Can the Government eavesdrop on WhatsApp conversations?


During the peak of the #thisflag campaign, there were many rumors 
about the government “monitoring WhatsApp chats” as a way to find citizens 
who were involved in rioting and demonstrations. I wasn’t in Zimbabwe at 
the time, but I could feel how real the fear was among my colleagues. Was 
this paranoia justified? Let’s find out. 
 
Just so you know, there are many ways in which a hacker can get hold of 
your WhatsApp messages. This article is going to focus on what would 
happen after the messages have been obtained. This, however, does not 
downplay how difficult it is to obtain these messages in the first place. 
 
You have probably heard of the term encryption, especially in connection 
with your WhatsApp conversations. In short, encryption is scrambling data 
in such a way that only parties with a secret key or password can 
understand its meaning. So every message transmitted on WhatsApp is 
translated into ‘gibberish’, and the recipient’s WhatsApp knows the secret 
code to decrypt the message, which then shows up in your inbox where you 
can read it. To further improve security, WhatsApp no longer stores your 
conversations permanently on its servers, as is the case with Facebook or 
your emails. A WhatsApp message goes straight from your phone to the recipient. 
If the recipient is offline, the message is temporarily stored on 
WhatsApp’s servers until the recipient is back online; if it remains 
undelivered for a certain period of time (nearly 30 days), WhatsApp then 
deletes the message queue. 
 
All this prevents anyone who might gain access to your messages during 
transmission from understanding what the message is saying, as they would 
need the key to decrypt the message. To get around this, hackers will try to 
guess this key using a technique called brute force. A brute-force attack 
simply means guessing many different passwords until one works. Each chat has 
its own ‘scrambling’ method, and this is only known by the sender’s and 
the recipient’s client applications. A good example is trying to guess the PIN 
for your SIM card: because it is a 4-digit password, there are 10⁴ = 10 000 
possible password combinations. It would take a human a long time to 
find such a password, but a dedicated computer could do it in a matter of 
hours. 
 
Now if our government was to embark on a nationwide WhatsApp 
surveillance program, I have done some research on what it would take:
 
Firstly, modern-day standard encryption lies in the 256-bit key space. This 
means that to decrypt a WhatsApp message one would need to guess a 256-bit 
key or more. This is the equivalent of 115 quattuorvigintillion or 10⁷⁷ 
possible password combinations! Such an operation is not possible on a 
regular computer, since it would take all of eternity for it to be able to 
find the key. For such an operation a supercomputer would be best 
suited. The speed of supercomputers is measured in Floating Point 
Operations per Second (FLOPS). This is similar to the personal computers’ 
“Instructions per second”. The world’s fastest supercomputer, the Sunway 
TaihuLight, runs at 93 petaflops, the equivalent of 9.3×10¹⁶ FLOPS. So if 
the world’s fastest computer was assigned to decrypt the message, assuming 
all its FLOPS are going into ‘guessing a password’, this would take 
3.948×10⁵² years. We obtain this by simply dividing the total number of 
possible passwords by the FLOPS, then converting from seconds to years.
 
In most cases when brute forcing a password, the correct one is usually 
found before half of the key space is exhausted, but at 3.948×10⁵² years it 
really makes no difference. So in brief, it would take the world’s fastest 
computer longer than the age of the oldest rock at The Great Zimbabwe 
Ruins to decrypt a single 256-bit encrypted WhatsApp message. That’s the 
time factor. This means it would take way too much time to find out if a 
single WhatsApp message is in fact a threat to national security. Even if the 
time taken was to be as low as a week, it would still be too late for anyone 
to actually stop a demonstration that would have happened a week before. 
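The arithmetic above, worked through as an added example (not part of the original article): it exhausts the 4-digit PIN space from the SIM card illustration, then applies the same division to larger key spaces. The function names, the salted SHA-256 check standing in for "testing a guess", the sample PIN and the one-guess-per-FLOP rate are assumptions made for illustration.

```python
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600   # 365-day year, which reproduces the article's figure
TAIHULIGHT_RATE = 9.3e16             # guesses/second, assuming one guess per FLOP as the article does

def pin_digest(pin: str, salt: bytes) -> bytes:
    """Stand-in for 'checking a guess': hash the candidate PIN with a salt."""
    return hashlib.sha256(salt + pin.encode()).digest()

def exhaust_pin_space(target: bytes, salt: bytes, digits: int = 4):
    """Try every PIN in order; return (pin, guesses_made) or (None, keyspace)."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if pin_digest(pin, salt) == target:
            return pin, n + 1
    return None, 10 ** digits

def years_to_search(keyspace: int, rate: float = TAIHULIGHT_RATE, fraction: float = 1.0) -> float:
    """Years needed to try `fraction` of `keyspace` at `rate` guesses per second."""
    return keyspace * fraction / rate / SECONDS_PER_YEAR

def comparison_table():
    """(label, keyspace, worst-case years, average-case years) for several key sizes."""
    spaces = [("4-digit PIN", 10 ** 4), ("56-bit key", 2 ** 56),
              ("128-bit key", 2 ** 128), ("256-bit key", 2 ** 256)]
    return [(label, size, years_to_search(size), years_to_search(size, fraction=0.5))
            for label, size in spaces]

if __name__ == "__main__":
    salt = b"constructed-demo-salt"            # constructed sample value
    target = pin_digest("7301", salt)          # constructed sample PIN
    print("PIN recovered:", exhaust_pin_space(target, salt))
    for label, size, worst, average in comparison_table():
        print(f"{label:12s} keyspace={size:.3e} worst={worst:.3e} y average={average:.3e} y")
```

Halving the search (the average case) only removes a factor of two, which is why the 256-bit row stays above 10⁵² years either way.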
 
Ignoring the time factor, there are also cost implications: the cost of 
acquisition as well as maintenance costs. There is currently only one Sunway 
supercomputer in the world, housed at the National Supercomputer Centre 
in China. It costs USD 278 Million, and is not even for sale. So even if the 
money was there, the computer is not available for anyone to buy. Taking a 
look at the energy considerations, this supercomputer has an efficiency of 
1.55×10⁷ Watts per Second (calculated from its 6000 Megaflops per Watt); 
this means running the computer for a year would consume approximately 
500 trillion Watts. At ZESA’s current 9.83c per kWh, running such a 
computer would also cost millions of dollars in electricity costs. Evidently 
the operation is also energy hungry. 
 
 
So, if those are the considerations for cracking a single WhatsApp message 
from one person, imagine the hundreds of thousands of WhatsApp users in 
Zimbabwe and the billions of messages exchanged in a day. Even if the 
Government could acquire a single Sunway TaihuLight supercomputer per 
WhatsApp user, it would still take eternity to find out what each message 
was. The amount of energy required by such an operation annually would be 
more than what ZISCO, MIMOSA, SABLE and UNKI use combined. The 
amount of physical space taken up by such an operation can easily spark an 
epidemic “Government clearing space for supercomputer farm”. There will 
be a lot of jobs created in the process too, that’s a plus; at least 100 000 
people may be employed. The network infrastructure required is massive, 
comparable to what local ISPs have. It would cost our Government hundreds 
of millions of dollars to crack a single WhatsApp, only to find the message 
saying “Good Morning”. 
 
Clearly this was a myth.