27

Recently there have been a lot of news articles which say that Facebook will very soon add advertising to WhatsApp, yet will keep the end-to-end encryption (source):

[M]essages will remain end-to-end encrypted. There are no plans to change that.

I am trying to understand how advertisement is possible while keeping end-to-end encryption. I understand that there are several options:

  1. Advertisements are not targeted according to words used in messages, just general ads.

  2. It is possible to send additional/duplicate packets with the same information to the server, which also uses "end-to-end encryption". Yet, if that's the case, it's sort of "telling the truth but not all the truth". I find it hard to believe that such a method would be used.

Are there other ways to do both ads and e2e encryption that you can think of?

WΑF
ransh
  • 3
    What prevents them from injecting an ad in between encrypted messages? – forest Dec 23 '18 at 09:33
  • Not sure I understand. Do you mean without them knowing what (words) I was interested in? Just general ads? – ransh Dec 23 '18 at 09:37
  • 5
    Well, I can't see anything about targeted ads, just regular ads. – forest Dec 23 '18 at 09:38
  • 1
    So what's the reason why WhatsApp couldn't do this? – forest Dec 23 '18 at 09:40
  • 2
    If it is general ads, then you're totally right. They can do it. – ransh Dec 23 '18 at 09:41
  • While I don't think they will use the contents of the messages and just rely on your profile, one idea I can think of is to hash interesting words (>8 characters?) and send them to the server. When an advertiser provides a list of keywords, each one is hashed and matched to your words. So if a hash matches, then it shows that ad. It would certainly be less secure but with a sheen of crypto. By the way, Facebook advertising doesn't even have keyword matching. They use demographics, affinities, interest groups, page likes, etc. – Chloe Dec 24 '18 at 04:27
  • 3
    They could also send a pile of ads to your phone, then _on device_ your phone matches the ad that best selects your content. The field is currently moving in that direction, using on-device machine learning and such whatnot. – Mooing Duck Dec 24 '18 at 06:03
  • @forest It seems to me that the OP is talking about targeted adverts, which would require breaching the end-to-end encryption (in the OP's mind) because WhatsApp would have to know the content of the messages in order to tailor the adverts to you. – Jon Bentley Dec 25 '18 at 03:33
  • They could ask Google, which hosts the backup of all WhatsApp messages in plain text by default. – Eric Duminil Dec 25 '18 at 18:12

4 Answers

42

Your WhatsApp account is linked to your Facebook account. They know lots about you from your Facebook activity, and can use that to direct targeted ads at you on WhatsApp, without knowing anything at all about the content of your WhatsApp messages.

Mike Scott
  • 11
    Unless you're a European citizen. Then it's illegal for Facebook to connect the two services (for now). – BlueWizard Dec 23 '18 at 20:29
  • 11
    @BlueWizard source? Because as far as I'm aware, that is perfectly legal when it is listed in both privacy statements under GDPR. – Kevin Dec 24 '18 at 02:50
  • 9
    @KevinVoorn In March 2018 they [reached an agreement with the UK's ICO](https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/03/blog-a-win-for-the-data-protection-of-uk-consumers/) "that it shall not, from the date of the undertaking, share personal data with companies in the Facebook family, for Facebook’s own purposes, until it can satisfy the requirements of the GDPR." I don't think there has been an update since then. – Jan Fabry Dec 24 '18 at 12:44
  • 1
    @JanFabry Of course, it's not as if Facebook has been wildly successful at [abiding by these agreements](https://bgr.com/2017/05/18/facebook-whatsapp-privacy-fine/) thus far! So I wouldn't necessarily rule it out.. – Lightness Races in Orbit Dec 24 '18 at 16:52
  • 8
    Can you provide a source for *"Your WhatsApp account is linked to your Facebook account"*. E.g. on my phone I do not use Facebook, and I do not store my mobile number in my Facebook account. I assume I am not the only person. Are you suggesting that they use some other data analysis techniques to link my accounts regardless? If not, perhaps the answer should be amended to "may be linked" instead of "is linked" (which would of course affect the rest of the answer). – Jon Bentley Dec 25 '18 at 03:39
11

End-to-end encryption is not peer-to-peer. There is a centralised XMPP server which handles delivery of messages. The WhatsApp client communicates with the server to send and receive messages between you and your contacts.

This server can also push ads to the WhatsApp client without interfering with the message delivery system. WhatsApp will likely put ads on the Status tab. Your contacts' status is also end-to-end encrypted and only you can decipher their status media. Without interfering with E2E, the WhatsApp client can use a separate channel to download ads.

Targeted advertisement can work without reading your messages. Users give WhatsApp location access to share their live location, so ads based on location are still possible. How much time you spend on WhatsApp and what time you are most likely to use WhatsApp can be used to fingerprint your online behaviour. I'm not saying that they will make WhatsApp that intrusive to display ads, but the possibilities exist and metadata is enough for them.

Personalized ads which are only shown to you may not be that accurate if you are not a Facebook user, but if they want to monetize the service just to keep it funded, then they don't have to be accurate.

defalt
8

I don't know if WhatsApp uses this technique (and I hope not), but technically the app can and already does decrypt your messages once they're on your device. You could then:

  • Send the raw decrypted messages back to the WhatsApp servers, a terrible choice but nevertheless technically possible;
  • Do some machine learning on-device, creating a local advertising profile tailored to your preferences, and send limited data based on this data. This means Facebook could know you're interested in cats without actually knowing the exact content of any of your messages.
  • 3
    This is the most obvious choice. Whatever you type is plaintext _before_ the app encrypts it, so... end-to-end encryption is really a joke if you consider it's done by an app supplied by an openly malicious (yet legal) service provider. If nothing else they can filter out most common filter words and send hashes of all others to their ad server. Or maintain a frequently-used-not-fillword database on your device. Doesn't take but a few kilobytes. Nobody notices. – Damon Dec 24 '18 at 11:14
  • You don't even need machine learning. The system sends a list of keywords, the app reports back what keywords occurred in the message. – Loren Pechtel Dec 25 '18 at 22:32
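
The two designs raised in this answer and the comments, as an added example that is not part of any post above and is not WhatsApp's code: uploading hashes of long words versus picking an ad on the device from a downloaded bundle. The message, ad inventory and wordlist are constructed, and unsalted SHA-256 with whitespace tokenization is an assumption.

```python
import hashlib

# Constructed sample data (not taken from the page or from any real service).
MESSAGE = "my kitten needs a veterinarian appointment on saturday"
ADS = {
    "cat-shelter": {"kitten", "cat"},
    "car-loans": {"mortgage", "loan"},
    "vet-clinic": {"veterinarian", "appointment"},
}
WORDLIST = ["mortgage", "kitten", "veterinarian", "saturday",
            "appointment", "holiday"]


def h(word):
    """Unsalted SHA-256 of one word (assumed hashing scheme)."""
    return hashlib.sha256(word.encode()).hexdigest()


def upload_hashed_words(message, min_len=8):
    """Hashed-keyword design: hashes of words longer than min_len leave the device."""
    return {h(w) for w in message.split() if len(w) > min_len}


def server_recover_words(uploaded, wordlist):
    """What the server can learn: natural-language words come from a small
    dictionary, so a precomputed hash table maps each upload back to its word."""
    table = {h(w): w for w in wordlist}
    return {table[x] for x in uploaded if x in table}


def select_ad_on_device(message, ads):
    """On-device design: the full ad bundle is downloaded and scored locally;
    no message-derived data is uploaded by this step."""
    words = set(message.split())
    scores = {ad: len(keywords & words) for ad, keywords in ads.items()}
    best = max(sorted(scores), key=scores.get)  # sorted() makes ties deterministic
    return best if scores[best] else None


if __name__ == "__main__":
    uploaded = upload_hashed_words(MESSAGE)
    print("hashes uploaded:", len(uploaded))
    print("server recovers:", sorted(server_recover_words(uploaded, WORDLIST)))
    print("ad chosen locally:", select_ad_on_device(MESSAGE, ADS))
```

If the client later reports which ad it displayed, the server still learns that at least one of that ad's keywords matched, so the on-device design narrows the leak rather than removing it.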
7

Added to the above answers.

WhatsApp also knows your contacts network (namely the numbers of the people you speak to), because that information is necessary for routing text.

That said, you may or may not have linked WhatsApp to Facebook. Your friends may or may not have done that as well, but like some did. @MikeScott's answer applies. I also want to add that WhatsApp Inc. knows how often you text to whom.

Social network analysis combines marketing preferences of known profiled individuals to target an unknown subject based on affinity.

Here is an example: regardless of you speaking about cats (the content is encrypted), if you speak often with people that WhatsApp Inc. deems interested in cats by other means, you may see an ad about a cat shelter.

Enjoy your targeted pet!

usr-local-ΕΨΗΕΛΩΝ
  • Even if you’ve not formally linked your Facebook account to your WhatsApp account, it’s a safe bet that Facebook can link them anyway. It’s only if you don’t have a Facebook account at all that they can’t use it to target ads to you. – Mike Scott Dec 23 '18 at 16:16
  • I would really love to understand how. FYI I disable 3rd party cookies and use Adblockers (including rooted Android phone) – usr-local-ΕΨΗΕΛΩΝ Dec 23 '18 at 16:16
  • 1
    Even if you’re rooted and the apps can’t get a phone ID, they can still see use of your WhatsApp account and your Facebook account from the same IP address at similar times. – Mike Scott Dec 23 '18 at 16:20
  • @usr-local-ΕΨΗΕΛΩΝ in theory your device can be linked because of a wide variety of settings, plugins etc. Am I unique? has a really good website to demonstrate this behaviour: https://amiunique.org/ – Kevin Dec 24 '18 at 02:52
  • @MikeScott I remember something from a few years ago that Facebook was even collecting data on people who didn't have an account with them. FB could do this based on their network, e.g. they appear in contact lists of people who do have a FB account, and who provide this contact list to FB. – craq Aug 05 '20 at 01:22