6

I have not been able to find this answer, because most of the talk is about the content of communications, but my question is:

Can a government intelligence agency somehow see who I am communicating with over WhatsApp? So generally, I know if I message Bob, they cannot see what I sent, but can they somehow see that I have messaged Bob?

I am asking a 'general' question regarding the published security protocols of WhatsApp, whether it is known or unknown to protect that specific information. I do realize that the intelligence potential of the US government, for instance, is, but in terms of a 'general' type of surveillance, is this probable?

From a technical perspective, it sounds like the metadata is only available by warrant, so if a government (other than the US or UK) could not produce a legitimate warrant, then would it be safe to say that that information would not be accessible to that government? Most of the conversation around this assumes the PRISM program or a legitimate warrant, but if those are missing, is that data still somehow accessible?

lawdawg
  • 1
    See also [Can governments intercept end-to-end encrypted Whatsapp communication through lawful interception?](https://security.stackexchange.com/questions/121968/can-governments-intercept-end-to-end-encrypted-whatsapp-communication-through-la/122025#122025) – Sjoerd Apr 02 '17 at 15:38
  • 2
    They can tell who, when, and where, but not what. – dandavis Apr 02 '17 at 18:46
  • Possible duplicate of [Can governments intercept end-to-end encrypted Whatsapp communication through lawful interception?](https://security.stackexchange.com/questions/121968/can-governments-intercept-end-to-end-encrypted-whatsapp-communication-through-la) – Serge Ballesta Apr 02 '17 at 21:19

3 Answers

5

Yes, says Forbes:

> Hence one order (published below) sent to WhatsApp in May 2016, a month after the full rollout of end-to-end encryption was complete. [...] The date, time and duration of comms would be recorded, as would the numbers involved.

However, this article on Softpedia indicates that historical metadata is encrypted:

> As it stands right now, if the FBI would want access to any encrypted WhatsApp data or metadata, Facebook looks poised to put up a fight, just like Apple.

WhatsApp necessarily has the metadata of who communicates with whom, and being a US company they have no choice but to cooperate with warrants that order them to turn over the data.

Note also that metadata is enough to get a conviction. From BBC:

> Sterling was convicted for the most part entirely on phone and email records with no content attached.

Sjoerd
  • Thanks @sjoerd, from a technical perspective, it sounds like the metadata is only available by warrant, so if a government (other than the US or UK) could not produce a legitimate warrant, then would it be safe to say that that information would not be accessible to that government? Most of the conversation around this assumes the PRISM program or a legitimate warrant, but if those are missing, is that data still somehow accessible? – lawdawg Apr 02 '17 at 20:17
  • The TLAs would be getting the metadata in real time, and would only need to worry about the legalities if they are building evidence for an actual trial. WhatsApp couldn't secure users' metadata by encrypting it later (really they should be able to just delete it later), but it would need to build some plausible deniability into it, for example have encrypted fake messages that are sent to a list of random users that are ignored when received. – daniel Apr 03 '17 at 07:15
3

The conservative answer to this question has to be yes. The key is to understand that even if WhatsApp's encryption and message authentication are sound, and they protect not just the message content but also the application-level metadata, that doesn't protect against all possible forms of traffic analysis.

An agency that eavesdrops on the WhatsApp servers' network traffic can see the IP addresses of incoming and outgoing packets. Encryption protects the packets' payloads' contents, but not their sizes or times. If the agency can connect Alice and Bob to specific IP addresses, and they suspect that they are using WhatsApp to communicate, it could try to test that hypothesis by correlating the times and sizes of the packets that their IP addresses send to WhatsApp servers with those of the packets from the WhatsApp servers to the other party. I'm not the only one to have reached this conclusion:

For every messaging app built on mobile operating systems the supporting infrastructure is able to see the message traffic flows. This metadata is sufficient to conduct traffic analysis and build social network graphs. Strong encryption, and Signal has the best encryption available, only provides confidentiality. Mobile messenger apps provide no anonymity. Worse, the apps’ accounts and associated devices are frequently very strongly connected to a real personal identity through phone numbers.

Even using the most secure privacy conscious mobile messaging app — Signal — there’s still plenty of data for SIGINT.

We can't rule out that techniques for doing this might scale up to support "big data" analysis of traffic, so that the agency might not even need to deliberately target Alice and Bob to discover that they are talking through WhatsApp, but rather discover it from routine analysis of untargeted data collection products.

Luis Casillas
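
The timing-and-size correlation described in the answer above, together with the fake-message (cover traffic) idea from daniel's comment on the first answer, as an added example that is not part of any post on this page. The flow records, the 16-byte relay overhead and the function names are constructed assumptions, not WhatsApp's actual behaviour.

```python
# Constructed flow records, as a passive observer of server traffic would log
# them: (seconds since start, encrypted size in bytes). No content is visible.
ALICE_UP = [(1.00, 212), (4.30, 1480), (9.75, 96), (15.20, 640)]
BOB_DOWN = [(1.12, 228), (4.41, 1496), (9.88, 112), (15.33, 656)]    # relayed copies
CAROL_DOWN = [(2.50, 340), (7.10, 96), (12.00, 1210), (18.40, 212)]  # unrelated chat

RELAY_OVERHEAD = 16  # assumed fixed re-framing overhead added by the server


def match_score(uplink, downlink, max_delay=0.5, size_tol=8):
    """Fraction of uplink packets with a plausible relayed copy downstream.

    size_tol=None compares timing only (sizes carry no signal once padded).
    """
    unused = list(downlink)
    hits = 0
    for t_up, size_up in uplink:
        for cand in unused:
            t_down, size_down = cand
            in_window = 0 <= t_down - t_up <= max_delay
            size_ok = (size_tol is None
                       or abs(size_down - size_up - RELAY_OVERHEAD) <= size_tol)
            if in_window and size_ok:
                hits += 1
                unused.remove(cand)  # a downstream packet can match only once
                break
    return hits / len(uplink)


def constant_rate(flow, horizon=20.0, tick=5.0, bucket=2048):
    """Cover-traffic sketch: one padded packet per tick, a dummy if none queued."""
    queue = sorted(t for t, _ in flow)
    wire, t = [], tick
    while t <= horizon:
        if queue and queue[0] <= t:
            queue.pop(0)          # a real message rides in this slot
        wire.append((t, bucket))  # real and dummy slots look alike on the wire
        t += tick
    return wire


if __name__ == "__main__":
    print("raw:    ", match_score(ALICE_UP, BOB_DOWN), match_score(ALICE_UP, CAROL_DOWN))
    bob, carol = constant_rate(BOB_DOWN), constant_rate(CAROL_DOWN)
    print("covered:", match_score(ALICE_UP, bob, 5.0, None),
          match_score(ALICE_UP, carol, 5.0, None))
```

With constant-rate padded delivery, Bob's and Carol's downstream flows are identical on the wire, so the score no longer separates them; the price is latency and bandwidth, since Bob's second message waits for the 10-second slot.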
1

WhatsApp needs to know where to send your encrypted messages, so they know who you're talking to. If they store this information long-term, it can be accessed by governments and hackers later on; otherwise it's simply not there anymore.

An attacker (government or otherwise) could perform a man-in-the-middle attack to get this information in real time with 100% accuracy.

As for the contents of the messages, that's never known to WhatsApp or governments at any time. If an attacker performs a MITM attack, and you haven't validated that the person you're talking to is the person you think it is, through an offline channel, message contents can be grabbed/altered as well. Keys used to encrypt/decrypt messages are removed as soon as possible, and only used for a single message, according to the protocol. Whether WhatsApp actually deletes keys right away is not known (but why would they keep them?). If keys are gone, no number of previously captured messages can be decrypted by a third party.

Filip Haglund
  • How would the attacker perform a man-in-the-middle attack against the Signal protocol? – Luis Casillas Apr 03 '17 at 18:13
  • @LuisCasillas Intercepting the first connection is the simple option. If you haven't done out-of-band validation that you're talking to who you think you're talking to, many attacks are possible. This was known when designing the protocol. The protection is that the attacker doesn't know who will detect a MITM and who wouldn't, i.e. which connections are verified and which are not. – Filip Haglund Apr 03 '17 at 19:43
  • The way I read the question, I think it's presupposing that the message sender truly does know that they are communicating with Bob: "I know **if I message Bob**, they cannot see what I sent, but can they somehow see that I have messaged Bob?" There's some wiggle room for interpretation here over whether a MitM connection counts as "messaging Bob" or "messaging an attacker who messages Bob," but IMHO your MitM scenario tends to infirm the antecedent of that conditional. – Luis Casillas Apr 03 '17 at 20:31
  • @LuisCasillas "if I message Bob" could just be used referring to a standard Facebook chat message as well, and those are absolutely not end-to-end encrypted. Pointing out errors and assumptions in things you "know" is even more important than answering the question, in the case of cryptographic security. You don't want people teaching incorrect facts. – Filip Haglund Apr 03 '17 at 20:37