A shocking internal memo from WhatsApp’s security team has revealed a dangerous vulnerability that would allow government agencies to bypass the messaging app’s flagship encryption and monitor who users are communicating with.
The previously unreported threat assessment, which was obtained by the investigative journalists at The Intercept, warns that while the actual content of WhatsApp conversations remains secure, clever traffic analysis techniques can reveal “who is in a group together, who is messaging who, and… who is calling who.”
WhatsApp engineers wrote in a report sent to the upper management of Meta Platforms (META) that nation-states have been actively “bypassing [Meta’s] encryption” to unmask private user metadata like group memberships and call records – information that is supposed to be protected. While the memo does not name specific countries exploiting the flaw, it paints a disturbing picture of mass government surveillance.
“WhatsApp should mitigate the ongoing exploitation of traffic analysis vulnerabilities that make it possible for nation states to determine who is talking to who,” the threat assessment report highlighted. “Our at-risk users need robust and viable protections against traffic analysis.”
Traffic Analysis Techniques Can Be Used on WhatsApp to Identify Users’ Affiliations
The vulnerability can be exploited through a technique called “traffic analysis” – which involves observing patterns in encrypted internet data flows rather than breaking the encryption itself. Even if the messages exchanged between users are not relevant in terms of content, activity spikes between specific users can reveal connections between them.
“Inspection and analysis of network traffic is completely invisible to us, yet it reveals the connections between our users,” the assessment explains, noting that things like synchronized message bursts across group members can be used to identify private interactions.
Also read: New Provisions Would Let Defense Contractors Price-Gouge Taxpayers – Who Wins?
Although this would require sophisticated surveillance capabilities by tapping into a nation’s communications infrastructure, the memo uncovers that these are more than theoretical techniques. The report provides hints that traffic analysis is actively used by countries that have data-sharing treaties like the “Five Eyes” alliance, which includes Australia, Canada, the United Kingdom, New Zealand, and the United States.
Another example would be the use of this technology by countries whose infrastructure is used by neighboring or occupied nations – a reference that could include Israel, which has been accused of using technology to target suspected militants in the neighboring Gaza Strip during the current armed conflict.
Christina LoNigro, a spokesperson for Meta Platforms, commented: “WhatsApp has no backdoors and we have no evidence of vulnerabilities in how WhatsApp works.”
However, experts point to Meta’s track record of ignoring issues that affect their applications for a while until they become too noticeable or publicly known to keep sweeping them under the rug.
“Meta has a bad habit of not responding to things until they become overwhelming problems,” commented a source within the company who spoke in anonymity to The Intercept.
“The tension is always going to be market share, market dominance, focusing on the largest population of people rather than a small amount of people [that] could be harmed tremendously,” the source added.
The report showcased a few proposals that could help WhatsApp protect its users from “correlation attacks” and “traffic analysis.” Some of the options on the table would include sending decoy data to hide users’ conversations and interactions and creating a secure mode that puts in place additional measures to further disguise users’ digital footprint.
Engineers agree that the problem goes beyond what WhatsApp’s current security mechanisms can solve.
“We must first all agree to take on this fight and operate as one team to build protections for these at-risk, targeted users. This is where the rubber meets the road when balancing WhatsApp’s overall product principle of privacy and individual team priorities.”, the report concludes.
Report Points to Gaza Assassinations Driven by Digital Surveillance
This recent internal warning has raised concerns among WhatsApp employees that Israel, in particular, could be exploiting the vulnerability as part of its high-tech campaign to identify and assassinate Palestinians who are perceived as military threats and cause immense collateral damage.
Israel’s program of “targeted killing” operations in the Gaza Strip has become increasingly influenced by digital surveillance and artificial intelligence systems used to analyze massive datasets from residents of the neighboring region.
A joint investigation by Israeli magazine +972 and Local Call uncovered leaks last month that suggested that the Israeli military has a software platform called “Lavender” that automatically cross-references mobile data, internet traffic, and other sources to assign every Palestinian in Gaza a risk rating from 1-100 of being a militant.
Also read: The Future Of Social Is Messaging Apps: How Do Brands Fit In?
According to the investigation’s sources within Israeli military intelligence circles, high Lavender scores are heavily relied on to select Palestinians who will be targeted by deadly drone strikes and other lethal operations. WhatsApp activity was cited as one of the specific data points feeding into these AI-powered targeting systems.
“An individual found to have several different incriminating features will reach a high rating, and thus automatically becomes a potential target for assassination.”, the joint report from +972 and Local Call cites.
According to leaks obtained by 972 and Local Call, the IDF often waits for the suspected militant to go home to bomb them, putting entire families at risk of death or severe harm. If this is true and the IDF is using WhatsApp’s vulnerability to target these houses, Meta has nothing short of an extreme moral dilemma on their hands.
“WhatsApp usage is among the multitude of personal characteristics and digital behaviors the Israeli military uses to mark Palestinians for death,” The Intercept reported after the Lavender exposé. The messaging app remains hugely popular among Gaza’s 2.3 million residents.
WhatsApp’s parent company, Meta, has stayed conspicuously silent on the potential abuse of its platform as an accessory to these reports. When asked to comment, LoNigro insisted that the traffic analysis memo was merely “theoretical” and did not refer to a specific vulnerability found in the company’s software.
LoNigro declined to state if Meta had investigated if Israel was exploiting the vulnerability against Palestinian users as the memo warns.
Meta May Not Be Not Be Particularly Interested in Fixing the Issue – Here’s Why
While the assessment makes it clear that WhatsApp’s security staff recognizes the severity of the threat, it also notes that effectively preventing traffic analysis attacks would likely degrade the app’s usability and performance for its billions of users.
Techniques like inserting artificial delays into message delivery or constantly transmitting “decoy” data could throw off snooping efforts but would make WhatsApp sluggish and drain batteries faster. These tradeoffs may discourage Meta from adopting these solutions as they would put their competitiveness with rival apps like Telegram and Signal in jeopardy. It may also simply not want to use valuable engineering resources to fix the problem.
Moreover, the engineers highlighted that these proposed solutions may backfire as they could be used by traffic analysts to identify patterns as well.
“People who turn this feature on could also stand out like a sore thumb, which itself could inform a targeting decision,” cryptography professor Matthew Green told The Intercept. “[It would be] really unfortunate if the person who does it is some kid.”
Digital Footprints Give Countries Extra Capabilities to Engage in “Targeted” Wars
For privacy advocates and human rights groups, the WhatsApp threat assessment report showcases the need to expand the scope of encrypted communications to protect users against sophisticated metadata analysis.
“Today’s messenger services weren’t designed to hide this metadata from an adversary who can see all sides of the connection,” Green stressed. “Protecting content is only half the battle. Who you communicate [with] and when is the other half.”
The conflict in Gaza has evidenced how digital solutions are being used for purposes including mass-targeting and guided missile strikes.
The +972 and Local Call report cites several sources within the Israeli military who describe the software used to rank individuals based on their possible affiliation to Hamas as “cold” and “unparalleled”.
As the Gaza conflict rages with no end in sight, mounting reports of AI-powered assassinations have fueled widespread outrage at the role of Big Tech in helping military units identify targets by analyzing people’s digital footprint.
Pressure is intensifying both inside and outside Meta and other companies to overhaul how its tools handle user privacy – not just for a privileged few, but by design.
Will the company invest in further enhancing WhatsApp’s data protection measures? What seems clear at the moment is that current encryption alone is not enough to protect individuals from sophisticated surveillance programs.