News Software 09-09-2025

Ex-employee calls Meta a cult in lawsuit: banning doubts about management decisions, neglecting cybersecurity

Vadym Karpus

News writer

Over the past year, Meta has been actively promoting the privacy of WhatsApp, its encrypted messenger, which is used by 3 billion people a month. For example, one video featured the actors of the American Family series and a simple phrase: “This is private.” Other ads emphasized: “On WhatsApp, no one can see or hear your private messages… not even us.”

However, on Monday, a former WhatsApp security executive filed a federal whistleblower lawsuit. The complaint is pending in the Northern District of California. It outlines a number of alleged security and privacy issues that Meta, according to the plaintiff, not only failed to fix but also concealed. This may be a violation of the terms of the $5 billion agreement between Facebook (now Meta), the then owner of WhatsApp, and the US Federal Trade Commission. The lawsuit was filed by Attaullah Baig, who became WhatsApp’s head of security in 2021. Meta denies all allegations.

Systemic problems

Immediately upon his appointment, Baig discovered serious cybersecurity gaps that posed risks to user data. During “red team” tests, which look for vulnerabilities to be fixed, he found that about 1,500 engineers in the messenger division had virtually unlimited access to user data. This included personal information protected by the agreement with the FTC. According to Baig, employees could copy or move this data without any control or audit trail.

In September 2021, he notified WhatsApp executives that such large-scale access was against the agreement with the FTC. Baig even prepared a document in which he proposed creating a data classification and processing system that would limit employee access and make information storage more secure. The lawsuit states:

“This was the first real step towards solving WhatsApp’s fundamental data management problems.”

At the same time, Baig himself described Meta’s corporate culture as a “cult” where past decisions cannot be questioned if they have been approved by someone higher up.

Over time, Baig began to regularly contact the company’s top executives. He described not only the problem with access to data, but also other shortcomings: the lack of an inventory of user data (required by California, EU, and FTC laws), the uncertain location of some information, and the absence of access monitoring systems and leak detection mechanisms.

Last year, he allegedly sent a “detailed letter” to Meta CEO Mark Zuckerberg and legal counsel Jennifer Newstead. The letter allegedly addressed violations of the FTC agreement and of Securities and Exchange Commission (SEC) rules requiring reporting of security vulnerabilities. Baig also claims that he faced harassment at work and that Meta’s central security department “falsified reports” to hide the decision not to address data breach risks.

Scale of attacks

The lawsuit also cites statistics on attacks against WhatsApp. In 2022, according to Baig, about 100,000 users lost access to their accounts every day due to hacking. Last year, this figure reached 400,000 cases per day.

A separate problem is scraping (an automated process of extracting data from web pages) of profile data. Baig warned the management that WhatsApp does not have the basic protections that Signal or Apple Messages have. He estimated that photos and names from about 400 million accounts were being copied every day, and this data was being used in profile spoofing scams.

He suggested limiting profile views to those who are already in the user’s contacts, have messaged the user, or are in the same group chat with the user. The lawsuit states:

“WhatsApp is actually giving away protected information about millions, if not billions, of users every day, and yet it barely reports such incidents to the FTC and other regulators.”

Meta rejected this proposal, arguing that the restrictions could hurt the growth of the user base.

The company’s response

In response to the publication of the accusations, WhatsApp posted the following comment:

“Unfortunately, it’s a familiar scenario: a former employee who was fired due to poor performance makes distorted statements in public that do not reflect the work of our team. Security is a constant struggle, and we are proud of our level of privacy protection.”

In the second letter, the company clarified that the U.S. Department of Labor had rejected Baig’s complaint under the Whistleblower Protection Act. Meta also explained that Baig worked as a software development manager, but formally held the position of a first-level engineer with several directors above him.

“The employee left due to poor performance,” the company added.

According to the company, several senior engineers have confirmed that Baig’s performance did not meet expectations. WhatsApp also notes that the idea of ignoring employees’ opinions goes against the company’s culture:

“We are always considering different approaches and actively discussing them to create advanced security features and systems.”

Managers said Baig’s claims were too general and duplicated work already being done by other teams.

Source: arstechnica

