Menlo Park, CA – WhatsApp’s security team issued an internal warning in March, alerting colleagues about potential vulnerabilities to government surveillance despite the app’s powerful encryption. The warning, detailed in a threat assessment obtained by The Intercept, revealed that while the contents of messages among WhatsApp’s 2 billion users remain secure, governments are potentially bypassing encryption through traffic analysis. This technique allows them to determine which users are communicating, the membership of private groups, and possibly even the locations of users.
The threat assessment underscores the danger of traffic analysis, a network-monitoring technique that can reveal communication patterns by observing internet traffic on a large scale. The document highlights that WhatsApp is not the only messaging platform vulnerable to such surveillance. Still, it urges Meta, WhatsApp’s parent company, to decide whether to prioritize the app’s functionality or the safety of its most at-risk users.
“WhatsApp should mitigate the ongoing exploitation of traffic analysis vulnerabilities that make it possible for nation states to determine who is talking to who,” the assessment urged. “Our at-risk users need robust and viable protections against traffic analysis.”
The warning gained particular attention against the backdrop of the ongoing war on Gaza, raising concerns that Israel might be exploiting this vulnerability to monitor Palestinians. Four WhatsApp employees speculated that Israel’s use of digital surveillance could be influencing targeting decisions in Gaza, as part of a broader surveillance program.
Meta spokesperson Christina LoNigro emphasized that WhatsApp has no backdoors and no evidence of vulnerabilities in its encryption. LoNigro described the document’s findings as “theoretical” and not unique to WhatsApp. However, she did not respond when asked if the company had investigated whether Israel was exploiting this vulnerability.
The assessment illustrates how governments can use their access to internet infrastructure to monitor encrypted communications, similar to observing a mail carrier delivering a sealed envelope. This surveillance can reveal powerful inferences about who is conversing, even if the content of the conversations remains secure. The document notes that even if WhatsApp’s encryption is unbreakable, ongoing “collect and correlate” attacks can still undermine user privacy.
The WhatsApp threat assessment does not cite specific instances of state actors using this method but refers to reports from The New York Times and Amnesty International about how countries spy on dissidents using similar techniques. Metadata, which includes information about the who, when, and where of conversations, holds immense value for intelligence, military, and police agencies worldwide. Former NSA chief Michael Hayden famously quipped, “We kill people based on metadata.”
The discussion around these vulnerabilities intensified following an exposé by +972 Magazine and Local Call, revealing that Israel’s army uses a software system called Lavender to algorithmically assign ratings to Palestinians in Gaza, potentially marking them for assassination. The system considers a multitude of personal characteristics and digital behaviours, including WhatsApp usage.
The report indicates that WhatsApp usage is among the many personal characteristics the Israeli military uses to determine targets. This raised concerns among Meta employees about the possibility of WhatsApp data feeding into Israel’s surveillance and targeting systems.
Meta spokesperson Andy Stone denied any specific targeting of employee discussions about the war and emphasized the company’s general workplace conduct rules. Nevertheless, concerned employees have organized under the campaign Metamates 4 Ceasefire, demanding transparency and an end to internal censorship.
The internal assessment highlights the difficulty of protecting users against traffic analysis without compromising the app’s performance. Adding delays to messages or transmitting decoy data could help, but such measures may affect user experience and increase data usage.
To WhatsApp’s security personnel, the solution lies in a unified effort within the company to build protections for at-risk users. The assessment suggests adopting a hardened security mode similar to Apple’s “Lockdown Mode” for iOS, though this could inadvertently highlight users as targets.
Meta’s ongoing efforts to address these vulnerabilities reflect the complex balance between privacy and functionality in messaging apps. As governments continue to exploit digital surveillance techniques, the stakes remain high for protecting user data and maintaining trust in encrypted communication platforms.
