What's up with crypto in WhatsApp?

17 Feb. 2015

WhatsApp implemented end-to-end encrytpion last month, protecting their users from third parties spying on their content. However, what does the protection of content by a commercial company mean? Has metadata become more interesting than content?

Last Updated: 12 Oct 2015

Author: Fieke Jansen, Project Lead on the Politics of Data at Tactical Tech

Last month, the messenger app WhatsApp enabled end-to-end encryption in an attempt to protect its millions of users from third parties snooping on their private communications. One can wonder whether privacy has become the new currency now that popular communication services are integrating privacy protecting features. There is more than meets the eye. The data industry is built on collecting and aggregating user data. Enabling encryption in communication services doesn't change this business model nor does it necessarily protect all of your data. So what does end-to-end encryption in WhatsApp mean?

WhatsApp started working with Open Whisper Systems earlier this year to integrate the open-source software, TextSecure, in its product. The integration of TextSecure means that all the one-on-one messages that WhatsApp users send to each other through their Android devices are encrypted and can only be read by them and not by others. This means that if someone intercepts your encrypted WhatsApp message, they will only be able to see gibberish. While this is an important first step, we should realize that they are only protecting the content of the message.

This large scale integration of encryption in one of the most popular messaging apps is a very significant development. It signals a new trend, where privacy has become a unique selling point for communication services to attract new clients and to keep their existing ones. However, there is no such thing as a free ride - all free commercial communication services seek profit and user data has become a highly sought after commodity. Many companies in the data industry sell advertisements based on user profiles, which are created through the collection and analysis of user data. Even though WhatsApp states it doesn't collect or keep user data, they are part of this data industry. Therefore, WhatsApp's recent move to help users encrypt their communications raises the question of whether the content of our message is still the most interesting part of our communications.

The content is now protected, so lets explore the rest of the message. If we, for example, do a simple thing like sending a message to someone at 3am on a Friday night, WhatsApp no longer knows the content of our message but they will still have access to the following: our location, in this case we are in the same city as our phones are roughly in the same geographical location and the time and date the message was sent. It's unlikely that we would write a message to just anyone at 3am on a Friday evening and therefore third parties with access to this data can probably tell that we are contacting a close friend or significant other. You can see that from these five pieces of information - sender, receiver, location, time and data - there are many assumptions that we and third parties can make, which might or might not be accurate. We call this type of data “metadata” - which is information about information.


Why is metadata interesting?

When using a messenger app on a mobile phone it is important to realize that there are different layers of information. In the case of WhatsApp, other data they might know about you is your phone number, real name, profile picture and gender. This is what we call “service provider data”. Not only does WhatsApp have access to the metadata and service provider data of messages, but they also have access to all the metadata of the messages you exchanged with your friends. This is what we call the aggregation of data. By layering these messages over each other, third parties, such as WhatsApp, can tell quite an accurate story about you.

The Washington post explained how aggregate data based on your phone records can tell very personal stories: "Consider the following hypothetical example: A young woman calls her gynecologist; then immediately calls her mother; then a man who, during the past few months, she had repeatedly spoken to on the telephone after 11p.m.; followed by a call to a family planning center that also offers abortions. A likely storyline emerges that would not be as evident by examining the record of a single telephone call". This examples shows that it is not the content of our communication but the aggregation of metadata -who, where and when- that tells a very personal story.

Sending a message via a mobile phone has many different aspects. As mentioned above, the first layer is the message itself, the content of the message. The second layer is the metadata of the message. Service providers need this information to be able to deliver the message to the right person. In the case of a text message this includes information about the sender and receiver of the message and when it is sent. The third layer is other information the service provider knows about you. This could be your phone number, location, email account, other people in your network and their phone numbers. The fourth layer is aggregated data, which is a combination of different datasets. This could include the metadata of all your messages, network, time and location in one file.


The business of profiling

Companies tell us that they need information about us, our location, network and interests to be able to improve user services. To be able to walk and talk with your mobile phone your provider continuously searches for the nearest and best connection to a cell phone tower. This provides you with good reception, but also turns your phone into a tracking device. Google tracks your search patterns, your location and other interests to be able to provide you with the best personalized search results. WhatsApp needs to have access to your contacts to see which of your friends and family members also use WhatsApp, so that you can start messaging. For these companies it is a race to the top. By providing you with better services, you are more likely to stay with a specific service provider or join their service and not move to the competition or to open source tools. However, these data brokers are part of a multi-billion dollar business. They gain their revenue from the number of users they have and from the quality of the profiles that they sell about their users.

The news that WhatsApp is securing its users with end-to-end encryption signals a new trend. It is to be expected that in 2015 more communication services will launch privacy enhancing features. This itself is good news, as it will increase the privacy of millions of users with one centralized installment. However, as we have seen through the above examples, encryption is not a magic bullet. The content of our messages will be more private, but our personal data – through other aggregated data - will remain available. In short, it is important to remember that profiling is a profitable business model and that creating privacy enhancing features doesn't change the fact that companies are making money out of data collection and profiling.


Learn more

About trackingthe fine print of WhatsApps privacy policy and find more resources on data and big data.

Find out more about what you can do to protect your online privacy by exploring your digital shadow, using alternatives to WhatsApp or by visiting Security in a Box.


Source of image: http://media01.versus.io/whatsapp/front/front-1393846082939.flat.jpg