WhatsApp, privacy, security, and risks of foreign surveillance


Most countries have legislation that authorizes law enforcement and intelligence agencies to monitor telecommunications and internet traffic, and they also have legislation that authorizes surveillance and foreign intelligence gathering. Legislation that forces local corporations to collaborate with these efforts is also very common.

The United States, however, takes it a couple of steps further with the following legislation:

· Foreign Intelligence Surveillance Act (FISA) authorizes unrestricted global physical and electronic surveillance, monitoring and data collection and obligates U.S. entities to collaborate.

· Clarifying Lawful Overseas Use of Data Act (CLOUD Act) obligates U.S. corporations to provide unrestricted global access to data stored and processed abroad.

· Executive Order 13768 excludes non-U.S. citizens from Privacy Act provisions.

All this adds up to U.S. authorities having the authorization to access data from anyone, anywhere, anytime, globally! With this we must realize that the vast majority of social media platforms, messaging apps and cloud services are provided by U.S. corporations. Even if they have local subsidiaries, the CLOUD Act still forces them to hand over any data upon order by U.S. authorities. That combination is a very serious threat to privacy and creates a vehicle for extra-territorial mass surveillance, and since the Snowden Revelations we know that the U.S. uses this vehicle excessively.

What most people are not aware of is that it also creates a significant security risk. The majority of these corporations use the data they collect for profiling for commercial purposes, for example for advertising based on someone’s preferences and online behavior. The collected data and the profiling provide a lot of information about a person. What if that information gets into the wrong hands? A simple look at the data-breach scandals will make it crystal clear that this is not unlikely to happen.

Those U.S. authorities which have the authorizations through FISA, the CLOUD Act and E.O. 13768 to collect data globally through U.S. corporations were all impacted by the SolarWinds breach. This literally means that the information the U.S. collects globally and without restriction, through its own means and by legislative powers, is at risk of being tapped into by foreign powers.

And that is a serious security risk, especially for those countries which are dealing with significant security challenges. Let us have a look at this from the Turkish perspective and start by understanding the environment of clear and present dangers.

· In 2016 Turkey barely escaped a violent military coup attempt, which left more than 300 casualties, more than 2,000 people injured and immense damage to buildings and infrastructure.

· Its neighboring countries Syria and Iraq are in a permanent state of war and conflict with foreign military and financial support and both with direct United States involvement.

· Iran is actively involved in all conflicts in the region and continues to increase its military presence and influence.

· Turkey is under permanent risk of terror attacks, such as the attack on the Atatürk Airport in Istanbul in 2016 and the attack on the Court House in Izmir in 2017, and many more.

Seen against this background, security is understandably of extremely high importance for Turkey and surveillance is evidently a key instrument in the prevention of threats. Surveillance is also a key instrument to prosecute those responsible for violence against the state and civilians, just like it is in all other countries worldwide. And this is where Turkey is forced to take a backseat to the United States, just like all other countries, and is exposed to unacceptable risks, just like all other countries.

Ask yourself what you would do in Turkey's position. Allow a foreign nation to have uncontrolled mass surveillance over your citizens while you are trying to deal with the real and present security risks you are facing? Even when the same country is actively involved in at least two military conflicts in neighboring countries? And if that was not controversial enough, the same country that simply imposes mass surveillance on your citizens and state officials got caught with its pants down in the most highly charged foreign intelligence security breach we have seen so far, including the agencies that execute the mass surveillance of your citizens and officials.

Would you allow a foreign corporation that is obliged by law to hand over all data to its government to collect data on all your citizens? Now let us take it one step further and look at what Facebook and WhatsApp are attempting to do at this moment, and let us do that against the setting that no company collects as much data as Facebook does, and Facebook continues to be involved in massive data breaches and privacy abuse cases. Would you simply be a bystander and allow Facebook and others to extend their data collection practices even further, knowing what you now know about the security risks this creates?

Turkey, like many other countries, is currently reviewing the implication of the latest move of Facebook from the perspective of privacy and security. Based on what I have explained about the security risks of the unrestricted data collection, global surveillance, and the impact of the SolarWinds breach, I hope you will better understand it if Turkey decides to prohibit this move by Facebook and take further steps to mitigate foreign mass surveillance of its citizens. I even hope that other countries will do the same!

Dad, consultant, coach, speaker, author. Mainly Cyber Security, leadership, responsible tech and organizational change. https://johannesdrooghaag.com
