WhatsApp encryption and its implications
WhatsApp recently launched end-to-end encryption of all its messages, meaning only you and the person you're communicating with can read what is sent.
With many internet users still unclear about what encryption is and how it works, Philip Leone Ganado spoke to Professor Joe Cannataci, who serves as UN Special Rapporteur on Privacy.
Q: What effect will WhatsApp’s announcement of end-to-end encryption have on users?
For complete end-to-end encryption to work, users at both ends of the text or voice exchange need to have downloaded the very latest version of WhatsApp. Then they can use a service which can effectively increase their privacy and security.
In the latest WhatsApp deployment no messages are retained on the servers of the service provider, which is simply acting like an old-fashioned postman merely delivering a message inside a data packet. One of the main differences though is that unlike old-fashioned mail, this digital postman cannot open an envelope and read its contents, since every WhatsApp message is protected by encryption to which only the sender and the receiver have the keys.
This means that not only the message is not stored on their servers but it is also not capable of being read by the WhatsApp Inc. corporation, a subsidiary of Facebook.
Since WhatsApp is available as an app on many different platforms including Apple’s IOS, Google’s Android and Microsoft’s Windows, at one stroke more than a billion users of this app world-wide have just been upgraded to a new level of privacy and security.
This is a case of privacy by default: the users cannot switch off the encryption embedded into the latest version of the app. This level of security is very useful for preventing so-called “man-in-the-middle” attacks and thus can protect the user from all kinds of eavesdropping including attempts at hacking WhatsApp messages by organised crime.
WhatsApp doesn’t collect or store personal information like names, addresses and location-based service data, as all such data is synced to your phone and is not on their servers.
Q: Concerns have been raised over whether the move will make it harder for security and law enforcement agencies to track criminal activity. Is this a valid concern and does it mean WhatsApp’s move is irresponsible?
Individual citizens have a fundamental right to expect that their personal data and their communications are both private and secure. The vast majority of citizens are law abiding, and therefore it is only fair that they would expect that their privacy is properly protected in a democratic society where security (SIS) and law enforcement agencies (LEAs) should not be able intercept communications at will but only in a tiny minority of well-defined circumstances.
This principle of a reasonable suspicion and an independent judicial oversight of surveillance has recently been reinforced across Europe by the pan-European Court of Human Rights in Strasbourg in the case: Zhakarov vs Russia published in December 2015.
While it is possible that apps such as WhatsApp may occasionally make life a bit harder for SIS and LEAs, it is important to put things in context and ask whether this is a worthwhile price to pay in order to live in a society where privacy and security are the default settings.
Likewise the risk must be proportionate to the measure being recommended. How big is the risk? What is the real nature of the risk posed by terrorists in society? When quantifying the risk in order to determine whether a counter-measure is proportionate, one should remember that, in reality, there is a higher risk of being hit by an asteroid than there is of being killed by a terrorist. The odds of being a victim of terrorism are statistically very low indeed, much lower than being struck by lightning or dying in a bath tub or a car accident.
So how proportionate a measure would it be would it be to try to weaken encryption to enable easier access to SIS and LEAs?
In this case it is important to remember a few key factors. First of all, encryption increases security rather than diminishes it. It reduces the risk of unlawful interception by undesirable elements and especially organisations or individuals with criminal intent.
WhatsApp has offered the equivalent of an armoured van, one of those used to ferry cash between banks and shops and bank branches.
Secondly, criminals and terrorists have often shown that they do not need or even think of using highly-encrypted communications such as WhatsApp. For example, in the recent Paris attacks the terrorists appear to have simply used normal mobile telephones which they threw away after use. No amount of weakened encryption on WhatsApp would have helped the police to intercept the terrorists, since the latter did not seem to even bother to use WhatsApp or other encrypted methods of communications.
If WhatsApp [had] accepted to weaken its end-to end encryption it would only have succeeded principally to weaken the privacy and security of the “good guys” – the vast majority of law abiding citizens.
Most terrorist groups and organised crime have enough resources to develop their own very sophisticated encrypted means of communication quite independently from WhatsApp, so being denied strong end-to-end encryption by WhatsApp would mostly if not exclusively put at risk the privacy and security of the overwhelming majority of law-abiding users.
So, to my mind, WhatsApp has not been irresponsible - quite the opposite. It has brought higher levels of privacy and security to over a billion users. It is not a total solution to the end-user’s needs vis-a-vis encryption but it is a step in the right direction.
Q: Casual users don’t often consider encryption in their online activities. Is this a mistake?
That is a huge mistake. I would encourage owners of mobile devices – which are more easily and often lost – to take every opportunity to protect these devices at least as well as they would their laptop and desktop computers at home and, if possible, much more given the higher risk of their being lost or stolen.
Let’s bear in mind the words of US Chief Justice John G. Roberts Jr., writing for the court in Riley v. California, when describing the central role that smartphones play in contemporary life. They are, he said, “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” In that case, the US Supreme Court ruled that no smart phone could be searched without a warrant.
For precisely the same reasons as described by Justice Roberts I dare say that someday in the not so distant future we may have to recognise that since the smart phone is a device with which we entrust our most intimate thoughts and searches we may even go so far so as to declare that it is not a “compellable witness”.
In the same way that a person has, in criminal matters the right to remain silent and not to incriminate himself or herself, a smartphone too may one day be recognised to be too intimate a witness to be subject to search and seizure even if that search is authorised by a court.
Searching a smartphone would, in many cases, render its user worse than naked. Is that really the kind of society that we would like to live in? In many legal systems, when it comes to the criminal courts our standards of decency have been such that we do not compel somebody, even if guilty, to incriminate themselves through words. Yet now we are prepared to let them incriminate themselves through that most intimate of electronic companions, their smartphone?
[Smartphones are] of course much more of a life command and control centre where computer, photography and internet technologies converge – and which also happens to make phone calls.
This is also why smartphone users should remember too that while end-to-end encryption of WhatsApp messages is a useful thing to have, it is only a beginning and not a complete answer to the security needs of the user.
A smartphone too may one day be recognised to be too intimate a witness to be subject to search and seizure
All users should consider the benefits of added protection offered by totally encrypting all of the content on their phone, tablet, laptop or other mobile device. WhatsApp has offered the equivalent of an armoured van, one of those used to ferry cash between banks and shops and bank branches.
It would be useless however for the armoured van to arrive at a location where the securely-transported message is then unloaded into a place which is insecure. Hence the need to encrypt all of the contents – and not just the WhatsApp messages – on the smartphone or other device.
Professor Cannataci is deputy dean of the Faculty of Media and Knowledge Sciences at the University of Malta and head of the Department of Information Policy and Governance within that same Faculty. He co-founded the Security, Technology & e-Privacy Research Group (STeP) at the University of Groningen in the Netherlands, where he holds the chair of European Information Policy and Technology Law. He is also an adjunct Full Professor at the Security Research Institute at Edith Cowan University in Australia.