• The Paladins

What's up with WhatsApp?

This is the first of a series of articles about differing messaging services commonly used on mobile telephones, and their relative advantages and disadvantages.

Is WhatsApp a good piece of messaging software? The short answer is that it is so ubiquitous that it doesn't really matter; you're likely to find yourself using it anyway, because your friends, colleagues and loved ones are using it. But are there any specific features of it that one ought to be aware of? Here we try to provide a few hints as to the strengths and weaknesses of this messaging provider.

  1. The first thing to say is that WhatsApp is a secure messaging service, in that the messages communicated between one person and the other are secured and are not hackable by other private people. It is not possible for a private investigator to sit in a cafe and run software such that your WhatsApp messages are appearing on his computer screen. All variants on this sort of commercial espionage are prohibited by WhatsApp's Pretty Good Privacy end-to-end encryption, which is enabled as standard.

  2. In this sense it is superior to Telegram, which allows end to end encryption only if both messaging parties have enabled end to end encryption, which comes as turned off with the application's standard settings. Because many people don't know this, and because they also don't know whether their interlocutor knows this, the greater majority of Telegram communications turn out not to be encrypted at all.

  3. WhatsApp has a government backdoor but only certain governments have access to it. We will not give a list here; these things are state secrets. But if you are using your telephone habitually to commit crimes, for example drug dealing or arranging acts of terrorism in concert with other co-conspirators, then you can expect to get caught when using WhatsApp. That fact is in common with most other messaging services; few are reliably encrypted in the face of the most determined government intervention. Remember that even if a government does not have a facility for backdoor access to WhatsApp messages, it may borrow the services of another government's security and intelligence services if the individuals it is investigating are liable to commit particularly egregious or serious crimes.

  4. Where governments do this, they typically hoover up all the WhatsApp messages a person send or receives; as well as the numbers they are sent to and from, and the entirety of the account's address book. So if you are within the attentions of a government, then this is the information they will have from your WhatsApp account.

  5. They may also take recordings of conversations and of the infamous voicemail messages that WhatsApp allows a person to send to another (and that people rarely listen to except governments).

  6. On the other hand, government collection of information from a WhatsApp account is not particularly intrusive upon your privacy because, unless the government believes that you are committing particularly serious crimes invasive of government interests (e.g. serious drug trafficking offences; plots relating to crimes of serious violence; and serious acts of violent sedition) they are unlikely to employ the resources to read all your communications that they have gathered. There are machine learning methods of analysing harvested communications but ultimately it really needs a human being to read the communications; and this takes substantial human resources. (To monitor all the communications a single person engaged in might require a team of four to five people, particularly if multiple languages are involved.

  7. WhatsApp is not immune to Pegasus, a popular Israeli mobile telephone hacking software that is downloaded illicitly via attachments to SMS and/or WhatsApp attachments inter alia and allow the spy to monitor (almost) everything going on on a person's mobile telephone on a real time basis. However again monitoring all the data Pegasus gives you is a particularly time consuming exercise requiring substantial human resources that most people aren't prepared to devote to most people.

  8. WhatsApp shares your address book with its sister software Facebook and with third parties, for fees. The weaknesses in WhatsApp all derive from its frail address book interface, which WhatsApp refuses to improve because it is WhatsApp's ability to use address book data flexibly and hence commercially that is the main revenue generator for the piece of software. (WhatsApp tried to sell the messaging software on licence but it just caused product diversion so they gave up making money in that way and make it exclusively with reference to the address book.)

  9. Here is one of the principal address book weaknesses that you can be a victim to. It is possible for a person to steal your identity and pretend to be you on WhatsApp by manipulating the weak address book cross-referencing structure. The way this happens is as follows. The Defendant (D) is assumed to know the telephone number of the person whose identity is to be stolen (P). D adds P's number to their address book. P then takes another number, from a "burner" SIM card they install in a mobile phone, that is to say an anonymous SIM card not connected with any particular individual's name and address. (Almost every jurisdiction in the world allows people to buy "burners"; even if in theory they are banned then informal shops will sell them anonymously nonetheless. Most major European cities are full of such shops.) D then adds their "burner" telephone number to the address book of the telephone and/or of WhatsApp, installed upon their phone, to the same name as that of P. D then sends a WhatsApp message from the "burner" number to the WhatsApp account of the victim ("V"), who knows P and therefore has P's real telephone number stored in their address book. Then V's address book, spotting a second telephone number for P that they did not previously know about, automatically updates itself (as does the WhatsApp central address book) to add the "burner" number to the address book details of the person P whose address book details are already stored in the telephone of V. At this point D can write messages to V that appear to come from P whereas in fact they come from D, albeit from a different number to the one V has for P but V may not notice that or may just assume it is a new or different number V did not previously have for P because that number is stored together with a known number for P in V's address book. Then D writes to V pretending to be P and asking V to send D money, or a loan, or provide personal banking information on some pretext, and so on and so forth.

  10. Doing this, although rather common because WhatsApp refuses to fix the hole in its address book software (collating the known telephone numbers of the same people and learning who knows whom is the most valuable thing WhatsApp produces, and by doing this they can sell valuable personal information about their customers to a range of third parties), involves a serious series of offences, including (for example in England, for the facts described above) (a) attempted theft; (b) attempting to obtain a pecuniary advantage by deception; (c) fraud; and (d) using an electronic device to impersonate another person.

  11. We implore the Police in all jurisdictions to stamp down upon this practice by making arrests and charges; and we implore WhatsApp to address the problem by closing the holes in its coding.

  12. Finally, you may be interested to know that there are enhanced versions of WhatsApp with additional functionality beyond that available to the general public; but we are unable to tell you about that.

  13. Enjoy using WhatsApp but be careful of identity frauds involving this software. Virtually every messaging application is better than WhatsApp in terms of the passage to third parties of address book information and measures to avoid fraudulent impersonation of another WhatsApp user. However WhatsApp remains a senior product in terms of the end to end encryption it adopts.