Can the NSA see text messages

Hacking and espionageIs WhatsApp Safe Enough For Diplomacy?

Brexit ensures digital spring cleaning in Brussels. Because WhatsApp is a popular tool for EU diplomacy, entire working groups in the Council coordinate via the green app. Now the British colleagues are being kicked out of the chat groups, some groups are being founded from scratch - without the British.

What happens in Brussels is not unusual: WhatsApp has become the standard channel for international negotiations. The app has been part of the Facebook group since 2014 and is used by two billion people worldwide.

A few years ago the Guardian spoke of the "rise of international WhatsApp diplomacy".

WhatsApp's popularity is due to the fact that it is encrypted and has a large user base, says Corneliu Bjola. The political scientist conducts research on digital diplomacy at Oxford University and advises diplomats. “Almost everyone has a WhatsApp account,” says Bjola.

But WhatsApp security gaps raise questions. The popularity of the app could also be hurt by the Cryptoleaks revelations. They show that the USA and Germany systematically eavesdropped on the encrypted communication of their allies for decades.

The NSA scandal six years ago shook the image of the parent company Facebook. The affairs stir up doubts as to whether a US free service like WhatsApp is actually taking the necessary measures to protect sensitive exchanges between EU countries from being accessed by secret services and espionage from Russia and China.

Europe must ask itself: is WhatsApp secure enough for the sensitive business of diplomacy?

EU is examining alternatives

A group of experts from the EU Commission apparently doubts this. An internal note, which publishes in full, recommends using the Signal app as a “safer alternative” for exchanging information between colleagues.

On request, the Commission confirms that this recommendation has been sent to its staff. There is no obligation to use a particular service, wrote a spokeswoman.

The Commission does not know to what extent alternatives to WhatsApp are actually used. Informally, WhatsApp can continue to be regarded as the means of choice among diplomats.

Representatives of the EU states emphasize that this is informal communication that is not controlled centrally - therefore it is difficult to control.

Content encrypted, metadata open

Messages on WhatsApp are inherently well secured. They have been end-to-end encrypted as standard since 2016 - so only those who have access to the devices of the sender or recipient can read them.

WhatsApp uses the same encryption protocol as Signal, which is recommended by surveillance opponents such as NSA revelers Edward Snowden. This encryption is difficult to crack with today's technology.

However, this does not apply to the metadata. The metadata is information about the sender and recipient, time and date and message size.

The metadata shows who is communicating with whom. The file size allows conclusions to be drawn as to whether pictures or videos have been sent.

The Facebook group stores metadata centrally on its servers. WhatsApp also regularly accesses the entire phone book in the user's cell phone. WhatsApp shares the data with Facebook.

Signal says it saves as little information as possible about users. The service encrypts metadata and deletes it from its servers as soon as the message is sent.

Schrems: "Metadata will go to US authorities"

Secret services are pushing for the mandatory installation of back doors in messenger services in order to be able to read encrypted message content. WhatsApp, Apple and a broad alliance of companies and NGOs are fighting against it - so far successfully.

However, metadata often reveals just as much as news content. Diplomacy is about networks, confidential agreements. If a French diplomat writes to her German counterpart before the decisive vote, isn't the knowledge just as important as the content?

"For officials from foreign and defense ministries, for example, but also for journalists and human rights activists, this is a considerable risk," says Jan Penfrat from the Brussels-based digital NGO EDRi.

Former NSA boss Michael Hayden put a drastic illustration of the possible consequences of data access by US intelligence services in a nutshell: "We kill people on the basis of metadata".

The German Federal Data Protection Officer Ulrich Kelber sees the use of WhatsApp by the authorities supervised by him "critical", wrote us his press spokesman. Kelber complains that WhatsApp metadata is forwarded to Facebook.

The Austrian data protection advocate Max Schrems put it more drastically in relation to “The metadata goes directly to Facebook and thus also to the American secret services. Only who communicates with whom, when and how often, can allow an extremely large number of conclusions. "

Facebook did not answer's question as to how it would like to effectively protect the metadata of its users from being accessed by US secret services.

USA spied on diplomats

Diplomats and EU officials must generally expect to be overheard. Brussels has been a spy stronghold for years, and it wasn't until January that a prominent German ex-diplomat came under suspicion of alleged espionage for China.

But such cases are rather rare: Most of the espionage is probably electronic.

The 2013 NSA affair revealed a massive US wiretapping program against EU diplomats in Brussels and at the UN headquarters in Vienna and Geneva.

Whistleblower Edward Snowden was stationed at the Swiss headquarters of the United Nations when he was still spying for the US secret service. Snowden later said the US continues to spy in Geneva and other places.

The United States' closest ally in intelligence matters is Great Britain. Together with Canada, Australia and New Zealand, the states form the Five Eyes Alliance.

The EU countries are attractive destinations for the technically upgraded services, especially after Brexit.

The member states have stipulated that in the negotiations on future relations with Great Britain all documents are strictly confidential.

The same applies to trade talks with the USA or international climate negotiations. Whoever knows in advance what the other will say has an advantage. The potential for US intelligence services to access metadata could be that benefit.

Which is for sure

For secure communication in international diplomacy, the bar is higher than for normal users: inside. The security of the metadata on WhatsApp raises unpleasant questions.

Jan Penfrat from EDRi recommends that anyone who, for professional or personal reasons, wants to reduce the possibility of access to metadata by US secret services should use other services such as Signal.

In addition to Signal, the NGO expert mentions services such as the Threema messenger based in Switzerland, the Wire service or the open source project Matrix, whose technology is used by the German Armed Forces, as alternatives.

However, the EU Commission has other plans. In the note we're posting, Signal is intended only as an interim solution. In the longer term, the group recommends Skype for Business, a Microsoft service.

A solution that is independent of US corporations and secret services is apparently even further afield.

Update from February 24, 2020: The article originally stated that both the messenger services Threema and Wire were based in Switzerland. According to a report by, however, Wire recently relocated its headquarters to the USA. The article has been amended accordingly.

Would you like more critical reporting?

Our work at is financed almost exclusively by voluntary donations from our readers. With an editorial staff of currently 15 people, this enables us to journalistically work on many important topics and debates in a digital society. With your support, we can clarify even more, conduct investigative research much more often, provide more background information - and defend even more fundamental digital rights!

You too can support our work now with yours Donation.

About the author

Alexander Fanta

As the Brussels correspondent of, Alexander reports on the digital policy of the European Union. He writes about new laws and does investigative research on large technology companies and their lobbying. He is co-author of the study "Medienmäzen Google" on the group's journalism funding. In 2017 Alexander was a fellow at the Reuters Institute for Journalism Research at Oxford University, where he researched automation in journalism. Before that he was a foreign policy journalist for the Austrian news agency APA. E-mail:[email protected] (PGP). Twitter:@FantaAlexx. WhatsApp / Threema: +32483248596.
Published 02/24/2020 at 8:42 am