Using WhatsApp

There’s been a lot of media buzz about the changes in the WhatsApp Terms of Service lately and the use of WhatsApp in general – here are my views on this.

I got no time for this, the summary?

Keep using WhatsApp as you did in the past, nothing has really changed. It’s only for personal use, though (as per the WhatsApp Terms of Service). The data privacy issue around phone numbers being uploaded to find fellow WhatsApp users in the address book still exists as well, that’s why the access from WhatsApp to a company address book should be disabled by default on company phones and company enabled phones, at least if that address book contains phone numbers of people who do not use WhatsApp or haven’t consented to the server-side phone number matching.

Thinking about it, I got some time, so what's this fuss in the news about?

I honestly don't know. The often quoted “changes” of WhatsApp’s Terms and Services seem to mainly affect the business integration of WhatsApp and are mostly relevant for (online-) shop owners. So for example if somebody is purchasing goods from a web site directly via WhatsApp, some data related to this purchase can be passed directly to backend order processing and fulfillment systems. That is fairly obvious as it’s the point of the integration, but it was something WhatsApp needed to clarify.

Apparently the changes were also necessary to pave the road for other planned services such as using Facebook Pay while shopping with WhatsApp. WeChat users will know how this works, they’ve had it for years now. There might be more small tweaks but it’s very far from even remotely justifying the current outcry. There some more information about this here: Shopping, Payments, and Customer Service on WhatsApp - WhatsApp Blog

Now what does all of that mean for the business side of things?

In short: There’s no change. As per the Terms of Service (that every user agrees to) WhatsApp is for personal use only: “You will not use (or assist others in using) our Services in ways that […] involve any non-personal use of our Services unless otherwise authorized by us”. This hasn’t changed with the updated Terms.

And that’s OK because even theoretically the implications of a broad use of WhatsApp for “classic business content” are quite complex: Evidence in a commercial context, substantiation in the event of disputes, liability, integrity, data storage and retention periods, availability, handovers, deputies, handling joiners-movers-leavers ... and that’s just off the top of my head.

It is certainly not impossible (generally there are scenarios which involve the use of instant messenger for business already today) but enabling WhatsApp as a global business platform in “the old economy” would require an effort that would most likely outweigh potential advantages, at least for now.

Besides that the center piece of the WhatsApp data privacy criticism is usually the process of (temporarily) sharing the contact's phone numbers with WhatsApp. Under the GDPR (EU General Data Protection Regulation) this step requires explicit permission for at least those contacts who do not use WhatsApp themselves. Business contacts should therefore be protected from access by WhatsApp in some form, typically by using a “mobile device management” (MDM) software which manages different contexts, access rights, containers etc.

By the way: Signal is generally using the same process of uploading contact information for identifying contacts which are already using Signal, but since the data is ‘hashed’ (think “one way encryption”) the data privacy criticism to this “matching” doesn’t apply.

In our company we’re not prohibiting the use of the major messengers on company phones or company enabled phones (or any mainstream app really, for that matter) but we have implemented the separation mentioned above.

Within our company’s security community we will keep using WhatsApp as our social chat app, but that’s private entertainment for non-business content (to be honest it’s mostly memes and sharing links to geek stuff). I believe WhatsApp currently hits a sweet spot with a high level of security and end-to-end encryption, good usability and almost ubiquitous, global deployment on all different kind of phones.

Back to WhatsApp – so the chat security is not affected?

No changes have been made to the security aspect and for all we know the chats are still securely end-to-end encrypted and private. WhatsApp is still using the secure Signal protocol (more specifically this library) and the main security criticism right now is the fact that it’s not possible for the general public to build an identical, working WhatsApp version from public sources to verify (or refute) the security claims. However, this is something WhatsApp shares with most popular products including operating systems like Microsoft Windows or Mac OS. WhatsApp posted a very concise statement on Twitter about this.

There’s also a good summary about all of this in The Verge: WhatsApp clarifies privacy practices after surge in Signal and Telegram users - The Verge

That’s what they say, but what makes YOU PERSONALLY think WhatsApp is secure?

Two aspects really: WhatsApp and ultimately Facebook Inc. are under permanent fire from practically any direction. Governments in general, lots of law enforcement agencies, various interest and lobby groups and individual entities all over the world are constantly knocking on Facebook’s door and want content blocked, deleted, analyzed, promoted, changed, stored or any combination thereof. Legally those are typically grim “or else…!” situations.

This is serious for them and they can’t win in the long run, especially not against the very lawmakers in all the jurisdictions they operate in. The only way out is to make sure they don’t have the content everybody is after. And this better be tight enough, secure enough, so that even in front of a court of law and under oath, threats or expert eyes they can truthfully say: “We do not have the content, we do not have access to the content, please go away and talk to the person who has access!”.

Moderating Facebook and Instagram is bad enough already, it makes sense to assume they absolutely do not want that kind of work for a platform that’s currently provided free of charge and without ads while handling 100 billion messages per day. A while ago I talked to Alex Stamos, the former chief security officer at Facebook, about this and he not only agreed violently but he also had a term for it: “They are engineering their way out of the problem.” – and I thought that was a great description! Instead of hiring thousands of people in every corner of the world to answer and act upon all these external requests it’s so much cheaper, more efficient and generally less headache to make sure they don’t have the problem in the first place.

The second aspect is related to probability and the sheer size of WhatsApp (in terms of usage and spread): If you want your name in every newspaper and all over the Internet – hacking WhatsApp and proving the existence of a backdoor would be a very good way to achieve that. Attacking Facebook on that scale and winning pretty much guarantees a spot in the history books of the Internet, if not beyond (ask Max Schrems). Thousands of people are trying it every single day and even though it is a closed product if there was something obviously fishy in the software there’s a very (very) high probability somebody would’ve found and published it by now.

Generally a very good way to verify the integrity of security products is to read the source-code, build the finished product from it and see if the outcome is identical to the original product in question. It also makes sense to check if data created from both “versions” is interchangeable and one would ideally test this both for the client and server components.

This whole ordeal is possible for some products (e.g. for Signal) but not for WhatsApp. However, the Signal library used for the end-to-end encryption is known and open (see above) and even though it’s not allowed as per the Terms of Services (and illegal in some jurisdictions in general!) a lot of people have reverse engineered different WhatsApp clients and haven’t found any evidence of manipulation or irregularities so far.

(Interesting piece for security nerds: Reverse Engineering WhatsApp Encryption for Chat Manipulation and More)

OK. But I still don’t want WhatsApp anymore. What else is there?

Realistically the only viable mainstream alternative right now is Signal. It’s basically the same product but open source and you could build your own version from the source code if you wanted to. The Signal Foundation is an American non-profit organization, founded in 2018 by Moxie Marlinspike and Brian Acton. Moxie is a respected security researcher and one of the main persons behind the Signal protocol (the encryption used in WhatsApp), Brian Acton was a co-founder of WhatsApp who certainly made a substantial amount of money when it was bought by Facebook. If you want an “Open Source WhatsApp” Signal is a good choice!

Fun fact: As mentioned above Signal is hashing all phone numbers before uploading them from your address book to their servers to identify fellow Signal users among your contacts. Had WhatsApp implemented that one extra step it would’ve probably saved them from 99.8% of the privacy criticism of the past years.

Another option cited quite often lately is Telegram and the symmetry with WhatsApp is almost beautiful: Telegram was founded by Pavel Durov from Leningrad, Russia, who also founded VK (former “VKontakte”), the largest social network in Russia and often called “the Russian Facebook” -- which kind of almost makes Telegram “the Russian WhatsApp”, now mostly built and operated out of Dubai.

Telegram is using a proprietary algorithm (“MTProto”) and while at least some parts of the source code are openly available, everybody who would want to build Telegram from the sources still needs to use their servers via the “Telegram API”, the server-side software is closed source.

The software might or might not be OK, at the end of the day it’s similar to WhatsApp but with far less users, less public attention and thus less "oversight". A substantial disadvantage is that especially in recent months a lot of conspiracy theorists and political right-wing activists have flocked to Telegram – generally company to avoid.

There are many more messengers out there, some with a strong regional focus (like WeChat and QQ), others with more specific audiences or usage scenarios (like Snapchat or Kik) and countless others with a smaller userbase (Line, Viber, Threema, Wickr to name just a few).

Some of them are technically certainly well done as well, Threema for example is open source and has implemented the NaCL (“salt”) library – created by D. J. Bernstein, an exceptionally security-conscious developer with an impressive track record (qmail!) during his entire career. But ultimately most people’s choices will not only be determined by the product itself but also by the size of the existing user base, especially regarding the overlap with one's own social network.

So overall and for those who absolutely want an alternative messenger Signal currently is a great app (some of you have found and texted me there already, just note that I’m not really actively using it). Currently I don’t see a need to favor it over WhatsApp. Also Signal not having a browser-based web-interface is a serious disadvantage for me (there is a desktop client, though).

But the WhatsApp Terms of Service…?

There's one paragraph in the terms of service that seems unsettling to many: "Your License To WhatsApp. In order to operate and provide our Services, you grant WhatsApp a worldwide, non-exclusive, royalty-free, sublicensable, and transferable license to use, reproduce, distribute, create derivative works of, display, and perform the information (including the content) that you upload, submit, store, send, or receive on or through our Services."

Does that mean all images, videos, text and voice messages transferred are handed over to WhatsApp? I'm not a lawyer but apparently the answer is "No". The passage continues: "The rights you grant in this license are for the limited purpose of operating and providing our Services (such as to allow us to display your profile picture and status message, transmit your messages, and store your undelivered messages on our servers for up to 30 days as we try to deliver them)."

In combination with the already discussed end-to-end encryption this means the transferred information should still be secure, regardless of the statement in the Terms.

One could argue that the passage is not necessary (at least not just for the sake of harmonization across all Facebook companies, as the terms and service from Facebook, WhatsApp and Instagram all contain this paragraph) but that's most likely a legal discussion for another forum. But I'd love to read what my lawyer friends think about this part!

Anything else?

Well, really only for the sake of completeness: There’s also “Metcalfe's law” which states that the "usefulness of a communications network is proportional to the square of the number of users". In Internet terms this is an old statement (from the 90's) but it certainly still plays a role when looking at acceptance or general usage of communication apps.

There are of course exceptions (like the TikTok story) but by and large that’s one good explanation why systems which made it “up there” are so hard to replace by new systems with fewer users.