As the second WhatsApp co-founder prepares to leave Facebook, many wonder what will happen to the end-to-end encryption technology the communications service has been using for the past two years.
WhatsApp’s End-To-End Encryption Journey
WhatsApp was the first major service with over 100 million users to adopt end-to-end encryption. Unlike Google’s Allo or Facebook Messenger, which only enabled E2E encryption as an option, WhatsApp went all-in and enabled it by default for text, voice, and video calls.
The overall security and privacy of WhatsApp still wasn’t quite as good as that of Signal, whose encryption protocol WhatsApp was using. Unlike Signal, which keeps metadata collection to the absolute minimum (only the account creation date and the last login time), WhatsApp collects much more metadata and then shares it with Facebook. It’s part of the reason why WhatsApp ran into trouble in the European Union (EU).
We also know that WhatsApp doesn’t notify users by default when someone’s “security codes” have been changed (which can indicate that someone else is impersonating your friend, or that someone has changed their phone number).
Furthermore, WhatsApp seems to be able to encrypt the messages with its own keys, at will, thus breaking the end-to-end encryption protocol. The company has justified this as a convenience feature for those users that often change their SIM cards and don’t want to lose the messages they’ve received from friends while switching the cards.
Some have criticized this as being effectively a backdoor, since the company could also use this same feature to fulfill government interception requests, for instance. However, there hasn’t been any evidence that WhatsApp has been doing that so far.
Concerns That WhatsApp Will Drop E2E Encryption
According to a Washington Post report, WhatsApp CEO and Facebook board member Jan Koum is leaving the company. Koum seems to have clashed with Facebook's leadership, which seems interested in weakening the app's encryption and having it share more data with Facebook.
This conflict may have been brewing for some time, as the Washington Post said that Koum has been showing up less frequently at work. The other WhatsApp co-founder, Brian Acton, quit Facebook last fall, so he may have already been made aware of Facebook’s plans for WhatsApp.
Acton recently called on everyone to “delete Facebook,” and he also announced that he will be joining and leading the “Signal Foundation.” Acton donated $50 million of his own money to the foundation to help build “the most trusted communications experience on the planet.”
Both Koum and Acton seem to have had a distaste for advertising business models and a strong belief in privacy from the beginning. However, Facebook has been increasingly pushing WhatsApp to share more data, and giving users little choice in the matter, which has created a "culture clash" between the WhatsApp founders and Facebook's leadership.
With the two founders out of the way, Facebook may expand its plans to share WhatsApp users' data with Facebook. According to the Washington Post report, Facebook executives wanted to build new tools for businesses that would ultimately require a weakening of the app's encryption. It's not clear yet how far Facebook is willing to weaken that encryption, but we do know that the company analyzes all Facebook Messenger posts for advertising or crime prevention purposes, so something similar may come to WhatsApp.
The French government has also lost confidence in WhatsApp's security, which is why it now plans to build its own secure chat messenger with Signal-like end-to-end encryption.
According to the Washington Post’s sources, other WhatsApp employees plan to leave in November, when they can exercise their stock options under the terms made when Facebook acquired WhatsApp.