Kudos & Question Marks: Our Take on WhatsApp’s Decision to Encrypt Everything


Last week, right on the heels of the Apple vs FBI showdown that’s been making headlines for over a month, WhatsApp took the tech world by storm and added fresh oil to an already hot encryption fire when it decided to enable end-to-end encryption (E2EE) for all its 1 billion users.

As of April 5, every message, every video recording, every sound recording, and every photo exchanged via the app is visible only to the parties involved in the communication and no one else. Not WhatsApp itself, not government surveillance agencies, not any potential hackers or snoopers, nobody.
Source: https://blog.whatsapp.com

Not surprisingly, the move breathed new life into the age-old privacy vs security debate and, with the Brussels attacks painfully fresh in everyone’s minds, also reignited the larger issue of national security versus individual privacy.

WhatsApp’s decision earned itself some fear-mongering headlines such as “WhatsApp locks out terror police,” as well as reprimands from US senators who stopped just short of saying that the company is responsible for future terrorist attacks:

“I strongly urge WhatsApp and Facebook to reevaluate their decision before they help facilitate another terrorist attack.”

This is what Republican Senator Tom Cotton said in a statement last week, which is pretty much like telling a car manufacturer that they need to reevaluate their decision to build a new model before they facilitate another hit and run.

In the tech world, however, WhatsApp got nothing but praise for its newly implemented E2EE. The news that it used the Signal Protocol, designed by Open Whisper Systems, for its encryption lent the move a hefty extra dose of authority and credibility, and the company was hailed as an example to follow, a true privacy trailblazer democratizing encryption by making it available to the masses.

And with good reason.

As a privacy & security company, we applaud WhatsApp’s decision to enable end-to-end encryption for all its users and we think more (all?) companies should do the same.

We also strongly oppose government-ordered backdoors and believe that stopping encryption will do about as much to put an end to terrorist attacks as wishful thinking and crossing fingers would. After all, let’s not forget that it wasn’t encryption that the Paris attackers used back in November, but plain-text SMS sent via burner phones.

So Kudos to WhatsApp for stepping up to the plate, we say. It was about time someone did and who better to do it than a company with 1 billion users all over the world?

That being said though, we have some questions. Possibly some doubts as well, but we’ll settle for the answers to these questions for now, if given a choice. So here it goes:

What about the metadata?

WhatsApp will still keep records of its users’ metadata. This means that even though the contents of a message cannot be accessed by anyone including WhatsApp itself, the phone numbers involved in the exchange, as well as the time-stamps on the messages are still being stored on the company’s servers.

This in turn means that if a court of law orders WhatsApp to share all the info it has on a particular user, the amount of metadata the company would be handing over would most likely be sufficient to create a profile and draw some strong conclusions.

Knowing who someone talked to, at what time, and how many times per day is some pretty powerful information to have, don’t you think?

And it’s not just governments who could get their hands on that data; it’s hackers, too.

So while we applaud the encryption, we fear that the metadata could poke some really big holes in users’ privacy if by legal or illegal means it ends up in the wrong hands.

What about Facebook?

Back in 2014, WhatsApp was acquired by Facebook, which, as you probably know by now, is not the most privacy-minded company out there. They make their money by serving you ads and the more they know about you, the better they can tailor those ads to your personality and behaviour as a consumer.

That’s a necessary evil in today’s hyper-competitive and saturated marketplace and — full disclosure — we have used Facebook Ads ourselves, but that doesn’t change the fact that users’ privacy is not at the top of the list for Facebook.

Which is why we’re a little bit worried about WhatsApp’s quest to provide privacy to 1 billion people.

Because at some point in the not so distant past, screenshots made public by freelance Android developer Javier Santos of a beta update for WhatsApp showed that the company was planning to ask users to “share their WhatsApp account information with Facebook to improve their Facebook experiences.” And if that were to happen sometime in the future, then Facebook would get to see all that metadata we mentioned earlier.
Source: https://plus.google.com/+JavierSantos/posts/PEdTLRS8DgK

Metadata that they could use to create an even more accurate profile on you than the one they have now by analyzing your Facebook activity alone. And then they could proceed to serve you some targeted ads with a side of invasion of privacy — just like revenge, we have a feeling this is served cold.

But even if this never actually happens and your Facebook and WhatsApp accounts remain separate, there still is the issue of Facebook’s quest to get everyone to “secure their account” by adding their phone number to it. And you know what else is associated with that phone number you’d be handing over to them? Exactly, your WhatsApp account.

So one has to wonder if Facebook’s fratboy-in-the-club-like obsession with getting your digits is just them trying to link your Facebook and WhatsApp accounts on their own, without you consenting or even knowing. Because it’s just easier that way.

Before we move on to our last question, a word of warning on the “keeping your account safe” claim that Facebook touts every time it asks for your phone number: it’s basically as if a stranger asked you to give them the key to your house to keep it safe. Not only would you be giving your house key to a complete stranger, you would also have no idea who else has a copy.

No, your phone number will not keep your account safe. It will just give Facebook another piece of very important information about you, which might or might not be shared with third parties.

Also, did you know that you’re searchable on Facebook by phone number, which can undo a lot of the privacy settings you have in place on your account? Try it, we’ll wait. And then do yourself a favour and delete your number from Facebook.

What about the money?

Right now, WhatsApp is not making any money; it has no source of revenue. In the beginning, they tried monetizing the service itself — for a very low fee. They’ve since scrapped that and are now offering the messaging app for free, all features included.

They’ll probably open up the platform to brands in the near future, but they’ve made it clear that it won’t be to help companies advertise to users. It will instead be to help users communicate with companies more easily, without the hassle of having to call, send an email, or fill out a contact form. Want to order a pizza? Send a WhatsApp to the pizza place. Want to make a dinner reservation? Just WhatsApp the restaurant. You get the point.

And while this might be a feature that the company could monetize, we can’t help but ask ourselves if that will inject enough cash into the business to keep it viable in the long run.

Which brings us back to Facebook and to wondering whether some of that ad money will make its way to WhatsApp, provided they lend a hand with the user profiles, that is.

All of this remains to be seen. WhatsApp is now under the spotlight; everyone’s eyes are on them, watching their every move, putting their claims and their encryption to the test and waiting for their next step.

Just like the rest of the world, we’re curious to see what the future brings for and from WhatsApp. Hopefully that last part will include some answers to our questions.

But whatever happens next, there is no denying that what WhatsApp did is not only a huge step forward for online privacy, but a much needed challenge for every tech company out there. They have raised the bar for everyone else. They’ve done their part and it is now our turn to step up our game in protecting users’ privacy.

We have nothing but praise for that. We have nothing to say to that but Kudos, WhatsApp!

OK, maybe we have one more thing to say: Challenge. Accepted.