Should you worry about the backdoor found in WhatsApp’s encryption?

Supposedly private messages could be read by third parties, including state agencies

Some have trusted WhatsApp as a way to avoid government surveillance of communications. Photograph: Reuters

A backdoor has been found within Facebook’s secure messaging service WhatsApp which would allow the company and third parties, such as government agencies, to intercept and read supposedly encrypted and private messages.

This is despite a claim from Facebook that the messages can't be read, even by the company's own staff.

The problem is believed to stem from the way WhatsApp has implemented its “end-to-end” encryption protocol for its more than one billion users.

What is WhatsApp?

WhatsApp is a free messaging and calling service that uses the internet to deliver communications. It is used by more than one billion people across the world, including those in countries with oppressive regimes. It was bought by Facebook in 2014 for $22 billion and implemented end-to-end encryption in April 2016.

READ MORE

What is end-to-end encryption?

End-to-end encryption (E2EE) ensures that a conversation can only be read by the sender and recipient, and not intercepted by a middleman. WhatsApp uses the acclaimed Signal encryption protocol that relies on the exchanging of unique security keys that are verified between users to guarantee communications cannot be intercepted by a middleman.
Anything said between users with E2EE is guaranteed to be private during transit, unless there's a backdoor to the encryption.

What is a backdoor?

A backdoor to a technology such as encryption is simply a way for a third-party to access something secure without the primary parties being aware of this. In this case, it is a way for a third-party such as WhatsApp to read encrypted messages that are supposedly secure against interception.
Your security technology is only as strong as the weakest link. The introduction of a backdoor is the weak link.

What has WhatsApp done?

The Signal encryption protocol has no known weaknesses if it is implemented correctly. WhatsApp has implemented a backdoor into the Signal protocol, giving itself the ability to force the generation of new encryption keys for offline users and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.
It means that it could generate keys known to WhatsApp or a third party, and therefore read and intercept apparently encrypted messages without the sender's or recipient's knowledge.

Why is it like it is?

WhatsApp says that it implemented the backdoor to aid usability. If the backdoor was not in place, messages sent to an offline user who then changed their smartphone or had to re-install WhatsApp and, in doing so, generated new security keys for themselves, would remain undelivered once the user came back online.
A WhatsApp spokesperson said: "In many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people's messages are delivered, not lost in transit."

Should I be worried?

Unlike most of Facebook's other messaging and social media services, this backdoor is unlikely ever to be used for profiling for advertising purposes. The burden to execute the interception of messages is probably too high to be cost-effective.
But the same cannot be said for government agencies. A backdoor into a supposedly secure end-to-end encrypted private messaging service could be invaluable for surveillance purposes and is "a huge betrayal of user trust", according to privacy advocates.
The amount of private information sent knowingly or unknowingly through WhatsApp could be vast and therefore is a very attractive target for surveillance.

Should I stop using WhatsApp?

If you use WhatsApp as a way to avoid government surveillance due to its end-to-end encryption service, you should stop using it immediately.
Facebook and WhatsApp could be compelled to give government agencies, such as the UK's GCHQ and the US National Security Agency (NSA), access to users' messages.

What are the alternatives?

There are several alternatives to WhatsApp that use encryption to secure communications against interception. The most recommended is Signal, which was developed by Open Whisper Systems and is the namesake of the Signal E2EE protocol. It is used and recommended by NSA whistleblower Edward Snowden and is considered the gold standard for private messaging. It does not have the same backdoor into the E2EE as WhatsApp, and is available for Android and iOS.

– Guardian service