As online threats multiply, who’s the hacker now?

March was a tough month for hackers.

First we learned from WikiLeaks that the CIA has an arsenal of code designed to break into the world’s phones, cars and TVs, not to mention old-fashioned computers. Then the US authorities announced indictments in the largest hacking case on record: the breach of half a billion Yahoo accounts in 2014. Two of the men charged are Russian spies.

The Kremlin is becoming particularly adept at blending high espionage and lowdown criminal pursuits like the online theft of other people’s data. The king of that particular castle is Evgeniy Bogachev, the guy opposite with his Bengal cat and matching pyjamas. They say he’s extremely wealthy, and once had upwards of half a million computers under his command. He’s also a criminal standout for having a $3 million FBI bounty on his close cropped head. Back home in his redoubt on the Black Sea, however, Bogachev is a popular asset among intelligence operatives.

In the previous post, we saw how easy it is for well-intentioned reporting on security to sow confusion. Like, WhatsApp has a backdoor. Actually, it doesn’t. Ok, it’s a security “compromise.” Yes, but affecting very few users. (Sure, but wait till we get to the metadata.)

Along comes the CIA/ WikiLeaks story with more apparent bad news about WhatsApp. Initial reports based on the WikiLeaks dump claimed the CIA had managed to crack WhatsApp. It didn’t. Unfortunately, the wrong version of the story traveled halfway around the world while the other version was still booting up.

It hardly matters whether this was news of the f-word persuasion or an honest mistake. These stories are compelling and important, mistakes and all. The problem is that news dominated by state security issues works against end-user interests, especially when the headline is: “Spies have cracked your secure messaging platform.” The fatalistic idea that nothing can make you safe online makes people hopeless about their own welfare. The very idea of focusing on hacking steers the audience away from risks that may be less obvious but potentially more serious.

I hear people say they’re worried about their online welfare. Yet many find the technical aspects of defending themselves too damn complicated. They’re not alone. A recent US survey asked online adults a dozen questions about cybersecurity concepts, such as strong passwords and two-factor authentication. A substantial majority were able to answer just two of them correctly.

This knowledge gap is reflected in the deep ambivalence felt by social media users. Americans have little faith that any of their social media providers are safeguarding their personal information – less faith than they have in credit card companies, cellphone carriers, email providers, retailers or the government. And yet, despite this mistrust, use of social media has not declined.

Pew Research Center, Nov 2016, “Social Media Update 2016

In the case of the world’s largest social media platform, Facebook, use has actually been growing. An astonishing 4 in 5 American onliners (79%) visit Facebook regularly. That makes it a handy talking point – in addition to the fact that Facebook happens to own WhatsApp (purchased in 2014 for $19 billion).

Last time I mentioned that WhatsApp says your information is safe from intruders – but doesn’t say it’s also safe from Facebook. In fact, the WhatsApp FAQ says exactly the opposite:

“While WhatsApp will continue to operate as a separate service from Facebook, we plan to share some information with Facebook and the Facebook family of companies that will allow us to coordinate more and improve experiences across our services and those of Facebook and the Facebook family.”

Any time a major Web destination says it wants “some information” to “improve experiences,” you can be confident they mean “we need to monetize this sucker.” There’s a second factor. Facebook didn’t earn 2016 revenue of $28 billion by being deferential about your privacy. It has a lousy record for the inadequacies of its ever-shifting privacy policies, stretching all the way back to 2006.

The third leg of this stool is where things get more complicated. If my encrypted messages can’t be read by anyone but my recipient, how is Facebook getting information on me? That was the tipoff in my previous post: WhatsApp encrypts message content but not activity records, including transmission data like your phone number and location – data about your data. Metadata. Like the label on the can that tells you there are beans in there.

When explained in plain English, “metadata” doesn’t sound so mystifying. But my point here is that understanding the technology – tough as that may be – isn’t enough by itself to understand what your risks are as a user. That takes a different kind of soul-searching…

What can actually be learned about me from the trail of metadata I leave across the Internet every day? What does Facebook in particular do with that kind of information? And is being spied on by Facebook any better or worse than being spied on by break-and-enter intruders? Not many people are going to embrace newer, safer online habits before getting familiar with the effects of their current online habits.