An internal memo from Meta has revealed an unknown security vulnerability in the WhatsApp application that allows governments to monitor conversations. The warning about the vulnerability has raised concerns among some company employees that Israel might be exploiting it as part of its program to monitor Palestinians and identify assassination targets during the Gaza war, the American website The Intercept reported on Thursday, May 23, 2024.
According to The Intercept, the WhatsApp security team had issued an internal warning last March, stating that despite WhatsApp’s strong encryption, users remained vulnerable to a dangerous form of government surveillance.
According to an internal threat assessment, which had not been previously reported and was reviewed by the American website, the contents of the conversations between the app’s two billion users remain secure. However, government agencies, as engineers reported, were “bypassing our encryption” to determine which users were communicating with each other, private group memberships, and possibly even their locations.
Details of the Security Vulnerability
The security vulnerability relies on “traffic analysis,” a network monitoring technique that has been in use for decades and involves scanning internet traffic on a large national scale. The internal assessment memo indicates that WhatsApp is not the only messaging platform at risk.
It suggests that Meta, the app’s owner, urgently needs to decide whether to prioritize the chat app’s functions or the safety of a small but vulnerable segment of its users.
The assessment urged WhatsApp to mitigate the ongoing exploitation of traffic analysis weaknesses that allow states to determine who is talking to whom.
According to the assessment, “Our vulnerable users need strong and actionable protection against traffic analysis.”
The Gaza War and Concerns of Israeli Exploitation
Against the backdrop of the ongoing war on Gaza, the internal assessment memo raised a troubling possibility among some Meta employees. WhatsApp employees speculated that Israel might be exploiting this security vulnerability as part of its program to monitor Palestinians, at a time when digital surveillance helps identify targets for assassination across the Gaza Strip, four employees told The Intercept.
Meta employees, concerned that their product might lead to the deaths of innocent people at the hands of the Israeli occupation army, launched a campaign called “Meta Friends for Ceasefire.” The group published an open letter signed by more than 80 employees, calling for an end to internal employee surveillance.
Reports have mentioned that the Israeli occupation army implemented an AI inspection campaign in the Gaza Strip by scanning the faces of ordinary Palestinians as they moved through the devastated area, whether they were trying to escape the ongoing bombing or looking for food for their families.
According to The New York Times, this program relies on two different facial recognition tools: one made by the Israeli company Corsight, and the other based on Google Photos, the popular consumer photo organization platform.
An unnamed Israeli official told the American newspaper that “Google Photos” works better than any alternative facial recognition technology and helps Israelis create a “hit list” of alleged Hamas fighters who participated in the October 7, 2023 attack.
Monitoring by National Governments
Kristina Lunigro, a spokesperson for Meta, said, “WhatsApp has no backdoors, and we have no evidence of vulnerabilities in how WhatsApp operates.”
Although the internal assessment memo described “weaknesses” as “ongoing” and specifically mentioned WhatsApp 17 times, Lunigro said the document “does not reflect a security flaw in WhatsApp, but only a ‘theory,’ and is not unique to the app.”
Lunigro did not respond when asked if the company had investigated whether Israel was exploiting this security vulnerability.
While the contents of WhatsApp communications remain unreadable, the assessment explained how governments could use their access to internet infrastructure to monitor when and where encrypted communications might occur, akin to monitoring a mail carrier delivering a sealed envelope.
This view of national internet traffic allows governments to draw strong conclusions about who is communicating with whom, even if the subjects of their conversations remain obscure.
The assessment stated, “Even assuming that WhatsApp’s encryption is unbreakable, ongoing ‘correlation and inference’ attacks would still violate our intended privacy model.”
The assessment did not specify particular instances where this method had been used by government entities. However, it cited extensive reports previously published by The New York Times and Amnesty International detailing how states around the world spy on dissidents using encrypted chat applications, including WhatsApp, using similar techniques.
As computing technologies are increasingly used during wars, metadata (information about who, when, and where conversations occur) has become immensely valuable to intelligence, military, and law enforcement agencies worldwide, according to The Intercept.