“Simple. Personal. Secure.”
That’s the tagline that sits next to WhatsApp on the PlayStore. But in the past 24 hours, the final word in that promotional message has been challenged by a sophisticated hack.
A simple missed call on WhatsApp from any bad actor using software created by NSO, a company that creates surveillance products for repressive governments, could have exposed your phone to spyware which would have collected information such as your private messages and location data.
It has been described as a “serious security vulnerability” by the Irish Data Protection Commission — and one that will require further investigation to establish whether any of WhatsApp’s 1.5 billion users have been impacted.
Now, you would think in Facebook’s new era of transparency, the company would be straining to let users know about the attack and how to protect themselves. Not quite.
Facebook has known about the hack since early May. And while it is sensible that it works to fix the vulnerability before revealing it to the world, the firm appeared ill-prepared for it going public.
We were told about the hack by the Financial Times, days after Facebook began rolling out a fix for the issue to iPhone, Android, and Windows phone users. The update, incidentally, mentions nothing about security.
“It’s now easier to start group voice and video calls. Just tap the call button in groups or select ‘New group call’ when starting a new call in the call tabs. Group calls support up to 4 participants,” it says on Android.
Facebook furnished the British newspaper and others, including Business Insider, with a statement acknowledging the incident and urging users to update WhatsApp. There’s also an opaque security message on Facebook.
But where is the direct notification sent to WhatsApp users telling them that their data may have been compromised? Where’s the direct prompt to update the app? Where is the blog post outlining the issue? Where’s the advice to worried users?
If you had not seen the news, you would still be in the dark, and still theoretically vulnerable to attack from the bad actors planning a smash and grab on your data.
And I’m not the only one who has noted Facebook’s wall of silence when it comes to notifying its users of the issue directly. “We believe WhatsApp needs to be much more transparent,” a Privacy International spokesman told us. “We haven’t seen a notification on the app itself that would inform users about both, the bug, and the fix.”
I have asked Facebook why it has not communicated the issue directly to users. It has not responded to my question.
It brings to mind Facebook’s catastrophic response to the Cambridge Analytica data breach last year, when CEO Mark Zuckerberg was not seen for five days. In the apology tour that followed, he repeated platitudes about openness and transparency, and there’s no doubt Facebook has improved.
But to not say a word to users about a serious hack more than 12 hours after it makes its way into the public domain shows that Facebook has still not yet fully learnt from its past mistakes.
And what’s worse, it strikes right at the heart of Zuckerberg’s vision for his company. WhatsApp is the centrepiece in his strategy to make Facebook a more private place by building out end-to-end encryption.
But the WhatsApp hack shows your data is still vulnerable in Facebook’s hands. And Facebook is still reluctant to come clean when bad things happen to that data.