Skip to Content

The Whatsapp Scandal

The house with the built-in backdoor

With Whatsapp, if you turn off or break your phone, Facebook holds any messages sent to you. Then, if your phone comes back with a new key, Facebook sends a request to anyone who sent you a message asking them to re-encrypt the message to the new key.

But here's the problem. Say I sent you a bunch of messages using your old key while your phone is turned off. Those messages are stored by Whatsapp and not delivered until you to turn the phone on. When you do that, and the new key is generated, the messages are decrypted by this new key. In other words, the message I sent to your original key (which I know was yours) is now picked up and decrypted by this other key that I don't know and haven't verified.

What's more, Whatsapp doesn't tell you it did this on your phone unless you turn on the notification (which people rarely do) and even then it tells you after it's generated the new key and sent the old messages with it. You learn you've been hacked after they hacked you. Privacy advocates are crying blooding murder: Whatsapp has touted its end to end encryption and now we find that it has a "backdoor" (a way of getting into the app without using normal passcode protection).

Why is this important? Because it's not secure enryption.

The federal government and its spying agencies like the National Security Agency and the FBI have a history of demanding that companies that store data decrypt it when a user's data is encrypted. This is what happened with Apple computer in February, 2016. The government wanted it to decrypt the cell phone of the suspect in the San Bernadino terrorist attacks and Apple said it couldn't break the encryption. The government found a way to do it but, up to then, it had been pressuring Apple to get its developers to develop a decryption method.

That dispute went to court. This time, were a demand made on Facebook for Whatsapp info, there would be no such defense. Facebook has a way of decrypting these messages. All if has to do is generate a new key for a phone and share it with a government spy and wait until the phone is turned off. In fact, cellphones can be disrupted and forced off remotely. The data isn't safe.

Would such a thing happen? That's been one of the two issues being hotly debate over the Internet by the app's developers and just about everyone else.

The debate's been clouded by the developer's assertion that this isn't a backdoor at all. They knew exactly what they were building into the app and did so to make encryption easier: a worthy goal given how complicated encryption can be for the average user.

WhatsApp itself issued a statement to the Guardian: "WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor."

The problem says my colleague and comrade Jamie McClelland in his superb blog "Current Working Directory" is that the government doesn't have to ask. The backdoor's already there. "...using the default installation, your end-to-end encrypted message could be intercepted and decrypted without you or the party you are communicating with knowing it," he explains. "How is this not a back door?"

story | by Dr. Radut