WhatsApp and your data privacy in 2021
Putting your parents or even grandparents on a smartphone is not easy. Allowing them to receive photos of their children or grandchildren through WhatsApp, as well as to see them in a video call, is even less simple, but many have taken to it. "Mom, I see your ear there, it's a video call" is a classic phrase and I refer you to these videos by Cyprien: https://www.youtube.com/watch?v=uFpKj3JbORs and https://www.youtube.com/watch?v=ZJD1zoAaCmo
Migrating these populations to another application is even less simple but, to my surprise, my close circle of friends and family migrated to Signal without difficulty. But why migrate?
Concretely, what is changing?
Terms and conditions of use
There is no big change in what they collect; what mostly changes is the sharing with Facebook, which is now displayed openly:
Businesses On WhatsApp.
Businesses you interact with using our Services may provide us with information about their interactions with you. We require each of these businesses to act in accordance with applicable law when providing any information to us. When you message with a business on WhatsApp, it’s important to keep in mind that the content you share may be visible to several people in that business. In addition, some businesses might be working with third-party service providers (which may include Facebook) to help manage their communications with their customers. For example, a business may give such third-party service provider access to its communications to send, store, read, manage or otherwise process them for the business.
Device And Connection Information.
We collect device and connection-specific information when you install, access, or use our Services. This includes information such as hardware model, operating system information, battery level, signal strength, app version, browser information, mobile network, connection information including phone number, mobile operator or ISP, language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook Company Products associated with the same device or account).
We collect and use precise location information from your device with your permission when you choose to use location-related features, like when you decide to share your location with your contacts or view locations nearby or locations others have shared with you. There are certain settings relating to location-related information which you can find in your device settings or the in-app settings, such as Location sharing. Even if you do not use our location-related features, we use IP addresses and other information, like phone number area codes, to estimate your general location (e.g., city and country). We also use your location information for diagnostics and troubleshooting purposes.
I love the justification they give for collecting and sharing your information with third parties:
Information Others Provide About You. We receive information about you from other users. For example, when other users you know use our Services, they may provide your phone number, name, and other information (like information from their mobile address book) just as you may provide theirs. They may also send you messages, send messages to groups to which you belong, or call you. We require each of these users to have lawful rights to collect, use, and share your information before providing any information to us.
You should keep in mind that in general any user can capture screenshots of your chats or messages or make recordings of your calls with them, and send them to WhatsApp or anyone else, or post them on another platform.
I translate 😉: Your contacts have your phone number and can share it, so why bother us when we do?
The main thing that changes is that with this new update of the terms and conditions, either you accept or you don't use WhatsApp anymore, tough!
On the other hand, it is stated that if the user is European, then these changes only partially apply: thank you GDPR!
I recommend you to read this article from Le Monde on the subject: https://www.lemonde.fr/pixels/article/2021/01/07/whatsapp-revoit-ses-conditions-d-utilisation-sur-le-partage-des-donnees-utilisateurs-avec-facebook_6065529_4408996.html
Phew, Europeans are saved! Finally...
The General Data Protection Regulation (GDPR) is our savior, great, long live Europe!
Great, but no, in reality, WhatsApp has been sharing data with Facebook since 2016: https://9to5mac.com/2016/08/25/whatsapp-facebook-data-opt-out/
Following Facebook's acquisition of WhatsApp in 2014, Facebook had pledged not to cross-reference data, including phone numbers, for at least 5 years but finally did so after 3 years: https://ec.europa.eu/commission/presscorner/detail/fr/IP_16_4473
"contrary to Facebook's claims ... the technical possibility to automatically associate Facebook user IDs with WhatsApp user IDs already existed in 2014. At this stage, therefore, the Commission is concerned that Facebook may have deliberately or negligently provided inaccurate or misleading information to the Commission in violation of its obligations under the EU Merger Regulation.
It is essential that companies comply with the obligation to provide accurate and non-misleading information for the purposes of merger investigations so that the Commission can effectively review mergers and acquisitions."
Facebook was fined 100 million euros: https://www.lefigaro.fr/secteur/high-tech/2017/05/18/32001-20170518ARTFIG00072-la-commission-europeenne-sanctionne-facebook-d-une-amende-de-110-millions-d-euros.php
Of course, there is no proof that the data was cross-referenced, but Facebook lied: it has been possible, since the beginning, to cross-reference WhatsApp and Facebook data.
This change of conditions has woken the world up a bit: people are starting to realize the abuses of Facebook and to change platforms, especially to Signal, created by one of the founders of WhatsApp who left at the time of the takeover by Facebook and supported by the "Freedom of the Press Foundation".
So I can only recommend you to migrate from WhatsApp to something else and let you choose for yourself, see "Security Secure messaging solutions (or not)".
Isn't it already too late?
To be honest, I have no idea but if you delete your WhatsApp account, I doubt that Facebook or WhatsApp will keep your data at the risk of getting another severe fine from the European Commission.
And I'd take the old adage here: it's never too late 👍.
How to do it?
Personally, I mostly use Signal, which has a fat client for Windows, macOS and Linux: https://signal.org/download/
There are other secure messaging solutions like Olvid or Telegram (which does not encrypt end-to-end communications by default), which I also use but for specific purposes. Friends, family, neighbors... it's Signal.
So I started to migrate my WhatsApp exchanges and groups to Signal, sending a message describing the problem, which for me was:
Hello, due to the takeover of WhatsApp by Facebook, WhatsApp will provide all user information to Facebook, starting February 8th: https://www.bleepingcomputer.com/news/security/whatsapp-share-your-data-with-facebook-or-delete-your-account/
In addition to the phone number (which will be cross-referenced with Facebook databases), there will also be all the other information such as the address book, the installed applications...
I was already very reluctant to use WhatsApp but this change marks for me the end of this tool, in favor of Signal: safe, open and just as easy to use (with cooler features like being able to react to a message with an emoticon).
End for a person: To contact me, you will have to use the Signal application, or the mail, or the phone 😉
End for a group: I will create a Signal group with the same name, here is the link: https://signal.group/...
I admit I could have done better: talked about the European Commission, been more precise, more moderate, but I already find it too long 😉.
And yes, I love giving my opinion on messages with emoticons, which WhatsApp does not allow.
Ok but if everyone leaves, Facebook will back off!
Some people assume that if people migrate massively from WhatsApp to Signal (or any other solution), then they will backtrack on this sharing decision. Personally, I highly doubt it because sharing is at the heart of their business model and the WhatsApp buyout.
I rather think that people will not switch massively to Signal and that "normal" people will keep WhatsApp on top of Signal, so they can keep chatting with their strange friend/husband/wife/cousin/... the geeky computer scientist who rebels against Facebook.
For its part, Facebook will stand its ground, accept the loss of accounts and continue, because future generations will maybe forget that there used to be a notion of privacy, and that a company could not simply buy all the information about a person's life to harass them with useless ads*... I don't hope for that, but it's a possibility and it seems to me to be Facebook's strategy.
Let's stay optimistic 🤞 in the face of this kind of business model based on the unlimited plundering and reselling of personal data going against individual freedoms. Maybe a massive awareness could make it precarious and unprofitable.
Good migration 😄
*In the best case; in the worst case, with a significant influence on our lives. I suggest you listen to this program: https://www.franceinter.fr/emissions/le-code-a-change/pourquoi-s-est-on-mis-tout-noter-avec-vincent-coquaz and this one: https://www.franceinter.fr/emissions/le-code-a-change/ils-cherchent-les-trucs-bizarres-qu-il-y-a-dans-vos-telephones-rencontre-avec-des-traqueurs-de-trackers