So you’re using WhatsApp for messaging your agency workers jobs and stuff. You have set up a WhatsApp “private” network. WhatsApp is free. So what could possibly go wrong?
First a bit of background (because we have to be quite careful but I’m sure you can read between the lines!): WhatsApp used be a subscription service: a huge $1 per user per year. Now admittedly there were about 700 million reported users so that’s $700M per year revenue. Probably only the likes of Mark Zuckerberg would describe this as “limited”. So Facebook made the app free and now there are reportedly 1.7 Billion users.
Let’s face it Mark Zuckerberg is no slouch when it comes to monetising “free” apps such as Facebook. Does he know something about WhatsApp data security that we don’t or is there something else hidden away in the small print?
Monetising apps can be done in quite a few ways.
One seldom highlighted way to monetise a service is to use an analysis of who communicates with whom and thus determine “valued” groups or networks.
This is known as “Traffic analysis”. It’s a way of extracting information from messages without knowing the content of the message. Sounds bizarre: is this unrealistic or low value? Consider: “Traffic analysis” goes back over seventy years in espionage terms: when the Germans listened to Radio operators in the Allied Bomber force making test transmissions from their aircraft radios. So what? Well it turned out radio operators only warmed up their sets and made test transmissions when they were due to fly that day: essentially this test warming up of radios gave a couple of hours warning and said “prepare for a bombing raid” i.e. please prepare you fighters!
Of course Bletchley park did much the same in reverse when they could not read enemy messages.
To the best of our knowledge “Traffic analysis” is so valuable that still subject NSA non-disclosure agreements.
Another example is very recent. From this headline: Fitness app Strava lights up staff at military bases (in this case individuals were communicating with themselves).
So how does this affect any employment agency communicating to its staff via a private WhatsApp group?
Whist a message carrier (such as WhatsApp) may not divulge or break secure messages; there is certainly information to be garnered from the identity of the participant members in any group. Could through your use of WhatsApp group could Facebook determine a list of your staff? If they can determine a list of your staff could WhatsApp monetise that list by hitting your staff’s Facebook pages with overly well targeted job adverts for rival agencies? Would a rival Agency pay for such targeted advertising? Not a message decoded: just who communicates with whom also know as “Traffic analysis”!
Recent examples of Traffic Analysis
Fitness app Strava lights up staff at military bases:
Image copyright Strava Image caption The movements of soldiers within Bagram air base - the largest US military facility in Afghanistan
An image of the Pentagon on the Strava heatmap: here is the Pentagon and there is frequent traffic to these buildings.
Ditto GCHQ Cheltenaham
Links for more information