Can the Government eavesdrop on WhatsApp conversations?
At the peak of the #thisflag campaign, there were many rumors
about the government “monitoring WhatsApp chats” to find citizens who were involved in rioting and demonstrations. I wasn’t in Zimbabwe at
the time, but I could feel how real the fear was among my colleagues. Was
this paranoia justified? Let’s find out.
Just so you know, there are many ways in which a hacker can get hold of
your WhatsApp messages. This article is going to focus on what would
happen after the messages have been obtained. This does not, however,
downplay how difficult it is to obtain these messages in the first place.
You have probably heard of the term encryption, especially on your
WhatsApp conversations. In short, encryption is scrambling data in such a
way that only parties with a secret key or password can understand its
meaning. So every message transmitted on WhatsApp is translated into
‘gibberish’, and the recipient’s WhatsApp knows the secret code to decrypt the message, which then shows up in the inbox where it can be read.
To improve security further, WhatsApp no longer stores your conversations
permanently on its servers, as is the case with Facebook or your
emails. A WhatsApp message goes straight from your phone to the recipient.
If the recipient is offline, then the message is temporarily stored on WhatsApp’s servers until the recipient is back online; if it remains undelivered for a certain period of time (nearly 30 days) WhatsApp then deletes the message queue.
All this prevents anyone who might gain access to your messages during
transmission from understanding what the message is saying, as they would
need the key to decrypt the message. To get around this, hackers will try to
guess this key using a technique called brute force. A brute-force attack
simply means guessing many different passwords until one works. Each chat has
its different ‘scrambling’ method and this is only known by the sender and
the recipient client application. A good example is trying to guess the PIN
for your SIM card: because it is a 4-digit password, there are 10⁴ = 10 000
possible password combinations. Now it would take a human a long time to
find such a password but a dedicated computer could do it in a matter of
Now if our government was to embark on a nationwide WhatsApp
surveillance program, I have done some research on what it would take:
Firstly, modern-day standard encryption lies in the 256-bit key space. This
means that to decrypt a WhatsApp message one would need to guess a 256-bit
key or more. This is the equivalent of 115 quattuorvigintillion or 10⁷⁷
possible password combinations! Such an operation is not possible on a
regular computer, since it would take all of eternity for it to
guess the key. For such an operation a supercomputer would be best
suited. Now, the speed of supercomputers is measured in Floating Point
Operations per Second (FLOPS). This is similar to the personal computer’s
“Instructions per second”. The world’s fastest supercomputer, the Sunway
TaihuLight, runs at 93 petaflops, the equivalent of 9.3×10¹⁶ FLOPS. So if
the world’s fastest computer was assigned to decrypt the message, assuming
all its FLOPS are going into ‘guessing a password’, this would take 3.948×10⁵² years. We obtain this by simply dividing the total number of possible passwords by the FLOPS, then converting from seconds to years.
In most cases when brute forcing a password, the correct one is usually
found before half of the key space is exhausted, but at 3.948×10⁵² years it
really makes no difference. So in brief it would take the world’s fastest
computer longer than the age of the oldest rock at The Great Zimbabwe
Ruins to decrypt a single 256-bit encrypted WhatsApp message. That’s the
time factor. This means it would take far too much time to find out whether a
single WhatsApp message is in fact a threat to national security. Even if the
time taken were as low as a week, it would still be too late for anyone to actually stop a demonstration that would have happened a week before.
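
The arithmetic above, worked through as an added example (this is not the author's code). It exhausts a constructed 4-digit PIN for real, then estimates the 256-bit case under the article's own assumption that each of TaihuLight's 9.3×10¹⁶ FLOPS is one key guess; the function names and the sample PIN are illustrative.

```python
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600
TAIHULIGHT_RATE = 9.3e16  # article's assumption: one key guess per FLOP


def brute_force_pin(target_digest, digits=4):
    """Try every PIN of the given length; return (pin, attempts)."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if hashlib.sha256(pin.encode()).hexdigest() == target_digest:
            return pin, n + 1
    return None, 10 ** digits  # whole space searched, nothing matched


def years_to_search(key_bits, rate=TAIHULIGHT_RATE, machines=1):
    """Worst-case and average years to search a key space of 2**key_bits."""
    worst = 2 ** key_bits / (rate * machines) / SECONDS_PER_YEAR
    return worst, worst / 2  # on average the key turns up halfway through


if __name__ == "__main__":
    # Constructed sample: the "secret" is only known to us as a digest.
    sample = hashlib.sha256(b"7351").hexdigest()
    pin, attempts = brute_force_pin(sample)
    print(f"4-digit PIN {pin} recovered after {attempts} of 10000 guesses")

    worst, average = years_to_search(256)
    print(f"256-bit key, one TaihuLight: {worst:.3e} years worst case")
    print(f"256-bit key, one TaihuLight: {average:.3e} years on average")

    # One machine per user, taking 100 000 users as an illustrative figure.
    worst_many, _ = years_to_search(256, machines=100_000)
    print(f"256-bit key, 100 000 TaihuLights: {worst_many:.3e} years")
```

The 10 000-entry space falls in milliseconds on a laptop, while the 256-bit estimate barely moves even when the number of machines is multiplied by a hundred thousand.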
Ignoring the time factor, there are also cost implications: the cost of
acquisition as well as maintenance costs. There is currently only one Sunway supercomputer in the world, housed at the National Supercomputer Centre
in China. It costs USD 278 Million, and is not even for sale. So even if the
money was there, the computer is not available for anyone to buy. Taking a
look at the energy considerations, this Supercomputer has an efficiency of
1.55×10⁷ Watts per Second (calculated from its 6000 Megaflops per Watt);
this means running the computer for a year would consume approximately
500 trillion Watts. At ZESA’s current 9.83c per KWh, running such a
computer would also cost millions of dollars in electricity costs. Evidently the operation is also energy hungry.
So, if those are the considerations for cracking a single WhatsApp message
from one person, imagine the hundreds of thousands of WhatsApp users in
Zimbabwe and the billions of messages exchanged in a day. Even if the
Government could acquire a single Sunway TaihuLight supercomputer per
WhatsApp user, it would still take an eternity to find out what each message
was. The amount of energy required by such an operation annually would be more than what ZISCO, MIMOSA, SABLE and UNKI use combined. The
amount of physical space taken up by such an operation can easily spark an
epidemic “Government clearing space for supercomputer farm”. There will
be a lot of jobs created in the process too, that’s a plus; at least 100 000
people may be employed. The network infrastructure required is massive,
comparable to what local ISPs have. It would cost our Government hundreds
of millions of dollars to crack a single WhatsApp message, only to find it
saying “Good Morning”.
Clearly this was a myth.