Earlier this year, Facebook decided to change their Privacy Terms and Conditions for using their messaging application WhatsApp. This has led to “mass migrations” (itself probably hyperbole) and media fueled hysteria. As with all of these issues, there is much miscontrued, but also a kernel of truth. Whilst I don’t believe there’s a need for fear, and certainly not hysteria, there are valid concerns. Let’s not throw the baby out with the bath water.
Do I Have Any Expertise In This Discussion?
First some context. Why do I even believe I have a voice in this discussion?
Firstly, I have actually read the new T’s & C’s. which actually are very readable. I encourage you to read them for yourself, rather than relying on a news outlet, or even me, suggesting best practice for you. This is a legal agreement between the Service Provider and Yourself. You wouldn’t rely on a news outlet to tell you how to behave with your mortgage, or your marriage, or your gym membership, neither should you about IT services. (Especially free ones).
Secondly, I have worked as an engineer, solution architect, consultant, and CTO within the Data Privacy, and Security industries for organisations including Nokia, Atos (formerly Origin), Compaq, Hewlett-Packard, Microsoft, HPE Enterprise Services (now DXC) for over three decades. As CTO for Innovation at HPE Enterprise Services I worked with large banks, fast food enterprises, and even our own organisation looking to use meta-data to understand and predict behaviour (more on that later.) All that means is I can interpret the T’s & C;s, and discuss the potential impact.
Thirdly, I did a thesis on using meta-data for personal targeting in my Ethics and IT course during my Masters degree, way back in 2003. That was before Facebook, iPhones, even the Cloud. But the ethics of analysing someone based on their behaviour, and selling that analysis, hasn’t changed. Again, all this means is I have some insight into how companies can use this data and have thought through the ethical implications.
Finally, whilst I now run a start-up gathering behavioural (training) data using Virtual Reality, so am intimately connected to our legal counsel about using that data, I don’t consider myself current anymore. However, I do have very close friends and colleagues whom do actively work in this space. These including founders of Data Security start-ups, as well senior security and privacy engineers for companies from Salesforce to Tesla. Our conclusions are the same. I.e. there is a valid concern, enough for us to do our best to migrate away from FB companies, or at least minimise our risk profile as much as we can.
But as I mention, please read this post as an input to your own decision making process. I’m not the expert by any stretch.
What Isn’t The Issue?
The content of your messages, whether text, images, videos, audio calls, video calls, is all encrypted. On your device, over the network (both Internet and Cellular), and at rest on the servers. What you communicate is private on WhatsApp. That is not in question.
Facebook simply can’t know what you say. And as Emma Sadleir mentions in this great video, they gather far more content through your Facebook posts, Messenger chats, Instagram photos anyway. So if you use those services, WhatsApp is the more secure platform to message on. In short, don’t bother migrating from WhatsApp if you actively post/communicate (to the same people) on other Facebook group platforms.
What’s So Important About Meta-Data Then?
When I was working for HPE I worked intimately with a company called Trustsphere Their products analyse the meta-data, initially they just used email headers, within an organisation, and can provide remarkable amounts of insight. Like, e.g. if someone is planning to resign within a number of weeks, or the likelihood of winning a competitive bid.
As with WhatsApp, this insight is derived not from the content of the messages, but the meta-data that includes:
- Who the messages are sent to and from
- The frequency of communication
- The directionality of communication (including replies, reply alls, forwards etc.)
- The location of sends/receipts
- And more….
Now WhatsApp keeps all of this meta-data and much, much more. Information like your profile photo, all your group interactions, your status, your GPS location, your phone IMEI, battery status etc. – and remember they can correlate this via time stamps and your contact number with your sentiment, your purchases, photos, face recognition of people you’re with…
So if a rudimentary analysis of the meta-data of simple email can infer so much about you. Imagine what you could do with the kind’ve intimate knowledge you can glean from all of that meta-data. Even if you weren’t using other Facebook properties. In fact even if you aren’t actively using WhatsApp, just being in someone’s contact list and having the app on your phone, gives very rich profiling information.
One of the (intended) benefits of this is to be able to target advertising at every person individually, lowering resistance. In fact done well, you wouldn’t even be aware that you are being targetted at all. This is far more insidious than a banner ad, using broad demographics served to millions of people.
Alas, this comes with more nefarious applications as well, like manipulating your behavioural and social interactions. Does Facebook do this? Oh noooooo. Will their customers? Cambridge Analytica is one recent example of note.
But so what? We’ve already mentioned that Facebook, Messenger, Instagram, all have this data and your content. And they “legitimately” use it to “improve their services.”
The problem is two-fold:
- The new T’s and C’s, no longer allow you to “opt out.” Whilst there are some settings you can change to lower risk, you can no longer say “nope, I’d rather you didn’t figure out I was pregnant before I knew” and more importantly,
- They make that data available to their business customers. So (the inferred analysis) of your communications behaviour, is on the open market to whoever wants to buy it.
Do we need to be scared? Hell no. But we don’t have to be scared to minimise our footprint and migrate to a service that doesn’t act this way.
Also, this is a trend of Facebook. They do sell PII, and inferred data. They also own Oculus, and Instagram, and are in danger of becoming the entryway, if not the only service many people will use on the Internet. Already they’ve shown, through misadventure, how this has affected elections and referendums. Stopping or at least mitigating this trend away from privacy is important.
Don’t All Social Media Services Do This?
But I hear you say, what about:
- Google, Gmail, Google Home
- Microsoft Windows, Hotmail and Outlook
- Amazon (with AWS, Alexa, Kindle, Audible)
Don’t they all do this? In short: No, they don’t. Whilst some do keep various bits of meta-data, they have ‘opt-out’ policies, and don’t make this data available to 3rd parties. With the exception of governments, whom require a legitimate warrant for that information. (In the West at least)
This really is a dick move by Facebook.
So I Really Should Migrate Then?
Entirely up to you. Chances are, if you’re anything like me:
- You have friends and family, who in turn have friends and family, and so on, that use WhatsApp. Getting your more IT savvy contacts to move is one thing, your 70-something parent or grandparent, not so much.
- Some of your closest groups only use WhatsApp (or FB platforms). So leaving is tantamount to ending the relationship
Which makes it really, really difficult to migrate fully. Which of course is exactly what Zuck is counting on.
Nevertheless, you can migrate as many chats as you can from WhatsApp. You don’t have to leave entirely to minimise the impact of your meta-data being used against you. Metcalfe’s Law states that the value of a network is proportional to the square of the number of nodes in the network. This works both ways. So if you had say 100 contacts on WhatsApp, the value of your meta-data is 10,000x, whereas if you had 20 contacts, it’s only 400x.
Don’t forget, all of your contact list data is freely available to WhatsApp as well, so like a wearing facemask, reducing that list protects your friends exponentially too.
Where To Migrate?
If you do want to start migrating friends and groups, there are really only three services that make the most sense right now:
- Apple iMessage – for those of your family and friends that only use an iPhone, or Apple devices, using iMessage makes a lot of sense. Many families are “all Apple”, so this is the quickest, easiest, and frankly most private platform choice to make. Alas, I have an Android phone so:
- Signal – Signal only keeps your contact number and they don’t share even this with anyone. This has been the secure messaging network of choice for Investigative Journalists, whistleblowers, and others looking to keep their communications private. It uses open source encryption methodologies, and is funded through donations and philanthropy.
- Telegram – Telegram is a privately owned (Pavel and Nikolai Durov, Russian bothers) LLC in the USA, and Ltd Partnership in the UK. It is not as puported Indian, Chinese, or Russian, and was founded in 2013 in Berlin. Benefits of Telegram include massive group sizes (200k) as well as multi-device usage. Because of the public facing, social media aspects, not to mention imminent monetization plans, Signal is arguably a better choice. But Telegram is still way better than WhatsApp.
Wrapping It Up
Based on my expertise, experience, and that of my colleagues, our consensus is:
There’s no need for fear, but that doesn’t negate being informed and understanding your exposure. It makes no sense to just sign up for something on the (false) premise that “everyone is surveilling us anyway” There is a reason in Western Democracies why the government has to get a warrent to gather your communication and location data.
Minimise your surveillance footprint. For me that means:
- I don’t use Messenger. If someone messages me there, I’ll shift them to Signal
- I rarely look at Facebook (weekly scan of my notifications at most) and never post directly on the platform
- I use multi-factor authentication wherever I can
- I’m suggesting gently to as many people as I can on WhatsApp to migrate. This reduces my contact area, as well as insidious targetting for my dollars (at the very least)
- If the consensus of a particular group is to stay on WhatsApp, then I’ll stay. I am informed, aware, and my relationships are more important to me than worrying about this right now.
Over to you…