What (If Anything) Should Worry You About The WhatsApp Privacy Lawsuit

Posted by Mark Kraynak, Contributor | 1 day ago | Cybersecurity, Innovation


Last week, Attaullah Baig, the former head of security at WhatsApp, filed a lawsuit against WhatsApp’s parent company and several Meta executives. The suit accuses the company of securities fraud under Sarbanes-Oxley, based mainly on a number of alleged violations of a privacy order issued by the FTC in 2020, and of retaliating against him for raising these concerns over the course of several years. Meta, for its part, denies the claims and suggests that this is a matter of “…a former employee [that] is dismissed for poor performance and then goes public with distorted claims.”

It’s not clear yet which, if any, of the allegations are true; the facts of the case and the alleged retaliation will be played out in court (or perhaps in an out-of-court settlement). In the meantime, how concerned should a WhatsApp user be about the implications, in the event that the allegations about cybersecurity weaknesses are valid?

There are six key accusations in the lawsuit that have been widely covered:

a. Failure to inventory user data: WhatsApp lacked a comprehensive list of all user data elements collected, violating disclosure requirements under California Consumer Privacy Act (CCPA), European Union GDPR, and the 2020 Privacy Order’s mandate for a comprehensive privacy program;

b. Failure to locate data storage: WhatsApp lacked a comprehensive inventory of systems storing user data, preventing proper protection and regulatory disclosure;

c. Unrestricted data access: Approximately 1,500 engineers had unfettered access to Covered Information under the 2020 Privacy Order without business justification, violating FTC requirements for access controls limited to employees with documented business need;

d. Absence of access monitoring: WhatsApp lacked systems to monitor user data access, preventing detection of suspicious activity and violating the 2020 Privacy Order’s requirement for comprehensive privacy program protection;

e. Inability to detect data breaches: WhatsApp lacked 24/7 Security Operations Center capabilities standard for companies of its size and complexity, violating the 2020 Privacy Order’s requirement for information security programs designed to protect Covered Information; and

f. Massive daily account compromises: Approximately 100,000 WhatsApp users daily suffered account takeovers with access to Covered Information, yet WhatsApp failed to implement adequate preventive measures.

In terms of end-user concerns, this can be broken down into three key issues: weak or nonexistent security controls on user data, inappropriately broad access to private user data, and a lack of due care in protecting against account compromises.

Weak Security Controls on User Data

Four of the allegations (failure to inventory user data, failure to locate data storage, absence of access monitoring and inability to detect data breaches) essentially add up to having a weak or nonexistent security program. This would be disappointing for sure, especially because, if true, it seems WhatsApp could be in violation of the 2020 order.

But WhatsApp wouldn’t be the first company to have a weak security program. From the user perspective, understanding the risk begins with understanding what kind of data is involved.

The complaint talks about “…user data, including sensitive personal information covered by the FTC Privacy Order.” The FTC order was written to be deliberately broad and is generally taken to mean *any* piece of information about the user (name, contact details, group memberships, etc.) or the metadata about a message (time of sending, who it was sent to or from, delivery status, etc.). Importantly, this does not include message contents (with the possible exception of undelivered messages in temporary storage).

For a lot of users, this sort of data being out there might not be a huge, or even new, concern. This is in part because, thanks to the many breaches at other companies, much of it is already out there from other sources. There are, of course, cases where the metadata itself could be very sensitive. For example, executives from a large public company suddenly exchanging many messages with a smaller company in the same market might signal a pending acquisition or other significant business relationship, and would therefore constitute material non-public information.

Inappropriately Broad Access to Private User Data

An issue related to a possible weak security program is “Unrestricted data access.” The substance of this is that WhatsApp is allegedly allowing far more engineers (1,500+ according to the complaint) than necessary to have access to the above-mentioned private user data. A key part of this accusation is that these engineers have access “without business justification.”

It’s not that hard to believe that the two parties in this case might have pretty different views as to what constitutes business justification. While historical users of WhatsApp’s platform, which was famously built on a message of being privacy-first and ad-free, might disagree, Meta has been pretty clear about its view of what constitutes business justification. As recently as June of this year, Meta announced that it is bringing ads to the WhatsApp platform that will be based essentially on metadata, using “…limited info like your country or city, language, the Channels you’re following and how you interact with the ads you see.” In other words, some and maybe not all of the categories mentioned above, but *not* message contents. From this perspective, broad access by the engineering team to the metadata could pretty convincingly be portrayed as business-justified.

Leaving aside the legal question of what constitutes business-justified access to this data, it’s clear that Meta intends for it to be used to serve ads and to offer other subscription services. For a user, there’s a pretty clear choice: if this isn’t what you want, your best (and perhaps only) option is to stop using WhatsApp and look for another service.

Lack of Due Care in Protecting Against Account Compromises

The last key issue (“Massive daily account compromises”) alleges that 100,000 WhatsApp users suffer account compromises on a daily basis and that WhatsApp hasn’t taken the steps it should to prevent that. Further into the complaint, it’s also claimed that Baig and his team had developed two features to help address these issues, which were quashed by WhatsApp management.

Again, this is a situation that is not uncommon for platforms in WhatsApp’s peer group, and it’s pretty subjective whether WhatsApp’s actions would qualify as due care or not. For the end user, it comes back to how they view the damage that a lost account would cause. If the potential for account compromise is a substantial concern, following best practices for securing an account, such as using stronger passwords or multi-factor authentication, would be a reasonable countermeasure, dependent only on WhatsApp’s support of these measures (various forms of two-step verification and other account security tips are in the WhatsApp FAQ).

Finally, while not widely covered, some of the claims made beyond the six core issues of the complaint, about what Baig’s team built but was not allowed to release, are pretty interesting.

The complaint claims that:

“Mr. Baig and his team also built a feature to prevent users from being incorrectly banned and reported to National Center for Missing and Exploited Children (NCMEC).”

“Mr. Baig and his team learnt that journalists and at-risk population were being attacked by nation-state actors. They built two product security features to mitigate this risk…”

The main takeaway from this is that not all WhatsApp users have the same security or threat model. For users likely to be targets of online harassment or nation-state actors, the conclusion might be different. But for most mainstream users, the allegations from the WhatsApp privacy lawsuit probably don’t represent much of a change to the state of play more broadly in the market.



Forbes
