Hey, it’s Sam back again this week with our fourth edition of Top10VPN’s Week in Review.
It’s cold and grey here in London and the news seems to be getting more depressing by the day. So this week, we’re going to focus on some good news from the world of internet privacy.
If there’s a news story or research you think we should include in next week’s newsletter, please get in touch at research@top10vpn.com.
Facebook Messenger is finally rolling out default end-to-end encryption (E2EE) for all two-party chats in what constitutes the biggest improvement to the app since its inception. The app, which has 1.3 billion users, has had an opt-in encryption feature since 2016.
There’s an almost endless list of reasons to be skeptical of relying on a company like Meta to protect our digital privacy but given its huge user base, any progress on this front should be encouraged and scrutinized accordingly.
In a blog post detailing the new feature, Facebook said the project involved “fundamentally rebuilding many aspects of the application protocols to improve privacy, security, and safety.” You can read more about the Labyrinth protocol in this white paper published by Facebook.
Other features include: disappearing messages, improved image quality and read receipt control. You can also now listen back to those long, awkward voice messages at 1.5x or 2x speed.
Many people and governments are going to criticize Messenger’s implementation of E2EE, citing child safety, online harassment and other legitimate concerns. A perfect example comes from British MP, Sajid Javid, who wrote on Twitter: “By implementing end-to-end encryption, @Meta risks turning a blind eye to child sexual abuse.”
The introduction of E2EE will bring an end to governments’ ability to request access to users’ conversations from the platform. While it’s understandable this is a cause for concern for many, the development should be seen as a huge win for our collective right to privacy.
A little thought experiment from Alec Muffett provides a useful way of thinking about it:
you’re out with a friend, go to a pub, and as you sit down or prop up the bar the publican places a discreet microphone just in case you say something which might constitute child abuse.
If you walk into a park – heck, if you walk together into a farmer’s field – there’s a person with a clipboard there to check how old you are, to log your identity, and (again) to fit you with microphones in order to record what you say (“…it’s all analysed by an AI, dear, nobody is spying on you…”) just in case you are a child abuser.
This totalitarian vision demonstrates precisely why E2EE is important and highlights how permanent monitoring despite a lack of evidence erodes our most basic rights.
One refrain I expect we’re going to hear a lot is: “if you’ve got nothing to hide, it shouldn’t matter if someone can see what you’re doing online.” If you’re looking for an easy, accessible way to respond, I highly recommend this blog post from Amnesty International from back in 2015.
The introduction of E2EE isn’t going to happen overnight. Facebook says it will take a number of months for everyone to get the upgraded capabilities, and there are also plans to introduce E2EE on Instagram chats in the future.
In another positive step, Meta’s WhatsApp has launched a new "Secret Code" feature, allowing users to protect sensitive conversations with a custom password. The security enhancement builds on the previously introduced "Chat Lock" feature, providing an additional layer of privacy by enabling users to hide their locked chats and access them only by typing a secret code in the search bar.
Despite these positive developments, there’s still a lot to be done to protect our privacy online and, as many of the stories below demonstrate, messaging apps are just one avenue in which our right to privacy is put at risk.
What We’ve Been Reading
WIRED: Why It Took Meta 7 Years to Turn on End-to-End Encryption for All Chats
This deep-dive into Meta’s decision to bring E2EE to Messenger traces the technical and political challenges the company faced and the huge amount of work required to adapt its platforms. It shows how this complex process was driven by a commitment to balancing user privacy with the technical intricacies of securing vast amounts of communication data.
Washington Post: Federal government is using data from push notifications to track contacts
U.S. government investigators have been using push notification data from smartphones to track individuals, Senator Ron Wyden revealed in a letter to the Justice Department. This technique, which utilizes data generated when users receive alerts from messaging or email apps, was employed to gather information about suspects in various cases, including the January 6 Capitol riots, and the tech companies involved were previously prohibited from discussing these requests publicly.
The Markup: He Wanted Privacy. His College Gave Him None
This article traces the extensive data tracking and surveillance common in many US schools and colleges. It tracks Eric Natividad as he experiences various technologies — including learning management systems, automated license plate readers and online proctoring tools — that collect a vast amount of data on students' activities and movements, raising significant concerns about privacy and the impact of surveillance on student life.
WIRED: Inside America’s School Internet Censorship Machine
A WIRED investigation into U.S. schools' internet censorship practices reveals widespread use of filters that often block students' access to crucial information about health, identity, and other topics. This investigation, particularly focusing on Albuquerque Public Schools, found that even searches for vital resources like suicide prevention hotlines were blocked, reflecting a broader issue of automated web filters censoring important educational and personal development content in schools.
Reset Australia: Australians for Sale: Targeted Advertising, Data Brokering and Consumer Manipulation
This report examines the exploitation of consumers through targeted advertising and data brokering. It highlights how personal data, encompassing details from online behavior to financial activities, is used to identify vulnerabilities and manipulate consumer choices.
TechCrunch: 23andMe Confirms Hackers Stole Ancestry Data on 6.9 Million Users
23andMe, a genetic testing company, announced that hackers accessed personal data of about 14,000 customers and extensive profile information of 6.9 million users. The breach, initially disclosed in early October, involved data including names, birth years, DNA shared with relatives, ancestry reports, and self-reported locations, significantly impacting roughly half of the company’s 14 million customers.
Top10VPN.com in the News
This week our Head of Research, Simon Migliano, spoke to the BBC about plans to introduce new age-checks on adult content in the UK as a result of the Online Safety Bill. Although the plans are in their infancy, we know what happens when invasive age-checks have been introduced elsewhere around the world. Often, people who are uncomfortable sharing PII to access adult platforms turn to VPN apps to bypass the restrictions. Not only are these plans unlikely to work because of circumvention tech, they fail to address the root issues while posing a huge risk to some of our most sensitive data.
Tools of the Week
Internet Society: InterNOT
Explore the impact of internet fragmentation with this interactive game developed by Internet Society. It highlights how simple tasks like booking flights are influenced by the way the internet is regulated around the world. For more info, read their guide on the core features and players of internet fragmentation.
SplinterCon: Knowledge Base
If, like me, you’re sadly not in Montreal this week for SplinterCon, it’s well worth checking out their resource library. It contains vital information on internet shutdowns, internet fragmentation, and guides on how to stay connected during internet restrictions.
OONI: Censorship Findings Platform
Search through OONI’s reports on internet censorship with this new platform released by the organization this week. It has details on internet shutdowns from Guinea to Turkey, all published in the past week.