Monthly Archives: November 2015

WhatsApp Reneges On Their Promise Of True Message Encryption

WhatsApp’s security was recently hacked by white-hat researchers.  After much click-baiting, it turns out they’re not actually collecting any information they shouldn’t be.  They are, however, protecting it poorly, and they still have access to message content with the ability to share it with Facebook.

Security researchers at Brno University of Technology in the Czech Republic (fun fact: Brno is where Mendel discovered modern genetics) were able to reverse-engineer WhatsApp's security mechanisms and published their findings in an academic journal. Instantly there was a frenzy of click-baited articles about how WhatsApp was stealing data from users. Reading the study itself showed that while they are indeed collecting data, that data is reasonable given the service they are providing. For example, if you start a call with a friend, your WhatsApp client sends your phone number and that of your friend to the server. In WhatsApp your number is your username, which is needed for the system to know who to connect you with.

A while back we wrote a post about how WhatsApp announced it would be releasing end-to-end encryption for its mobile service. They had also announced that they themselves would lose access to user messages, with only the sender and recipient being able to decrypt communication. This confused me because it came just after their $19Bn acquisition by Facebook, presumably for the content of the user communication coursing through their network. Why on earth were they worth $19Bn to Facebook if the user-generated content within WhatsApp was about to disappear within an encrypted channel? What the Brno hack revealed is that their implementation fell far short of their claims, and Facebook's investment in the content of WhatsApp's users' communication was safe.

In interviews with journalists WhatsApp stated that they would use Public Key Encryption, where only the sender and recipient can decrypt content. Indeed they did, but they used the same key for every user. This makes the Brno hack possible, meaning anyone on the same network as your phone could gain access to the content of your messages. Also, it means that WhatsApp themselves still have access to all message content. Moreover, their parent corporation Facebook has access as well and the ability to target you with advertising based on the content of your WhatsApp messaging. While this is surprising given WhatsApp's previous PR, it does explain the mysterious $19Bn price tag that Facebook was willing to put on WhatsApp. In my opinion, fully encrypting all WhatsApp content would make WhatsApp a near worthless asset to Facebook, especially considering the repeal of the $0.99 a year subscription model. We should not expect it any time soon, no matter how many posts like this one appear.
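Why one key for every user is not end-to-end encryption, as an added example that is not taken from the Brno study or from WhatsApp's code. The toy Diffie-Hellman group, the HMAC-based cipher and all function names are assumptions made for illustration and do not model WhatsApp's actual protocol.

```python
import hashlib, hmac, secrets

# Toy group, constructed for illustration only: far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    # Diffie-Hellman: both ends derive the same secret from the other's public value.
    return hashlib.sha256(pow(peer_pub, my_priv, P).to_bytes(16, "big")).digest()

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(_subkey(key, b"enc"), nonce, len(msg))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # wrong key or tampered ciphertext
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))

def one_key_for_everyone(msg):
    app_key = secrets.token_bytes(32)   # same value in every client and at the operator
    blob = seal(app_key, msg)
    return unseal(app_key, blob)        # what any other key holder recovers

def key_per_pair(msg):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    o_priv, _ = keypair()               # another user, or the relaying operator
    blob = seal(session_key(a_priv, b_pub), msg)
    return unseal(session_key(b_priv, a_pub), blob), unseal(session_key(o_priv, a_pub), blob)

if __name__ == "__main__":
    print(one_key_for_everyone(b"hello"))
    print(key_per_pair(b"hello"))
```

With a single shared key, every holder of the app recovers the plaintext; with a key derived per pair of users, the intended recipient recovers it and everyone else gets `None`.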

BofA Shuts Down Mint, Staking Their Claim to Your Data

Bank of America shut down 3rd party access to consumer transaction data through their website.  While it tightens security, it also hammers home the fact that user data does not belong to the user.

Bank of America recently shut down Intuit's access to user data through BofA's online banking system. Intuit owns Mint, a service which allows users to aggregate their financial information from bank accounts and credit card sites to have an overview of their financial information and spending in one place. Users logged into their online banking and credit card systems using their BofA user names and passwords, which allowed Mint and other aggregators to collect their transaction and balance data.

BofA argued that they shut down 3rd party aggregator access because it weakened security by giving the aggregator access to the user's password. In fact, many banks changed their terms of service to state that using Mint or another aggregator voided their identity theft coverage. While this sounds logical, shutting down access even with user consent drives home the point that users do not own, or even have access rights to, their own financial transaction history. Some surmise that the real reason is that Mint provides users with deeper insight into the fee structures of their accounts, information that banks would prefer stay less explicit.

Almost every web service we use has a Terms and Conditions document that grants that service access to the data it generates.  Most of those also grant the services ownership, or an “irrevocable lifetime license” to that data.  That’s great as long as everything works as expected because there is no perceptible difference between us owning the data as opposed to the 3rd party service providers.  The issue only comes to a head when users want their data back, and that request is denied, or access is granted but made difficult.  What remains to be seen is how hard users will push back against institutional data silos to maintain access.

Aggregators such as Mint provide users with increased incentives to ask for access to their own data. Should these requests be denied, the issue of ownership of personal data may quickly come to a head. The technology exists to give safe read-only access to aggregators in the same way that Google and Facebook can give read-only access to your friends list in an app (OAuth), yet BofA chooses not to.  Perhaps a little consumer outrage fueled by Mint’s PR machine will make a change.