A new update to the Android version of WhatsApp includes an unexpected but pleasant surprise: end-to-end encryption that is enabled by default.
WhatsApp has a chequered past when it comes to privacy.
Despite co-founder Jan Koum’s understandable desire to protect the privacy of users’ communications, the company has previously been investigated over claims it violated privacy acts in both Canada and The Netherlands, has received criticism over poor implementation of cryptography, and has been pulled up over the way it communicated with Google Maps.
Now, however, the Facebook-owned chat app has partnered with Open Whisper Systems, and will be using software called TextSecure to encrypt WhatsApp messages.
Even though the move is described by Open Whisper Systems as “the largest deployment of end-to-end encrypted communication in history,” it isn’t yet all-encompassing.
For now, as the name TextSecure suggests, only text messages sent by WhatsApp users will be encrypted, and only on Android.
Photos, videos and group messages are not currently covered by encryption, and the company says it is still working on the verification required to identify the recipient of each message, meaning man-in-the-middle attacks are still a possibility.
The open-source TextSecure software will allow users to send messages that cannot be decrypted by WhatsApp itself, even if law enforcement comes knocking with a warrant. Instead, only the sender and receiver of a message will have the key.
Additionally, the encryption provides forward secrecy by using new AES keys for each message. An attacker who recovers the key for one message won’t be able to use that knowledge to decrypt any others.
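To make the per-message key idea concrete, here is an added sketch of a simplified hash-chain key schedule; it is not TextSecure's or WhatsApp's code. The labels, class and function names and the shared secret are assumptions made up for the illustration, and it derives 32-byte keys only, leaving the AES step out.

```python
import hashlib
import hmac

MSG_LABEL = b"\x01"    # assumed label: derive a message key from the chain key
CHAIN_LABEL = b"\x02"  # assumed label: advance the chain key

def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

class ChainRatchet:
    """One direction of a conversation; both ends start from the same secret."""

    def __init__(self, shared_secret: bytes):
        self._chain_key = _kdf(shared_secret, b"chain-init")

    def next_message_key(self) -> bytes:
        message_key = _kdf(self._chain_key, MSG_LABEL)
        # Overwrite the chain key so the value that produced this key is gone.
        self._chain_key = _kdf(self._chain_key, CHAIN_LABEL)
        return message_key

    def snapshot(self) -> bytes:
        """What a dump of the current state would hand to an attacker."""
        return self._chain_key

def derivable_from(material: bytes, steps: int) -> set:
    """Every key computable by running the chain forward from `material`."""
    found, ck = set(), material
    for _ in range(steps):
        found.add(_kdf(ck, MSG_LABEL))
        ck = _kdf(ck, CHAIN_LABEL)
        found.add(ck)
    return found

def demo() -> dict:
    secret = b"constructed shared secret for the demo"
    sender, receiver = ChainRatchet(secret), ChainRatchet(secret)
    sent = [sender.next_message_key() for _ in range(5)]
    received = [receiver.next_message_key() for _ in range(5)]
    from_key = derivable_from(sent[2], 10)              # one message key leaks
    from_state = derivable_from(sender.snapshot(), 10)  # device state leaks
    future = sender.next_message_key()
    return {
        "in_sync": sent == received,
        "all_distinct": len(set(sent)) == 5,
        "key_leak_exposes_others": any(k in from_key for k in sent + [future]),
        "state_leak_exposes_past": any(k in from_state for k in sent),
        # This bare chain does not recover from a state leak on its own.
        "state_leak_exposes_future": future in from_state,
    }

if __name__ == "__main__":
    print(demo())
```

A leaked message key leads nowhere because HMAC-SHA256 is one-way, and a later dump of the device state cannot be run backwards to the keys of messages already sent.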
In a blog post published yesterday, Open Whisper Systems revealed it had been working with WhatsApp for the last six months, but pointed out that it still has some way to go in terms of supporting any platform but Android.
In the meantime, the only other comparable messaging system is Apple’s iMessage.
Apple says that communications via iMessage are “protected by end-to-end encryption so no one but the sender and receiver can access them. Apple cannot decrypt the data.”
While the WhatsApp encryption rollout may prove popular with users, the various surveillance agencies of the world are unlikely to be quite so chuffed about it.
In a speech last month, FBI Director James Comey said law enforcement is “struggling to keep up” with criminals who employ encryption, bemoaning the fact that large companies such as Apple and Google were now providing such technology enabled by default.
Lastly, I do wonder about Facebook’s motives in enabling such encryption in WhatsApp.
After spending $19 billion on its acquisition, surely those millions of messages being sent every day offered the company a great opportunity for data mining or tailoring ads to its users, so why is it giving that away so easily?
Maybe, just maybe, Facebook sees the adoption of end-to-end encryption on WhatsApp as an opportunity to improve its own place in the public’s opinion of its privacy practices?