WhatsApp locks in security with encryption of messages

In late March, the debate over data privacy between tech firms and governments looked like it was dying down for the time being.

Six weeks into its bitter public row with Apple, the US FBI announced that it had, after all, found a way to access the iPhone of the San Bernardino gunman Syed Rizwan Farook.

The bureau dropped its case against Apple and it appeared as if the heated public debate about data encryption and online privacy that had gripped the tech community and a fair proportion of the general public was about to slip off newspaper front pages, and out of the public consciousness, at least for a while.

The respite was short-lived, however. Just over a week later, WhatsApp users started getting the following notification message:

“Messages you send to this group are now secured with end-to-end encryption. Tap for more info.”

With no warning, WhatsApp announced on April 5 that it had turned on full end-to-end encryption for all communications over its network.

“The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to,” said WhatsApp’s founders Jan Koum and Brian Acton in a blogpost announcing the move.

“No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.”

By rolling out end-to-end encryption for its vast user base, WhatsApp has thrown down the gauntlet on behalf of the tech industry, as disputes over online privacy with government agencies around the world become more heated.

End-to-end encryption for messaging services is not a new phenomenon; WhatsApp began offering the feature for users of its Android app in November 2014. And the feature is already available via a series of messaging apps including Telegram, ChatSecure and Signal, the personal choice of the US National Security Agency whistleblower Edward Snowden.

But what makes WhatsApp’s move this month so important is the sheer number of people affected. The messaging service, launched just six years ago, now has more than 1 billion regular users around the world.

And while WhatsApp can still provide metadata to authorities (including the identities of people receiving messages and the date and time of communication), every single message sent over the most recent version of the software is now encrypted end-to-end.

“It’s big news because it has brought encryption to the masses,” says the UK-based online security expert Graham Cluley.

“By turning the feature on by default and being so transparent about what they’re doing they are helping the average Joe realise the benefit of encryption. In short, encryption isn’t just for boffins and nerds [anymore].”

Of course, Messrs Koum and Acton did not mention that non-oppressive regimes and law enforcement agencies trying to prevent criminal acts cannot see inside those messages either. And that might prove to be a bit of a problem, with the relationship between tech companies and governments becoming increasingly fraught.

Even before its April 5 move, WhatsApp found itself in trouble with authorities eager to tap into the contents of messages across its network.

Last month police in Brazil arrested Diego Dzodan, the vice president of Facebook for Latin America, after WhatsApp, which was bought by Facebook in 2014 for US$22 billion, allegedly failed to comply with a court order to hand over messages relating to a drug investigation.

“WhatsApp cannot provide information we do not have,” the messaging service said following Mr Dzodan’s arrest (he was released 24 hours later), suggesting that the messages authorities sought were sent via end-to-end encryption, and were therefore unreadable by anyone other than the sender and receivers.

And WhatsApp’s new encryption protocols have already been raising eyebrows in India, one of the service’s largest markets.

Local regulations stipulate that private companies offering communications services are only permitted to offer 40-bit encryption or lower (WhatsApp’s new service uses 256-bit encryption), unless they receive explicit permission to do so from the authorities.

Once such permission is granted, messaging services offering higher than 40-bit encryption are required to hand over decryption keys to the authorities. As in the Brazilian case, WhatsApp may plead that such keys do not exist, and therefore cannot be handed over to authorities or anyone else.

BlackBerry, meanwhile, has for many years been at the centre of the privacy dispute between the tech world and governments; its BlackBerry Enterprise Server was for many years the most secure mainstream communications solution available.

Most recently, the company announced in November that it was exiting the Pakistan market, after receiving demands from authorities for official access to the company’s encryption systems. The government eventually relented in January, enabling BlackBerry to continue operating.

Many will, of course, remember how BlackBerry’s services were nearly outlawed in the UAE and Saudi Arabia in 2010, with regulators citing security concerns about the use of BlackBerry Messenger and other services.

The UAE’s Telecommunications Regulatory Authority did not respond to requests for comment on whether WhatsApp’s higher encryption standards would affect whether the messaging service is allowed to continue operating in this country.

Following WhatsApp’s move, Microsoft has become the latest tech firm to take the fight to the authorities.

Last Thursday the software behemoth announced it was suing the US government, over the right to notify its customers of authorities’ requests to access their private data.

“We believe that, with rare exceptions, consumers and businesses have a right to know when the government accesses their emails or records,” said Microsoft’s chief legal officer Brad Smith in a blogpost last week.

“Yet it’s becoming routine for the US government to issue orders that require email providers to keep these types of legal demands secret. We believe that this goes too far and we are asking the courts to address the situation.”

Such moves by Microsoft and WhatsApp are only likely to intensify the debate over online privacy and government oversight for years to come.

