“In short, we value your privacy…”

— WhatsApp’s FAQ, before the company sold to Facebook

Ever since news of the WhatsApp/Facebook deal broke, members of the tech press have been heaping crazy amounts of praise on founder Jan Koum for his anti-commercialism and his intense dedication to safeguarding user privacy — which they attribute to his experience growing up under constant Big Brother surveillance in Soviet Ukraine.

“WhatsApp co-founder’s Ukraine years are why app has strong focus on users’ privacy,” declared the Washington Post. “WhatsApp grew up in Silicon Valley, but its founder’s background in Eastern Europe gave it its DNA,” wrote Reuters.

Wired UK magazine, which just published a hagiographic account of WhatsApp’s sudden rise and triumph, got the privacy story directly from Koum:

I grew up in a society where everything you did was eavesdropped on, recorded, snitched on. I had friends when we were kids getting into trouble for telling anecdotes about Communist leaders. I remember hearing stories from my parents of dissidents like Andrei Sakharov, sentenced to exile because of his political views, like Solzhenitsyn, even local dissidents who got fed up with the constant bullshit. Nobody should have the right to eavesdrop, or you become a totalitarian state — the kind of state I escaped as a kid to come to this country where you have democracy and freedom of speech. Our goal is to protect it. We have encryption between our client and our server. We don’t save any messages on our servers, we don’t store your chat history. They’re all on your phone.

Koum’s spiel about his childhood experience inspiring him to create WhatsApp certainly makes for good PR. The story imbues his insanely overpriced mobile texting app with a moral force and historical significance — especially with images of Kiev burning and news of Ukraine on the brink of civil war.

But there’s a slight problem with Koum’s dramatic narrative: It’s just not true.

In fact, since Koum launched WhatsApp in the summer of 2009, the company’s privacy track record has been horrible: It’s been aggressively incompetent and careless with user data. It has also repeatedly failed to provide users with even the most rudimentary security measures. As a result, WhatsApp left its messaging data wide open for potential surveillance and interception by intel agencies, scammers and Internet lurkers with basic hacker skills.

How bad was the problem?

It wasn’t till three years after the company’s launch — the end of 2012 — that Koum even bothered securing WhatsApp messages with the most basic encryption. From WhatsApp’s launch in 2009 to the end of 2012, the app transmitted messages and sensitive data over the Internet in plain text, allowing anyone with a basic sniffing tool to intercept and read everything its users were sending.

The fact that WhatsApp sent messages in the clear was widely known. In fact, intercepting WhatsApp data was so damn easy someone created an Android app that did just that. It was called “WhatsAppSniffer” and allowed users to grab WhatsApp text messages — including video and picture attachments — sent by anyone connected to the same Wi-Fi network.

WhatsAppSniffer was more of a prank than anything else, but it demonstrated that WhatsApp’s shoddy security standards could be abused in all sorts of creepy and damaging ways: a lurker could spy on underage kids flirting and sending pictures through a Wi-Fi network in a cafe, an employer could monitor workers texting over a corporate network, scammers could siphon off personal information from someone texting personal financial information while connected to a public network… and of course, intelligence agencies could just vacuum up text, image and location data as it bounced around the Internet unencrypted.

This security problem was discovered and made public at least as early as 2011, but WhatsApp seemed in no rush to do anything about it. It took the company a full year to finally start encrypting its messages — and it very well might have taken WhatsApp much longer if Dutch and Canadian officials hadn’t launched an investigation into WhatsApp’s data and privacy practices.

WhatsApp’s security problems didn’t end there. Last year, security researchers discovered that the company was using a half-baked encryption method that can be easily cracked.

Forget true end-to-end encryption — the only real way to get privacy on the Internet: WhatsApp’s inept engineers couldn’t properly implement encryption at all.

PC World reported on the security flaw, which was discovered by a researcher from Utrecht University in October 2013:

The problem is that the same key is used to encrypt both outgoing and incoming streams between the client and the WhatsApp server, said Thijs Alkemade, a computer science and mathematics student at Utrecht University in the Netherlands and lead developer of the open-source Adium instant messaging client for Mac OS X.

Because of this, if two messages are encrypted with the same key and an attacker can intercept them, like on an open wireless network, he can analyze them to cancel out the key and eventually recover the original plaintext information.

Reusing the key in this manner is a basic crypto implementation error that the WhatsApp developers should have been aware of, Alkemade said Wednesday. It’s a mistake made by the Soviets in the 1950s and by Microsoft in its VPN software in 1995, he said.

The Soviets made the same mistake in the 1950s? Perhaps that’s what Koum meant when he said WhatsApp’s attitude to privacy was informed by his days in the Soviet Union.

WhatsApp dismissed Thijs Alkemade’s findings, telling PC World that this security flaw was “theoretical in nature” and would not occur in the real world. It’s not clear whether the company ever fixed the vulnerability.
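The key reuse Alkemade describes can be shown in a few lines. This is an added example, not code from the article or from WhatsApp: it uses a stand-in keystream (SHA-256 in counter mode, an assumption, since the article does not name the cipher), first with one key for both directions and then with per-direction keys derived by HMAC. The session key, labels and messages are constructed.

```python
import hashlib
import hmac


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode (not WhatsApp's cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Every stream starts at keystream offset 0, as each direction does.
    return xor(plaintext, keystream(key, len(plaintext)))


def direction_key(session_key: bytes, label: bytes) -> bytes:
    """Mitigation: an independent key per direction, derived from the session key."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


# Constructed sample data, not captured traffic.
SESSION_KEY = b"constructed-session-key"
OUTGOING = b"hello from the client, meet at 6"
INCOMING = b"server ack: message 0001 stored."


def shared_key_xor() -> bytes:
    """Flawed design: one key both ways, so the keystream cancels out."""
    return xor(encrypt(SESSION_KEY, OUTGOING), encrypt(SESSION_KEY, INCOMING))


def separate_key_xor() -> bytes:
    """Hardened design: different keystreams, so nothing cancels."""
    c_out = encrypt(direction_key(SESSION_KEY, b"client->server"), OUTGOING)
    c_in = encrypt(direction_key(SESSION_KEY, b"server->client"), INCOMING)
    return xor(c_out, c_in)


def reveal_other_side(cipher_xor: bytes, known_plaintext: bytes) -> bytes:
    # With a shared key, predictable text in one direction exposes the other.
    return xor(cipher_xor, known_plaintext)
```

With the shared key, the XOR of the two ciphertexts equals the XOR of the two plaintexts, with no key material left in it. With per-direction keys the same operation yields only noise.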

And WhatsApp’s encryption and privacy problems just kept on coming.

In early 2013, Canada’s Privacy Commissioner and the Dutch Data Protection Authority released the results of their joint investigation into WhatsApp’s data handling. They ruled that the company violated several Canadian and Dutch privacy laws.

One of the violations had to do with WhatsApp’s practice of forcing users to upload their phone’s entire contact list in order to discover other WhatsApp users.

Among other things, the investigation found that WhatsApp permanently stores phone numbers of non-users and then fails to properly protect or anonymize the information. Canadian and Dutch privacy investigators tested the company’s internal encryption and found it to be generally useless. It was so weak that it could be cracked in under three minutes using a “standard, low-power desktop computer.”

That’s right, an off-the-shelf PC can crack WhatsApp’s encryption in a matter of minutes. As Edward Snowden’s leaks have taught us, there’s no way to make any web service completely safe from government eavesdropping. What’s remarkable is how little effort WhatsApp appears to have made to protect its users, even from a bored teenage hacker in a coffee shop.

And yet, thanks to some careful phrasing, Koum was able to confidently boast to Wired magazine that WhatsApp is safe from NSA surveillance:

There really is no key to give … People need to differentiate us from companies like Yahoo! and Facebook that collect your data and have it sitting on their servers. We want to know as little about our users as possible. We don’t know your name, your gender … We designed our system to be as anonymous as possible. We’re not advertisement-driven so we don’t need personal databases.

Interestingly, for all that talk about anonymity and privacy, WhatsApp’s terms of service spend a lot of words talking about how the company may collect and analyze users’ “personally identifiable information”…

We may use both your Personally Identifiable Information and certain non-personally-identifiable information (such as anonymous user usage data, cookies, IP addresses, browser type, clickstream data, etc.) to improve the quality and design of the WhatsApp Site and WhatsApp Service and to create new features, promotions, functionality, and services by storing, tracking, and analyzing user preferences and trends. Hopefully we improve the WhatsApp Site and Service and don’t make it suck worse. We may use cookies and log file information to: (a) remember information so that you will not have to re-enter it during your visit or the next time you use the WhatsApp Service or WhatsApp Site; (b) provide custom, personalized content and information; (c) monitor individual and aggregate metrics such as total number of visitors, pages viewed, etc.; and (d) track your entries, submissions, views and such.

And yet, thanks to this week’s big news, all of that is in the past. WhatsApp might have played fast and loose with the security of its hundreds of millions of users up to now, but that’s about to change. After all, if there’s one company WhatsApp users can trust to safeguard their privacy, surely that company is… uh… Facebook.