WhatsApp Encryption Ups Privacy Ante

WhatsApp on Tuesday told its 1 billion users that their communications would be better protected from prying eyes with end-to-end encryption.

The company always has made data and communication security a priority, according to Jan Koum and Brian Acton, the founders of WhatsApp, which Facebook bought for US$19 billion in 2014.

“From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end to end encrypted by default, including group chats,” they wrote in a blog post.

Signal Protocol

WhatsApp’s end-to-end encryption is accomplished through the use of the Signal Protocol, developed byOpen Whisper Systems.

The company has been working with WhatsApp for a year to integrate the technology with all the platforms WhatsApp works on, including chats, group chats, attachments, voice notes and voice calls across Android, iPhone, Windows Phone, Nokia S40, Nokia S60, BlackBerry and BB10.

During the transition period while users upgrade to the new version of WhatsApp, there will be some unencrypted text, also known as plaintext, on the system, said Moxie Marlinspike, a member of Open Whisper’s management team.

“To make this transition as clear as possible,” he said, “WhatsApp clients notify users when their chats become end to end encrypted.”

User Alerts

Starting Tuesday, WhatsApp users began seeing notices on their conversation screens, as well as under a chat’s preference screen, when an individual or group chat is end to end encrypted.

“Once a client recognizes a contact as being fully e2e capable, it will not permit transmitting plaintext to that contact, even if that contact were to downgrade to a version of the software that is not fully e2e capable. This prevents the server or a network attacker from being able to perform a downgrade attack,” Marlinspike said.

The Signal Protocol has more than a billion monthly active users worldwide, he added.

“Over the next year,” Marlinspike added, “we will continue to work with additional messengers to amplify the impact and scope of private communication.”

Appropriate Response

More companies should emulate WhatsApp’s attitude toward encryption, maintained Richard Stiennon, chief research analyst atIT-Harvest.

“It’s the appropriate response of vendors of communication tools that need privacy,” he told TechNewsWorld.

“It pushes the care and feeding of the encryption keys to the users. That offloads discovery and all the hassles with requests from law enforcement to decrypt captured data,” Stiennon said.

“It’s the only economically viable solution for anyone who does this,” he added.

Conflicting Interests

Although WhatsApp recognized that end-to-end encryption can be a barrier to effective law enforcement, Koum and Acton defended the company’s use of the technology, asserting that efforts to weaken encryption risk exposing users’ information to abuse from cybercriminals and rogue countries.

“While WhatsApp is among the few communication platforms to build full end-to-end encryption that is on by default for everything you do, we expect that it will ultimately represent the future of personal communication,” the pair added.

If that happens, however, confrontations between tech companies and law enforcement agencies likely will escalate.

“We’re definitely going to see more incidents,” said Matthew Green, a professor specializing in cryptography atJohns Hopkins University.

“Law enforcement is hugely dependent on wiretaps,” he told TechNewsWorld. “Since we’ve only begun to see data encrypted, we’re only at the beginning of this controversy.”

Imperfect Protection

While end-to-end encryption is a strong measure to protect privacy, the messages of WhatsApp users still can be exposed in other ways, warned Cris Thomas, a strategist withTenable Network Security.

“If you’re using an unencrypted iCloud backup or someone has access to your Android device, your messages are still readable,” he told TechNewsWorld.

End-to-end encryption is akin to transporting valuables in an armored car, Thomas said. “The messages while in transit are secure, but the endpoints are still vulnerable.”

In addition, although WhatsApp can’t decrypt the data on users’ phones, it still has the metadata about their activity — their phone numbers, who they messaged and when they message them.

“All of that is still subject to subpoena,” Thomas said. “It’s just the content that is now protected.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels