How Whatsapp Got End-To-End Encryption
In 2014, Whatsapp quietly adopted the same end-to-end encryption mechanism that TextSecure (now Signal) used at the time. It was only implemented for texts (Whatsapp didn’t support voice calls then) and only worked between Android devices.
Whatsapp has a billion users, the vast majority of whom are outside of the U.S., in markets where most people use Android devices, so this was a major benefit. In a way, it’s almost surprising that Whatsapp would be allowed to use end-to-end encryption, which doesn’t even let the company itself see the conversations of its users.
It’s also surprising because Whatsapp was bought by Facebook the same year it adopted end-to-end encryption, and Facebook isn’t exactly known to be a strong defender of privacy -- at least not at the cost of its own monetization strategies (which include data-mining users’ conversations, among other things).
However, Whatsapp seems to have remained relatively autonomous within Facebook so far, which may have allowed its team to keep end-to-end encryption for so long, despite what are likely many complaints from governments all over the world.
Whatsapp’s founder, Jan Koum, has talked before about having to flee Ukraine with his mother, decades ago, when the country was under more oppressive and anti-semitic leadership. Therefore, he must understand the real dangers of making communications easily interceptable by governments.
Higher Adoption Of End-To-End Encryption
Before it decided to adopt end-to-end encryption, Whatsapp also began seeing rapid growth of one of its competitors, Telegram, which was promising open source clients and end-to-end encryption. Telegram has its own flaws, including not using end-to-end encryption by default, and using peculiar encryption schemes, but millions of people have bought into the idea of a more secure Whatsapp alternative.
If Whatsapp were considered insecure, many millions more would likely jump ship to Telegram, Signal, Wire, or other messengers that have also adopted end-to-end encryption in the past couple of years. Therefore, at this point, it’s not just about Whatsapp trying to defend its users’ right to privacy, but also about potentially losing those users to the competition. Loyalties to instant messengers have been quite fickle in the past.
This could be why, even as the DoJ is preparing to start a big fight between the U.S. government and Whatsapp, the company is rumored to be ramping up its adoption of end-to-end encryption to include phone calls.
Signal, which shared its text end-to-end encryption with Whatsapp, has been using end-to-end encryption from the day it appeared on the iOS app store, but it was also doing so years earlier, when it was called RedPhone on the Android app store. Therefore, it makes sense for Whatsapp to adopt its voice encryption protocol, as well.
DoJ Makes Whatsapp Its Next Target
The DoJ is already fighting Apple in the San Bernardino case (and other cases) over the company’s strong encryption and security protections that currently exist in iOS. That fight could determine whether the U.S. government gets the power to compel any company to create and then send malicious software that would disable security protections or the encryption of various applications and services.
The DoJ may wait until that case concludes before it decides what to do in another case involving end-to-end encrypted Whatsapp messages. So far, the DoJ has already obtained a wiretap order, which only compels the company to give the data to law enforcement as-is. However, after that, the DoJ can also ask for another order requiring “technical assistance” from the Whatsapp team to help decrypt those messages.
If the messages were indeed end-to-end encrypted, then there won’t be anything left for Whatsapp to do. Once the messages are encrypted end-to-end, they can only be decrypted by the people in that conversation. However, if the DoJ wins the case against Apple, it could try to compel Whatsapp to disable the end-to-end encryption between two suspects who may still be communicating. Then, the DoJ could intercept their future conversations.
Whatsapp’s encryption already has a security design flaw in that it doesn’t allow users to verify each other cryptographically, the way you can in Signal. If it did, then users who had verified each other would notice when something is wrong. However, as it is, Whatsapp could remove their end-to-end encryption, and the people conversing would not know about it.
If Whatsapp upgrades its encryption soon, this verification feature should be a priority, before the DoJ can argue that Whatsapp only adopted it to stop one of its ongoing wiretaps.
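To make the verification point concrete, the following sketch is an added example, not code from Whatsapp or Signal. It shows how a client that remembers a contact's verified key can flag a substituted key or a silent loss of encryption, while an unverified contact gets no such signal. The `safety_number` construction, the `VerifiedContacts` class, and the sample keys are simplified assumptions for illustration and are not Signal's actual algorithm.

```python
import hashlib
import hmac


def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Digits two users can compare in person or read aloud.

    Simplified construction for illustration, not Signal's actual algorithm.
    """
    # Sort the keys so both sides derive the same digits.
    material = b"".join(sorted([key_a, key_b]))
    digest = hashlib.sha256(material).digest()
    digits = f"{int.from_bytes(digest[:16], 'big') % 10**30:030d}"
    return " ".join(digits[i:i + 5] for i in range(0, 30, 5))


class VerifiedContacts:
    """Remembers the identity key a user confirmed out of band."""

    def __init__(self, my_key: bytes):
        self.my_key = my_key
        self.pinned = {}  # contact name -> verified identity key

    def mark_verified(self, contact: str, key: bytes) -> None:
        # Called only after both users compared safety_number() themselves.
        self.pinned[contact] = key

    def check(self, contact: str, key_from_server):
        """Classify the key (or absence of one) the server presents."""
        pinned = self.pinned.get(contact)
        if pinned is None:
            return "unverified"      # nothing to compare against
        if key_from_server is None:
            return "no-encryption"   # encryption silently dropped
        if hmac.compare_digest(pinned, key_from_server):
            return "ok"
        return "key-changed"         # a different key was substituted


def demo():
    alice_key = bytes(range(32))      # constructed sample keys
    bob_key = bytes(range(32, 64))
    other_key = bytes(range(64, 96))  # a key Bob never generated
    alice = VerifiedContacts(alice_key)
    results = [alice.check("bob", other_key)]  # before verification
    alice.mark_verified("bob", bob_key)
    results += [alice.check("bob", k) for k in (bob_key, other_key, None)]
    return results
```

The first result in `demo()` is the situation the article describes: without a verified key on record, a swapped key is indistinguishable from a legitimate one.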
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.