How Israel might be using WhatsApp metadata for targeting in Gaza
In March, WhatsApp’s security team issued a stark internal warning about a vulnerability that, despite the app’s powerful encryption, exposes users to government surveillance. This previously unreported threat assessment, obtained by The Intercept, revealed that while conversations among the app’s 2 billion users remain secure, governments can bypass encryption through “traffic analysis” to determine who is communicating, the membership of private groups, and potentially users’ locations. Traffic analysis, a longstanding network-monitoring technique, relies on surveying internet traffic on a national scale. The document stressed that WhatsApp’s owner, Meta, must prioritize user safety over functionality.
The assessment raised alarms within Meta, particularly given the ongoing war in Gaza. Some employees speculated that Israel might be exploiting this vulnerability to monitor Palestinians and possibly identify targets for assassination. Meta spokesperson Christina LoNigro denied any vulnerabilities in WhatsApp, labeling the assessment as theoretical and not specific to the app. She did not confirm whether Meta had investigated potential exploitation by Israel.
Governments can monitor encrypted communications by analyzing metadata, such as who, when, and where communications occur, even without accessing the message content. This method, akin to observing a mail carrier with a sealed envelope, allows powerful inferences about communication patterns. Although the assessment did not cite specific instances of state actors using this method, it referenced extensive reporting by the New York Times and Amnesty International on global surveillance of encrypted chats, including WhatsApp.
Metadata has become crucial for intelligence, military, and police agencies worldwide. Former NSA chief Michael Hayden famously remarked, “We kill people based on metadata.” However, Matthew Green, a cryptography professor at Johns Hopkins University, warned that metadata correlations, while sometimes accurate, can also be flawed, leading to innocent people being targeted.
Tensions at Meta escalated following the publication of an exposé by +972 Magazine and Local Call about Israel’s data-centric warfare approach. The report revealed that Israel’s army uses a software system called Lavender to algorithmically rate Palestinians in Gaza, potentially marking them for assassination based on various digital behaviors, including WhatsApp usage. This revelation heightened concerns among Meta staff about the potential misuse of WhatsApp metadata.
Efforts within Meta to address the vulnerability and its possible exploitation by Israel have been unfruitful. Meta employees have organized under the campaign Metamates 4 Ceasefire, demanding an end to censorship and more transparency about the company’s knowledge of the vulnerability. Meta spokesperson Andy Stone defended the company’s conduct rules and denied any specific targeting of discussions about the war.
The internal assessment highlighted the high stakes: governments can use network traffic inspection to deduce connections between WhatsApp users, such as who is in a group or who is messaging whom. This capability is due to data passing through Meta’s identifiable servers, allowing governments to trace IP addresses to specific users. WhatsApp’s security team identified several examples of how encrypted data observation could undermine privacy, such as correlation attacks that match message timing or data burst sizes to reveal communication patterns.
Although the assessment noted that these attacks require all participants to be on the same network and within the same country, it acknowledged that countries with advanced surveillance capabilities, like Israel, could exploit this vulnerability. While users in democracies with strong privacy laws might be less vulnerable, the NSA’s use of similar techniques on U.S. soil indicates widespread applicability.
Meta’s engineers understand the severity of the problem but also the challenges in convincing the company to address it. Strengthening security could compromise the app’s performance and user experience, presenting a tradeoff between privacy and usability. Suggestions like adding artificial message delays or transmitting decoy data could deter surveillance but might degrade the app’s functionality and increase costs for users.
Meta has been aware of this threat since last year, and while other messaging apps are also susceptible, addressing traffic analysis attacks is technically complex. The assessment urged Meta to adopt a unified approach to protect at-risk users, proposing a hardened security mode akin to Apple’s “Lockdown Mode” for iOS. However, even enhanced security features could inadvertently highlight users, making them targets.
Meta’s challenge lies in balancing market share and user safety. Protecting a small segment of at-risk users conflicts with the company’s goal of widespread accessibility. As the report concluded, WhatsApp’s security team cannot tackle traffic analysis alone; a concerted effort across the company is required to safeguard vulnerable users without compromising the app’s appeal to its vast user base.
Originally reported by The Intercept
