{"id":14526,"date":"2019-02-07T10:10:06","date_gmt":"2019-02-07T18:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/02\/07\/news-8276\/"},"modified":"2019-02-07T10:10:06","modified_gmt":"2019-02-07T18:10:06","slug":"news-8276","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/02\/07\/news-8276\/","title":{"rendered":"Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle"},"content":{"rendered":"

Credit to Author: davidruiz| Date: Thu, 07 Feb 2019 16:53:35 +0000<\/strong><\/p>\n

Secure messaging is supposed to be just that\u2014secure. That means no backdoors, strong encryption, private messages staying private, and, for some users, the ability to securely communicate without giving up tons of personal data.<\/p>\n

So, when news broke that scandal-ridden, online privacy pariah Facebook would expand secure messaging across its Messenger, WhatsApp, and Instagram apps, a broad community of cryptographers, lawmakers, and users asked: Wait, what? <\/em><\/p>\n

Not only is the technology difficult to implement, the company implementing it has a poor track record with both user privacy and online security.<\/p>\n

On January 25, the New York Times reported<\/a> that Facebook CEO Mark Zuckerberg had begun plans to integrate the company\u2019s three messaging platforms into one service, allowing users to potentially communicate with one another across its separate mobile apps. According to the New York Times, Zuckerberg \u201cordered that the apps all incorporate end-to-end\u00a0encryption.\u201d<\/p>\n

The initial response was harsh.<\/p>\n

Abroad, Ireland\u2019s Data Protection Commission, which regulates Facebook in the European Union, immediately asked<\/a> for an \u201curgent briefing\u201d from the company, warning that previous data-sharing proposals raised \u201csignificant data protection concerns.\u201d<\/p>\n

In the United States, Democratic Senator Ed Markey for Massachusetts said in a statement<\/a>: \u201cWe cannot allow platform integration to become privacy disintegration.\u201d<\/p>\n

Cybersecurity technologists swayed between cautious optimism and just plain caution.<\/p>\n

Some professionals focused on the clear benefits of enabling end-to-end encryption across Facebook\u2019s messaging platforms, emphasizing that any end-to-end encryption is better than none.<\/p>\n

Former Facebook software engineer Alec Muffet, who led the team that added end-to-end encryption to Facebook Messenger<\/a>, said on Twitter that the integration plan \u201cclearly maximises the privacy afforded to the greatest [number] of people and is a good idea.\u201d<\/p>\n

\"\"<\/p>\n

Others questioned Facebook\u2019s motives and reputation, scrutinizing the company\u2019s established business model of hoovering up mass quantities of user data to deliver targeted ads.<\/p>\n

John Hopkins University Associate Professor and cryptographer Matthew Green said on Twitter that \u201cthis move could potentially be good or bad for security\/privacy. But given recent history and financial motivations of Facebook, I wouldn\u2019t bet my lunch money on \u2018good.\u2019\u201d<\/p>\n

\"\"<\/p>\n

On January 30, Zuckerberg confirmed the integration plan during a quarterly earnings call. The company hopes to complete the project either this year or in early 2020.<\/p>\n

It\u2019s going to be an uphill battle.<\/p>\n

Three applications, one bad reputation<\/h3>\n

Merging three separate messaging apps is easier said than done.<\/p>\n

In a phone interview, Green said Facebook\u2019s immediate technological hurdle will be integrating \u201cthree different systems\u2014one that doesn\u2019t have any end-to-end encryption, one where it’s default, and one with an optional feature.\u201d<\/p>\n

Currently, the messaging services across WhatsApp, Facebook Messenger, and Instagram have varying degrees of end-to-end encryption. WhatsApp provides default end-to-end encryption, whereas Facebook Messenger provides optional end-to-end encryption if users turn on \u201cSecret Conversations.\u201d Instagram provides no end-to-end encryption in its messaging service.<\/p>\n

Further, Facebook Messenger, WhatsApp, and Instagram all have separate features\u2014like Facebook Messenger\u2019s ability to support more than one device and WhatsApp\u2019s support for group conversations\u2014along with separate desktop or web clients.<\/p>\n

Green said to imagine someone using Facebook Messenger\u2019s web client\u2014which doesn\u2019t currently support end-to-end encryption\u2014starting a conversation with a WhatsApp user, where encryption is set by default. These lapses in default encryption, Green said, could create vulnerabilities. The challenge is in pulling together all those systems with all those variables.<\/p>\n

\u201cFirst, Facebook will have to likely make one platform, then move all those different systems into one somewhat compatible system, which, as far as I can tell, would include centralizing key servers, using the same protocol, and a bunch of technical development that has to happen,\u201d Green said. \u201cIt\u2019s not impossible. Just hard.\u201d<\/p>\n

But there\u2019s more to Facebook\u2019s success than the technical know-how of its engineers. There\u2019s also its reputation, which, as of late, portrays the company as a modern-day data baron, faceplanting into privacy failure after privacy failure.<\/p>\n

After the 2016 US presidential election, Facebook refused to call the surreptitious collection of 50 million users\u2019 personal information<\/a> a \u201cbreach.\u201d When brought before Congress to testify about his company\u2019s role in a potential international disinformation campaign, Zuckerberg deflected difficult questions and repeatedly claimed the company does not \u201csell\u201d user data to advertisers. But less than one year later, a British parliamentary committee released documents<\/a> that showed how Facebook gave some companies, including Airbnb and Netflix, access to its platform in exchange for favors\u2014no selling required.<\/p>\n

Five months ago, Facebook\u2019s Onavo app was booted from the Apple App Store for gathering app data, and early this year, Facebook reportedly paid users as young as 13-years-old to install the \u201cFacebook Research\u201d app on their own devices, an app intended strictly for Facebook employee use. Facebook pulled the app, but Apple had extra repercussions in mind: It removed Facebook\u2019s enterprise certificate, <\/a>which the company relied on to run its internal developer apps.<\/p>\n

These repeated privacy failures are enough for some users to avoid Facebook\u2019s end-to-end encryption experiment entirely.<\/p>\n

\u201cIf you don\u2019t trust Facebook, the place to worry is not about them screwing up the encryption,\u201d Green said. \u201cThey want to know who\u2019s talking to who and when. Encryption doesn\u2019t protect that at all.\u201d<\/p>\n

If not Facebook, then who?<\/h3>\n

Reputationally, there are at least two companies that users look to for both strong end-to-end encryption and strong support of user privacy and security\u2014Apple and Signal, which respectively run the iMessage and Signal Messenger apps.<\/p>\n

In 2013, Open Whisper Systems developed the Signal Protocol. This encryption protocol provides end-to-end encryption for voice calls, video calls, and instant messaging, and is implemented by WhatsApp, Facebook Messenger, Google\u2019s Allo, and Microsoft\u2019s Skype to varying degrees. Journalists, privacy advocates, cryptographers, and cybersecurity researchers routinely praise Signal Messenger, the Signal Protocol, and Open Whisper Systems.<\/p>\n

\u201cUse anything by Open Whisper Systems,\u201d said former NSA defense contractor and government whistleblower Edward Snowden.<\/p>\n

\u201c[Signal is] my first choice for an encrypted conversation,\u201d said cybersecurity researcher and digital privacy advocate Bruce Schneier.<\/p>\n

Separately, Apple has proved its commitment to user privacy and security through statements made by company executives, updates pushed to fix vulnerabilities, and legal action taken in US courts.<\/p>\n

In 2016, Apple fought back against a government request that the company design an operating system capable of allowing the FBI to crack an individual iPhone. Such an exploit, Apple argued, would be too dangerous to create. Earlier last year, when an American startup began selling iPhone-cracking devices\u2014called GrayKey<\/a>\u2014Apple fixed the vulnerability through an iOS update.<\/p>\n

Repeatedly, Apple CEO Tim Cook has supported user security and privacy, saying in 2015: \u201cWe believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.\u201d<\/p>\n

But even with these sterling reputations, the truth is, cybersecurity is hard to get right.<\/p>\n

Last year, cybersecurity researchers found a critical vulnerability in Signal\u2019s desktop app that allowed threat actors to obtain users\u2019 plaintext messages. Signal\u2019s developers fixed the vulnerability within a reported five hours<\/a>.<\/p>\n

Last week, Apple\u2019s FaceTime app, which encrypts video calls between users, suffered a privacy bug that allowed threat actors to briefly spy on victims<\/a>. Apple fixed the bug after news of the vulnerability spread.<\/p>\n

In fact, several secure messaging apps, including Telegram<\/a>, Viber<\/a>, Confide<\/a>, Allo<\/a>, and WhatsApp<\/a> have all reportedly experienced security vulnerabilities, while several others, including Wire<\/a>, have previously drawn ire because of data storage practices.<\/p>\n

But vulnerabilities should not scare people from using end-to-end encryption altogether. On the contrary, they should spur people into finding the right end-to-end encrypted messaging app for themselves.<\/p>\n

No one-size-fits-all, and that\u2019s okay<\/h3>\n

There is no such thing as a perfect, one-size-fits-all secure messaging app, said Electronic Frontier Foundation Associate Director of Research Gennie Gebhart, because there\u2019s no such thing as a perfect, one-size-fits-all definition of secure.<\/p>\n

\u201cIn practice, for some people, secure means the government cannot intercept their messages,\u201d Gebhart said. \u201cFor others, secure means a partner in their physical space can\u2019t grab their device and read their messages. Those are two completely different tasks for one app to accomplish.\u201d<\/p>\n

In choosing the right secure messaging app for themselves, Gebhart said people should ask what they need and what they want<\/a>. Are they worried about governments or service providers intercepting their messages? Are they worried about people in their physical environment gaining access to their messages? Are they worried about giving up their phone number and losing some anonymity?<\/p>\n

In addition, it\u2019s worth asking: What are the risks of an accident, like, say, mistakenly sending an unencrypted message that should have been encrypted? And, of course, what app are friends and family using?<\/p>\n

As for the constant news of vulnerabilities in secure messaging apps, Gebhart advised not to overreact. The good news is, if you\u2019re reading about a vulnerability in a secure messaging tool, then the people building that tool know about the vulnerability, too. (Indeed, developers fixed the majority of the security vulnerabilities listed above.) The best advice in that situation, Gebhart said, is to update your software.<\/p>\n

\u201cThat\u2019s number one,\u201d Gebhart said, explaining that, though this line of defense is \u201ctedious and maybe boring,\u201d sometimes boring advice just works. \u201cBrush your teeth, lock your door, update your software.\u201d<\/p>\n

Cybersecurity is many things. It\u2019s difficult, it\u2019s complex, and it\u2019s a team sport. That team includes you, the user. Before you use a messenger service, or go online at all, remember to follow the boring advice. You’ll better secure yourself and your privacy.<\/p>\n

The post Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: davidruiz| Date: Thu, 07 Feb 2019 16:53:35 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Facebook’s plan to integrate secure messaging across Messenger, WhatsApp, and Instagram will demand technical know-how and a fierce commitment to user privacy. <\/p>\n

Categories: <\/p>\n