
WhatsApp encryption and private communication April 9, 2016

Posted by Aonrud ⚘ in Internet security/privacy/information, Technology.

You may have seen during the week that WhatsApp have recently introduced end-to-end encryption, meaning even they (or the company’s owners in Facebook) can’t intercept the content of your communications.  With a billion users, WhatsApp have rolled this out quietly to a huge number of people.

Of course the response from state security in its various forms isn’t entirely positive.  For example, in the UK, Theresa May’s Investigatory Powers Bill could essentially seek to ban private encrypted communication.  There are arguably legitimate cases law enforcement can point to, and there are plenty of unpalatable uses private communication can be put to, but ultimately this sort of choice is quite all-or-nothing. Unfortunately or otherwise, if there’s a back door of any kind, then your messages aren’t private, and guaranteeing only the ‘right’ parties can exploit that is difficult; and if they are properly encrypted, then they can’t be accessed, even in exceptional circumstances.  It’ll be interesting to see what sort of pressure WhatsApp experience in the aftermath of this.

That also points to the issue that this service remains proprietary, so there is still a single target which could ostensibly be forced to stop providing it.  Even though WhatsApp aren’t storing all your information (like, for example, Facebook are) you still require their software.  I heard someone suggest recently that privacy has somewhat replaced the free software (libre, not gratis) movement’s prominence in technology rights.  The two are intertwined of course, but WhatsApp points to the problem that removing the service requires only a single target, whereas decentralised, open source methods of communication (of which email, for all its flaws, is an example) are far harder to shut down.

Still, even though I’d prefer a decentralised free software alternative, credit where it’s due to WhatsApp for rolling out fully private communication to a huge swathe of people, many of whom may not have otherwise sought it out.


1. lamentreat - April 9, 2016

Not to disparage the move, but isn’t it largely prompted by fears of competition? At a stroke, they take away Telegram’s USP.


Aonrud - April 9, 2016

Very possibly. Telegram seems to have picked up a fair user base, but it doesn’t cover calls etc., does it?

As mentioned above, I’d prefer an open protocol with a choice of open source clients implementing it, but given the existing options, this is still a positive change.

It puts these arguments into a much more mainstream political debate than the technical niche as well.


WorldbyStorm - April 9, 2016

That’s key isn’t it, if these become norms rather than exotic add ons then they have the potential to shift things considerably.


2. gendjinn - April 9, 2016

Feinstein/Burr have a bill requiring all companies to provide clear text of all encrypted data on their system to the govt.

This is the Feinstein whose investigation into the CIA was illegally spied on and hacked by the CIA.

But then Feinstein and her husband’s corruption at the trough of the US gov is legion and has done nothing to end her political career in California.

3. Torheit - April 10, 2016

I’m sorry to rain on anybody’s parade here, but this is a very slight advance if at all – because Whatsapp is owned by Facebook. Luckily there are alternatives.

Facebook is a capitalist enterprise. When capitalists give anything away you can bet that the maxim ‘the product is you’ applies. It makes no commercial sense in the long term that Facebook should have taken the peer-reviewed end-to-end off-the-record encryption of Open Whisper Systems and not back-doored it at least to the extent that when you type in the phrase:

“The revolution begins on Good Friday in front of the GPO”

they are at least able to direct advertising at you that recuperates the words ‘revolution’ and ‘Good Friday’.

At the most optimistic in terms of real privacy. The actuality is probably worse and involves an agreement with 5 Eyes.

However we have no way to judge this because we have no access to the source code to check what they are doing within the Whatsapp app and on the servers at the back end.

In contrast Open Whisper Systems’ own Signal is as good as Whatsapp and all the source is open and available. You can compile and run the apps yourself if you are that paranoid.

Signal is ad-free and free (as in beer and speech). Development is supported by donations. It also supports encrypted Telephony which works pretty well on reasonably high bandwidth / low latency WLAN. I’ve no idea whether Whatsapp or Facebook offer free encrypted phone calls, as does Signal. Don’t try it on mobile data unless you are willing to adapt to an ‘over (pause) and out’ conversational protocol. Voice over LTE hasn’t reached Europe yet.

What’s more they just launched a Desktop App for the open source Browser Chrome that allows you to text people from the desktop on (and I haven’t tested this) I imagine closed source systems like Mac OSX and Windows.

I don’t know anyone in my reasonably wide network of security-savvy people who is not using Signal as their day-to-day instant messaging application, and for encrypted phone calls.

Of course Signal is only as secure as the operating system on which you run it, but to my knowledge Signal running on Open/FreeBSD or Qubes presents fairly high barriers to the usual suspects.

Torheit - April 10, 2016

Oh and it’s my belief that the push protocol of Signal offers a certain resistance to Traffic/Metadata analysis especially if it is run over Tor or a reliable VPN aggregator.


Torheit - April 10, 2016

Link for setting up the Desktop version of Signal. At the present you need to have the Android version installed and registered on a device with a camera first.


4. Gewerkschaftler - April 11, 2016

I vaguely recall reading that what Facebook gets from Whatsapp is the entire address-book of your Whatsapp which is uploaded onto their servers.

What they do with it afterwards I can only in my darkest dreams imagine.

