What You (and Your Boss) Need to Know About the Facebook + WhatsApp Merge

Things have changed. There was a time in the not-so-distant past when companies and organizations felt confident and secure in communicating via email. As technology developed, many of those entities supplemented their communications by adding text messaging to send quick updates or transmit time-sensitive information.

These days, most enterprises know that email comms lack security. And even text messages are subject to phishing attacks. To keep private information private and to remain in compliance and avoid regulatory fines, savvy leaders are looking for more secure solutions.

…and some of them have settled on WhatsApp.

WhatsApp likes to boast that it’s a simple and secure messaging platform. But what exactly does that mean for businesses and government organizations looking to use it for internal communications? Should WhatsApp be trusted with proprietary information, patient data, or launch codes just because they say they’re secure?

Real communications security deserves a bit more vetting.

So let’s vet. Should enterprise and government organizations trust their comms to WhatsApp?

The Facebook Connection

As you probably know, Facebook users were left feeling betrayed again last month after KrebsOnSecurity exposed a data breach that affected hundreds of millions of accounts.

Hundreds of millions.

And they were probably feeling completely taken advantage of when news broke last week that 540 million records with information about Facebook users were found on publicly exposed AWS servers.

But, when it comes to privacy and security, we probably shouldn’t expect much from Facebook. Since its inception, Facebook has been involved in more data breaches and security scandals than you can keep up with. Here’s a very abbreviated list:

In 2007, Facebook allowed companies to track its users’ purchases and then notify their “friends” about what they bought without the users’ consent. The program, called Beacon, resulted in a class action lawsuit and Facebook ended up paying out $9.5 million.

In 2011, Facebook reached a deal with the Federal Trade Commission (FTC) after regulators said the company allowed private information to be made public without warning. As a result, Facebook was forced to make changes to its policies and is subject to privacy audits every two years through at least 2020.

In 2013, a bug exposed 6 million Facebook user email addresses and phone numbers to anyone with a connection to the users or to anyone who knew one piece of their contact information.

In 2014, Facebook data scientists published a study with the results of a mood-manipulation experiment in which they altered users’ news feeds to show either positive posts or more negative posts in an effort to examine how emotions spread on social media. Users didn’t give consent to the experiment or the study.

In 2018, a Facebook bug allowed attackers to take over nearly 50 million user accounts. The hackers could see everything in the users’ profiles and may have compromised third party accounts the users accessed through Facebook.

And that’s only a glimpse of Facebook’s security woes.

But what does that have to do with WhatsApp?

Facebook acquired WhatsApp in early 2014. And as you can imagine, many security minded users who had grown to trust WhatsApp’s encrypted messaging platform felt a bit apprehensive.

Can you blame them?

However, at that time, WhatsApp co-founder – Jan Koum – assured users that everything would be ok. In a blog post announcing the purchase, he told users, “Here’s what will change for you, our users: nothing. WhatsApp will remain autonomous and operate independently.”

Ok, great! Except… that’s not actually happening.

Earlier this year, Facebook confirmed plans to merge its three messaging platforms: Facebook Messenger, WhatsApp, and Instagram messaging. They say they want to integrate the messaging platforms to give users a better experience and allow them to more easily and securely communicate across platforms.

So much for WhatsApp remaining autonomous and operating independently.

But where is this all coming from? Is the goal really to help users communicate easily and securely across all three platforms?

Only Facebook knows the real truth, but it does warrant some consideration from users on its platforms – especially WhatsApp. It also warrants reevaluating business related use cases for the tool – unless Instagram messaging and Facebook Messenger are part of your vision for enterprise comms…

WhatsApp Before Facebook

WhatsApp hit the scene in 2009 largely as a text message alternative. People liked WhatsApp because it freed them of any text messaging constraints imposed by their cell phone service provider.

Over the next five years, WhatsApp expanded its service offerings and evolved its encryption until it reached about 450 million monthly active users.

That rapid growth in users coupled with WhatsApp’s yearly subscription-based model earned it a $1.5 billion valuation in its final financing round before purchase.

And $1.5 billion sounds like a lot – until you realize that Facebook bought WhatsApp shortly afterward for $22 billion.

Facebook Acquisition

A lot of people thought Facebook was crazy to buy WhatsApp for $22 billion. After all, the app was only charging people a dollar per year to use the service – and that limited subscription model didn’t add up to $22 billion in revenue with “only” 450 million users.

But, since the acquisition, WhatsApp’s user base has surged to about 1.5 billion – and that provides a stronger baseline for the purchase price.

The average consumer might think that Facebook would continue with the WhatsApp revenue model and make money off the app a dollar at a time.

…and the average consumer would be wrong.

In early 2016, WhatsApp dropped its subscription model. Of course, users and other interested parties wondered how WhatsApp would sustain itself without the payments. Would they start running ads? Sell users’ information?

But WhatsApp insisted that the move was geared toward making the platform more accessible to more people, and they would not replace the subscription with third-party ads.

So where would the money come from?

For years, it came from nowhere. Facebook couldn’t figure out how to quickly monetize WhatsApp to make good on their investment, and it’s no secret that Facebook leadership “grew impatient for a greater return.”

Generally, Facebook makes a lot of money – more than $40 billion in 2017. And they did that, largely, with targeted ads through data collection. Basically, Facebook collects personal information about you – your name, age, gender, shopping habits, conversation details – and it uses that data to inundate you with “relevant” ads. They use your personal information to try and influence your spending habits… and that might be the least sinister thing they do with your private information.

So it’s easy to imagine that Facebook was having a difficult time figuring out how to monetize WhatsApp. Remember, WhatsApp’s end-to-end encryption doesn’t allow Facebook to gather and exploit data from users – supposedly.

So, how do you make money on a service without a subscription model and honor its motto: no ads, no games, no gimmicks? Is it even possible?

Follow the Money

In order to make good on its investment, Facebook has invested heavily in alternative methods of monetizing WhatsApp. One of those methods is to make the platform more business-friendly and charge businesses per message in order to communicate directly with customers. And while this new “business-friendly” platform might be helpful for businesses talking to their customers, it doesn’t address secure internal business communication needs.

For now, Facebook outlines that those B2C messages will be non-promotional and serve to give business and customers an easier way to interface.

But wary watchers have doubts that WhatsApp will actually stay free of ads or other promotional material. Some of them point to Facebook’s move to include business ads on Facebook newsfeeds that link directly to a WhatsApp chat.

Is Facebook doing this to ease its way into more pervasive WhatsApp ads? Get users more familiar and more comfortable with ads and WhatsApp going together?

Probably. The door for WhatsApp ads is officially open. And that’s good if you’re a marketer or advertiser, but it’s not so good for organizations trying to conduct internal business.

However, ads in WhatsApp alone probably won’t cut it for Facebook. $22 billion is a lot of money… a massive investment. And you’d be smart to think that Facebook is going to find multiple ways to earn money on their investment.

… which brings us to the Facebook, Instagram, and WhatsApp messaging merger.

The Merger

Facebook is still in the early stages of merging the backends of its three messaging platforms. Simultaneously, it’s working to gently push ads into the realm of WhatsApp. So, you can reasonably deduce that Facebook is also looking at the longer term strategy of integrating all three platforms to enable easier ad flow and ad spend from one platform to the next.

Beyond the annoyance of ads interrupting your messaging experience, or advertisers having access to your personal information, organizations using WhatsApp should be concerned with the bigger leak potential that comes with this merger.

That’s not to say that WhatsApp is immune to security concerns – even without the messenger merger. Just this January, a group of researchers uncovered major gaps in WhatsApp’s security that they said could allow unauthorized people to creep into group chats.

And that’s not WhatsApp’s only security concern…

  • WhatsApp backs up to cloud services like iCloud and Google Drive automatically. So, even if the messages are encrypted during transmission, they are stored in the cloud in plain text and become easier targets for thieves looking to steal secrets and proprietary information.
  • WhatsApp has some suspected bugs with its authentication process. As WhatsApp authenticates users through phone numbers, some people have noted receiving messages that weren’t intended for them when they got a new phone number. Those messages were likely meant for the person who had the phone number previously – and messages sent to the wrong user will render any encryption scheme useless.

When you add those kinds of gaps to Facebook’s whole mess of a security situation and combine that with the integration of two insecure messaging platforms, you get what is all but certain to be a data privacy nightmare.

I think the formula is something like:

(WhatsApp Mess + Facebook Disaster) x (No Security Instagram + Low Security Messenger) = Data Privacy Debacle

Encryption Mismatch

Here’s the problem: Facebook Messenger only offers encryption as an option, and Instagram messaging doesn’t use end-to-end encryption at all. Basically, they’re both insecure mediums for communication.

But WhatsApp does use end-to-end encryption (however problematic) – by default.

Mark Zuckerberg did mandate that the new messaging conglomerate will incorporate end-to-end encryption, but what does “incorporate” mean? And how do they plan to make that work?

Let’s imagine a department director is using WhatsApp and his team leader is using Instagram messaging. Does the message lose encryption when it leaves the WhatsApp platform and moves into Instagram land? What about when messages come the other way? Will the communication lines be partially encrypted? Is that even technically possible?

Cryptographers and security experts are raising similar concerns. For end-to-end encryption to be legit, messages and other data can only be decrypted on the actual user device. While the information is in transit and stored on Facebook’s servers, it must be completely unintelligible. There can be no point where Facebook is capable of decrypting the data.

And, users have to kind of “get it” – especially if they have the option to turn the function on and off. Leaving that kind of door open to user error could render any encryption protocols pointless – which is the exact reason security experts have suggested users avoid the immensely popular “encrypted” messaging app, Telegram.

With the mismatch in current encryption protocols and use cases amongst the messaging platforms, how will Facebook be able to ensure information remains encrypted while in transit?

What happens if the team leader accidentally (or intentionally) turns off privacy mode during the chat? Not all organization users will be technical, and there will be mistakes if the protocols are confusing. Worse yet, malicious insiders could intentionally disrupt the encryption sequence if given the opportunity.
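To make the property described above concrete, here is an added example, written for this page and not code from the article, from WhatsApp or from Facebook. In Go, two devices derive a shared key with X25519 and seal messages with AES-GCM; a relay in the middle sees only the envelope and, holding a different private key, fails to decrypt. A per-message `Encrypted` toggle models the failure mode the article worries about: once a sender (or an insider) leaves it off, the same relay reads everything. The names `Device`, `Seal`, `Open` and `RelayView` are mine, the sample message is constructed, and hashing the shared secret with SHA-256 stands in for a real key derivation function; none of this is WhatsApp’s actual protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Device is one endpoint (a phone) holding its own X25519 private key.
// The private key never leaves the device; only the public half is shared.
type Device struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewDevice generates a fresh X25519 key pair for a named device.
func NewDevice(name string) (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, priv: priv}, nil
}

// Public returns the key a peer needs in order to message this device.
func (d *Device) Public() *ecdh.PublicKey { return d.priv.PublicKey() }

// aead builds the AES-GCM cipher shared with one peer. Hashing the raw
// shared secret is an assumption made for this demo; a real protocol would
// run a proper KDF (for example HKDF with context labels).
func (d *Device) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := d.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope is everything a relay server ever sees.
type Envelope struct {
	Encrypted bool   // the per-message toggle the article worries about
	Nonce     []byte // empty when Encrypted is false
	Body      []byte // AES-GCM ciphertext, or raw plaintext if the toggle is off
}

// Seal prepares a message for peer. With encrypt=false it mimics a platform
// where end-to-end encryption is optional and the sender left it off.
func (d *Device) Seal(peer *ecdh.PublicKey, msg string, encrypt bool) (Envelope, error) {
	if !encrypt {
		return Envelope{Encrypted: false, Body: []byte(msg)}, nil
	}
	gcm, err := d.aead(peer)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Encrypted: true, Nonce: nonce, Body: gcm.Seal(nil, nonce, []byte(msg), nil)}, nil
}

// Open recovers the plaintext on the receiving device. Any party holding a
// different private key (the relay included) fails GCM authentication.
func (d *Device) Open(peer *ecdh.PublicKey, env Envelope) (string, error) {
	if !env.Encrypted {
		return string(env.Body), nil
	}
	gcm, err := d.aead(peer)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Body, nil)
	if err != nil {
		return "", fmt.Errorf("%s is not an endpoint of this conversation: %w", d.Name, err)
	}
	return string(pt), nil
}

// RelayView is what a server in the middle can read from an envelope; the
// bool reports whether the content was intelligible to it.
func RelayView(env Envelope) (string, bool) {
	if env.Encrypted {
		return "", false
	}
	return string(env.Body), true
}

func main() {
	director, _ := NewDevice("director")
	teamLead, _ := NewDevice("team lead")
	relay, _ := NewDevice("relay")

	// Constructed sample message, not a real communication.
	const memo = "Q3 numbers attached, keep internal"
	env, _ := director.Seal(teamLead.Public(), memo, true)
	got, _ := teamLead.Open(director.Public(), env)
	_, relayReads := RelayView(env)
	_, relayErr := relay.Open(director.Public(), env)
	fmt.Printf("recipient reads %q; relay can read: %v; relay decrypt failed: %v\n", got, relayReads, relayErr != nil)

	// Toggle left off: the same relay now reads the whole message.
	plain, _ := director.Seal(teamLead.Public(), memo, false)
	view, relayReads := RelayView(plain)
	fmt.Printf("toggle off: relay can read: %v -> %q\n", relayReads, view)
}
```

The point to take from the two runs is that the relay’s position never changes; only the sender’s toggle does. That is why the article’s worry about optional, user-controlled encryption matters more than the strength of the cipher: the protection is only as reliable as the least careful participant’s setting on each message.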

One possible solution is to move all three messaging services to end-to-end encryption, right?

But remember – with true end-to-end encryption, Facebook loses the ability to collect information from users. This, in turn, weakens their ability to make money off users.

Keep in mind, though – if your organization is using WhatsApp, Facebook might not be reading your messages, but they probably have access to your phone numbers and your contacts’ phone numbers – and they know what device and operating system you’re using. This change in terms is a result of concessions WhatsApp made after joining Facebook – and that’s even without a messaging merger.

Facebook collecting information on users is just what Facebook does.

And that brings up another concern with this impending merger: user access profiles.

Profile Problems

Security advocates are also concerned about the potential need to centralize user identities across the apps. Currently, the three messaging services require different information from users in order to create a profile and gain access to the platform.

You can sign up for Instagram and WhatsApp with just a phone number, but you have to give up a lot more information for a Facebook account.

So what happens to the profiles when the platforms merge? Will everyone in your organization then be forced to go back and input all of Facebook’s required information even if they don’t have Facebook accounts? And what if you have an account on each of the platforms, but used different information to sign on for each one? Will you have to create one standard profile?

Let’s say it boils down to a standard profile. How much of your personal information will that profile require you to give up?

I’d bet it’s at least enough to target ads to you and your team.

So what could a messaging-merged world look like? Let’s see…

Implications for Users

Individuals sending messages in the merged environment could be in store for a big change. Facebook will likely have to rebuild the backend of each messaging platform and configure identical end-to-end encryption schemes throughout the group. The end result could be a platform that doesn’t work exactly like the app people are used to using.

With that rebuild, users can also expect that there will be some branding “upgrades” to ensure the app group is recognized as being part of the same family.

And they will probably make room for ads.

Think of your Facebook newsfeed…

Sharon got a new job – that’s great. I see my cousin got married… wow, she didn’t even invite me. Oh, Lowe’s is having an end of season sale – 15% off.

How does that look in a message stream?

I bet it looks even more personalized considering WhatsApp’s new business “solutions” messaging and Facebook’s apparent desire to collect user data for analytics tools.

Maybe something like – Mark, you have $7,425 available on your Best Buy card. Come take advantage of our holiday sale! TVs like the one you want are only $985!

And what about businesses, nonprofits, and government entities that use WhatsApp because they think they’re meeting security compliance standards?

You might be paying per message and are likely going to see an onslaught of ads and messaging enticing you to buy ads and send messaging through the shared platform.

Additionally, your internal communications will likely become a lot more convoluted by ads and a lot less secure. But WhatsApp was never really intended for internal enterprise communications – and Facebook isn’t concerned with solving compliance issues and safeguarding proprietary information.

But these are really best case scenarios when you think about how Facebook handles user data. In the worst case, Facebook enables a leak or data breach that causes more than a billion users’ information to fall into the wrong hands.

A breach like that could be detrimental to a business or government operation.

What if Facebook takes shortcuts on encryption and keeps records of your organization’s messages – in turn allowing someone else access to those messages?

They already have a history of seemingly unreasonable data collection practices. Did you know Facebook might have records of your text messages? Your phone calls?

And their reasoning? …they need your data to improve “user experience.” Oh, and Facebook claims users knowingly give consent to the data harvesting.

The real problem is that Facebook has not proven a reliable guard of user information. Time and time again, they’ve demonstrated that they want to make money off of you and your information, but don’t really care what happens to it outside of their payday.

And that’s the exact opposite of “no ads, no games, no gimmicks” – which might be why the co-founders of WhatsApp recently left Facebook.

Your Privacy, Sold Out

Both co-founders of WhatsApp, Brian Acton and Jan Koum, quit the company recently. Considering they built it from the ground up and Acton lost $850 million in his departure, you can imagine that the fallout was about something serious.

Inside sources say that Koum left because he disagreed with Facebook’s desire to profit from user personal data and weaken WhatsApp’s encryption.

Fortunately, we don’t need an inside source to know why Acton left. He made his reasoning clear in a 2018 Forbes interview. In it, he attributed his departure to Facebook’s insistence on monetizing WhatsApp through targeted ads and selling business analytics tools for advertising purposes. He also said Facebook was interested in trying to find ways to collect data analytics in an encrypted environment.

In other words, they want to be able to say the platforms are encrypted, but still want access to your information.

Acton wasn’t having it and left. The best way to sum up how the WhatsApp co-founder feels about the state of WhatsApp under Facebook’s new initiatives, like the messaging merger, is with his own words:

“At the end of the day, I sold my company. I sold my users’ privacy to a larger benefit. I made a choice and a compromise. And I live with that every day.”

Yikes.

Conclusion

So, should enterprise and government organizations trust WhatsApp for their internal communications?

If you care about data privacy, meeting security and compliance standards, and maintaining lines of communication that aren’t corrupted by ads, WhatsApp probably isn’t the platform for your organization.

Unfortunately, what started out as a disruptive technology and a noble attempt to bring end-to-end encryption to the masses has turned into the latest revenue stream for Facebook’s conglomerate.

Cecilia Clark

First introduced to information security while serving as a Signal Officer in the US Army. During my time in the military, I managed information security from all sides of the discipline - as a user, service provider, and culture change agent.
