The feature went live last year and ensures that WhatsApp messages can be read only by the sender and the receiver, and by no one else. WhatsApp, government agencies, Facebook: nobody can read or see messages sent on the app. In an interaction with Indianexpress.com, WhatsApp software engineer Alan Kao and spokesperson Carl Woog highlighted some of the key features of the app’s end-to-end encryption.
Why does WhatsApp have end-to-end encryption?
As WhatsApp software engineer Alan Kao explained, privacy is the core of WhatsApp’s product and founder Jan Koum strongly believes in it. “We have seen all sorts of people rely on WhatsApp, including political representatives who are using the app to connect with their constituents. We believe that security and privacy of these conversations is highly important,” said Kao in the interaction. “With WhatsApp, we have delivered encryption for everyone. This has become especially important in India as even police are using it to stay in touch with citizens, help keep women safe,” he added.
What exactly is the protocol that WhatsApp is using for its end-to-end (E2E) encryption?
Given the 1 billion user base, WhatsApp’s roll-out of end-to-end encryption in 2016 was the largest ever for such a feature. “Encryption is always on by default, and it is the only option. Every message sent on WhatsApp is encrypted. Only the sender and recipient have the key, which can decrypt the message. The basis of WhatsApp’s E2E encryption is the Signal protocol designed by Open Whisper Systems, which is a leading software security company and they are deeply respected,” explained WhatsApp’s software engineer.
He also pointed out that WhatsApp worked with Open Whisper for two years to bring E2E encryption. “The Signal system has been heavily audited by third-party systems and recommended by the world’s leading security experts. It is also designed to work well from the ground up on mobile. Even the new status feature on WhatsApp is end-to-end encrypted,” explained Kao. WhatsApp uses Advanced Encryption Standard (AES) 256-bit encryption to keep these keys secure and has also put out an open paper explaining how the entire system works.
But can there be a backdoor entry to your WhatsApp messages? Would they create it for a government?
As Kao explained, this would be terribly hard for WhatsApp to do without such a backdoor entry being detected. “Any change in our encryption will be detected very quickly. WhatsApp is one of the most scrutinised apps in the world, security researchers are analysing and reverse engineering our app constantly,” he said. The company says it would be impossible to create a secret backdoor to their app. Also, as they point out, they can’t just create a backdoor for one party. Such a system would make them a prime target for hackers.
So, what happens to end-to-end encryption when you rely on third-party back-ups for WhatsApp messages?
WhatsApp says it does not compromise the security and encryption of the message, even when backups are done. However, Kao added, “We make sure that messages are end-to-end encrypted in transit. Once it is delivered on the phones of the users, then it is up to the user to safeguard their privacy and data.” Also, when you perform a backup of WhatsApp messages, these are uploaded to that service’s servers, such as Apple iCloud in the case of iOS or Google Drive in the case of Android. But WhatsApp maintains it still can’t read those messages and the backup is encrypted. However, the decryption keys still remain on the phone.
What about WhatsApp and spreading of inflammatory messages, fake news in India? Can’t they take steps to curb it?
WhatsApp admits that this is a complicated issue, and given they can’t read messages, they don’t have a one-off solution to stop the spread of fake news. Carl Woog, WhatsApp spokesperson, said the idea is to educate users, and help them realise which messages can be trusted. “Users can report the content to us, certainly in cases where there is concern over life, safety. But there is a limitation to what we can provide,” he points out. According to Kao, fake news is a complex problem on WhatsApp and they definitely don’t want to see it on their platform. “We have an issue detecting this and E2E does complicate things. We are exploring different solutions, also looking at possible engineering level effort. We have a few initiatives as well, like user education as well.”
But this doesn’t mean WhatsApp has to be a free-for-all. Kao explained the company does have a dedicated customer service team and in case of harassment people can send screenshots, etc. to the team. Depending on the severity of the message, WhatsApp can take decisions to either temporarily ban a user or impose an outright ban.
Dealing with law enforcement, especially when there are requests for data.
Given the scale of WhatsApp and its sheer user base in India, there are many reports and instances of how law enforcement agencies want access to some of the messages. WhatsApp’s spokesperson says that while they respect law enforcement, they also have people in place who can respond to governments quickly and swiftly. “We explain to governments why we have deployed end-to-end encryption, and why this is important, and why we might not be able to help with data around messages,” he explained. Also, Facebook’s transparency report now includes government requests which are sent to WhatsApp. “Of course, we cannot see what messages are shared on the platform. There’s only limited information that we can provide, and we try and explain this to governments,” Woog added.
WhatsApp with business services in the future: Will that be end-to-end encrypted?
WhatsApp says it won’t comment on future products. But it adds that security and privacy are in their DNA, and any new products they launch will keep that in mind.
Finally, what data does WhatsApp share with Facebook?
As WhatsApp’s representatives explained, metadata is what is shared, which would be the mobile number, model of smartphone, platform the user is on, etc. Actual messages are not shared with Facebook, maintains the company. Also, while the WhatsApp server knows that an image or video or text is sent, it can’t actually see or read the message being shared, says the company.