• 1 Post
  • 1 Comment
Joined 1Y ago
cake
Cake day: Jul 07, 2023

help-circle
rss
> After Sunday‘s European elections, the EU is planning to reintroduce indiscriminate communications data retention without suspicion and force manufacturers to allow law enforcement access to digital devices such as smartphones and cars. > Specifically, according to the 42-point surveillance plan, manufacturers are to be legally obliged to make digital devices such as smartphones, smart homes, IoT devices, and cars monitorable at all times (“access by design”). Messenger services that were previously securely encrypted are to be forced to allow for interception. > The secure encryption of metadata and subscriber data is to be prohibited. Where requested by the police, GPS location tracking should be activated by service providers (“tracking switch”). > The EU Commission has already contributed specific proposals to the surveillance plan, according to two presentations obtained by the Pirates. Make sure to vote in the upcoming elections!
fedilink

Tldr: This is a traffic analysis attack, it exposes metadata without help or access to data from whatsapp. Other messengers are vulnerable too. It requires vast resources and access only governments have. It is not a threat model that todays messengers defend against.

The interesting part of the article ist the last one.

According to the internal assessment, the stakes are high: “Inspection and analysis of network traffic is completely invisible to us, yet it reveals the connections between our users: who is in a group together, who is messaging who, and (hardest to hide) who is calling who.”

The analysis notes that a government can easily tell when a person is using WhatsApp, in part because the data must pass through Meta’s readily identifiable corporate servers. A government agency can then unmask specific WhatsApp users by tracing their IP address, a unique number assigned to every connected device, to their internet or cellular service provider account.

WhatsApp’s internal security team has identified several examples of how clever observation of encrypted data can thwart the app’s privacy protections, a technique known as a correlation attack, according to this assessment. In one, a WhatsApp user sends a message to a group, resulting in a burst of data of the exact same size being transmitted to the device of everyone in that group. Another correlation attack involves measuring the time delay between when WhatsApp messages are sent and received between two parties — enough data, the company believes, “to infer the distance to and possibly the location of each recipient.”

Today’s messenger services weren’t designed to hide this metadata from an adversary who can see all sides of the connection,” Green, the cryptography professor, told The Intercept.