Why is there a hole in its encryption?

Written by Kamil Arli

A vulnerability has been found within Facebook’s secure messaging service WhatsApp, which would allow the company and third parties such as government agencies to intercept and read supposedly encrypted and private messages.

What is WhatsApp?

WhatsApp is a free messaging and calling service that uses the internet to deliver communications. It is used by over 1 billion people across the world including in countries with oppressive regimes. It was bought by Facebook in 2014 for $22bn (£18bn) and implemented end-to-end encryption in April 2016.

What is end-to-end encryption?

Anything said between users with end-to-end encryption (E2EE) is guaranteed to be private during transit, unless there’s a backdoor to the encryption.


What is a backdoor?

A backdoor to a technology such as encryption is simply a way for a third party to access something secure without the primary parties being aware. In this case, it is a way for a third party such as WhatsApp to read encrypted messages that are supposedly secure against interception.

Your security technology is only as strong as the weakest link. The introduction of a backdoor is the weak link.

What has WhatsApp done?

The Signal encryption protocol has no known weaknesses if it is implemented correctly. WhatsApp has implemented a backdoor into the Signal protocol, giving itself the ability to force the generation of new encryption keys for offline users and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

This means that WhatsApp could generate keys known to itself or a third party, and therefore intercept and read apparently encrypted messages without the sender’s or recipient’s knowledge.
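The sender-side behaviour described above can be modelled in a few lines. This is an added illustration, not WhatsApp's or Signal's code: the class, the policy names "auto" (silent re-encrypt and resend) and "hold" (wait for the user to verify the new key), and the keys are assumptions constructed for the example, and appending to `wire` stands in for encrypting to a key.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short digest of a public identity key, used for pinning."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class SenderClient:
    policy: str                                   # "auto" or "hold" (assumed names)
    pinned: dict = field(default_factory=dict)    # contact -> pinned fingerprint
    pending: dict = field(default_factory=dict)   # contact -> undelivered plaintexts
    held: dict = field(default_factory=dict)      # contact -> messages awaiting approval
    wire: list = field(default_factory=list)      # (fingerprint, plaintext) sent so far

    def send(self, contact: str, key: bytes, text: str) -> None:
        fp = fingerprint(key)
        self.pinned.setdefault(contact, fp)       # trust on first use
        self.pending.setdefault(contact, []).append(text)
        self.wire.append((fp, text))              # stands in for "encrypt to key"

    def mark_delivered(self, contact: str) -> None:
        self.pending[contact] = []

    def on_key_change(self, contact: str, new_key: bytes) -> list:
        """Handle a server-announced identity key; return what was re-sent."""
        new_fp = fingerprint(new_key)
        if new_fp == self.pinned.get(contact):
            return []
        undelivered = self.pending.get(contact, [])
        if self.policy == "hold":
            # Keep the old pin; nothing leaves until the user verifies the key.
            self.held[contact] = list(undelivered)
            return []
        self.pinned[contact] = new_fp             # silent re-pin
        resent = [(new_fp, m) for m in undelivered]
        self.wire.extend(resent)
        return resent

def simulate(policy: str) -> list:
    """Constructed scenario: one delivered message, one undelivered, then a key change."""
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    alice = SenderClient(policy)
    alice.send("bob", old_key, "hello")
    alice.mark_delivered("bob")
    alice.send("bob", old_key, "meet at 6")       # Bob offline: never marked delivered
    return alice.on_key_change("bob", new_key)
```

Under "auto" the undelivered message goes out again under the new key with no user decision; under "hold" it stays queued and the original pin is kept.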


Why is it like it is?

WhatsApp says that it implemented the backdoor to aid usability. If the backdoor is not in place, messages sent to an offline user, who then changes their smartphone or has to re-install WhatsApp and in doing so generates new security keys for themselves, would remain undelivered once the user comes back online.

A WhatsApp spokesperson told the Guardian: “In many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”

Should I be worried?

Unlike with most of Facebook’s other messaging and social media services, this vulnerability is unlikely ever to be used for profiling for advertising purposes. The burden of intercepting messages is likely too high to be cost-effective.

But the same cannot be said for government agencies and actors. A way into a supposedly secure, end-to-end encrypted, private messaging service could be a “goldmine” for surveillance purposes and is “a huge betrayal of user trust”, according to privacy advocates.


The amount of private information sent knowingly or unknowingly through WhatsApp could be vast, and it is therefore a very attractive target for surveillance.

Should I stop using WhatsApp?

If you use WhatsApp as a way to avoid government surveillance due to its end-to-end encryption service, you should stop using it immediately.

Facebook and WhatsApp could be compelled to give government agencies such as GCHQ and the US National Security Agency access to users’ messages.

What are the alternatives?

There are several alternatives to WhatsApp that use encryption to secure communications against interception. The most recommended is Signal, which was developed by Open Whisper Systems and is the namesake of the Signal E2EE protocol.

It is used and recommended by NSA whistleblower Edward Snowden, and is considered the gold standard for private messaging. It does not have the same backdoor into the E2EE as WhatsApp, and is available for Android and iOS.

About the author


Kamil Arli

Editor of DigitalReview.co. Digital Media Consultant
