Facebook, WhatsApp, Messenger and Instagram

So, Facebook is planning to integrate WhatsApp, Messenger and Instagram ( https://www.bbc.co.uk/news/technology-47001460 ). Facebook has owned Instagram since 2010 and WhatsApp since 2014, and Messenger was a Facebook original. What could possibly be wrong with that? I mean, everyone would want them to, right? And they do own them.

However, for me it’s not so much about the doing but how it is done. Taking just WhatsApp, it always marketed itself as encrypted end to end (E2EE). This is a great concept in these days of rampant surveillance but at least currently, this is only true where messages stay within WhatsApp.

One of the founders of WhatsApp quit and announced that we should all delete Facebook. Riding on the wave of the Cambridge Analytica scandal this added flames to the already burning fire.

Now we learn of Facebook’s plans to better integrate WhatsApp, Messenger and Instagram, making it easy for users of each to interact with users of any of the apps. Presumably Facebook will be core to this data merging.  But what of E2EE?

Without searching for documentation on exactly how each app works E2EE is supposed to ensure that messages sent are encrypted before sending and not decrypted until receipt. Ok, this works fine in theory and if apps do what they say on the tin it works in practice provided you remain aware of limitations, not least that once a message is decrypted for display then anything that can get at that display can logically get at the decrypted message.

And here’s the thing. If, say, you send a message from WhatsApp to Messenger then unless the keys are shared between the apps the message will need to be decrypted (and possibly re-encrypted) in order to send between these disparate apps. Think of it this way: The sending WhatsApp app encrypts in a way that the receiving WhatsApp app can decrypt and the message is never touched in between. But if there is an exchange that takes a message from WhatsApp and sends to Instagram then unless Instagram can directly decrypt the encrypted WhatsApp message the exchange needs to decrypt the message prior to sending it onwards. This exchange will presumably be buried deep within Facebook and, if so (and bear in mind this is a worse case scenario – I expect these guys have thought this through and will uphold E2EE. And, yes, pigs really do fly) the decrypted text will be accessible to Facebook. This is my worry here. Mind you, when I want to discuss something in private I do use other means…

There are of course issues with E2EE after a message has been received if, say you synchronise to cloud storage. Messages here will not be re-encrypted by the original app as it is no longer playing. They may be encrypted somehow before storage in the cloud but there are no guarantees here and it will depend entirely on the cloud service being used. However, assuming you are security aware and do not send any such messages off to cloud storage, can one really rely on E2EE in any shape or form once apps begin to pass messages between themselves? I doubt it but time will tell. Maybe I’m being too opsec here…

Again with the photo ID

I need to collect some building supplies. These were ordered online ‘click and collect’, the emails and associated text comes to my phone, and yet I am told I need to bring photographic ID with me. I wonder if they will accept a photo of my passport photo on my phone… if there’s no queue I may well try that out!

Ok I can see the point, after all I already paid for the supplies and I would be really cross if someone faked my name and grabbed them.

Maybe if there was some government-backed ID other than a passport that can prove I am me… oh, wait.

Forcing the ID card debate?

I just caught sight of a document giving instructions to people who are attending an interview and claiming to be under ‘statutory identification rules’ but not giving any reference to them.

Bear in mind that these days we increasingly do everything online and, in some cases it actually now costs to get paper copies of bills when they can be delivered electronically.

First off, the attendee is required to produce either a passport, evidence of UK nationality, or a full driving licence. Af far as I am aware there is no law stating that I must drive or even hold a passport if I don’t travel outside the UK.

Next, two items are required out of a set: bank (etc) statement; credit card statement; original birth or adoption certificate; utility bill or council tax bill but not a mobile phone bill. it would appear that this aims to find out if your address is correct.

Finally you need to provide your National Insurance card or original letter.

So what if you have no passport, no driving licence, and all your bills are electronic? The only winner here is your NI number.

I’ve seen this kind of requirement elsewhere too. It always makes me wonder that either these various departments are so hopelessly out of date with the modern world that they have not yet caught up to the fact that paper bills are rare, or this is a ay to frustrate everyone so much that, if the ID Card debate is ever restarted everyone will accept them willingly!

Facebook woes

Facebook recently hit the headlines due to the Cambridge Analytica event. Along with this came tales of doom and gloom and suggestions that Facebook will lose up to 80% of its members. Of course, news comes and fades, and leaves current memory. People will continue to use Facebook although some small number will close their accounts. And so it goes. Like so many others I’ve always said only put online what you don’t mind the whole world knowing. Anyone sharing nude photos with their partners should take note – a good few celebrities included.

Personally I use Facebook to keep in touch with friends and, as such all my settings are friends-only. I don’t use it to share generally, other of course than where I might click ‘like’ to an open post or share on an open group. To me this is just a part of using Facebook and I do not put anything on there that I would not wish the world to see. Facebook is free and useful and we need to remember that, but also remember to pay attention to those privacy settings and check when Facebook change them.

If I want to have a private conversation I use WhatsApp, Signal or Telegram. If I want it to be really private, well, I go and say it face to face! Yes I hear you, if we want to discuss stuff we should not be spied upon, but we’re in the real world.

Conversational security in smartphones

Can you have a truly private textual conversation where other people have access to your mobile phone?

We have apps that maintain security by end to end encryption – WhatsApp and Signal for example. But the security of your personal data and, in this case perhaps your personal thoughts must start at your finger. In our connected world with apps that log themselves into, for example Facebook, Twitter and such, anyone who has access to your smartphone effectively becomes you. That should be obvious! But the traditional phone was a household appliance that anyone could pick up and use and to some extent the smartphone remains so. Can you imagine the suspicion that would be raised if a wife would not let her husband use her smartphone?

Yes, WhatsApp, Signal and other such apps are easy to use and offer a secure environment but the apps themselves simply open when asked and give access to all the conversations stored in them. Were these to require a keyword or a fingerprint then at least casual non-owner access to one’s smartphone would not yield any private conversations within the apps. Some apps are better thought out. My bank app needs a fingerprint or password, and my password vault is set to work by passwords only. Those passwords are not written down anywhere. This is the basic security that we always implemented before modern smart devices hit the streets.

Of course, there are other issues of even letting someone use your smartphone. I can illustrate one where someone (who will remain nameless!) complained to me that his friend’s fingerprint would open his phone. I headed to Google expecting a news story about a general failure of fingerprint security only to be interrupted when said person updated me – his friend had added his fingerprint when said person lent him their phone to make a call! However, even here password security on apps would still keep private conversations private. And yes, I have made that suggestion to the makers of the apps I use.

Google cloud

There is a story about how Google blocked access to a load of documents in their cloud provision because an automated check determined they are in breach of Google’s terms of service. Of course, everyone reads these don’t they (actually they are written in a fairly easy to understand language unlike many, so no excuse really)

But my interest here is how Google (or any such provider) can protect itself given it can automatically check stuff in the cloud. If something got to court I wonder if a judge would request that Google somehow prove that it did not know a given document was illegal, and how it could prove this.

The ongoing fight against encryption

Once again there are calls to regulate the Internet and ongoing discussions on forcing providers to install back doors in encryption products, especially those offering end-to-end encryption. Once more mention is made of these evil dark spaces in the Internet. But I wonder if they have stopped to think in real-world terms? I mean, we can have these same ‘dark spaces’ formed simply by people meeting behind closed doors. Perhaps the next step is to be able to monitor speech regardless of the communications path? These dark spaces (rooms with curtains and closed doors for example) are no different really to those created by the Internet, except of course people meet face to face. Now, if the argument is that where people physically meet then can be surveilled, it fails to address the fact that the same targeted surveillance can be applied to the Internet. If you are surveilling someone anyway then why are you not already tapping their communications and why have you not installed a key logger to bypass any attempts at encryption?

As to defeating encryption it is surely too late. It is also surely pointless. Governments may well force providers to install back doors and once known anyone that still wants to remain private will move elsewhere, perhaps to use Tor nodes in jurisdictions that refuse to comply to these backdoor requirements, or perhaps to use their own software to provide end-to-end encryption. Or even to use the good old one time pad.

I wonder what the logical progression is here. I can imaging the thought that if they can coerce providers to install backdoors into all encryption products, then what cannot subsequently be decrypted bust be some nefarious hacker or terrorist and can therefore be blocked. But even so, you cannot get past the fact that pre-arranged wordings can be transmitted in clear text and you will only find the meaning by other methods of surveillance, like acquiring codebooks. Nad we’re back to the fact that if you can do that then surely you can install a key logger anyway!

Weaknesses in MAC address randomisation

Typical networked devices, including the ubiquitous smartphone have a now well known address – the IP address used to route information across the Internet. But there is another, less well known address which can be far more revealing of the actual device. This is the MAC (Media Access Control) address. Where the IP address is needed to enable end to end communication across the Internet, the MAC address deals with physically addressing devices on the local network. Unlike the IP address which is stamped on every packet of data, the MAC address does not bother with such things. It is a low level address, in Level 2 of the OSI model, or in the physical layer in IP terms. It deals with moving data – whatever that may be – between connected things. Examples include your smartTV and home router, or your smartphone and a wifi hub. Your smartphone passes data to the wifi hub using the wifi hub’s MAC address and vice versa. The wifi hub in turn passes the data onwards to, say your home router using the home router’s MAC address and vice versa. And so on.

MAC addresses are 48-bit addresses broken into two parts. The first 3 bytes (24 bits) are known as the Organisationally Unique Identifier (OUI) and companies purchase and register these with the controlling body, the Institute of Electrical and Electronics Engineers (IEEE). The second half is a unique serial number assigned to a Network Interface Card (NIC) (or most probably these days a chip, not an actual card).

MAC addresses were designed to be globally unique but the first byte contains a one bit flag to indicate if the address truly is global, or local. Local addresses are by definition not globally unique. A second type of identifier, the Company ID is formed from the same first 3 bytes but with the flag set to local.

Now, the first part of the problem is these first three bytes identify the manufacturer or company, so you can see how a MAC address can be used in a useful way by a surveilling agency. Even with such generic data, when faced with a room full of Android owners the one iPhone owner will stick out.

But there is a far more major issue. Although these MAC addresses are meaningless in wider Internet terms they are nonetheless supposed to be globally unique. And there is the issue. Were a global adversary able to inspect every thing in the Internet looking for MAC addresses then a device, a smartphone say could be traced across the planet.

To get round this issue operating systems can randomise the MAC address. This was intended as a privacy enhancing technique but unfortunately researchers have discovered multiple flaws in the various randomisation techniques used by system makers which enabled them to defeat the randomisation of MAC addresses in 96% of Android phones. They too teir work further to examine an attack method which can identify the global MAC address of a device even when it is in a randomised state.

See https://arxiv.org/pdf/1703.02874v1.pdf

See also http://papers.mathyvanhoef.com/asiaccs2016.pdf and https://lirias.kuleuven.be/bitstream/123456789/547642/1/wisec2016.pdf

Ablative privacy

Here’s something I’ve been thinking of for a while… and there’s a Star Trek link to boot. In Star Trek: Voyager the future Janeway managed to get ablative armour technology back in time to protect a shuttle against the Borg – or something like that, it was a while ago I saw that episode.

Anyway, so how about ‘ablative privacy’, information thrown out there in ways that when people drill into it they get what they think they want, which is actually what little you want to share. Satisfied, they go no further. If one were to put up sufficient information that would lead an aggressor into thinking they had uncovered every last detail, might that protect the real, deeply secured secrets that you really don’t want to share?

Well, maybe, maybe not. Really all I wanted to do was coin the phrase in case I want to make further use of it! You saw it here first folks…