Recommended reading

Whatsapp End-To-End Encrypted Messages May Be Next Privacy Battleground

News
By published

The U.S. Department of Justice seems to already be eyeing the next major fight against encryption, and this time its target is Whatsapp, due to its adoption of end-to-end encryption.

How Whatsapp Got End-To-End Encryption

In 2014, Whatsapp quietly adopted the same end-to-end encryption mechanism that TextSecure(now Signal) used at the time. It was only implemented for texts (Whatsapp didn’t support voice calls then) and only worked between Android devices.

Whatsapp has a billion users, the vast majority of which are outside of the U.S., where most people use Android devices, so this was a major benefit. In a way, it’s almost surprising that Whatsapp would be allowed to use end-to-end encryption, which doesn’t even let the company itself see the conversations of its users.

It’s also surprising because Whatsapp was bought by Facebook the same year it adopted end-to-end encryption, and Facebook isn’t exactly known to be a strong defender of privacy -- at least not at the cost of its own monetization strategies (which include data-mining users’ conversations, among other things).

However, Whatsapp seems to have remained relatively autonomous within Facebook so far, which may have allowed its team to keep end-to-end encryption for so long, despite the likely many complaints from governments all over the world.

Whatsapp’s founder, Jan Koum, has talked before about having to flee Ukraine with his mother, decades ago, when the country was under more oppressive and anti-semitic leadership. Therefore, he must understand the real dangers of making communications easily interceptable by governments.

Higher Adoption Of End-To-End Encryption

Before it decided to adopt end-to-end encryption, Whatsapp also began seeing rapid growth of one of its competitors, Telegram, which was promising open source clients and end-to-end encryption. Telegram has its own flaws, including not using end-to-end encryption by default, and using peculiar encryption schemes, but millions of people have bought into the idea of a more secure Whatsapp alternative.

If Whatsapp was considered insecure, likely many millions more would jump ship to Telegram, Signal, Wire, or other messengers that have also adopted end-to-end encryption in the past couple of years. Therefore, at this point, it’s not just about Whatsapp trying to defend its users’ right to privacy, but also about potentially losing those users to the competition. Loyalties to instant messengers have been quite fickle in the past.

This could be why even as the DoJ is preparing to start a big fight between the U.S. government and Whatsapp, the company is rumored to ramp up the adoption of end-to-end encryption to include phone calls.

Signal, which shared its text end-to-end encryption with Whatsapp, has been using end-to-end encryption from the day it appeared on the iOS app store, but it was also doing so years earlier, when it was called RedPhone on the Android app store. Therefore, it makes sense for Whatsapp to adopt its voice encryption protocol, as well.

DoJ Makes Whatsapp Its Next Target

The DoJ is already fighting Apple in the San Bernardino case and (other cases) over the company’s strong encryption and security protections that currently exist in iOS. That fight could determine whether the U.S. government gets the power to compel any company to create and then send malicious software that would disable security protections or the encryption of various applications and services.

The DoJ may wait until that case concludes before it decides what to do in another case involving end-to-end encrypted Whatsapp messages. So far, the DoJ has already obtained a wiretap order, which only compels the company to give the data to law enforcement as-is. However, after that, the DoJ can also ask for another order requiring “technical assistance” from the Whatsapp team to help decrypt those messages.

If the messages were indeed end-to-end encrypted, then there won’t be anything left for Whatsapp to do. Once the messages are encrypted end-to-end, they can only be decrypted by the people in that conversation. However, if the DoJ wins the case against Apple, it could try to compel Whatsapp to disable the end-to-end encryption between two suspects who may still be communicating. Then, the DoJ could intercept their future conversations.

Whatsapp’s encryption already has a security design flaw in that it doesn’t allow users to verify themselves cryptographically, the way you can do in Signal. If it did, then users who verified themselves would notice when something is wrong. However, as it is, Whatsapp could remove their end-to-end encryption, and the people conversing would not know about it.

If Whatsapp upgrades its encryption soon, this verification feature should be a priority, before the DoJ can argue that Whatsapp only adopted it to stop one of its ongoing wiretaps.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on FacebookGoogle+, RSS, Twitter and YouTube.

TOPICS
Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
16 Comments Comment from the forums
  • tom10167
    Faulting Telegram for not defaulting to E2E is something I'd expect to read from a Signal tweet. You open the app and you can either start a chat or start a secret chat, it's not like you need to dig through settings to check some obscure box.
    Reply
  • jasonkaler
    Not allowing encryption in whatsapp is a bit like gun control. It will only prevent legitimate use of a security measure, while the bad guys get their guns/comm app from somewhere else.
    Reply
  • uglyduckling81
    Not allowing encryption in whatsapp is a bit like gun control. It will only prevent legitimate use of a security measure, while the bad guys get their guns/comm app from somewhere else.
    Yeah that's the same argument we had from gun lobbyists in Australia before gun control happened. Then we implemented it and guess what... Not another mass killing in Australia since. Very little gun crime at all actually.
    Taking away guns doesn't increase gun crime and violence it reduces it, and reduces it dramatically.
    Australia proved it works so there is no point arguing against it.
    Reply
  • abbadon_34
    Not allowing encryption in whatsapp is a bit like gun control. It will only prevent legitimate use of a security measure, while the bad guys get their guns/comm app from somewhere else.
    Yeah that's the same argument we had from gun lobbyists in Australia before gun control happened. Then we implemented it and guess what... Not another mass killing in Australia since. Very little gun crime at all actually.
    Taking away guns doesn't increase gun crime and violence it reduces it, and reduces it dramatically.
    Australia proved it works so there is no point arguing against it.

    Wait a sec, so you are arguing AGAINST ENCRYPTION ?
    Reply
  • uglyduckling81
    Absolutely not. I'm just answering the inclusion of gun control into the reference material. Encryption should be made mandatory as far as I am concerned
    Reply
  • jasonkaler
    17662313 said:
    Not allowing encryption in whatsapp is a bit like gun control. It will only prevent legitimate use of a security measure, while the bad guys get their guns/comm app from somewhere else.
    Yeah that's the same argument we had from gun lobbyists in Australia before gun control happened. Then we implemented it and guess what... Not another mass killing in Australia since. Very little gun crime at all actually.
    Taking away guns doesn't increase gun crime and violence it reduces it, and reduces it dramatically.
    Australia proved it works so there is no point arguing against it.

    On the original topic of encryption: Would it still work if guns were freely available?
    I doubt it. removing encryption from whatsapp will not prevent encrypted communication.
    I also seriously doubt government officials are allowed to use non-encrypted channels.

    On gun control: Germany implemented gun control in 1938. This was followed by the execution of 11 million people.
    it wouldn't have been possible to march people off like sheep if they had the ability to fight back.
    As far as I know, Australia does not have any form of world domination agenda. Other countries do!

    The underlying question is: What is the intention behind the law?
    Reply
  • aldaia
    Despite that I'm a firearm owner and user, I'm all for strong and restrictive firearms control. Encription however is an entirely different issue.

    Not allowing encryption in whatsapp is a bit like gun control.
    I've never seen someone, who makes a legitimate use of encription, kill somebody by accident or as a result of a temporary rage. However, it is very easy for a legitimate gun owner to kill somebody by accident or as a result of a temporary rage.

    Yeah that's the same argument we had from gun lobbyists in Australia before gun control happened.
    Gun lobbyists fail to understand, that gun control dosn't forbide people the use and ownership of firearms, it actually ensures a legitimate use.
    Spain has a very restrictive firearms law, and still I own a firearm. Different types of licenses are required according to the type of weapon to be used. Only licensed gun owners are allowed to lawfully acquire, possess, or transfer a firearm or ammunition, and may only have ammunition that is suitable for the intended firearm. Applicants for a gun owner’s license are required to legally prove that they have a genuine reason to possess a firearm—for example, hunting, target shooting, collection, self-defense, or security.
    In order to obtain a firearms license, the applicant must:
    1) Submit an updated criminal background check and certification of good behavior. Background checks include consideration of domestic violence records.
    2) Pass a psycological aptitude test conducted in designated medical facilities, whose physicians send a final report to the competent authorities.
    3) Undergo theoretical and practical training and testing to ensure an understanding of firearms safety and applicable legal requirements.
    I bet most gun lobbyists will fail all three :D

    Taking away guns doesn't increase gun crime and violence it reduces it, and reduces it dramatically.
    Absolutely.
    I lived in the US before moving to Spain. Americans are not inherently more violent nor more mentally inestable than Spanish. However, the rate of deaths by firearms in Spain is 0.62 per 100,000, in the US is aproximately 17 times higher, the only explanation is easy gun access.

    Reply
  • videobear
    Your arguments completely ignore the many studies that have shown that in states that have adopted concealed carry laws, crimes involving firearms have markedly decreased. When criminals know their potential victims might defend themselves, they are deterred.

    This does not, of course, address the issue of mentally disturbed people having easy access to firearms...which is is usual cause of mass shooting incidents. I am all for mental health checks, criminal background checks, and required firearms training...we don't let people use that other lethal weapon, the automobile, without training. Why not firearms? However, having passed the above, I am totally against having to show "need" to own a firearm to some government agency. If you are sane and competent, you have a right to own a firearm. At least in the USA.

    But encryption is our issue here. Here's another instance of the government wanting to curtail individual rights and invade their privacy in the name of "security." The government has yet to show where having the ability to snoop on its citizens has prevented a terrorist attack. The individual has an absolute right to privacy. If Apple and Whatsapp and others can provide that, more power to them.
    Reply
  • aldaia
    5th message and we are already playing the nazi card. We propably broke the world record of Godwin's law :D

    17662824 said:
    Germany implemented gun control in 1938. This was followed by the execution of 11 million people. it wouldn't have been possible to march people off like sheep if they had the ability to fight back.
    ?
    Things are not that simple:
    ■ In 1933, persecution of the Jews became an active Nazi policy, Jews became Untermensch
    ■ The Sturmabteilung (SA), the paramilitary Brownshirts had ample acces to weapons, that didn't prevent them from being seized and executed diring the Night of the Long Knives in 1934.
    ■ In 1935 the Reich Citizenship Law was passed. Jews where no longer German citizens. This meant that they had no basic civil rights.
    ■ In 1936, Jews were banned from all professional jobs.All this happened before implementing the 1938 gun control.

    After 1945 gun control in West Germany became even stricter than under the Nazi regime, since then no other people where executed (excepting war criminals). Today Germany is one of the safest countries in the world. The execution of 11 million people has a lot to do with a particular regime and nothing with firearms control.

    Reply
  • turkey3_scratch
    17662241 said:
    Not allowing encryption in whatsapp is a bit like gun control. It will only prevent legitimate use of a security measure, while the bad guys get their guns/comm app from somewhere else.

    There are much better measures against crime than no gun control. Things like people marrying earlier, having less parks, less teenagers working, less protein-rich diets for later puberty, increasing the drivers license age, having less people in mobility, urbanizing more areas.
    Reply