20 May 2019

WhatsApp Security Breach, a Global Privacy Issue?

Had a missed call on WhatsApp recently?

Only days after the story broke of Russia allegedly spying on Norway with the help of a charming white beluga whale, we are again witnessing a similar threat, albeit this time much more serious.

The Financial Times (“FT”) reported recently that a vulnerability was discovered in the WhatsApp messaging app which enabled attackers to install malicious code named Pegasus on a target’s device simply by placing a WhatsApp call to them. The scary part? The target did not even have to answer or click on the call – the code was delivered without any action on the part of the user. And yes, your iPhone could have been affected just as much as any Android phone.

Within minutes, data, such as your private messages, browser history or location could be extracted and sent to a computer on the other side of the world. What’s more, Pegasus allows the attacker to turn on your camera and microphone, therefore leaving you susceptible to becoming a target of live-stream spying.

WhatsApp, owned by Facebook, is one of the most popular messaging apps, with over 1.5 billion users around the world. The app is often lauded for its end-to-end encryption of both messages and voice calls, or as they put it, “Privacy and security is in our DNA, which is why we have end-to-end encryption”. Employees at WhatsApp learned about the spyware in early May. On May 13, they pushed an update to the app, urging users to install it and get the patch for the vulnerability.

Who created the malware?

Pegasus was developed by an Israeli cyber intelligence company, the NSO Group (“the NSO”). In a statement to the Financial Times, the NSO explained:

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organization”.

While the software itself is not new, Pegasus is such a powerful upgrade that the Israeli Ministry of Defence (the “Israeli MoD”) regulates its sale. The malicious code helped this rather low-profile company (it set up its own website only recently) achieve an astonishing market valuation of around USD 1 billion.

Privacy issue priors

The NSO has faced legal disputes prior to the WhatsApp incident. A number of Mexican journalists, government critics and one Saudi dissident living in Canada have filed a lawsuit against the NSO, claiming that “the company shares liability for any abuse of its software by clients”. The claimants received assistance with their legal action from a UK-based human rights lawyer whose own phone was a target of the same surveillance software.

Nevertheless, WhatsApp itself also gives cause for concern as regards respect for privacy. In February 2019, the German competition authority, the Bundeskartellamt, prohibited Facebook-owned platforms, including WhatsApp, from assigning the data they have collected to Facebook user accounts.

To jog your memory, Facebook faced a barrage of criticism in the wake of the Cambridge Analytica scandal, when personal user data was used to assess voting preferences of US citizens without their consent. This incident led to investigations and calls for Facebook to be broken up.

Reactions

The WhatsApp incident also garnered the attention of the world’s leading non-governmental human rights organization, Amnesty International, which reiterated its support for the legal action brought against the Israeli MoD’s decision not to revoke the NSO’s export licence. Amnesty and the NSO already have a history of levelling accusations against each other, dating back to August 2018, when Pegasus targeted an Amnesty staff member; Amnesty also linked the software to attacks on activists and journalists in Saudi Arabia, Mexico and the United Arab Emirates.

Is there a solution?

The vulnerability of social media platforms is old news, but as Alex Stamos, former head of cybersecurity at Facebook, explained:

“We certainly can’t completely shut down the global trade in offensive technologies used against activists and journalists, but we can try to make it unwise to conduct this trade in the open and with US offices”.

Platform vulnerability seems to be merely one of a litany of user concerns. Trust in WhatsApp as a secure communication platform may be further eroded, given not only the incident at hand but previous practice too. Privacy issues, whether stemming from external surveillance software or from the platform itself, have ramifications that go beyond any single state’s jurisdiction.

The global character of the ramifications of such security breaches suggests a turbulent future. It is yet to be seen whether state governments and cybersecurity services of social media platforms are robust enough to counter illegal software surveillance and halt any exacerbation of privacy issues.

Relevance for Serbia

After a nine-month-long adaptation period, Serbia’s new GDPR-based Data Protection Act is set to come into force in August 2019. Time will tell whether Serbia’s data protection watchdog, the Commissioner for Information of Public Importance and Personal Data Protection, will launch investigations into how tech giants protect the personal data of their users in an effort to prevent WhatsApp-type incidents.

Furthermore, in view of the Bundeskartellamt’s ban on Facebook assigning data collected through WhatsApp and other Facebook-owned platforms to Facebook user accounts, it is not beyond the realms of possibility that Serbia’s Commission for Protection of Competition will take steps to prevent any abuse of the huge market power that the tech giants wield. Chances are that, with data evolving into a key asset for modern companies, data protection and competition authorities will encounter an unprecedented number of issues of common concern. The hope would be that they can find common ground on which to pool their efforts and introduce effective safeguards for users.