Happy Tuesday!
Dang, what a story. A graphically bold, featured article splashed across the front page of the Wall Street Journal caught my attention.
Two business rivals, heads of competing private jet companies, caught in a bitter feud for years. One company was a giant of the industry, the other a scrappy smaller competitor.
Both companies carry celebrities, musicians, sports stars and politicians all over the world. These two competitors’ raucous drama played out against the backdrop of a James Bond-inspired seven-story mansion in the Swiss Alps, complete with a rosewood desk that was used in the Bond film From Russia With Love.
The doorbell rings, one CEO answers it, and instantly becomes aware that his bitter, much-larger rival is now suing him in court. His competitor is seeking $422 million in damages, offering as evidence 139 printed pages — almost an entire year’s worth — of his private messages.
Private messaging is supposed to be private. What went wrong?
— Anthony Collette
Founder, Loistava Information Security
Planning and Strategizing on WhatsApp
In September 2021, the smaller, scrappy competitor suffered a crisis that threatened to bring it to its knees. The company received a notice saying their leases on eight planes had been terminated, and demanded the aircraft be grounded by the next day in preparation for their seizure. The company raced to court, and got an emergency injunction to halt the seizure.
There was much concern about exactly who was behind this unexpected crisis.
This painful episode encouraged the CEO of the smaller competitor to create a WhatsApp chat group. He chose a photo of convicted financial fraudster Bernie Madoff as its profile image and added some of his closest confidants to the group.
Over the next 11 months, this determined CEO and his colleagues used the private chat group to discuss their plans. The group chatted about conversations with their rival’s suppliers, conversations with journalists, and “the ways they could spread dirt” on their competitor.
But surprisingly, their much-larger rival knew what they were up to, and was convinced the activities discussed in their private messaging group weren’t just unsavory, they were illegal. That’s what led to the $422 million dollar lawsuit, and that disturbing doorbell chime and document delivery on the CEO’s doorstep.
What are private messaging apps?
Private messaging apps like Signal, WhatsApp, Facebook Messenger and Wire are designed to secure the contents of your messages, so that only you and the person you’re communicating with can receive and read the messages. All these apps use end-to-end encryption, which is a security method that ensures messages and calls are protected from unauthorized access. These apps scramble the contents of your messages so that they’re unreadable. This means that no one, not even the app provider, can read your messages.
That’s the promise.
However, depending on the app, not everything is encrypted. For example, WhatsApp doesn’t encrypt:
Who you messaged
When the message was sent
How frequently you communicate
Device information and IP address
Your phone number
The recipient’s phone number
Group membership (who’s in the group) is not encrypted
What can go wrong?
When thinking about private messaging apps, the peril lies in two piles of problems: people problems, and technical problems.
People Problems:
Someone in your group chat can simply talk about your messages to someone else, which leaves behind no record or paper trail.
Someone in your group chat can take a screenshot, and forward it.
Someone in your group chat can simply hold up their phone and allow someone else to read your messages. This also leaves no record or paper trail.
Unfortunately, there are no solutions for these particular people problems.
Technical problems:
Public telecom networks are increasingly vulnerable to sophisticated attacks, which can expose metadata generated during communications that can be accessed and exploited, revealing user relationships and patterns.
Using links or media in messages can cause problems if third-party servers can access user data, potentially compromising privacy.
If your phone / tablet / laptop is “compromised,” meaning a hacker has placed malicious software on your device, the quality of the encryption is irrelevant. Even if you assume the encryption is perfect, if either your device or the device of the person you’re communicating with are compromised, your messages simply aren't secure. Potentially, the hacker can read them all.
For a skilled and determined hacker, it’s possible to compromise a workstation, phone, laptop or tablet in the general public, because these devices aren’t part of a managed security program inside an organization like a large employer.
There are billions of unmanaged devices in the US alone. There is no technological fix for this problem. Who would manage billions of devices? Who would coordinate it? And who would pay for it?
This is a known and frustrating reality for the technical builders who’ve dedicated a large part of their professional careers to the development of secure messaging. After everything they’ve accomplished — and it’s significant — the painful reality remains: a hacker placing a keylogger onto a device eliminates messaging security.
Back to our private jet competitors. How did the larger competitor get 139 pages of private messages?
My reading of this Wall Street Journal article leans toward a people problem. Take a look and come to your own conclusions. The very idea of seeing almost an entire year’s worth of private messages printed onto paper would be very disturbing, especially if you were convinced no one would ever read them.
What can you do about it?
If the app offers it, choose the option for disappearing messages after a certain time, which will limit exposure, although it certainly doesn’t eliminate the problem entirely. You can’t stop someone from screenshotting your messages, after all.
Be mindful of what you type or dictate into any Internet-connected device. Private messaging apps aren’t perfect, the telecommunications landscape is constantly changing, and there are always uncertainties about technology. It’s better to err on the side of discretion, than have a year’s worth of your exploits splashed across the front page of the Wall Street Journal.
Join us
Weekly resources to help keep you safer online — protecting you from hackers, online scammers, and other Digital Kleptomaniacs™.
No spam. No selling your email. Just factual, actionable information once a week, from people who truly care about online security. You can unsubscribe any time — but we hope you’ll want to stay with us on this journey.
Cybersecurity is a modern form of wealth, and you deserve to keep what you've earned.
Looking forward to connecting again next week.
— Anthony Collette