. The hacker could potentially get access to the phone even without the user actually picking up the phone, as reported by FT and Citizen Lab.
Whatsapp’s response to this was basically “oh shucks, that’s bad” and to roll out a bug fix and h̶o̶p̶e̶ ask users d̶o̶n̶’̶t̶ ̶f̶i̶n̶d̶ ̶a̶b̶o̶u̶t̶ ̶i̶t̶ to update. I say “hope” because Facebook did not even bother to directly notify affected users to update; they are banking on the lap-everything-FB-says media to limit damage to only those who get to read about the security breach. Here’s an example: watch how Facebook “asks users” to update, not by sending a notification to update but through a press release instead. How’s that for asking without asking?
In a day or two all will be forgotten. FB will come out as the victim of “those bad hacker bullies”, Zuck might shoot a random sorry at worst, and the balance of the universe will be restored. Some Whatsapp users might update after reading the news while most will remain clueless. Of course, this specific hacking case isn’t threatening to most Whatsapp users, because most aren’t of importance to Government agencies and the like, but for the ones who are and do not update, this is a matter of life and death, as in the case of Jamal Khashoggi (the journalist who was hacked to death by Saudi agents inside the Saudi embassy in Turkey).
After reading through dozens of news stories, reports, and columns on this issue, it was obvious that the media does not care about educating their readers. The problem isn’t this one case; the problem here is Whatsapp, the problem here is Facebook, and the problem here is the pliant media. Too much is at stake: the media needs Facebook to survive much more than Facebook needs them.
Then there is this one guy who doesn’t need Facebook as much, or at all. And he wrote a blog about it. I will let this image from that blog do the talking:
“I don’t like to focus on competitors. But since people keep asking me about WhatsApp, I have just written this post. It includes my thoughts on them. It also includes my thoughts on us,” wrote Pavel Durov, the billionaire founder of the Telegram chat app, the only real competitor to Whatsapp outside of the nation of Facebook and China. Pavel made his billions founding and selling the Russian Facebook “Vkontakte”.
“As a matter of fact, I started working on Telegram as a direct response to personal pressure from the Russian authorities. Back then, in 2012, WhatsApp was still transferring messages in plain-text in transit. That was insane. Not just governments or hackers, but mobile providers and wifi admins had access to all WhatsApp texts,” Durov says in the note.
Durov left Russia after facing a can’t-win-with-us battle with Putin and company for control of Vkontakte. Having learned from his own bitter experiences, he founded the chat app Telegram, and unlike Whatsapp, where security and privacy weren’t even an afterthought, Telegram was built for privacy and with the expectation that Governments would come seeking control.
So it comes as no surprise that the most scathing critique of Facebook comes from someone like him. The point he makes is simple: Whatsapp was never secure or designed to be secure and privacy focussed, and now, under the Facebook umbrella, things have gotten worse and will get worse, and there is no light at the end of this tunnel.
“Every time WhatsApp has to fix a critical vulnerability in their app, a new one seems to appear in its place. All of their security issues are conveniently suitable for surveillance, and look and work a lot like backdoors” – Durov
Again, the problem isn’t *this* one incident; it is that creepy ad or friend suggestion you get after having a conversation with a friend offline or sending a forward on WA, or Facebook saving passwords in plaintext and selling data of users to whoever pays the most and then pretending to not know. Imagine Facebook to be poisonous soil; the trees that grow on it won’t be any different.
And before you say “Whatsapp now has encryption”, hear this from Durov: “When making this push, WhatsApp didn’t tell its users that when backed up, messages are no longer protected by end-to-end encryption and can be accessed by hackers and law enforcement. Brilliant marketing, and some naive people serving their time in jail as a result”. That’s right: one backdoor closed, another backdoor opened.
And this was what struck me most about Durov’s post:
“WhatsApp and its parent company Facebook may even be required to implement backdoors – via secret processes such as the FBI’s gag orders. It’s not easy to run a secure communication app from the US. A week our team spent in the US in 2016 got us 3 infiltration attempts by the FBI. Imagine what 10 years in that environment can bring upon a US-based company.”
“WhatsApp has a consistent history – from zero encryption at its inception to a succession of security issues strangely suitable for surveillance purposes. Looking back, there hasn’t been a single day in WhatsApp’s 10-year journey when this service was secure,” writes Durov.
And that is the crux of it. Countries like India and the rest are being squeezed between two options, the American ones and the Chinese ones, and neither of them can be trusted. When most of the top apps on the Indian Play Store are either Chinese or American, or are being funded by the Chinese or Americans, the chance that these apps have opened or will open a backdoor for their Governments is very, very real. And there is no solution in sight.
I encourage you to read the full post by Pavel Durov and to share this post with as many friends and family as possible, so that they are careful about who they trust.