Letting people communicate securely and privately should be a no-brainer, not a complicated process where users jump through hoops or pay for expensive tools. For more than a billion WhatsApp users around the world, that dream is now reality, as the messaging app now provides end-to-end encryption for all users.
The latest version of WhatsApp, released late last week, lets users send and receive messages, attachments, and voice calls that can only be deciphered by the intended recipient, Jan Koum and Brian Acton, founders of WhatsApp, said in the blog announcement. The encryption feature is turned on for all supported platforms, which means every WhatsApp user on iPhone, Android, Nokia, and BlackBerry devices is protected.
“From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats,” Koum and Acton said.
Each user verifies their contacts and all encryption keys are stored locally. Since none of the keys ever touch WhatsApp servers, there is no way WhatsApp can know the contents of users’ messages, even if law enforcement comes knocking with a court order. The only places the messages could be intercepted are on the two devices communicating with each other -- nothing in between.
“All you need to know is that end-to-end encrypted messages can only be read by the recipients you intend,” WhatsApp said.
Transition in progress
The switch from a plaintext to an encrypted world can’t be instantaneous, since not everyone will update to the latest version at the same time. But WhatsApp shows the encryption status of every conversation, so no one is ever uncertain about the security of the session. In a group chat, if one of the recipients is still running an older version of the app, the message doesn’t get encrypted. However, all other members of that group chat can clearly see that the session is not encrypted, as well as the name of the contact who is forcing the message to be sent in its unprotected form.
This way, recipients always know the security of their messages, and they can pressure their friends and counterparts to upgrade to the latest versions. Peer pressure for more security -- why not, if it works?
Once the chat client establishes an end-to-end encrypted session with a contact, it would never allow a plaintext conversation with that contact, even if the contact tries to use a device with the older version of the app. This prevents anyone from performing a downgrade attack.
“Eventually all the pre-e2e capable clients will expire, at which point new versions of the software will no longer transmit or accept plaintext messages at all,” said Moxie Marlinspike, the cryptography researcher behind Open Whisper Systems, which provided the backbone of WhatsApp’s encryption technology.
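A toy model of the client policy the two passages above describe (a visible per-conversation status, plaintext for a group with a non-upgraded member, and refusal to fall back to plaintext once an end-to-end session exists), added here as an illustration. It is not WhatsApp's or Signal's code; the `Client` class and the `supports_e2e` flag are constructed stand-ins for the real capability signalling.

```python
from dataclasses import dataclass, field


@dataclass
class Contact:
    """A peer as seen by our client. `supports_e2e` is what the peer's current
    app version advertises (constructed flag, not real capability signalling)."""
    name: str
    supports_e2e: bool


@dataclass
class Client:
    # Names of contacts with whom an end-to-end session has ever been set up.
    # Once a name is in here, the client never again allows plaintext for it.
    e2e_established: set = field(default_factory=set)

    def send(self, contact: Contact, text: str) -> dict:
        """Send a one-to-one message and return the delivery record."""
        if contact.supports_e2e:
            self.e2e_established.add(contact.name)
            return {"to": contact.name, "encrypted": True, "body": text}
        if contact.name in self.e2e_established:
            # Downgrade attempt: only plaintext is offered for a peer we have
            # already spoken to end-to-end. Refuse rather than fall back.
            raise PermissionError(
                f"refusing plaintext to {contact.name}: e2e session already established")
        # Genuine pre-e2e peer: plaintext is allowed, and the UI reports it as such.
        return {"to": contact.name, "encrypted": False, "body": text}

    def receive(self, contact: Contact, encrypted: bool) -> bool:
        """Accept or reject an inbound message under the same rule as sending."""
        if encrypted:
            self.e2e_established.add(contact.name)
            return True
        return contact.name not in self.e2e_established

    def send_group(self, members: list, text: str) -> dict:
        """A group message is encrypted only if every member can do e2e;
        otherwise every member is told who forced the plaintext send."""
        laggards = sorted(m.name for m in members if not m.supports_e2e)
        return {"encrypted": not laggards, "plaintext_forced_by": laggards, "body": text}

    def status(self, contact: Contact) -> str:
        """What the conversation header shows for this contact."""
        return "encrypted" if contact.name in self.e2e_established else "not encrypted"
```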
WhatsApp has been working on the encryption problem for a while, adding encryption as a default for some messages in late 2014. That feature was restricted to certain devices, and it wasn’t easy for users to tell when messages were not protected. Last year, WhatsApp partnered with Open Whisper Systems, the team behind secure messaging app Signal, to integrate the open source Signal Protocol into WhatsApp.
The Signal Protocol is “a modern, open source, forward secure, strong encryption protocol for asynchronous messaging systems, designed to make end-to-end encrypted messaging as seamless as possible,” Marlinspike said.
Marlinspike said Open Whisper Systems is working with other messaging companies to “amplify the impact and scope of private communication even further.” It’s great that Apple encrypts iMessage and FaceTime messages, end to end, but that doesn’t help users who don’t have an expensive iPhone. WhatsApp and other messaging companies coming on board makes it easier for practically anyone to be part of the security mainstream.
Security by default
In regard to encryption, there’s a sense that most people don’t care about online privacy. If they cared, the logic goes, more people would be using encryption tools to keep their online communications and information safe. The reality is quite different. People want the assurance that their communications with their contacts are private, that what they say or share stays between them. But it can’t be too hard, or the default reverts to insecurity.
Opt-in security features typically don’t see high rates of adoption. A month ago, Amazon justified removing encryption from its Kindle Fire devices because no one was using it (before it backed down).
Apple made encryption one of the topics iOS users don’t have to think about much. It’s more engineering effort by the company to get encryption to work seamlessly and transparently, but it winds up protecting more people. Security needs to be enabled by default and not a decision left up to the user. WhatsApp’s decision to turn on encryption by default for everyone makes the process easy. Users don’t have to do anything different to protect their conversations. They don’t even have to dig through the app’s settings menu to enable the feature. Use WhatsApp, use encryption. It’s that simple.
Securing online communications should always be that straightforward.
“The desire to protect people’s private communication is one of the core beliefs we have at WhatsApp, and for me, it’s personal,” Koum wrote.
Your turn, government
WhatsApp’s announcement comes at an interesting time. A recent New York Times report claimed the Department of Justice was in the middle of court proceedings against WhatsApp regarding intercepting certain messages. Details of the order were hazy, but suggested another legal showdown similar to the recent battle between Apple and the FBI was possible.
It’s not only the U.S. government looking askance at secure messaging apps, either. Brazilian authorities recently arrested a Facebook executive for allegedly not providing information from a WhatsApp account potentially relevant to a drug trafficking investigation.
Encryption is one of the most important tools available as more information gets stored on remote servers and various forms of communication move online. Encryption keeps governments, companies, and individuals safe from abuses by cyber criminals, hackers, and rogue nation-states. Over the past few months, governments have claimed that increased use of encryption is impeding criminal investigations, and that attackers using encrypted communications make it harder for law enforcement to gather information. But weakening encryption in the manner various government officials have suggested is a dangerous move and will cause more damage.
“While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people’s information to abuse from cyber criminals, hackers, and rogue states,” Koum said.
More -- and widespread -- encryption is the answer to a safe Internet. With this update, WhatsApp has put the communications of all its users out of the reach of anyone who isn’t the intended recipient. The FBI didn’t like Apple’s approach toward security, and it definitely won’t appreciate what the world’s most popular messaging app has done.