I’ll try to keep this short:
Yesterday the Guardian published a breathless accusation that WhatsApp has some manner of “back door”.
My position is that the accusation is without merit, subsequent discussion highlighting that the accusation:
- describes a defensible design decision
- is “implemented” with a user-selectable “off” switch
- would be a blunt, irrational way to serve as a “back door” when control over the entire codebase provides a better opportunity.
A subsequent posting by Moxie Marlinspike at Open Whisper Systems provides a more measured explanation and contextualisation, titled “There is no WhatsApp ‘backdoor’”; Moxie notably is not only a consultant for WhatsApp but also the leading light for the tool (Signal) which critics yesterday were suggesting folk abandon WhatsApp to use.
So, why characterise the Guardian article as “fuckwittage”?
Simple: Because it conveys what we in the tech (and other?) industry call “FUD” — fear, uncertainty and doubt.
Nobody has benefitted from this article, except the author, the newspaper, and the state surveillance industry as a whole.
The Guardian article benefits the surveillance industry?
Per the above, there is no back door in WhatsApp.
We should be vigilant that perhaps some day one or other state agency will work out how to coerce or entice Facebook, Google (etc) into implementing back doors to access E2E-encrypted communications content; but if ever that happens one can be certain that it will be far better-implemented than this proposed hacky bullshit. I speak as a former Facebook engineer; when one has the whole codebase at one’s disposal, one can do marvels that would be far more subtle than the Rube Goldberg / Heath Robinson creation that the article proposes.
But where are we now?
There is international coverage casting aspersions on WhatsApp.
People are seeking alternatives, which is not innately bad, but:
- Perhaps they will give up and go back to SMS because “we heard something bad about WhatsApp a few weeks ago”.
- Perhaps they will just give up and assume that “privacy is impossible”, which is only a step away from “you have no privacy anyway, get over it”.
- Perhaps they will buy into the “Government will keep you safe from the cyber threats” rhetoric.
What is the problem?
The biggest threat to privacy comes from the meme that it is “impossible”.
The truth is that absolute privacy is impossible — just like absolute security is impossible — but when one seeks privacy or security with a concrete threat model (“I want to be secure against [this]”, “I want privacy from [that]”) then it is fairly easily achieved.
Yesterday a journalist, and a newspaper, through hubris and whatever other motive, without justification, scared a bunch of people into believing that they have no privacy, that their everyday tools are somehow conspiring against them.
It’s all very well to call for vigilance, but to misrepresent a threat?
That is the “cyber” equivalent of crying “Wolf!”