WhatsApp Makes Big Privacy Push, Enables TextSecure’s End-To-End Encryption By Default

Many have been worried about the privacy implications of Facebook buying WhatsApp. Facebook remains one of the tech companies that performs the most intensive data-mining of its users' information. WhatsApp was a chat application that its users could trust, but how can they trust it now when it's owned by Facebook?

Facebook has indeed made some progress in the privacy area lately, by increasing security of its servers against NSA attacks and adopting an .onion address within the Tor network so certain users could anonymously and securely connect to it (which could be a matter of life and death in some countries). Although it hasn't radically changed its privacy/tracking policy, Facebook also tried to make it easier to understand with a recent overhaul, so at least people know how using Facebook can affect their privacy.

Despite all of that, many may still believe it's not enough to trust either Facebook or WhatsApp with their private messages. Today, we discovered from the creators of state-of-the-art end-to-end encryption apps such as TextSecure, RedPhone (Android) and Signal (iOS) that WhatsApp has already been working with them for the past six months to implement the Axolotl protocol that provides the end-to-end encryption in TextSecure.

This move makes WhatsApp, with more than 600 million users, the biggest chat application in the world to have adopted end-to-end encryption, that is, encryption that secures messages in such a way that only the two users talking to each other can read them and no one else can, not even WhatsApp.

“WhatsApp deserves enormous praise for devoting considerable time and effort to this project. Even though we're still at the beginning of the rollout, we believe this already represents the largest deployment of end-to-end encrypted communication in history. Brian Acton and the WhatsApp engineering team has been amazing to work with. Their devotion to the project as well as their thoroughness in getting this done are inspiring in a world where so many other companies are focused on surveillance instead of privacy,” said Moxie Marlinspike, the creator of TextSecure and founder of Open Whisper Systems.

WhatsApp hasn't made any official statement about this so far and wouldn't comment to Tom's Hardware about why the company chose Open Whisper Systems' encryption protocol, but the move was likely made for several reasons: the encryption is open source, so the company can use it freely; WhatsApp trusts the cryptographers behind it to have created a solid protocol; and Axolotl, unlike the popular OTR or Silent Text's SCIMP protocol, can also do asynchronous messaging. That means that if you send someone a message while she's offline, she can still get the message later.

Facebook-owned WhatsApp seems to have managed to beat popular "privacy" apps such as Snapchat to end-to-end encryption by default (something not even Telegram has), which not many thought they'd ever see, even post-Snowden. Facebook, Google or even Microsoft, who all make money from data-mining of users' data, aren't the first companies one would expect to enable end-to-end encryption. However, hopefully this will be the beginning of a trend, and WhatsApp's move will pressure the others to adopt the same or similarly strong end-to-end encryption in their chat apps as well.

It's important to remember that while WhatsApp is adopting end-to-end encryption, unlike TextSecure, it's not open source. WhatsApp can claim it's using TextSecure's protocol, but we won't really know what's happening inside the app's code, and it will be hard to verify.

If WhatsApp allowed even yearly independent audits of its code, that would go a long way toward reassuring users about its security. It should also be interesting to see whether certain governments begin calling out WhatsApp on this move or not. If they don't, that could be seen as suspicious, because even before WhatsApp adopted end-to-end encryption, some governments (where WhatsApp doesn't have any servers) complained about not being able to intercept their citizens' messages through WhatsApp's SSL encryption.

For now, WhatsApp's end-to-end encryption only works between Android users (it's enabled already, if you're using the latest update), but WhatsApp and Moxie Marlinspike will be working to enable it on iOS, as well. They are also working on enabling end-to-end encryption for WhatsApp group chats (which TextSecure already supports), because right now it only works for one-on-one conversations.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • jackt
    Yeah! Now we're only spied on by WhatsApp and Facebook!!! Seriously, I don't know how people can use WhatsApp! And I dropped the FB app. Now I use it in the phone browser, and it works perfectly!