Hold the (WhatsApp Back)door

Luka Percic
ZeroPass
Jan 18, 2017

There are two competing narratives circulating the interweb and intertweets these days:

•the “WhatsApp has a backdoor” camp, and
•the “nothing to see here, please disperse” response

TL;DR
The main claim is that WhatsApp can effectively change the encryption keys without the user noticing anything.

The main counterclaim is that people can opt in to a client-side notification when those key changes occur.

Since our own ZeroPass password & key recovery manager also relies on end-to-end encryption between the devices and trusted contacts, I was very interested to see how others navigate the balance between cryptography and good user experience.

What is the service’s default setting, and what do users expect that setting to be?

My initial response to the backdoor accusations was this:

•If the notification for a key change is on by default, that’s not a backdoor.
•If it is off by default, it is.

Let’s check that. I asked a coworker who doesn’t care about privacy and always leaves the default settings on (because he is not dealing hard drugs at the moment); his first response was a screenshot:

It looks like it was turned on automatically when they integrated E2E encryption (in May 2016)!

Good job, WhatsApp.
But then I asked him to show me his default settings…

WhatsUpp with that?!

It turns out that WhatsApp turned the security notification off with an auto-update.

That’s a whole new level of backdoor implementation! It looks like an intentional compromise of all WhatsApp users with its auto-update key, after notifying at least some of them that they are end-to-end encrypted and that all key changes would trigger the notification.

Let me know if this is provably false. We found only one instance that confirms the allegations, and no historical instance that refutes it (it would have to involve a key change around the same time). We could still be wrong!
(add a comment)

In conclusion:

WhatsApp could enable key-change ‘security notifications’ for all its users by default but chose not to, because that’s how you enforce your backdoor.
Not only that, it seems that they also chose to switch the notification setting off through an app update, without proper notification.
Will they do it again? On request?
If the software is proprietary, this end-to-end encryption claim regresses very quickly to trusting WhatsApp rather than their crypto, so that question becomes a rhetorical one.
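To make the two bullets and the conclusion above concrete, here is an added toy model (my own example, not WhatsApp’s code or the post’s): a trust-on-first-use store of contact identity keys in which the `notify_on_change` flag plays the role of the ‘security notifications’ setting. The key values, the contact name and the fingerprint format are constructed assumptions, not real WhatsApp data.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample identity keys; stand-ins, not real WhatsApp/Signal keys.
KEY_A = bytes([0x05]) + bytes(range(32))       # key first seen for the contact
KEY_B = bytes([0x05]) + bytes(range(32, 64))   # a different key, e.g. after a reinstall

def fingerprint(pubkey: bytes) -> str:
    """Human-comparable fingerprint of a key (SHA-256, hex groups).
    Constructed format; not WhatsApp's real safety-number derivation."""
    h = hashlib.sha256(pubkey).hexdigest()[:32]
    return " ".join(h[i:i + 4] for i in range(0, 32, 4))

@dataclass
class KeyStore:
    """Trust-on-first-use store of contact identity keys.

    notify_on_change is the 'security notifications' setting the post discusses:
    when False, a changed key is accepted with nothing shown to the user."""
    notify_on_change: bool
    keys: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def observe(self, contact: str, pubkey: bytes) -> str:
        """Record the key presented by `contact`; return what the UI would show."""
        known = self.keys.get(contact)
        if known is None:                      # first contact: trust on first use
            self.keys[contact] = pubkey
            self.events.append(("first_use", contact))
            return "ok"
        if known == pubkey:                    # same key as before: nothing to do
            return "ok"
        # The key changed. Either way the new key is accepted and messages keep
        # flowing; the setting only decides whether the user is told about it.
        self.keys[contact] = pubkey
        if not self.notify_on_change:
            self.events.append(("silent_rekey", contact))
            return "ok"
        self.events.append(("key_changed", contact))
        return f"security code changed for {contact}: {fingerprint(pubkey)}"

def simulate(notify_on_change: bool) -> tuple:
    """Same key change under both settings: returns (events, last UI message)."""
    store = KeyStore(notify_on_change=notify_on_change)
    store.observe("alice", KEY_A)
    message = store.observe("alice", KEY_B)    # the key for alice changes
    return store.events, message

if __name__ == "__main__":
    for setting in (False, True):
        events, message = simulate(setting)
        print(f"notify_on_change={setting}: {events} -> {message}")
```

With the flag off the second `observe` call returns plain "ok" and the only trace of the change is an internal `silent_rekey` event, which is exactly the situation the post objects to.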
