Daily Trust

“Backdoor” in WhatsApp allows governments, others, to intercept your messages?

When WhatsApp, the most widely used app worldwide for sending texts, photos, video messages, and so on, announced end-to-end encryption of your messages last year, to safeguard them from the prying eyes of governments and others, there was a sigh of relief that your privacy would be intact. Moreover, WhatsApp’s proactivity and the company’s perceived care for consumers gave it a high score in the minds of folks. It was almost like some kind of social responsibility on the part of WhatsApp, or its current owner, Facebook.

If we go by an article published on 13 January 2017 by The Guardian, the United Kingdom newspaper, and a couple of follow-on articles, then WhatsApp might have reconsidered its professed absolute commitment to your privacy, apparently cutting some slack to institutions or individuals interested in what you send out to others from your smartphone. With the end-to-end encryption capabilities, there was the suggestion that no one, including WhatsApp, could intercept or read your messages, except the intended recipient(s). However, The Guardian says that “a security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.” The article went further to say that “Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.” For an app that made security and privacy a selling point, and has therefore attracted diplomats, political dissidents, and activists, this revelation will be shocking.

The encryption technique is basically a way of transforming your messages from a readable or audible form into a form that cannot be read or heard. This is done in a manner analogous to the use of codes to represent otherwise legible and audible contents. Decryption enables you to obtain the original (readable, audible) messages via the process of de-coding. Obviously, the code generator has the answer to the de-coding process.

According to The Guardian, WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol developed by Open Whisper Systems; these keys are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, says The Guardian, “WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.”
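The sender-side behaviour described above can be modelled as a policy choice in the client. This is an added example, not WhatsApp's or Open Whisper Systems' code: the class, its method names, the "blocking" policy and the sample keys are assumptions for illustration, and no real encryption is performed.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short digest a user could compare out of band (constructed format)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class SenderClient:
    block_on_key_change: bool                      # hypothetical policy switch
    pinned: dict = field(default_factory=dict)     # contact -> trusted fingerprint
    pending: list = field(default_factory=list)    # (contact, text) not yet delivered
    warnings: list = field(default_factory=list)   # what an opted-in user would see

    def queue(self, contact, text, current_key):
        # Trust on first use: pin the key seen when the chat started.
        self.pinned.setdefault(contact, fingerprint(current_key))
        self.pending.append((contact, text))

    def _flush(self, contact, fp):
        out = [(t, fp) for c, t in self.pending if c == contact]
        self.pending = [(c, t) for c, t in self.pending if c != contact]
        return out

    def on_key_change(self, contact, new_key):
        """Server reports a new key for a contact with undelivered messages."""
        new_fp = fingerprint(new_key)
        if new_fp == self.pinned.get(contact):
            return []
        if self.block_on_key_change:
            self.warnings.append(f"{contact}: key changed, messages held")
            return []
        # Behaviour described in the article: resend first, warn afterwards.
        resent = self._flush(contact, new_fp)
        self.pinned[contact] = new_fp
        self.warnings.append(f"{contact}: key changed, messages already resent")
        return resent

    def verify(self, contact, new_key):
        """User compared fingerprints with the contact and accepts the new key."""
        self.pinned[contact] = fingerprint(new_key)
        return self._flush(contact, self.pinned[contact])

if __name__ == "__main__":
    old, new = b"constructed-key-A", b"constructed-key-B"   # constructed sample keys
    for policy in (False, True):
        c = SenderClient(block_on_key_change=policy)
        c.queue("bob", "meet at 9", old)
        print(policy, c.on_key_change("bob", new), c.pending, c.warnings)
```

With the blocking policy nothing leaves the queue until `verify` is called, so an unverified key never receives the undelivered messages.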

The security loophole was reportedly discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, USA, who told The Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.” Boelter was said to have reported the vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian says it has verified that the loophole still exists as of less than two weeks ago!

Other IT security experts might have verified Boelter’s findings. For example, Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organization for Human Rights, was cited by The Guardian as having done so. Tor Jensen is quoted as saying “WhatsApp can effectively continue flipping the security keys when devices are offline and resending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”

The reported loophole or vulnerability within WhatsApp’s encryption, whether intentional or otherwise, would certainly appeal to government security agents all over the world, with more serious implications in oppressive governments. For WhatsApp, it could be a huge betrayal of user trust. For you, it is potentially a threat to your freedom of speech if someone can intercept your messages to grab your videos or look at what you are sending.

Facebook’s shadiness in matters of personal privacy and what the company does with the humongous data it keeps on you has been a matter of public knowledge. Note that concerns over the privacy of WhatsApp users have been repeatedly highlighted since Facebook acquired the company in 2014. Obviously, the moral of this story is that you need to be careful about what you send through your phone.
