CONCEPT Cited by 1 source

Non-targetability

Definition

Non-targetability is the security property that an attacker cannot target a specific user for compromise without attempting to compromise the entire system. Equivalently: attack cost scales with the size of the fleet, not with the choice of victim.

Meta states the property verbatim in the WhatsApp Private Processing 2025-04-30 post:

"An attacker should not be able to target a particular user for compromise without attempting to compromise the entire Private Processing system."

And, as a direct operational consequence:

"We seek to eliminate the viability of targeted attacks via routing sessions through a third-party OHTTP relay to prevent an attacker's ability to route a specific user to a specific machine."

Why it's a first-class property

Standard security properties — confidentiality, integrity, availability — are per-message or per-session. Non-targetability is per-user across time: it asks whether an attacker with some compromise capability can spend it on a chosen individual.

Without non-targetability, a compromised host is a per-target weapon: route victim V to compromised host H, read V's plaintext. With non-targetability, the compromise capability becomes a fleet-scale weapon: the attacker has to compromise all hosts (or at least all routing paths) to catch any particular user. That is a categorically different economic problem — and in well-designed confidential-computing fleets, one that can be made prohibitively expensive.

Structural mechanisms

Non-targetability is typically built by removing the attacker's ability to learn who is calling AND where they were routed, at any single choke point:

  1. OHTTP through a third-party relay — the provider's gateway never sees the client IP, so it cannot select routing based on who the caller is.
  2. Anonymous credentials — the application-layer authentication does not re-identify the caller, so the inner request cannot be re-mapped back to a user.
  3. Attested-identity session keys — the client's session key is bound to the TEE binary, not to any particular host, so a malicious operator substituting a different host at routing time causes attestation to fail.
  4. Load-balancing opacity — the provider's load balancer cannot deterministically steer a known user to a chosen host because it doesn't know who the user is.

Any one of these is insufficient on its own: an account token inside an OHTTP tunnel still re-identifies the caller; non-anonymous authentication layered on OHTTP undoes the IP stripping; a TEE without attestation can be silently swapped. Non-targetability is the composed property.
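As an added illustration of why these mechanisms only work in composition (this is not code from the WhatsApp post or Meta's implementation), the following Python toy models a malicious gateway that steers a victim onto a compromised host whenever it can recognise her by source IP or by a stable account token; the fleet, host names, addresses and TEE measurement value are constructed assumptions, and the anonymous credential is a plain random token standing in for a blind-signed one.

```python
import hashlib
import secrets

# Constructed fleet of TEE hosts, one of which the attacker controls (assumption)
FLEET = ["host-0", "host-1", "host-2", "host-3"]
COMPROMISED = "host-2"
VICTIM, VICTIM_IP = "alice", "203.0.113.7"
# Expected measurement of the attested TEE binary (constructed value)
TEE_MEASUREMENT = hashlib.sha256(b"private-processing-v1").hexdigest()

def account_token(user: str) -> str:
    # Conventional bearer token: stable per user, so it re-identifies the caller
    return hashlib.sha256(user.encode()).hexdigest()[:16]

def anonymous_credential(user: str) -> str:
    # Fresh random token per request, unlinkable to `user`
    # (stand-in for a blind-signed credential; issuance is out of scope here)
    return secrets.token_hex(8)

def through_relay(src_ip: str) -> str:
    # OHTTP relay: the provider gateway only ever sees the relay's address
    return "relay.example"

class MaliciousGateway:
    """Steers to COMPROMISED whenever it recognises the victim, else round-robins."""
    def __init__(self) -> None:
        self.rr = 0
    def route(self, src_ip: str, credential: str) -> str:
        if src_ip == VICTIM_IP or credential == account_token(VICTIM):
            return COMPROMISED
        self.rr += 1
        return FLEET[self.rr % len(FLEET)]

def targeted_fraction(n: int, relay: bool, anonymous: bool) -> float:
    """Fraction of the victim's n sessions that land on the compromised host."""
    gw, hits = MaliciousGateway(), 0
    for _ in range(n):
        src = through_relay(VICTIM_IP) if relay else VICTIM_IP
        cred = anonymous_credential(VICTIM) if anonymous else account_token(VICTIM)
        hits += gw.route(src, cred) == COMPROMISED
    return hits / n

def client_accepts(host_measurement: str) -> bool:
    # Attested session key: the client completes the session only if the host's
    # measurement matches the expected binary, so a silently swapped host fails
    return host_measurement == TEE_MEASUREMENT

if __name__ == "__main__":
    for relay, anon in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"relay={relay!s:5} anonymous={anon!s:5} -> {targeted_fraction(100, relay, anon):.2f}")
    print("swapped host accepted:", client_accepts(hashlib.sha256(b"other-binary").hexdigest()))
```

Only with both the relay and anonymous credentials does the victim land on the compromised host at the fleet's base rate (1 in 4 here) rather than every time, and a host presenting a different measurement is rejected before any session key is established.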

Distinguishing sibling properties

  • concepts/unlinkability — two events cannot be correlated to the same user. Necessary but not sufficient for non-targetability (you can be unlinkable between sessions yet still routable to a specific host within a session).
  • Anonymity — identity is unknown. Stronger than unlinkability, weaker than non-targetability when the attacker can still manipulate routing.
  • Blast radius containment — limits damage per compromise. Non-targetability makes the targeted case economically expensive; blast-radius makes the achieved case less harmful.

Canonical wiki instance

WhatsApp Private Processing is the first canonical wiki instance of non-targetability as a named, structurally-realised property. The 2025-04-30 post layers OHTTP + anonymous credentials + attestation-against-ledger to eliminate each re-identification + route-selection channel an attacker would need.
