WhatsApp’s Security Flaw: Governments Can Track Users

In March, the WhatsApp security team reported a significant threat to users of the messaging platform. Despite robust encryption, users remain vulnerable to government surveillance. An internal document obtained by The Intercept asserts that while the content of communications for 2 billion users remains protected, government agencies can circumvent encryption to determine who is communicating, identify members of private groups, and possibly even ascertain users’ locations.

“Doble marca azul Whatsapp” by DownloadsourceES is licensed under CC BY-NC-SA 2.0

The vulnerability is tied to traffic analysis—a method of network monitoring based on observing internet traffic on a national scale. The document indicates that WhatsApp is not the only service susceptible to such threats. According to an internal assessment, Meta, which owns WhatsApp, is advised to implement additional security measures to protect a small but vulnerable portion of users. These measures may include more robust traffic encryption, metadata masking, and other countermeasures against national-level traffic analysis.

Amid the ongoing armed conflict in the Gaza Strip, the warning about this vulnerability has caused serious concern among some Meta employees. WhatsApp staff have expressed fears that this vulnerability could potentially be exploited by Israeli intelligence agencies to surveil Palestinians as part of their operational programs in Gaza, where digital surveillance plays a role in targeting. Four employees, speaking anonymously, told The Intercept about such concerns within the company. However, it is important to note that no concrete evidence of exploitation of the vulnerability was presented at that time.

Meta spokesperson Kristina LoNigro stated that WhatsApp has no vulnerabilities and the document reflects only a theoretical possibility, not unique to WhatsApp.

The document demonstrates how government agents can use access to internet infrastructure to monitor encrypted communications, allowing them to deduce who is communicating with whom. This is akin to watching a mail carrier deliver a sealed envelope. Traffic analysis enables governments to identify the individuals involved in conversations, even if the content remains hidden. Metadata, such as who is communicating, when, and where, holds immense value for intelligence and military agencies worldwide.

The WhatsApp document does not provide specific examples of state actors using this method, but it references reports from The New York Times and Amnesty International showing how countries monitor the use of encrypted messaging applications.

“[That] description… is absolutely correct. We kill people based on metadata. But that’s not what we do with this metadata,” said Hayden, apparently referring to domestic metadata collection. “It’s really important to understand the program in its entirety. Not the potentiality of the program, but how the program is actually conducted.”

Only after the April publication exposing Israel’s data-driven approach to warfare did the WhatsApp threat assessment become a point of contention within Meta.

A joint report by +972 Magazine and Local Call last month revealed that the Israeli military uses software called Lavender to automatically authorize the killing of Palestinians in the Gaza Strip. Utilizing a vast database on the 2.3 million residents of Gaza, Lavender algorithmically assigns “almost every resident of Gaza a rating from 1 to 100, indicating the likelihood they are a combatant,” according to the report citing six Israeli intelligence sources. “A person with several compromising qualities will attain a high rating and thus automatically become a potential target for killing.”

Concerned that a vulnerability in the company’s product could be exploited for surveillance and harm to civilians in the conflict zone, some Meta employees organized an internal campaign called “Metamates for Ceasefire.”

The group published an open letter, signed by more than 80 employees, urging the cessation of censorship and the removal of employee statements on this issue within the company.

For successful traffic analysis attacks, all participants in WhatsApp group chats or both sides of a conversation must be on the same network and in the same country. While users in countries with proper privacy laws may be less vulnerable, similar surveillance methods have been noted even in the United States. In the Gaza Strip, the situation is particularly dire, as internet access is controlled by Israeli authorities, making Palestinian users extremely vulnerable to such attacks.

WhatsApp is considering implementing an enhanced security mode for vulnerable users, akin to Apple’s “Lockdown Mode.” However, this could backfire by singling out such users, making them even more susceptible to surveillance.

The internal WhatsApp document clearly shows that coordinated efforts across the company are necessary to protect users from traffic analysis.