In a recent TV news show on the lynching incidents in my home country, India, caused by fake news spreading over WhatsApp, a technology-savvy panelist argued that WhatsApp should hand over messages to the authorities. The conversation was roughly along the following lines:

Anchor: What do you mean?

Panelist: If Gmail can do this, why can’t WhatsApp? They have good engineers too. Gmail shows you ads according to the content of the emails and it can detect spam messages. WhatsApp should read the messages from their server and highlight the messages that may be deemed fake or provocative. They should be reported to police.

This is no fault of the panelist. It’s not always apparent how the underlying systems work (although the said panelist was called a technologist).

The noteworthy aspect of the debate is that WhatsApp is end-to-end encrypted, while Gmail is just encrypted. What this entails: when we send an email or a chat message over Gmail, it is encrypted in transit over the public internet. If a malicious hacker sniffs this message in transit, they would see random text (which is how it should be). But when the message reaches Google’s servers, Google has the keys to decrypt the contents of the email. That’s how it can detect spam and show ads in Gmail. Basically, the encryption is handled server-side.

On the other hand, with end-to-end encrypted apps like WhatsApp (among many), the difference is in the ownership of the encryption keys. WhatsApp does not own keys to decrypt messages on its servers; they are generated on-device for each message and not sent over the network. Thus the only data sent over the network and through WhatsApp’s servers is encrypted gibberish. The decryption happens on the end user’s device to which the message is addressed.

Any effort to tamper with a message in transit would render decryption useless. This is why it’s so difficult to detect spam or hate speech in WhatsApp. And that’s also why WhatsApp does not save messages on its servers. It provides a facility to back up your messages to Google Drive.
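The difference in key ownership described above, as an added Python sketch that is not from the original post and is not WhatsApp's or Signal's code: a server that holds the key can scan content, a server that only relays end-to-end ciphertext cannot, and a modified blob is rejected by the recipient. The Diffie-Hellman group, the HMAC-based cipher and all function names are toy assumptions built from the standard library; real messengers use vetted primitives.

```python
import hashlib, hmac, secrets

# Toy stand-ins built from the standard library (assumptions for illustration):
# real messengers use X25519 and an AEAD cipher, not this group or this cipher.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1   # generated on the device, never sent
    return priv, pow(G, priv, P)          # only the public half crosses the network

def shared_key(my_priv, their_pub):
    secret = pow(their_pub, my_priv, P)   # both devices arrive at the same value
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = _xor(plaintext, _stream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or message modified in transit")
    return _xor(ct, _stream(key, nonce, len(ct)))

def server_scan(blob, keys_on_server, needle):
    """Content filtering on the server works only if a key it holds opens the blob."""
    for key in keys_on_server:
        try:
            return needle in unseal(key, blob)
        except ValueError:
            continue
    return False

if __name__ == "__main__":
    msg = b"constructed sample: please forward this rumour"
    server_key = secrets.token_bytes(32)              # transit-only model
    (a_priv, a_pub), (b_priv, b_pub) = keypair(), keypair()
    e2e = seal(shared_key(a_priv, b_pub), msg)        # end-to-end model
    print(server_scan(seal(server_key, msg), [server_key], b"rumour"))  # server holds the key
    print(server_scan(e2e, [server_key], b"rumour"))                    # server only relays
    print(unseal(shared_key(b_priv, a_pub), e2e) == msg)                # recipient device
```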

People often ask how one can trust WhatsApp’s claims; after all, the source code is not open. One consolation is that the verification is done by Signal’s Open Whisper Systems.

There are obviously many technical details that have been left out of this post for reasons of brevity and simplicity.

I hope this short post clears some of the doubts around that argument. Feel free to shoot any questions at @sid_thinketh on Twitter.