Adding End-To-End Encryption To WhatsApp Is Great...But Not Quite As Secure As People May Think

from the human-error-is-the-intelligence-agency's-friend dept

Techdirt has just written about WhatsApp finishing the roll-out of end-to-end encryption to its billion users worldwide, including for group chats. That's obviously pretty big news. As the WhatsApp blog post announcing the move notes:

"Encryption is one of the most important tools governments, companies, and individuals have to promote safety and security in the new digital age. Recently there has been a lot of discussion about encrypted services and the work of law enforcement. While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people's information to abuse from cybercriminals, hackers, and rogue states.

"While WhatsApp is among the few communication platforms to build full end-to-end encryption that is on by default for everything you do, we expect that it will ultimately represent the future of personal communication."

That's likely, even with governments around the world muttering vague threats to weaken or backdoor crypto. And equally, there are bound to be plenty who will decry this latest move as "helping the terrorists" or "creating a safe space", with all the hand-wringing and emotional blackmail that accompanies such pronouncements. But an article in the German news magazine Der Spiegel does a great job in explaining that even with strong, end-to-end crypto, WhatsApp conversations aren't as secure as they might seem (Google Translate of original German).

Der Spiegel notes that end-to-end encryption is only available if all the participants in a conversation are using the latest version of the software. If one of them isn't, group chats will be unencrypted. That lack of consistency will make it very easy to communicate in the mistaken belief that everything is hidden, when in fact it is taking place out in the open.

That problem is unlikely to affect many chats, but the second issue raised by the German article most certainly will. Der Spiegel points out that even with strong, end-to-end encryption in place, the accompanying metadata is still leaking important information about who you are communicating with, and when. Aggregating such metadata provides hugely valuable information about your network of acquaintances, and the patterns of your life.

Indeed, message metadata is arguably even more revealing than the content, because it already comes with computer-readable tags like sender, recipient, time, etc. It also scales: with a powerful enough computer you can work out the social interrelationships of thousands or even millions of people. That's simply not possible looking at the content of messages, which needs to be parsed first -- still a difficult task for machines -- before it is analyzed en masse, also hard.
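To make the scaling point concrete, here is an added example (not from this article or from Der Spiegel) that derives a contact graph, daily activity patterns and second-degree links from nothing but sender, recipient and time. The records, names and field layout are constructed for illustration; no real service's log format is assumed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: (sender, recipient, ISO timestamp). No message content.
RECORDS = [
    ("alice", "bob",   "2016-04-04T08:05:00"),
    ("bob",   "alice", "2016-04-04T08:06:00"),
    ("alice", "bob",   "2016-04-05T08:10:00"),
    ("alice", "carol", "2016-04-05T23:40:00"),
    ("carol", "alice", "2016-04-05T23:42:00"),
    ("carol", "dave",  "2016-04-06T23:50:00"),
    ("dave",  "carol", "2016-04-06T23:55:00"),
    ("erin",  "dave",  "2016-04-07T12:00:00"),
]

def contact_graph(records):
    """Undirected edge weights: how often each pair exchanged messages."""
    edges = Counter()
    for sender, recipient, _ in records:
        if sender != recipient:          # ignore notes-to-self
            edges[frozenset((sender, recipient))] += 1
    return edges

def neighbours(edges):
    """Adjacency sets built from the edge list."""
    adj = defaultdict(set)
    for pair in edges:
        a, b = tuple(pair)
        adj[a].add(b)
        adj[b].add(a)
    return adj

def active_hours(records):
    """Per sender, a count of messages by hour of day."""
    hours = defaultdict(Counter)
    for sender, _, ts in records:
        hours[sender][datetime.fromisoformat(ts).hour] += 1
    return hours

def second_degree(adj, user):
    """People the user never messaged but who are one hop away."""
    reach = set()
    for n in adj[user]:
        reach |= adj[n]
    return reach - adj[user] - {user}

if __name__ == "__main__":
    graph = contact_graph(RECORDS)
    print(graph.most_common(1))
    print(dict(active_hours(RECORDS)["carol"]))
    print(second_degree(neighbours(graph), "alice"))
```

Each step is a single pass of counting over structured fields, which is why the same analysis extends from eight records to millions without any need to parse message text.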

Der Spiegel reminds us that even though it is based on the open Signal Protocol, WhatsApp's new encryption features are not open source. There is no way to know whether WhatsApp's parent company, Facebook, has added backdoors -- or might be forced to add them at a later date. Strong crypto doesn't provide much protection if it has been subtly and invisibly compromised.

The article also notes that end-to-end encryption does not protect you from malware that is capturing your keystrokes and sending them over the Internet, or from slips like accidentally storing a screenshot of sensitive chats. Similarly, your super-secure chat may not actually be with the person you think it is: perhaps a smartphone was stolen, or was left unattended for a while. Group chats increase the risk that there are unwanted participants listening in to supposedly secret conversations.

Individually, those points may not be huge risks. But collectively, they mean that using strong, end-to-end encryption is not a magic formula that guarantees perfect online privacy for its users. As a result, they underline once more why the increasing deployment of encryption is a boon, not a bane -- something governments should welcome for the enhanced security it brings ordinary users. In particular, they should not worry that it will make things "go dark" for intelligence services. There are so many ways encryption can -- and will -- go wrong that even in the unlikely event of terrorists using it for their communications, key information will always leak out.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Filed Under: encryption, privacy

Companies: facebook, whatsapp