don’t use whatsapp.
as much as one hates whatsapp, the headline is not the most accurate. the article states that it’s not specifically a vulnerability in whatsapp itself that exposes a correlation between a sender of a message and probable recipients.
this is a flaw that can be used regardless of your choice of messaging platform. but, yeah, even if whatsapp itaelf didnt drop the ball in this particular instance, still don’t use it.
Almost every messenger is vulnerable to this attack. This is also how Tor users can ger deanonymised.
There are solutions to this problem, but they involve a significantly worse user experience combined with sending traffic back and forth even when there aren’t any messages to exchange, or message delivery to take very long.
The underlying problem has been known for very long, but there’s no easy fix for it. Few messenger services are going to spend the extra bandwidth costs on dummy traffic to obfuscate messenge exhange and users will first and foremost notice that their phones are draining like crazy because of all the dummy notifications waking up their device’s SoC.
This sounds like just standard traffic analysis. Nothing to do with WhatsApp or any other messaging platform. It’s been in use since at least WWII.
Who is talking to whom? How often? Under what circumstances? How do patterns of communication correlate with events? Who are the hubs of communication (ie leaders)?
The big difference between then and now is that instead of needing rooms full of people drawing graphs by hand, there is software to handle it. In turn, that means it’s not really important to have initial suspects to get started, because the computers are quite happy to tease out interesting signals from total communications. That also increases the likelihood of false positives, but the kinds of people who do traffic analysis at this level aren’t usually the kinds of people who worry about a little collateral damage.
It seems like a pretty tall order to construct a system of communication that is useful for coordinating activities, affordable to operate, and secure against traffic analysis. At best, you’ll end up back in a situation where other intelligence will be required to identify a manageable pool of suspects.