Bruce Schneier:
Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission.
Dan Goodin:
The suit, filed in US District Court for the District of Northern California, recites a litany of purported security and privacy flaws that Meta not only didn’t fix after becoming aware of them, but also kept secret, allegedly in violation of a $5 billion settlement then-WhatsApp parent company Facebook reached with the Federal Trade Commission.
[…]
During a red-team exercise designed to find and exploit security vulnerabilities so they can be fixed, Baig said he found that roughly 1,500 engineers inside the messenger division had “unrestricted access to user data, including personal information covered by the FTC Privacy Order, and could move or steal such data without detection or audit trail.”
[…]
The letter further alleged Meta leaders were retaliating against him and that the central Meta security team had “falsified security reports to cover up decisions not to remediate data exfiltration risks.”
[…]
As a result, the former WhatsApp head estimated that pictures and names of some 400 million user profiles were improperly copied every day, often for use in account impersonation scams.
He says that Meta thought the fixes would hamper user growth. Meta says his claims are distorted and that he was dismissed for poor performance.
I’ve recently been using Screen Time more to manage my son’s Mac and iOS usage, and it’s been really frustrating.
On the Sonoma Mac where he plays Minecraft, we wanted to restrict which Web sites could be viewed. But this doesn’t just affect what you can do in Safari; it also restricts which network connections apps can make. Approving all the various servers that Minecraft uses filled up the Safari bookmarks with junk URLs that are not actual Web sites, and even then Screen Time would keep reporting that Minecraft was trying to access disallowed sites. It also kept trying to block connections macOS itself was trying to make, e.g. via searchparty. The only solution seemed to be to turn Screen Time off on the Mac. However, turning it off on the Mac would also (without telling us) turn it off on the iPhone, even though it was set not to sync. Enabling it on the phone would also inevitably enable it on the Mac. The only way I found to prevent this was to sign the Mac out of iCloud. Even that proved to be difficult because Screen Time would try to block that sort of change, even though I knew the passcode and even if I temporarily turned Screen Time off. Eventually, after several restarts, I was able to sign out, but that means no access to the photo library or iMessage or Safari bookmark syncing.
On an iOS 18 iPhone, we kept running into problems where Screen Time would be active but did not actually enforce most of the restrictions. It would allow access even during Downtime. When browsing to an unapproved site in Safari, it would show an Allow Website button, and he could just click it and it would add the site to the approved list, without asking a parent or prompting for a passcode. My iPhone continued to show the list of approved sites that I had initially created, not the actual list that was in use on his phone. In fact, his phone even allowed changes to the Screen Time settings without prompting for the passcode. Yet the usage information did sync back to my phone, so it appeared as though things were working, unless I looked more closely to see that the reported usage times and sites were incompatible with the restrictions that were supposedly in place. After many restarts and tours through the settings to try to get Screen Time to work, the solution ended up being on another device. My son’s iCloud account is also signed in on a Mac mini that we use to download everyone’s photos for backup. Even though my phone showed that Screen Time’s passcode was in effect, the Mac mini showed the Lock Screen Time Settings option unchecked. When I enabled the lock there, suddenly the phone started enforcing the restrictions and prompting for the passcode.
Update (2025-09-25): Corentin Cras-Méneur:
The thing is just broken: My youngest can use apps that are supposed to be blocked most of the day and my oldest can’t use apps when everything is supposed to be allowed. I’ve spent sooooo much time trying to get it to work it’s not even funny!
Craig Grannell:
Too often, the result is a stalemate, with me wanting my kid to stop on the iPad nicely (or risk not having it the next day), and her figuring out the absolute limit of what she can get away with. (For the record: she is a fantastic kid and very well behaved on the whole, but she is also a kid. Any parent reading will know exactly what I mean.) And there have been times when I’ve just had to yank the iPad away.
A lot of this could be resolved with a remote off switch that can be activated immediately, when a line is crossed. Ideally, this would be presented in Screen Time as a massive red button. The Nintendo Switch has this (well, the remote off switch – not the red button), but Apple has determined one is not needed. It really is.