About a week ago, WhatsApp rolled out end-to-end encryption to its mega-popular chat app, and we have to give credit to Facebook: the company did it with a lot of fanfare and pomp, like everything it does publicly. Major tech outlets did their share of singing odes to the technical genius of the folks behind the app, and the one billion WhatsApp users went to bed happy and content that night, knowing their little sexcrets are safe with WhatsApp. In the meantime, dozens of previously hesitant whistleblowers eagerly downloaded the app and started leaking government secrets to journalists via the brand-new encrypted channel. You do feel the sarcasm, right?
To a regular user, encryption may still sound like nerd gibberish, even though we live in the post-Snowden era. In layman’s terms, encryption does not prevent your communication from being intercepted. However, it scrambles the contents of your messages into unintelligible gibberish, so anyone intercepting them won’t see anything but a mish-mash of symbols. It is possible to decrypt encrypted data with the encryption key, and provided the key is safely stored, chances are the contents of the encrypted chats are scrambled well enough for third parties to take years to brute force.
However, in the case of WhatsApp’s encryption, security experts warn about several little details that might have escaped your attention, and we want to enumerate them, in case you were wondering whether all is now tip-top with WhatsApp. Here are a few things that are not:
#1. Meta data
WhatsApp collects your meta data and stores it indefinitely. In this case, it’s the phone numbers – yours, the entire contents of your phone book, and those of anyone you’re talking to via the app. The date and time stamps go along with the messages. Hence, the meta data reveals:
- who you chat with
- when you chat with them and how often
- where you are, where your recipients are
- the circles of people you know (combined with the frequency of chats and the data volumes, meta data also makes it possible to tell the people in your close circles from those you are simply acquainted with)
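To make the list above concrete, here is an added example (not taken from WhatsApp or any real data set) that rebuilds one user's contact circles from constructed records containing only sender, recipient, timestamp and ciphertext size. The phone numbers, the record layout and the three-day "close contact" threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (sender, recipient, ISO timestamp, ciphertext bytes).
# No message text appears anywhere: encryption hides the body, not these fields.
RECORDS = [
    ("+000-0001", "+000-0002", "2016-04-05T08:10", 120),
    ("+000-0002", "+000-0001", "2016-04-05T08:12", 96),
    ("+000-0001", "+000-0002", "2016-04-06T23:40", 2048),
    ("+000-0002", "+000-0001", "2016-04-07T07:05", 80),
    ("+000-0001", "+000-0002", "2016-04-09T19:30", 310),
    ("+000-0003", "+000-0001", "2016-04-08T12:00", 64),
    ("+000-0001", "+000-0003", "2016-04-08T12:03", 70),
    ("+000-0002", "+000-0003", "2016-04-08T15:00", 55),  # does not involve the owner
]


def contact_profile(records, owner):
    """Summarise each of owner's contacts using metadata alone."""
    stats = defaultdict(lambda: {"messages": 0, "days": set(), "bytes": 0})
    for sender, recipient, timestamp, size in records:
        if owner not in (sender, recipient):
            continue  # traffic between other people says nothing about owner
        peer = recipient if sender == owner else sender
        entry = stats[peer]
        entry["messages"] += 1
        entry["days"].add(datetime.fromisoformat(timestamp).date())
        entry["bytes"] += size
    return dict(stats)


def classify(stats, min_days=3):
    """Label a contact 'close' when active on at least min_days distinct days.

    The threshold is an assumption for this example, not a known rule.
    """
    return {
        peer: "close" if len(entry["days"]) >= min_days else "acquaintance"
        for peer, entry in stats.items()
    }


if __name__ == "__main__":
    profile = contact_profile(RECORDS, "+000-0001")
    for peer, label in classify(profile).items():
        entry = profile[peer]
        print(peer, label, entry["messages"], "msgs on",
              len(entry["days"]), "days,", entry["bytes"], "bytes")
```

Every field the script reads stays visible to the service even when the message body is end-to-end encrypted, which is why how much metadata is kept, and for how long, matters as much as the encryption itself.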
In mass surveillance terms, meta data is a lot more valuable than the contents of your chats. Here is why. Think of the sheer volume of data in the text of the messages, and how is any agency to process and analyze that? Right. They can’t, at least not yet. Meta data, on the other hand, allows algorithms to map the connections among the billion WhatsApp users, all over the world. Meta data is the library of human lives, tagged and categorized by phone numbers, locations, dates, frequencies. Combined with Facebook data, WhatsApp’s wealth of information is a surveillance gold mine. Here comes the second issue.
#2. WhatsApp shares your profile info with Facebook
You do know Facebook owns WhatsApp? A couple of months ago, a GitHub user who was testing the early Beta builds of WhatsApp found a new setting in the app. The new setting was only accessible from the terminal, but it revealed the app was sharing user profile info with Facebook for a better Facebook experience. A Reddit thread confirmed this could be the case, since a user recounted how he was chatting to another user in WhatsApp. They had no mutual friends on Facebook, spoke different languages and lived on different continents. And yet, the next day Facebook suggested he should befriend the person. As of now, there is no such setting in WhatsApp, but the precedent exists, and knowing Facebook’s stance on privacy, you don’t get to have any.
#3. It’s not open source
Most privacy-focused products opt to open their source code to the public, so that security experts can review the code for flaws, bugs and back doors, among other things. Even though WhatsApp uses the open source encryption algorithm of Open Whisper Systems, the company behind Signal, the WhatsApp source code is proprietary. There is no way of knowing that there are no back doors built into the product. Nor is there a way for security experts to audit the implementation of the encryption itself to tell whether it is flawed.
#4. End-point devices are not secured
iPhones might be, but not all Android or Windows Phone devices are encrypted. Hence, if your messages are encrypted in transit, they might be at risk at the end point – your very own device. If you have malware or spyware preying on your data, you are not secure.
#5. Some other information
#6. WhatsApp has a bad track record in privacy. But so does Facebook…
Ever since the app became popular, before Facebook, WhatsApp was scrutinized for poor security practices. No encryption, weak encryption, access to phone books, storing non-user data. Canadian authorities even investigated WhatsApp for violating Canadian privacy laws. Of course, under the wise command of Facebook wizards, it all changed.
One final frown about WhatsApp’s encryption – what took them so long? The reluctant implementation comes years after companies like Threema, Signal, Wickr or BBM offered encryption, and at least 3 years after the PRISM revelations.
While you are enjoying your newly encrypted messenger, make sure everyone you’re chatting with has upgraded to the latest version of WhatsApp. Otherwise, your chats are not encrypted.
What do you say? Do you trust WhatsApp to keep your meta data secure? To what extent do you trust Facebook to protect your privacy? What chat apps are you using when you need a secure environment?