Internet Security Blog - Hackology

Privacy / Security Threat : Facebook Merger with WhatsApp & Instagram

Facebook is a business, and businesses thrive on sales. Facebook is free, so it sells our data. This is nothing new to us, and Facebook has been found guilty of the same (Cambridge Analytica might be fresh in your memory). Facebook acquired WhatsApp for $19 Billion USD in February 2014. WhatsApp, an app famous for being ad-free and always adopting the latest encryption trends, had already made a name for itself as a privacy-invasion-free messaging platform; it required only a cellular number, and no other registration was part of the signup process. So how would Facebook benefit from the deal?

Update [1 Feb 2019]: Mark Zuckerberg has shared why he wants to merge Facebook, WhatsApp, Instagram and Messenger and when he plans to make the merger happen; details added at the end of the article.

Update [7 Feb 2019]: Canada has barred Facebook from merging WhatsApp+Instagram data with Facebook without ‘User Consent’, to which Facebook has replied with an aggressive stance; details added at the end of the article.

WhatsApp Data Sharing with Facebook

Facebook had its Messenger app, and after buying WhatsApp its dominion over the messaging industry increased manyfold. But Facebook was still not able to make any profit out of its billion-dollar purchase.

In 2016 Facebook decided to start sharing WhatsApp data with Facebook. This would not include your chats, just your phone number and your contact list, to give you better ads [Facebook is a business, it needs to earn], as you can see in the above archive video. But it didn’t go well, and due to immense pressure Facebook had to halt the move until GDPR is finalized, and sharing of partial WhatsApp data with Facebook stopped. Or did it?

Facebook can Read through WhatsApp End-to-End Encryption

Facebook got lucky with the launch of iOS 8. Even with WhatsApp end-to-end encryption, Facebook is capable of reading your WhatsApp conversations. I am not saying that Facebook is already doing it, but it is “capable of doing so”.

With iOS 8, Apple introduced extensions, tiny apps embedded in their parent app, which could perform specific tasks like sharing a document or pushing content to Apple Watch. Apps and their extensions are allowed to share files placed in a special container, dubbed shared container. In addition, App Groups were introduced: a developer could now register all of their apps in the same App Group, and set up a shared container to enable apps of the same group to share assets and documents.

At some point after acquiring WhatsApp, Facebook registered it as part of the same App Group as the Facebook Messenger and Facebook apps. Facebook and WhatsApp now had a privileged way to share information across traditional sandboxing boundaries, via a shared container named group.com.facebook.family.

The team at iMazing (iOS Manager Suite) showed that “WhatsApp” shares the same family container as “Facebook”, which implies that the Facebook app could read your WhatsApp message database.
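To check which apps on a device declare a common App Group, you can compare their entitlements. The following is an added example, not code from this post or from iMazing: it assumes each app's entitlements have already been extracted as plist bytes, and the sample data is constructed (only `group.com.facebook.family` comes from the article; the other group IDs are made up).

```python
import plistlib
from collections import defaultdict

# Entitlement key under which an iOS app lists its App Groups.
APP_GROUPS_KEY = "com.apple.security.application-groups"

def app_groups(entitlements_plist: bytes) -> set:
    """Return the App Group IDs declared in one app's entitlements plist."""
    try:
        ent = plistlib.loads(entitlements_plist)
    except Exception:
        return set()  # unreadable entitlements: treat as no groups declared
    groups = ent.get(APP_GROUPS_KEY, []) if isinstance(ent, dict) else []
    if isinstance(groups, str):  # tolerate a single string instead of an array
        groups = [groups]
    return {g for g in groups if isinstance(g, str)}

def shared_containers(apps: dict) -> dict:
    """Map each App Group ID to the apps (2 or more) that can open its container."""
    members = defaultdict(set)
    for name, blob in apps.items():
        for group in app_groups(blob):
            members[group].add(name)
    return {g: sorted(m) for g, m in members.items() if len(m) > 1}

def reachable_from(app: str, apps: dict) -> set:
    """Apps that share at least one container with `app`."""
    shared = shared_containers(apps)
    return {other for m in shared.values() if app in m for other in m} - {app}

# Constructed sample entitlements, not dumped from the real apps.
FAMILY = "group.com.facebook.family"
SAMPLE = {
    "Facebook": plistlib.dumps({APP_GROUPS_KEY: [FAMILY]}),
    "Messenger": plistlib.dumps({APP_GROUPS_KEY: [FAMILY]}),
    "WhatsApp": plistlib.dumps(
        {APP_GROUPS_KEY: [FAMILY, "group.example.whatsapp.private"]}),
    "UnrelatedApp": plistlib.dumps({APP_GROUPS_KEY: ["group.example.other"]}),
    "Broken": b"not a plist",
}

if __name__ == "__main__":
    for group, names in shared_containers(SAMPLE).items():
        print(group, "->", ", ".join(names))
    print("WhatsApp shares a container with:", sorted(reachable_from("WhatsApp", SAMPLE)))
```

A group that appears for only one app is a private container; only groups listed by two or more apps cross the sandbox boundary the article describes.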

Facebook ‘family’ shared container for Messenger App

Facebook ‘family’ shared container for WhatsApp as well, indicating that Facebook can access the WhatsApp message database

You might be wondering: doesn’t WhatsApp have end-to-end encryption? Well, end-to-end encryption in WhatsApp is used when you send or receive a message. WhatsApp also maintains a database of all your conversations on your phone, which has standard encryption and which any “shared container” belonging to the same “family” can access.

WhatsApp Database is Encrypted

Yes, it is encrypted. Now let’s open the same database outside of WhatsApp.

WhatsApp Database Showing All Messages
WhatsApp Timestamps, text, from and to names, phone numbers, paths to attachments; it’s all there, enough to rebuild your entire chat history.

It would take only 1 day of coding on the Facebook and WhatsApp apps to discreetly copy this database from one app to the other, via their shared container.

Many would argue here that Facebook would never do such a thing. Well, we never thought Cambridge Analytica would happen, or that Facebook was collecting SMS data from Android users for over a year. For iOS analysis one would require a jailbroken device, but jailbreaking is considered bad. Should one just believe them?

Facebook Merging WhatsApp , Instagram and Messenger

Facebook played smart this time: before announcing anything on their Newsroom, NYTimes was made to do the bidding for them, softening up the target. Following are the key points reported by NYTimes regarding the merger:

  1. Strengthen Facebook’s grip on users, raising antitrust, privacy and security questions
  2. All apps will be using end-to-end encryption
  3. Considering ways to make it easier to reach friends and family across networks
  4. Keeps users highly engaged inside the company’s ecosystem
  5. Reduce people’s appetite for rivals’ messaging services
  6. Business and revenue generation services
  7. It is also reported that this project will be completed by the end of this year or early 2020

Facebook has had a notoriously hard time earning revenue off of WhatsApp’s 1.5 billion users, in part because of end-to-end encryption.

I will not debate the above-mentioned points, because points (5), (6) and (7) just pertain to Facebook’s business model, while point (2) has already been explained in this article: even if WhatsApp is encrypted, a merger would allow Facebook to pretty much do anything with our data on the pretext of point (4). Point (3) is a gimmick; it is already easy for me to find friends. Point (1) is the biggest issue: their business plan requires our “data”, data which would invade our privacy, and how Facebook gets a grip on or addresses all the security and privacy questions is something we will see in the future. Ah, I just clarified the above-mentioned points.

Various news platforms have already reported on this, while the original source is an article in The New York Times. I think Mark Zuckerberg is preparing everyone for what’s about to come so that we may not be surprised. Quoting a statement from Facebook, NYT wrote:

Build the best messaging experiences we can; and people want messaging to be fast, simple, reliable and private. We’re working on making more of our messaging products end-to-end encrypted and considering ways to make it easier to reach friends and family across networks.

Security Experts on Facebook-WhatsApp-Insta Merger

The Facebook merger of WhatsApp, Instagram and Messenger raised a lot of eyebrows, bringing out some really important questions. Facebook will be noting them for now and figuring out how it can “answer” them, not “solve” them, because if Facebook wanted to solve them it would not be merging the apps and putting user privacy at stake.

 

Facebook should take considerable care in how the integration was handled given the firm’s “spotty history” with user privacy

Merging personal information and privacy configurations from three significant applications won’t be trivial. Facebook development teams would do well to look at this precedent and prioritize user privacy.

With the integration project currently expected to take a year to complete, and with end-to-end encryption as part of the plan, we should expect the Facebook engineering teams to focus attention on uniform data security both in their platform and in the apps themselves.

Tim Mackey [@timintech]

The obvious identity issue is usernames. I’m one thing on Facebook and another on Instagram.

In some ways, having the three linked more closely together would be good because it would make it more transparent that they are connected. But there are some Instagram and WhatsApp users who don’t want to use Facebook. This might be seen as a way to try to push more people in.

—Jim Fenton [web]

There’s a world where Facebook Messenger and Instagram get upgraded to the default encryption of WhatsApp, but that probably isn’t happening.

It’s too technically challenging and would cost Facebook access to lots of data. While end-to-end encryption can’t solve every privacy issue for everyone all the time anyway, it’s harder to know how to take advantage of it safely when a service doesn’t offer it consistently, and creates potential privacy issues when it centralizes identities.

—Matthew D. Green [web]

Mark Zuckerberg Speaks About Facebook , WhatsApp , Instagram & Messenger Unification

When

Mark confirmed during Facebook’s recent earnings call that Facebook does plan to merge Messenger, WhatsApp, and Instagram chats. But the move won’t happen until at least 2020.

There’s a lot more that we need to figure out before we finalize the plans. And then, of course, this is going to be a long-term project that I think will probably be to whatever extent we end up doing it in — a 2020 thing or beyond

Mark would love to make this unification happen tomorrow or even yesterday, but the simple fact is that he cannot: they need to calculate their next moves carefully so as not to damage the already damaged credibility of the company.

Why

Facebook = Business = Money. That is the why, nothing else. To make it work they need to strike a balance: generate revenue while keeping the encryption intact, or at least portray that it is intact. I have already shared above that even with current encryption they can read our everything on WhatsApp, but it’s not about what they can do, it’s about how they will tell the world, as stated by Nick, Communication Chief at Facebook:

We haven’t worked out how that will work, whether it’s workable, what regulators may or may not think about it before they jump to any conclusions, what you would need to do, how you make that work in the data infrastructure, how much data integration you need between them

To give us all a sense of calm and ease, Zuckerberg states:

People really like this in WhatsApp. I think it’s the — it’s the direction that we should be going in with more things in the future. I think there’s an opportunity to use the work that we have done with WhatsApp there rather than doing it in different ways in the different messaging experiences

First of all, whatever WhatsApp has achieved, it achieved before Facebook bought it: the end-to-end encryption and the no-ads, no-bullshit policy. The only changes Facebook wanted to bring were putting up ads and sharing WhatsApp data, and now we get to read that Mark is very excited about having end-to-end encryption with this app unification. Plausible?

Germany Stopped Facebook from Combining WhatsApp + Instagram Data without Consent

Germany’s national competition regulator has ordered Facebook to stop combining user data from different sources without voluntary consent. The order applies to data collected by Facebook-owned platforms like WhatsApp and Instagram, while extending the same orders to 3rd party data collecting sources. The authority’s decision covers different data sources:

Facebook-owned services like WhatsApp and Instagram can continue to collect data. However, assigning the data to Facebook user accounts will only be possible subject to the users’ voluntary consent. Where consent is not given, the data must remain with the respective service and cannot be processed in combination with Facebook data.

 Collecting data from third party websites and assigning them to a Facebook user account will also only be possible if users give their voluntary consent.

If consent is not given for data from Facebook-owned services and third party websites, Facebook will have to substantially restrict its collection and combining of data. Facebook is to develop proposals for solutions to this effect.

Facebook retaliated against the Bundeskartellamt’s decision in its own statement, titled “Why We Disagree With the Bundeskartellamt”. Facebook claims that the Bundeskartellamt “underestimates the fierce competition we face in Germany, misinterprets our compliance with GDPR and undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU.” Facebook thinks that it is being targeted, stating:

people interact with companies that connect and use data in similar ways. And all of this should be – and is – a legitimate area of focus for regulators and policymakers around the world. Yet the Bundeskartellamt is trying to implement an unconventional standard for a single company.

I say it is a Facebook monopoly, and other countries should also pass this bill so that consent from people is taken before the data merger can take place.

What’s your take on this news? Do you use any or all of the platforms owned by Facebook? Would it make you leave WhatsApp if the merger really does happen?

Happy Data Privacy Day ( #DataPrivacyDay )

I would also like to thank Abid Khan for assisting with the article.

 
