WhatsApp is fighting for the privacy of its users in India. Earlier this week, the Facebook-owned messaging service filed a lawsuit against the Indian government to block new regulations that require messaging apps to trace the “first originator” of messages shared on the platform, thus effectively breaking encryption protections.
“Requiring messaging apps to ‘trace’ chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy,” the company said in a statement. “We have consistently joined civil society and experts around the world in opposing requirements that would violate the privacy of our users.”
With over 530 million active users, India is WhatsApp’s biggest market by users.
In response to WhatsApp’s legal challenge to new internet regulations on grounds of violation of user privacy, the government said it is committed to the right to privacy of citizens but added it’s subject to “reasonable restrictions” and “no fundamental right is absolute.”
The government also laid the responsibility on WhatsApp’s doorstep to find a technical solution that ensures “the Right of Privacy to all its citizens as well as have the means and the information necessary to ensure public order and maintain national security,” whether through encryption or otherwise.
WhatsApp is already facing a similar call from Brazil, its second-largest market after India, while several countries such as Canada, the U.K. and U.S. have also stepped up pressure to weaken its encryption.
Although it is difficult to assess the possible outcomes of the lawsuit, it could potentially have global implications for user privacy, setting a precedent for what other governments would demand from WhatsApp and other secure messaging apps. Complying with the traceability requirement would not just undermine encryption, but would force companies to retain humongous amounts of data.
Put simply, traceability and end-to-end encryption cannot coexist.
What's trending in security?
🔐 In 2011, Chinese spies stole the “crown jewels” of cybersecurity by hacking into a theoretically “air-gapped” system at encryption giant RSA. The theft of the secret keys forming a “crucial ingredient” of its SecurID two-factor authentication devices would go on to “redefine the cybersecurity landscape” with huge implications. 10 years later, RSA executives now recount the hack, which affected millions of users around the world. [WIRED]
⚠️ The hackers behind the SolarWinds attack gained access to the Constant Contact account of the U.S. development agency USAID for what appears to be an ongoing, evolving campaign. Microsoft said the attacks targeted approximately 3,000 email accounts at more than 150 different organizations. [WIRED / The Hacker News]
🇷🇺 In a rare interview with the BBC, Sergei Naryshkin, the head of Russia’s Foreign Intelligence Service, denied that his agency was linked to the SolarWinds supply chain hack. Meanwhile, speaking at the 2021 RSA Conference, SolarWinds CEO Sudhakar Ramakrishna said that the company found evidence of reconnaissance as early as January 2019, months before the September/October 2019 date it had previously given for first spotting the suspicious activity that led to its massive supply chain attack. [BBC / CyberScoop]
🇬🇧 The European Court of Human Rights ruled that the UK intelligence agency GCHQ’s methods for bulk interception of online communications violated the right to privacy. [The Guardian]
🚨 Researchers from Google have discovered a new variant of the Rowhammer attack, a data theft technique that involves running a piece of malicious code that repeatedly targets a row of DRAM transistors to induce an electrical disturbance that can physically flip a bit in the next row of transistors from 1 to 0 or vice versa. The new attack, called Half-Double, is novel because it targets rows that aren’t immediate neighbours of the hammered memory row. [The Hacker News]
💲 After Colonial Pipeline paid $4.4 million to regain control of its network, U.S. insurance giant CNA Financial reportedly paid $40 million to a ransomware gang to recover access to its systems following an attack in March, making it one of the most expensive ransoms paid to date.
DarkSide, the criminal gang behind the Colonial Pipeline ransomware attack earlier this month, has since claimed its servers were seized in a law enforcement operation. DarkSide may drop from sight online, but it might just as well be a ruse to deflect attention. It isn’t uncommon for ransomware groups to disband, only to resurface later under a different name. It remains to be seen if they are gone for good, or if it’s simply a tactic designed to take the heat off after the widely publicized raid on the pipeline operator. [The Hacker News]
🔑 Facebook’s plan to add end-to-end encryption to Messenger is a win for privacy, but how do you combat a problem like child sexual abuse when paedophiles use the platform to their advantage? What’s the right balance? More importantly, can there ever be a balance? [WIRED]
🇨🇳 The European Union extended existing sanctions against Chinese, Russian, and North Korean hackers for another year, until May 18, 2022. [The Record]
💻 Apple’s software engineering head Craig Federighi said macOS has “a level of malware on the Mac that we don’t find acceptable,” adding that side-loading apps on iOS would “dramatically” change security on iOS.
Speaking of macOS, Apple’s new M1 chip has been found to contain a flaw dubbed “M1RACLES” (CVE-2021-30747) that allows two or more malicious apps installed on the machine to create a covert channel to exchange data between them, without using memory, sockets, files, or any other normal operating system features. Since the issue is baked into the CPU, it cannot be fixed. But the possibility that the flaw can be exploited to take over control or steal private information is moot. [The Verge / m1racles]
🛡️ Cybercriminals began to scan the Internet for vulnerable Microsoft Exchange Servers within five minutes of Microsoft’s security advisory going public in early March, according to researchers from Palo Alto Networks. [ZDNet]
👱 Amazon has extended its moratorium on law enforcement use of its Rekognition facial recognition software “until further notice.” [Reuters]
🇧🇪 The Belgian government said hackers breached the network of its interior ministry as part of an espionage campaign that began two years ago, in April 2019. “The complexity of this attack indicates an actor who has cyber capacities and extensive resources. The perpetrators acted in a targeted manner, which suggests espionage,” the ministry said. [CyberScoop / The Record]
🇮🇩 The Indonesian government blocked access inside its borders to Raid Forums, a well-known cybercrime hub, in an attempt to limit the spread of a sensitive data leak involving the personal data of 279 million Indonesians. [The Record]
🗄️ The past fortnight in data breaches, leaks, and ransomware: Air India, AXA, Bose, Brenntag, CaptureRx, DailyQuiz, Guard.me, Ireland’s Health Service Executive, Mercari, Monday.com, Omiai, Toshiba, and multiple Japanese government agencies.
$1.37 billion
That’s the total amount the Russian-language dark web marketplace Hydra made in 2020, making it a hotspot for illicit activities. Transaction volumes are up from $9.4 million in 2016, marking a staggering 624% year-over-year jump over the three-year period from 2018 to 2020.