The Reality About WhatsApp’s Signal Encryption Integration…and It Isn’t Good

Alright, a serious reality check is needed. WhatsApp doesn’t give a shit about your privacy. There it is. I don’t care if they put in the best mobile device-centric encryption, which Open Whisper Systems’ Signal app encryption is. And let me be clear right out of the gate: I don’t believe that Moxie Marlinspike, Signal, and Open Whisper Systems overall are somehow complicit or evil in what I’m about to describe. But Facebook–WhatsApp’s parent company–certainly is evil. Straight up.

Why am I bringing this up now when I’ve already covered all of this on my tech podcast, Sovryn Tech? Because of this tweet from earlier today…

So now it’s official (even though it has been rolling out incrementally for over a year). Facebook’s WhatsApp is now encrypted for all users with Open Whisper Systems’ top-notch end-to-end encryption. I know, at first you’re thinking, “That’s great!”, and even the EFF (whom I stopped donating to over a year ago) is showering Facebook with praise over their recent security/privacy implementations.

Well, I’m here to tell you, it’s all bullshit. Literal smoke and mirrors. Let’s quickly break down the security/privacy features that Facebook has implemented in the past year or so, and then I want to tell you what it’s all really about.

  • Facebook has an official Tor site for accessing via Tor.
  • The Facebook Android app can be routed through Tor via Orbot.
  • You can upload your email PGP key to your profile on Facebook.
  • Facebook is helping fund OpenPGP development.
  • Facebook has implemented Signal-style encryption in WhatsApp.

And there’s more than that, but that makes for a quick breakdown. Now, if any other company was doing all of that, I would be showering them with praise. These are “all the right moves” as far as having a secure and private backbone for your system.

But we’re talking about Facebook here.

We’re talking about the company that collects all of your photos and uses facial recognition to auto-tag you, gathers tons of your posts and private messages (and even stores the things you erased or type-and-changed-your-mind), gleefully works with governments to give them information on their users, enforces a “real name policy” requiring you to send your identifying documents to them or not use the service at all, and also–next to Apple–may be the most socially conservative tech giant out there with not even letting you share photos of breast feeding or artistic nudity (not that “non-artistic” nudity is a problem…really, let the porn flow, folks).

None of this adds up to a company that gives a shit about civil liberties.

So then, what’s the real purpose behind Facebook’s implementation of all these security/privacy features in their ecosystem?

It’s called a “honey pot”.

SIDE NOTE: Another major reason that Tor and other security implementations have been put in by Facebook is likely to get more users, perhaps notably in China where Facebook is illegal. If Facebook can be accessed via Tor, the chances of people in more tyrannical nations (every nation is tyrannical, obviously) being able to get onto Facebook increases. This is a play that falls in line with that idiotic Silicon Valley goal of “growth at all costs”. Also, WhatsApp is arguably the most used app in the world outside of places where Facebook isn’t a big deal, so making that app/data part of the ecosystem makes logical business sense for Facebook.

Let me explain. In a day and age where you have very public–though full of bullshit–battles between governments and private industry (as if such a thing exists) over whether or not encryption should be legal, or whether it should have backdoors, etc., and to have such in the name of “safety”…it’s all crap. The amount of data and metadata that companies and governments can collect about you, without seeing the actual content/text of that data, is staggering. Governments have more ways to track you today, with or without encryption, than they’ve ever had. The “battle” over encryption is a ruse. Yes, absolutely, it’s a base level thing that every app and device should provide, and it is a very important and excellent tool…but if the argument is that it’s a problem because it empowers “terrorists” or “criminals” (emphasis on the quotation marks), then all of the apps and devices that use that encryption equally–if not more so–empower governments and corporations (an insidious and present hybrid system known as: Corporatism).

SIDE NOTE: In case you’re new to the Dark Android Project, I don’t mind admitting that I am an ardent peaceful anarchist.

Hopefully I haven’t lost you yet with all of my rhetoric, because there’s more. Let’s say you use all of these “properly secured” services from Facebook. How do you log in to these services? Ahhh…with a Facebook account. So even though you’re connecting to Facebook via Tor, even though you’re using your PGP key to email somebody, and even though you’re using the best encryption on mobile with your WhatsApp messages…you’re still–by attaching all of it to your Facebook account–giving Facebook loads and loads of information about your activities and what you’re doing, even if they can’t read the text…there’s still a ton of context as to what you’re doing and saying, just by playing ball in Facebook’s ecosystem. Facebook is just giving you a false sense of security here (and so are all of the news sites, organizations, and individuals claiming that WhatsApp’s encryption and other Facebook efforts somehow protect you).
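To make the metadata point above concrete, here is an added example (not from the original post, and not WhatsApp's or Facebook's code) that builds a profile of one account from relay-side records without ever reading the ciphertext. The record layout, account names and addresses are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of what a relay could log for end-to-end encrypted
# messages. Hypothetical layout, not WhatsApp's real schema:
# (sender account, peer account, ISO timestamp, source IP, opaque ciphertext)
RECORDS = [
    ("alice", "bob",   "2016-04-05T08:02:11", "203.0.113.7",  b"\x9f\x02\x11"),
    ("bob",   "alice", "2016-04-05T08:02:40", "198.51.100.4", b"\x41\xc3\x7a"),
    ("alice", "bob",   "2016-04-05T08:03:05", "203.0.113.7",  b"\x10\xee\x5b"),
    ("alice", "carol", "2016-04-05T23:15:00", "192.0.2.50",   b"\x77\x08\xd2"),
    ("carol", "alice", "2016-04-05T23:40:00", "198.51.100.9", b"\xaa\x31\x9c"),
    ("alice", "bob",   "2016-04-06T08:01:30", "203.0.113.7",  b"\x5d\x6f\x00"),
]

def profile(records, account):
    """Summarise one account from metadata only; ciphertext is never opened."""
    contacts, hours, networks = Counter(), Counter(), set()
    for sender, peer, ts, ip, _ciphertext in records:
        if sender != account:
            continue
        contacts[peer] += 1                          # who they talk to, how often
        hours[datetime.fromisoformat(ts).hour] += 1  # when they are active
        networks.add(ip)                             # where they connect from
    return {
        "top_contacts": contacts.most_common(),
        "active_hours": sorted(hours),
        "networks": sorted(networks),
    }

def reply_pairs(records, window_s=120):
    """Count messages that answer the other party within window_s seconds."""
    msgs = sorted((datetime.fromisoformat(ts), s, p) for s, p, ts, _ip, _ct in records)
    pairs = Counter()
    for i, (t, sender, peer) in enumerate(msgs):
        # A quick answer to an earlier message in the opposite direction
        # marks a live conversation, with no access to the content.
        if any(s == peer and p == sender and (t - t0).total_seconds() <= window_s
               for t0, s, p in msgs[:i]):
            pairs[tuple(sorted((sender, peer)))] += 1
    return pairs

if __name__ == "__main__":
    print(profile(RECORDS, "alice"))
    print(reply_pairs(RECORDS))
```

Everything the two functions return comes from the envelope fields alone, which is the information an account-linked service retains even when the message body is end-to-end encrypted.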

And do you think that can’t be used to track what you’re doing? How about a government-foiled terrorist plot–potentially using Signal-style encrypted WhatsApp at the time–in Belgium in June of 2015? It’s confirmed that these terrorists were stopped by tracking their WhatsApp usage, but what was never confirmed was whether or not WhatsApp’s encryption scheme was cracked. But that fact doesn’t matter. All it took was metadata from WhatsApp–likely handed over by Facebook–to put a stop to the attacks before they could start.

SIDE NOTE: In a time when encryption is being popularly encroached upon by governments, many populations in countries around the world have been turning to the Telegram messaging app. While Telegram’s encryption is questionable, it has become very popular because of that encryption. Certainly, Facebook is very concerned about its acquired WhatsApp messaging app losing market share to competition simply because that competition is “encrypted”. It only makes sense they would add in proven encryption to try and beat out the competition with questionable encryption (i.e., Telegram).

Obviously, I’m happy that lives were saved. I think ANY human death is 100% unacceptable. But that doesn’t change the fact that Facebook has created a honey pot here. They’ve created a go-to ecosystem full of metadata to assist their own goals, and to hand over data at any time that some government alphabet soup organization needs it. Facebook seems to be always ready to grab the ankles when user data requests are made. And all it takes is for you–for whatever justification gets dreamed up–to become a “criminal” in the eyes of the government for this entire Facebook ecosystem to reveal all about you and track you to the ends of the Earth…encryption be damned. Facebook, with Tor and encryption in place, is just a one-stop shop for governments to keep an eye on you.

SIDE NOTE: WhatsApp and Facebook Messenger may at some point become a merged app. While this means Messenger would then also be encrypted via the Open Whisper Systems protocol, that also means that now WhatsApp will be getting the ads that are going to be/getting pushed to you in Messenger. What, you didn’t think Facebook would acquire WhatsApp for billions, make it free again, and then not find a way to make money off of it with ads? Really?

Please don’t misunderstand me, I think encryption is a great thing. Hell, it’s a genuinely beautiful thing, especially the encryption from Open Whisper Systems (and I whole-heartedly recommend the use of the Signal app). Every app, service, and device should have it. But encryption is like a gloved hand, and it’s important to note whose hand is wearing the glove. In this case, it’s Facebook. And, at the end of the line, that means it’s the velvet-gloved hand of corporatist tyranny.

So don’t congratulate, get excited about, or use WhatsApp (or Facebook, if you’re saucy enough). If you want to use encryption, go with the Signal app itself, or use PGP emails on mobile via K9 and OpenKeychain. Those are real solutions, and ones that don’t enter you into the Facebook honey pot. Stay out of there if you can.

Carpe lucem!