Last week, news emerged of an incredible WhatsApp security breach that permitted hackers to turn the target’s smartphone into an all-in-one remote video, audio and text surveillance tool. According to FT, the hack worked by exploiting a security flaw in WhatsApp’s video call feature, enabling a hostile entity to install the dreaded Pegasus mobile surveillance malware on the target’s phone by targeting a missed call at their number. Within a few hours of the flaw going public, WhatsApp rushed out an update that purportedly fixed the hole, and encouraged users to install the update and rest easy – nothing to see here.
Earlier today, Instagram also joined the list of Facebook-owned platforms suffering an ongoing security crisis, with a researcher stumbling across sensitive details linked to 49 million Instagram accounts. Inevitably, there followed the bland corporate statement from Facebook assuring users that it is looking into the breach, and will unravel how the data became public. While these are two very different types of security concerns, they both serve to illustrate a fundamental, albeit unpleasant, truth about the ‘online security’ movement – nothing that passes through the internet will ever be truly “private” in the absolute sense of the word. Anyone who says otherwise is selling snake oil.
SECURITY NERDS ARE NOT THAT GOOD AT SECURITY
The biggest strength of security nerds offering a variety of fixes, encryptions and workarounds purportedly keeping information secret on the internet is also their greatest weakness – they have a terrible habit of reducing security to a set of narrow technical issues. In the real world, security is a large, multifaceted issue with multiple potential failure points. Governments especially understand this very well. Security nerds, however, tend to focus exclusively on fixing specific problems and then declaring “We have fixed internet security forever!”
In actual fact, those with an interest in compromising user security – especially state-backed actors – do not see their mission as merely “hacking WhatsApp” or “penetrating Gmail.” They think of the information they wish to steal, and they devise means of getting to that information that may or may not involve the high tech hacks that the nerds spend all day fighting against. Thus, while they think 3-dimensionally about how to access private information, the internet security person functions within a very narrowly-defined set of parameters that prevents them from actually doing their job well.
WhatsApp, for example, spent years crowing about how its end-to-end encryption made it impossible to snoop on users via data interception. To the nerds, the fact that an intercepted WhatsApp message could not be read was proof that fully secure instant messaging had been achieved.
A state actor, however, would merely work around this inconvenience by finding a way to install screen-reading malware on the target’s phone or something. In other words, if a suitably resourced actor really wants to spy on your messages, view your pictures and listen to your conversations, they will – regardless of what the security nerds writing Really Intelligent Code tell you.
THE SOLUTION TO TECH-AIDED SPYING IS NOT MORE TECH
This leads to the unavoidable conclusion that nothing on the internet is ever truly secure. As long as it has ever existed on a cloud server, it is safe to assume that whoever wants it badly enough and has the resources to make it happen will get it. No amount of Really Smart Dudes writing endless amounts of code will stop a determined, mid-sized national government, for example, from gaining access to whatever information it wants.
If you really want your information to be invisible and bulletproof in this environment, you need to ditch your smartphone and buy a feature phone that cannot access the internet. You also need to get rid of any device or service that requires access to a cloud. If, like most ordinary people, you find these sacrifices too much to make, then you need to accept that you will never be completely “private” in the true sense of it. That ship has sailed, and we might as well deal with it.