Hacks and spying: Is WhatsApp safe for diplomats?

The Facebook-owned app has become a standard tool for international negotiations. Amid rising security concerns, EU experts now suggest a safer alternative. But the WhatsApp era is far from over.

Whatsapp and the diplomat
CC-BY 4.0 Oliver Hinzmann

Brexit has forced a digital clean-up on diplomats in Brussels. Officials often use WhatsApp to coordinate meetings between EU member states. Entire working parties in the Council have a shadow life in group chats on the green app.

On October 31st, scores of British diplomats were taken off e-mail lists and kicked out of WhatsApp groups. As often on the chat app, some groups were re-founded minus one member to spare people’s feelings.

What happened in Brussels will not seem unusual for most people on the globe – the Facebook-owned app boasts two billion users worldwide.

WhatsApp has become the standard tool for international negotiations. As early as 2016, the Guardian talked about the „rise and rise of diplomacy by WhatsApp“.

WhatsApp’s popularity with diplomats comes from the fact that it is encrypted and has a large base of users, says Corneliu Bjola. „Almost everyone has a WhatsApp account“, he notes.

Bjola teaches Diplomatic Studies at the University of Oxford. He also advises officials on digital diplomacy. Bjola says WhatsApp is used in multilateral settings such as the UN, as well as within foreign ministries.

Tricky security questions

Yet high-profile hacking cases and apparent security flaws have raised uncomfortable questions about the app.

WhatsApp’s popularity among diplomats could take a serious hit after the Cryptoleaks scandal. Investigative journalists revealed that German and US intelligence used faulty encryption to spy on allies across the globe.

US spying has caused trouble for WhatsApp’s parent company Facebook since revelations by whistle-blower Edward Snowden about the NSA in 2013.

The widespread use of surveillance casts doubts on whether free services by US firms can guarantee adequate protection for their users.

Europe has to ask itself – is WhatsApp safe enough for its diplomats?

EU mulls alternatives

European Commission experts appear to have doubts. A note on the issue by the EU’s Information Technology and Cybersecurity Board (ITCB) was recently sent to thousands of officials.

The note, which netzpolitik.org publishes in full, recommends that officials switch to Signal, an app championed by privacy advocates such as former NSA contractor Snowden, as a „safer alternative for instant messaging“ with colleagues.

The document does not mention WhatsApp by name. A Commission spokesperson said that using Signal was not mandatory.

While it is unclear how many Commission officials will actually install Signal, the network effect makes it unlikely that a new tool becomes standard unless it has to be used.

Meanwhile, WhatsApp is still widely used among diplomats in the Council, even if such use is „not an official one“, as Croatian EU presidency spokesperson Goranka Primc stresses.

„It is not in the remit of the Presidency to suggest services to be used for this kind of unofficial communication“, she wrote in an e-mailed reply.

No seal on sender information

Messages on WhatsApp are well-secured, at least in principle. Since 2016, the app uses end-to-end encryption, which makes messages close to impossible to read even if intercepted.

Facebook likes to stress that WhatsApp uses the same encryption protocol as Signal. However, the Silicon Valley company is sparse on details about how it implements the technology.

WhatsApp’s end-to-end encryption also does not cover metadata. This means that Facebook knows the time and date of the message, the identity of the sender and the size of the message.

The metadata gives Facebook information about the „social graph“ of users – whom they talk to and how often. The size of the messages allows inferring whether photos or other pictures were sent.

WhatsApp stores metadata centrally on its servers. The app has access to users’ address books, information which it shares with its parent company Facebook to fuel its online ads business.

In contrast, Signal aims to keep as little data about users as possible. The service says it seals information about the sender, making it hard to trace messages. Metadata is deleted from its servers once messages are delivered.
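As an added illustration (not code from the article, WhatsApp or Signal), the following Python script shows what a server that logs only message metadata can still infer, as described in this section and the one that follows: a social graph, size-based guesses about attachments, and who contacted whom in the hours before a decisive vote. It then models a sealed-sender record set to show what is left once the sender field is gone. All records, account names, the vote time and the size threshold are constructed assumptions.

```python
# Added illustration, not from the article or any vendor: inferences a
# metadata-only server log supports. Every record below is constructed.
from collections import Counter
from datetime import datetime, timedelta

# Constructed metadata rows: (sender, recipient, timestamp, size_bytes).
# No message content is present: end-to-end encryption protects the
# payload, but the envelope is still visible to the service.
RECORDS = [
    ("fr_official", "de_official", datetime(2020, 2, 20, 9, 5), 180),
    ("de_official", "fr_official", datetime(2020, 2, 20, 9, 7), 95),
    ("fr_official", "de_official", datetime(2020, 2, 20, 9, 30), 2_400_000),
    ("fr_official", "it_official", datetime(2020, 2, 20, 9, 40), 210),
    ("uk_official", "de_official", datetime(2020, 2, 19, 15, 0), 140),
    ("fr_official", "de_official", datetime(2020, 2, 20, 10, 55), 160),
]
VOTE_TIME = datetime(2020, 2, 20, 11, 0)  # constructed "decisive vote"
MEDIA_THRESHOLD = 100_000  # assumed: larger messages are probably photos/files

def social_graph(records):
    """Count how often each unordered pair of accounts exchanged messages."""
    graph = Counter()
    for sender, recipient, _, _ in records:
        if sender is not None:  # sealed sender: no edge can be recorded
            graph[frozenset((sender, recipient))] += 1
    return graph

def likely_media(records):
    """Flag messages whose size alone suggests an attachment, not text."""
    return [(s, r, t) for s, r, t, size in records if size >= MEDIA_THRESHOLD]

def lobbying_before(records, target, deadline, window=timedelta(hours=2)):
    """Who contacted `target` in the window before `deadline`, and how often."""
    contacts = Counter()
    for sender, recipient, ts, _ in records:
        if recipient == target and sender and deadline - window <= ts < deadline:
            contacts[sender] += 1
    return contacts

def seal_senders(records):
    """Model a Signal-style sealed sender: the server never sees who sent it."""
    return [(None, r, t, size) for _, r, t, size in records]

if __name__ == "__main__":
    print(social_graph(RECORDS).most_common(2))
    print(likely_media(RECORDS))
    print(lobbying_before(RECORDS, "de_official", VOTE_TIME))
    print(social_graph(seal_senders(RECORDS)))  # empty: no edges recoverable
```

Timestamps and sizes survive sealing, so traffic-volume analysis is still possible; only the sender-recipient graph disappears.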

Metadata not safe, says Schrems

Intelligence services have pushed for backdoors in messaging services to get access to encrypted messages. WhatsApp, Apple and civil society groups have pushed back against such a move, saying it would hurt user security and trust.

Yet in some cases metadata can reveal as much as the content of messages.

Diplomacy, after all, is about networking and secret agreements. When a French official lobbies her German counterpart just before a decisive vote, isn’t that fact alone just as confidential as the content of her message?

The Austrian Max Schrems, a privacy advocate who has led the legal battle against US intelligence collection in Europe, told netzpolitik.org: „The metadata goes directly to Facebook and therefore also to the American intelligence services.“

„For officials from foreign and defence ministries, for example, but also for journalists and human rights activists, this is a substantial risk“, agrees Jan Penfrat, a senior policy advisor with the NGO European Digital Rights.

The point is neatly illustrated by a quote from former NSA director Michael Hayden, who in 2014 stated bluntly: „We kill people based on metadata.“

Germany’s chief data protection official Ulrich Kelber cautions against WhatsApp use by authorities under his supervision. Kelber is „sceptical“ because of WhatsApp’s data sharing with Facebook, a spokesperson said in an e-mail.

Facebook is reluctant to discuss its security measures for user metadata. A spokesperson for the company declined to comment on how WhatsApp protects users from snooping.

No place to hide

Diplomats and EU officials can safely assume they are a target for foreign intelligence. Brussels has been called a „city of spies“ for years. Only last month, police raided homes and offices of a prominent German ex-diplomat accused of spying for China.

The NSA affair saw allegations of a massive eavesdropping program by the US against European diplomats and officials in Brussels, as well as at the UN seats in Vienna and Geneva.

In the latter city, Snowden was posted while he still worked for the NSA. The whistleblower said he believes that US intelligence is still spying there.

Brexit could lead to new security challenges. The UK is among Washington’s closest allies. Together with Canada, Australia and New Zealand, they form the Five Eyes intelligence network.

For the high-tech intelligence world, the EU is already an attractive target, while Brexit could end any restraint on the part of the Five Eyes alliance.

The EU has lots to protect. In negotiations with the UK on their future relationship, EU documents will be confidential by default. The same applies to EU-US diplomacy on trade.

Metadata could compromise the EU’s internal deliberations on its position, giving leverage to US and UK negotiators.

Safer alternatives

For diplomatic correspondence to be considered secure, the threshold is higher than for ordinary users.

Those who want to avoid US intelligence agencies looking at their metadata should use Signal, or alternatives such as Wire or the Switzerland-based service Threema, said NGO analyst Jan Penfrat.

He also suggests using Matrix, an open-source protocol that is used by the German military and the French government.

The EU Commission, however, does not plan to end reliance on US tech firms. The expert group recommends Signal only „until Skype for Business on Mobile (S4BM) will be out“. Officials should then use S4BM, it says.

Skype for Business is a service owned by Microsoft, which the US giant will discontinue next year. Microsoft tells customers to switch to Teams after July 2021. The Commission did not reply to our query whether it will then recommend Teams.

The Teams application is part of Office 365, which is eyed with scepticism by data protection authorities in Germany and the Netherlands over privacy concerns.

Such concerns, it appears, are not a deterrent for the Commission. A solution that offers both security and technological autonomy is still a long way off.

Update on February 24, 2020: The original version of this story referred to both Wire and Threema as Switzerland-based services. Wire’s holding company has reportedly changed its registration to the US. The reference to Wire as Swiss-based company was changed accordingly.
