WhatsApp encryption and private communication April 9, 2016
Posted by Aonrud ⚘ in Internet security/privacy/information, Technology.trackback
You may have seen during the week that WhatsApp have recently introduced end-to-end encryption, meaning even they (or the company’s owners in Facebook) can’t intercept the content of your communications. With a billion users, WhatsApp have rolled this out quietly to a huge number of people.
Of course the response from state security in its various forms isn’t entirely positive. For example, in the UK, Theresa May’s Investigatory Powers Bill could essentially seek to ban private encrypted communication. There are arguably legitimate cases law enforcement can point to, and there are plenty of unpalatable uses private communication can be put to, but ultimately this sort of choice is quite all-or-nothing. Unfortunately or otherwise, if there’s a back door of any kind, then your messages aren’t private, and guaranteeing only the ‘right’ parties can exploit that is difficult; and if they are properly encrypted, then they can’t be accessed, even in exceptional circumstances. It’ll be interesting to see what sort of pressure WhatsApp experience in the aftermath of this.
That also points to the issue that this service remains proprietary, so there is still a single target which could ostensibly be forced to stop providing it. Even though WhatsApp aren’t storing all your information (like, for example, Facebook are) you still require their software. I heard someone suggest recently that privacy has somewhat replaced the free software (libre, not gratis) movement’s prominence in technology rights. The two are intertwined of course, but WhatsApp points to the problem that removing the service requires only a single target, whereas decentralised, open source methods of communication (of which email, for all its flaws, is an example) are far harder to shut down.
Still, even though I’d prefer a decentralised free software alternative, credit where it’s due to WhatsApp for rolling out fully private communication to a huge swathe of people, many of whom may not have otherwise sought it out.
The Cedar Lounge Revolution 
Not to disparage the move, but isn’t it largely prompted by fears of competition? At a stroke, they take away Telegram’s USP.
LikeLike
Very possibly. Telegram seems to have picked up a fair user base, but it doesn’t cover calls etc., does it?
As mentioned above, I’d prefer an open protocol with a choice of open source clients implementing it, but given the existing options, this is still a positive change.
It puts these arguments into a much more mainstream political debate than the technical niche as well.
LikeLike
That’s key isn’t it, if these become norms rather than exotic add ons then they have the potential to shift things considerably.
LikeLike
Feinstein/Burr have a bill requiring all companies to provide clear text of all encrypted data on their system tot he govt.
This is the Feinstein whose investigation into the CIA was illegally spied on and hacked by the CIA.
But then Feinstein and her husbands corruption at the trough of the US gov is legion and has done nothing to end her political career in California.
LikeLiked by 1 person
I’m sorry to rain on anybody’s parade here, but this is a very slight advance if at all – because Whatsapp is owned by Facebook. Luckily there are alternatives.
Facebook is a capitalist enterprise. When capitalists give anything away you can bet that the maxim ‘the product is you’ applies. It makes no commercial sense in the long term that Facebook should have taken the peer-reviewed end-to-end off-the-record encryption of Open Whisper Systems and not back-doored it at least to the extent that when you type in the phrase:
“The revolution begins on Good Friday in front of the GPO”
they are at least able to direct advertising at you that recouperate the words ‘revolution’ and ‘Good Friday’.
At the most optimistic in terms of real privacy. The actuality is probably worse and involves an agreement with 5 Eyes.
However we have no way to judge this because we have no access to the source code to check what they are doing within the Whatsapp app and on the servers at the back end.
In contrast Open Whisper System‘s own Signal is as good as Whatsapp and all the source is open and available. You can compile and run the apps yourself if you are that paranoid.
Signal is ad-free and free (as in beer and speech). Development is supported by donations. It also supports encrypted Telephony which works pretty well on reasonably high bandwidth / low latency WLAN. I’ve no idea whether Whatsapp or Facebook offer free encrypted phone calls, as does Signal. Don’t try it on mobile data unless you are willing to adapt to an ‘over (pause) and out’ conversational protocol. Voice over LTE hasn’t reached Europe yet.
What’s more they just launched a Desktop App for the open source Browser Chrome that allows you to text people from the desktop on (and I haven’t tested this) I imagine closed source systems like Mac OSX and Windows.
I don’t know anyone in my reasonably wide network of security-savvy people who are not using Signal as their day-to-day instant messaging application, and for encrypted phone calls.
Of course Signal is only as secure as the operating system on which you run it, but to my knowledge Signal running on Open/FreeBSD or Qubes presents fairly high barriers to the usual suspects.
LikeLiked by 1 person
Oh and it’s my belief that the push protocol of Signal offers a certain resistance to Traffic/Metadata analysis especially if is run over Tor or a reliable VPN aggregator.
LikeLike
Link for setting up the Desktop version of Signal. At the present you need to have the Android version installed and registered on a device with a camera first.
LikeLike
I vaguely recall reading that what Facebook gets from Whatsapp is the entire address-book of your Whatsapp which is uploaded onto their servers.
What they do with it afterwards I can only in my darkest dreams imagine.
LikeLike