Although WhatsApp uses strong encryption to protect the privacy of calls and conversations, and has been touted as an important tool for protecting personal privacy, the popular communications app can be hacked and used to spy on its users.
This fact, confirmed by the company yesterday, will rightly alarm users of the Facebook-owned messaging app, who are being told to update the app on their devices immediately. This will install a fix to block the exploit, which uses a brief moment of exposure before an encrypted connection is fully established on calls between WhatsApp users. In that gap, a spyware programme named Pegasus can be uploaded into the recipient device to surreptitiously monitor calls and messages. It can even turn on a device’s microphone and camera remotely.
While the discovery of any such weakness must rightly concern every WhatsApp user, the wider context exposes a dark and hidden truth about technology companies and surveillance that demands a broad, international government and regulatory response. WhatsApp has confirmed that the spyware used for the hack was not developed by criminal hackers, but by a secretive Israeli company that sells commercial surveillance products to governments and security agencies.
The Financial Times, which first reported the breach, says a leading human rights lawyer in the UK was targeted recently by the exploit. Pegasus is just one small part of a lucrative global market for spy technologies. The company that created it has claimed it can break Apple’s iPhone encryption as well.
While vendors of such technologies say they carefully screen buyers, past reports cast doubt on such claims and have indicated the tools are utilised by some of the worst human rights-violating countries and government agencies. In fact, even if such tools were only used by carefully approved buyers, information about the exploits, or the tools themselves, can too easily slip out accidentally, or be sold on by rogue employees.
More than 1.5 billion people use WhatsApp. Because of its encryption, the freely available app is widely used by vulnerable human rights defenders around the world, whose lives – and those of their fellow campaigners, and of friends, co-workers and family on their contacts list – may depend on the app’s security. For such individuals, the existence of Pegasus is deeply worrying. But ultimately, such exploits expose us all collectively, because the target is not just select individuals, but civil society and democracy.
The disclosure of this WhatsApp weakness could have an important upside. By shining needed light on a reprehensible, yet legal market, it may finally galvanise a necessary global response to better monitor and regulate this dangerous and deplorable side of the technology industry.