Encrypted messaging service Signal experienced an outage on January 15. It blamed “technical difficulties”, but there is much more going on than just this.
The technical difficulties in this case related to the inability of the existing server infrastructure operated by the company to adequately handle messaging traffic. This was due to an increase of more than 40 million new users in the two weeks preceding the outage.
Signal witnessed an inordinate surge in popularity during January, at least in part the result of a migration of users from messaging rival WhatsApp after that company announced a change to their terms of service.
WhatsApp is the most widely-used encrypted messaging app in the world.
Facebook acquired WhatsApp in February 2014 for US$19 billion. At the time, it was the largest acquisition in history of a venture-backed company. This acquisition is still the subject of an anti-trust case, launched in the United States late last year.
In January, an in-app notification gave nearly all WhatsApp users until February 8 to accept new clauses added to the app’s terms of service and privacy policy. The notice was an ultimatum requiring users accept the new terms, or else lose access to their WhatsApp account.
Facebook’s “lapses” of privacy are legendary.
For example, last year the Office of the Australian Information Commissioner sued Facebook for significant and persistent infringements of the rule on privacy involving Cambridge Analytica.
Although WhatsApp was able to distance itself from Facebook’s unreliable privacy practices, that fringe benefit will soon be removed following the introduction of the proposed changes to their policy.
As a consequence WhatsApp users have voted with their virtual feet, migrating to Signal in droves.
Although Signal has long been considered the preferred choice for encrypted messaging, endorsed by the likes of US whistleblower Edward Snowden and multi-billionaire Elon Musk, it was not until the threat of reduced data privacy that many WhatsApp users reassessed their choice of messaging service, eventually leading to the outage experienced by Signal users.
What this event dramatically illustrates is that people still cherish their privacy and prefer explicit requests for consent as to how, when and by whom their data are used or shared.
If a service provider, such as WhatsApp, does not recognise and respect their users’ desire for privacy and data protection, they can expect no loyalty and possibly a devaluation of their stock.
While the result was a large migration of the WhatsApp user base to rival Signal and the consequent impact on that service, there is still no unified leadership regarding data protection and privacy from governments around the world.
This is probably because governments themselves are guilty of transgressions of privacy such as that exposed by Snowden in 2013.
Although the General Data Protection Regulation of the European Union offers some of that protection and will prevent WhatsApp’s policy changes impacting Europeans, citizens of the Five Eyes nations — Australia, Canada, Great Britain, New Zealand and the United States — are offered no such protections and can expect their account details, metadata associated with their chats, financial transactions (over WhatsApp Pay), log reports, device details and location (even if location sharing has not been consented to) to be collected and shared in accordance with the data policies used by Facebook.
Although their chats and calls are still end-to-end encrypted, Facebook will still be able to exploit all associated metadata to target its services and ads with.
There is one other issue associated with the use of all encrypted messaging apps which is rarely discussed. Most app developers usually try to minimise effort and to avoid re-inventing the wheel whenever possible.
If a library of code to perform some complex task is freely available, most app developers will use existing code when developing their apps, particularly if that code is already widely used and regarded as robust, such as that used for encryption.
In fact, tertiary cryptography courses explicitly recommend reusing the readily available encryption libraries.
Encryption libraries generally employ algorithms used for encryption that are administered by the National Institute of Standards and Technology (NIST) in the US.
In his revelations about mass surveillance, Snowden at one time indicated that the National Security Agency (NSA is a part of the US Department of Defense) had approached NIST to insert a flaw into these algorithms, the intention of which was to make it possible for the NSA to decrypt any message that had been encrypted using those algorithms.
This would suggest that even the use of an encrypted messaging app would not provide trustworthy privacy or data protection, notwithstanding that metadata is usually sufficient for simple surveillance purposes.
Although those who have migrated from WhatsApp to Signal can expect that their data will not be monetised by the likes of Facebook, they may still be operating on a false sense of security as to the privacy of their data, even as a citizen of the EU.