A Burning House of Cards
It’s been a busy two weeks for the PR-Teams at Meta. One can only imagine how tense things must be over at HQ. Why? Because they messed up BIG time (again).
by Jonas Schönberger
If you’ve been on the internet this week, you might have noticed a familiar smell. It’s the scent of burning servers and PR teams frantically typing "We value your privacy" emails. In what can only be described as a banner week for "Big Tech," we are once again reminded that our digital lives are currently held together by duct tape, good intentions, and terms of service that nobody reads.
We are witnessing two massive incidents that should—but probably won’t—serve as a wake-up call for every CEO, politician, and IT decision-maker in Europe.
A 3.5 Billion User Phone Book
Let’s talk WhatsApp first. According to recent reports from heise online and researchers at the University of Vienna, a massive security loophole in WhatsApp’s contact discovery mechanism has allowed researchers to scrape the data of 3.5 billion users.
Half of the earth’s population exposed.
While Meta loves to hide behind the buzzword "End-to-End Encryption" (E2EE), this incident highlights a painful truth I’ve been shouting from the rooftops for the past couple of years, I mean, I wrote a whole book about it (GENESIS, find it on Amazon, friends ;) ): Encryption protects the content of your messages, but it does not protect the metadata. And metadata is where the money is.
The mechanism is absurdly simple: The researchers automated the "contact discovery" process—the feature that scans your address book to tell you which friends are on WhatsApp. By feeding millions of numbers into the system, they effectively turned WhatsApp into a reverse phone book. The server politely replied with the user’s online status, profile picture, and "About" text. Threema, the Swiss secure messaging competitor, put it best in their recent blog post: having a directory of 3.5 billion confirmed active numbers is a goldmine for scammers, spammers, and surveillance states.
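What the server side can do about this is to notice when one client resolves far more distinct numbers than any address book could hold. The following is an added example (not WhatsApp's code, nor the Vienna researchers'): it replays a constructed contact-discovery log in an assumed `<unix_ts> <client_id> <queried_number>` format through a sliding-window detector and flags clients that exceed an assumed distinct-number budget.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # sliding window (assumed value)
DISTINCT_BUDGET = 5000  # distinct numbers one client may resolve per window (assumed)


def parse_line(line):
    """Parse '<unix_ts> <client_id> <queried_number>' (assumed log format)."""
    ts, client, number = line.split()
    return int(ts), client, number


class EnumerationDetector:
    """Tracks distinct numbers per client in a sliding window; flags over-budget clients."""

    def __init__(self, window=WINDOW_SECONDS, budget=DISTINCT_BUDGET):
        self.window, self.budget = window, budget
        self.events = defaultdict(deque)                      # client -> (ts, number)
        self.counts = defaultdict(lambda: defaultdict(int))   # client -> number -> hits
        self.flagged = set()

    def _expire(self, client, now):
        q, c = self.events[client], self.counts[client]
        while q and q[0][0] <= now - self.window:
            _, number = q.popleft()
            c[number] -= 1
            if c[number] == 0:
                del c[number]

    def observe(self, ts, client, number):
        """Record one lookup; returns the client's current distinct-number count."""
        self._expire(client, ts)
        self.events[client].append((ts, number))
        self.counts[client][number] += 1
        distinct = len(self.counts[client])
        if distinct > self.budget:
            self.flagged.add(client)
        return distinct


def scan(lines, window=WINDOW_SECONDS, budget=DISTINCT_BUDGET):
    """Run the detector over log lines; returns sorted client ids that exceeded the budget."""
    det = EnumerationDetector(window, budget)
    for line in lines:
        det.observe(*parse_line(line))
    return sorted(det.flagged)


# Constructed sample log: 'phone-a' syncs the same 60-entry address book twice (normal);
# 'bot-b' resolves 400 different (fictional 555) numbers within minutes (enumeration pattern).
SAMPLE_LOG = [f"{1000 + i} phone-a +1555000{i % 60:03d}" for i in range(120)]
SAMPLE_LOG += [f"{2000 + i} bot-b +1555100{i:03d}" for i in range(400)]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, budget=100))  # ['bot-b']
```

A real deployment would pair this with a per-client response cap, so that a flagged client stops receiving profile data instead of merely being logged.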
I know people are quoting him often, I mean, I do it all the time, but he’s right. Edward Snowden once noted: arguing you have nothing to hide is like saying you don’t care about free speech because you have nothing to say. In the digital world, having a stranger follow you around a mall and watch what you buy would be creepy. Online, however, we’ve accepted that a US corporation knowing exactly who communicates with whom, and when, is just "the price of free."
Something Else Happened This Week At OpenAI
Then, there was the email many of you (and I) received this morning from OpenAI. The subject line might as well have been "Oops."
The AI giant admitted that user data from their API platform was exposed. The culprit? Not OpenAI themselves, but Mixpanel, a third-party analytics provider they used. The email was a masterclass in corporate damage control:
"Transparency is important to us, so we want to inform you about a recent security incident... This was not a breach of OpenAI’s systems."
When you centralize your infrastructure and chain together a dozen SaaS vendors, you are only as secure as the weakest link in that chain. In this case, that link snapped, exposing names, emails, user IDs, and coarse location data of API users.
For a company that is currently trying to build the intelligence that will reshape humanity, relying on a third-party tracking script that gets pwned is, frankly, embarrassing. It highlights the fragility of the "modern" web stack. We build towering castles on foundations made of other people's APIs.
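The practical lesson is that a vendor can only leak what you hand it. As an added example (not OpenAI's or Mixpanel's code), this filter sits between an application and its analytics SDK: it allowlists event properties, replaces the user id with a keyed pseudonym the vendor cannot reverse or join with other data, and withholds anything that looks like an e-mail address even inside an allowed field. The allowlist, pepper and event shape are assumptions.

```python
import hashlib
import hmac
import re

# Assumed policy: only these event properties may leave for the analytics vendor.
ALLOWED = {"event", "endpoint", "model", "status", "plan"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
# Assumed server-side secret; rotate it and never ship it to the vendor.
PEPPER = b"server-side-secret-never-shared-with-vendor"


def pseudonym(user_id, pepper=PEPPER):
    """Keyed hash: a stable id for the vendor that cannot be reversed to the real user id."""
    return hmac.new(pepper, user_id.encode(), hashlib.sha256).hexdigest()[:24]


def minimize(raw):
    """Return (vendor_event, dropped_fields) for one raw analytics event."""
    out, dropped = {}, []
    for key, value in raw.items():
        if key == "user_id":
            out["distinct_id"] = pseudonym(value)
        elif key in ALLOWED and not (isinstance(value, str) and EMAIL_RE.search(value)):
            out[key] = value
        else:
            dropped.append(key)      # names, e-mails, location, IPs never leave
    return out, dropped


# Constructed leaky event of the kind an analytics SDK collects by default.
LEAKY_EVENT = {
    "event": "api_call", "endpoint": "/v1/example", "model": "example-model",
    "status": 200, "plan": "pro", "user_id": "user_123",
    "name": "Ada Example", "email": "ada@example.com",
    "city": "Berlin", "country": "DE", "ip": "203.0.113.7",
}

if __name__ == "__main__":
    vendor_event, dropped = minimize(LEAKY_EVENT)
    print(vendor_event)
    print("withheld:", dropped)  # withheld: ['name', 'email', 'city', 'country', 'ip']
```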
Please Direct Your Attention To The German Mittelstand For A Second.
These incidents are not anomalies; they are the standard operating procedure of Web 2.0. Centralized systems are essentially massive honeypots. They collect data in silos, creating single points of failure that are irresistible to attackers. When you store the data of 3.5 billion people in one place (or one network of servers), you aren't building a service; you are building a target.
I want to talk about the German Mittelstand briefly. Recent figures from Bitkom paint a dystopian picture of our economic backbone. According to their 2025 data, 81% of German companies are heavily dependent on US digital imports, with nearly half admitting they couldn't survive for more than 12 months if access to US cloud services was cut off. We are talking about the hidden champions, the machine builders, the specialized service providers—entities that have spent the last decade migrating en masse to the "Cloud." And by "Cloud," we usually mean Amazon Web Services (AWS) or Microsoft Azure.
This dependency is bordering on insanity. We have handed over the keys to our digital factories, our communication channels, and our intellectual property to a handful of US tech giants. As noted in my research on the "Digital Awakening," there is a strange dissonance in Europe: We regulate the "bad guys" (US Tech) with laws like the AI Act or GDPR, yet our institutions and businesses rely on Microsoft 365 and Google for their daily survival.
If Microsoft (or Mr. 45/47) has a bad day, Germany stays home. If AWS pulls the plug (or gets breached), our supply chains collapse. We are sitting on a time bomb, fueled by our most sensitive data, and we are paying American corporations a monthly subscription fee to hold the detonator.
Side note: I am not sure anymore how many times I have written that last sentence in the last couple of years. Should I put it in ALL CAPS OR WHAT?!
Sovereignty Is The Key To Our Digital Survival.
So, what is the alternative? Is it going back to pen and paper? No. The alternative is true digital sovereignty. And that doesn't mean building a "German Facebook." It means rethinking the architecture of the internet itself.
The EU Data Act is pushing us in this direction, demanding data access, portability, and interoperability by September 12, 2025. The regulation targets both companies and state institutions to harmonize data traffic and foster innovation. But regulation alone isn't enough; we need the tools to comply.
The only way to be technologically compliant is through a decentralized approach. The architecture needs to ensure interoperability and data sovereignty without needing a central cloud. Traffic is handled by all devices in a network, which also acts as a fail-safe mechanism of sorts: if one server is down, you’re simply rerouted. None of this is new. We have the technological means at hand to protect ourselves against the looming digital armageddon, excuse my dramatic language. Kinda need to get creative with the phrasing since I feel like I write the same article every damn week.
Never mind. The clock is ticking, time is running out. And so on, and so forth.
Okay, let me try to end on a positive note here:
I’ve been to countless events in ’24 and ’25, I’ve spoken to countless people from various industries and domains. They all know about these problems. And they’re working their asses off to make a better digital future a reality. What scares us also unites us. And we mustn’t forget: They are just some Big 5. We are 3.5 billion.