Communicating Over WhatsApp Isn’t As Secure As You Think

oamus
Feb 23, 2017

If you have been using WhatsApp, you have been told by the company that “your messages are secured with end-to-end encryption”, which means that only the communicating users can read the messages that are sent and received. However, although Facebook claims that not even their own employees can intercept the messages, new research shows that the company could actually read some messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

Some experts claim that this vulnerability is nothing to worry about, since individuals aren’t targeted in general and only messages sent at certain times can be intercepted. This means that the vulnerability does not indicate mass surveillance, but it does show that end-to-end encryption is not fully reliable.

Privacy campaigners, on the other hand, understandably find the flaw unacceptable and insist that it could be used by governments to gather private information about users who believe their messages are secure.

This issue is especially important because WhatsApp has become an important communication tool for diplomats and dissidents alike, since it makes privacy and security its primary selling point. The company will lose numerous customers if word spreads and people lose confidence in the end-to-end encryption system it uses.

WhatsApp’s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it, says Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. Boelter, who discovered this loophole, also says “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

Although this problem was reported nearly a year ago (in April 2016), Facebook has probably known about it for longer and has already accepted it the way it is. The loophole is not being actively worked on by the company.

However, not all communication apps that use end-to-end encryption suffer from this loophole. Signal, the app created by the company that also developed the end-to-end encryption system used by WhatsApp, does not suffer from the same security problem. This means that WhatsApp has simply created this problem by choice and accepted it afterwards, jeopardizing the privacy of its users, including those who live under oppressive regimes and who could be prosecuted by their governments because of their WhatsApp messages.
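A simplified model of the two sender-side policies contrasted above, as an added example that is not from the original article or from WhatsApp's or Signal's code. The `Sender` class, the `block_on_key_change` flag and the toy `seal`/`open_sealed` functions are assumptions made for illustration, and the blocking policy is an assumed stand-in for the behaviour the article attributes to Signal.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

def seal(key, msg):
    """Toy stand-in for 'encrypt to this recipient key' (NOT real cryptography)."""
    data = msg.encode()
    stream = hashlib.shake_256(key).digest(len(data))
    tag = hashlib.sha256(key + data).digest()[:8]
    return tag + bytes(a ^ b for a, b in zip(data, stream))

def open_sealed(key, blob):
    """Return the plaintext if `key` is the key the blob was sealed to, else None."""
    tag, body = blob[:8], blob[8:]
    stream = hashlib.shake_256(key).digest(len(body))
    data = bytes(a ^ b for a, b in zip(body, stream))
    return data.decode() if hashlib.sha256(key + data).digest()[:8] == tag else None

@dataclass
class Sender:
    known_key: bytes            # recipient key the sender currently trusts
    block_on_key_change: bool   # hypothetical policy switch for this model
    pending: list = field(default_factory=list)   # sent but not yet delivered
    notices: list = field(default_factory=list)   # what the user is shown

    def send(self, msg):
        self.pending.append(msg)
        return seal(self.known_key, msg)

    def on_key_change(self, new_key):
        """The server announces a new key for the recipient."""
        if self.block_on_key_change:
            # Hold undelivered messages until the user has verified the new key.
            self.notices.append("recipient key changed: verify before resending")
            return []
        # Auto-resend: accept the new key and re-encrypt the backlog to it,
        # with no advance warning and no way for the user to prevent it.
        self.known_key = new_key
        return [seal(new_key, m) for m in self.pending]

def readable_with_new_key(block_on_key_change):
    """What the holder of the newly announced key can read after a key change."""
    old_key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    sender = Sender(old_key, block_on_key_change)
    sender.send("meet at 6")                # constructed message, still undelivered
    resent = sender.on_key_change(new_key)
    return [open_sealed(new_key, blob) for blob in resent]

if __name__ == "__main__":
    print("auto-resend:", readable_with_new_key(False))
    print("blocking:   ", readable_with_new_key(True))
```

The only difference between the two runs is the policy flag: with auto-resend, whoever holds the newly announced key receives the undelivered backlog, while the blocking sender releases nothing until the user acts.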

A WhatsApp spokesperson told the Guardian: “In many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.” Although they insist that this process of resending the message increases usability, it is open to discussion whether or not it is worth the risk.

ITGS-2

This is where ITGS-2 students at ACI collect their thoughts.
