WhatsApp privacy announcement uproar
On January 4, WhatsApp published an update to its terms of use and privacy policy. The changes have created a good deal of confusion amongst WhatsApp’s userbase of over two billion people. A new pop-up message in the app notifies users that, as of February 8, the new privacy policy will take effect. No opt-out is available; in fact, the pop-up invites you to delete the app if you do not accept the updates.
The confusion has arisen because, even though the policy wording is only being changed now, WhatsApp has in fact been sharing user data with the Facebook family of companies since 2016. At that time, an announcement was posted notifying users that select data was being shared with Facebook to reduce spam, improve friend suggestions, personalize content, and drive targeted advertising and product experiences for users. When that change was made, users were given 30 days to opt out of the data-sharing regime. The opt-out option then disappeared from the application, so any existing user who did not opt out – and all new users since then – have been sharing data with Facebook. This month’s changes to the privacy policy finally removed the language about the opt-out, which has triggered the confusion and backlash against WhatsApp.
WhatsApp currently shares a wealth of data with the Facebook family of applications, including the user’s phone number, WhatsApp usage logs, transaction and payment data, location information, and device details like IP address, operating system, browser details, battery health information, app version, mobile network, language and time zone.
WhatsApp has clarified that the only procedural changes introduced by the new privacy policy wording are designed to address business messaging conducted over the WhatsApp application. According to a report in PCMag.com, “Facebook is going to give businesses the option to use Facebook’s secure hosting infrastructure to host WhatsApp chats if they don’t wish to store the messages over their own systems.”
It is notable that users in the European Union did not see the same notification pop-up as WhatsApp subscribers elsewhere in the world. The general warning message says:
“WhatsApp is updating its terms and privacy policy. Key updates include more information about:
– WhatsApp’s service and how we process your data
– How businesses can use Facebook hosted services to store and manage their WhatsApp chats
– How we partner with Facebook to offer integrations across the Facebook Company Products.”
The third bullet on the notification regarding Facebook integrations was not included in the E.U. messaging; due to stronger privacy regulations, WhatsApp does not share data with other Facebook companies in Europe. Though the United Kingdom is leaving the European Union, the restriction will continue to apply to the U.K. at least in the short term.
User privacy concerns are somewhat mitigated by the fact that WhatsApp still offers end-to-end encryption for communications on the system, meaning the content of messages shared through the app remains private to the individuals exchanging them.
Though they can no longer change the setting, long-time users of WhatsApp can determine whether they opted out back in 2016 by checking “Settings > Account > Request account info” in WhatsApp. An account report will be generated within a few days.
Krebs and Stamos form cybersecurity consulting group – SolarWinds becomes their first client
Former CISA director Christopher Krebs and former Facebook CSO Alex Stamos have joined forces to create a new cybersecurity consulting group. The new firm – called simply Krebs Stamos Group – has already signed its first client: the embattled network management software company SolarWinds.
Krebs and Stamos bring impressive resumes and controversial exits from their previous employers. On November 17, 2020, Krebs was fired by U.S. President Donald Trump after Krebs rejected Trump’s repeated claims of widespread voter fraud in the November elections. Meanwhile, Stamos left his post at Facebook on August 17, 2018 for a position at Stanford University amid controversy around Facebook’s handling of the Cambridge Analytica and Russian disinformation campaign scandals.
SolarWinds is dealing with its own controversy, after the massive supply chain malware hacking incident that was disclosed in December 2020. New SolarWinds CEO Sudhakar Ramakrishna is anxious to change perceptions of his company, and the hiring of the high-profile consulting firm is part of that strategy. According to a SolarWinds spokesperson, “Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies. We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review and provide best-in-class guidance on our journey to evolve into an industry-leading secure software development company.”
DDoSecrets publicizes stolen ransomware data
According to a report in Wired, the Distributed Denial of Secrets (DDoSecrets) activist group has just published almost one terabyte of data originally leaked to dark web sites by ransomware operators when their victims refused to pay ransoms.
DDoSecrets also has plans to publish terabytes of additional stolen emails, documents, and photos that were previously available only on the dark web. Victimized organizations include those in the financial, pharmaceutical, software, retail, real estate, oil and gas, and manufacturing sectors. DDoSecrets has also indicated that it is privately releasing an additional 1.9 terabytes of stolen data strictly to journalists and academic researchers.
Founded in late 2018, the activist group has come under frequent criticism for publishing the fruits of criminal activity, but it insists that it is doing nothing wrong. Defending its position on its website, the group writes, “[I]t’s worth noting that DDoSecrets is not receiving or publishing previously unreleased ransomware datasets. All datasets have been previously released on the dark web in one form or another by the hackers. DDoSecrets is simply preserving and making that information available to journalists, researchers and the public.”