3 potential holes in WhatsApp’s end-to-end encryption
May 5, 2016
Shah Sheikh (1294 articles)

3 potential holes in WhatsApp’s end-to-end encryption

It’s been almost a month since, right on the heels of the Apple vs FBI showdown, WhatsApp added fresh fuel to the already hot encryption debate when it announced it was enabling end-to-end encryption for all of its 1 billion users.

As of April 5, every message, every video recording, every sound recording, and every photo exchanged via the app is visible by the parties involved in the communication only and no one else. Not WhatsApp itself, not government surveillance agencies, not any potential hackers or snoopers, nobody. From the company’s web site:

“WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp. This is because your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them. For added protection, every message you send has its own unique lock and key. All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages.”

With the Brussels attacks painfully fresh in everyone’s minds, the company’s move reignited the larger issue of national security versus individual privacy. This week’s one-day shutdown of WhatsApp in Sergipe, Brazil for law enforcement reasons, shows governments worldwide are concerned about the new level of encryption.

We’ve seen fear-mongering headlines such as “WhatsApp locks out terror police,” as well as reprimands from US senators who stopped just short of saying that the company is responsible for future terrorist attacks:

“I strongly urge WhatsApp and Facebook to reevaluate their decision before they help facilitate another terrorist attack,” said Republican Senator Tom Cotton in a statement made at the time, which is pretty much like telling a car manufacturer that it needs to reevaluate its decision to build a new model before it facilitates another hit and run.

In the tech world, however, WhatsApp got nothing but praise for its newly implemented end-to-end encryption. The news that it used The Signal Protocol designed by Open Whisper System for its encryption lent the move an extra dose of authority and credibility and WhatsApp was hailed as an example to follow, a true privacy trailblazer democratizing encryption by making it available to the masses.

And with good reason.

It was about time someone stepped up to the plate, and who better to do it than a company with 1 billion users all over the world?

That said though, I have some questions. Possibly some doubts as well, but I’ll settle for the answers to these questions for now, if given a choice. Here it goes:

1. What about the metadata?

WhatsApp will still keep records of its users’ metadata. This means that even though the contents of a message cannot be accessed by anyone including WhatsApp itself, the phone numbers involved in the exchange, as well as the timestamps on the messages, are still being stored on the company’s servers. This means that if a court orders WhatsApp to share all the info it has on a particular user, the amount of metadata the company would be handing over would most likely be sufficient to create a profile and draw some strong conclusions. Knowing who someone talked to, at what time, and how many times per day is some pretty powerful information to have, don’t you think?

And it’s not just governments who could get their hands on that data; it’s hackers, too.

2. What about Facebook?

Back in 2014, WhatsApp was acquired by Facebook, which as you probably know by now, is not the most privacy-minded company out there. It makes its money serving you ads, and the more it knows about you, the better it can tailor those ads to your personality and behavior as a consumer.

That’s a necessary evil in today’s hyper-competitive and saturated marketplace and, full disclosure, my company has used Facebook Ads too — but that doesn’t change the fact that users’ privacy is not at the top of the list for Facebook.

Which is why I’m a little bit worried about WhatsApp’s quest to provide privacy to 1 billion people.

Because at some point in the not so distant past, screenshots made public by freelance Android developer Javier Santos of a beta update for WhatsApp showed that the company was planning to ask users to share their WhatsApp account information with Facebook to improve their Facebook experiences. And if that were to happen sometime in the future, then Facebook would get to see all that metadata we mentioned earlier.


Metadata that it could use to create an even more accurate profile on you than the one it has now by analyzing your Facebook activity alone. And then it could proceed to serve you some targeted ads with a side of invasion of privacy.

But even if this never actually happens and your Facebook and WhatsApp accounts remain separate, there still is the issue of Facebook’s quest to get everyone to “secure their account” by adding their phone number to it. And you know what else is associated with that phone number? Exactly, your WhatsApp account.

So you have to wonder if Facebook’s fratboy-in-the-club-like obsession with getting your digits is just them trying to link your Facebook and WhatsApp accounts on their own, without you consenting or even knowing. Because it’s just easier that way.

(Side note: Did you know that you’re searchable on Facebook by phone number, which can undo a lot of the privacy settings you have in place on your account?)

3. What about the money?

Right now, WhatsApp is not making any money; it has no source of revenue. In the beginning, it tried monetizing the service itself — for a very low fee. It has since scrapped that and is now offering the messaging app for free, all features included.

It will probably open up the platform to brands in the near future, but it has made clear that it won’t be to enable brands to advertise to users. It will instead be to help users communicate with companies more easily, without the hassle of having to call, send an email, or fill out a contact form. Want to order a pizza? Send a WhatsApp to the pizza place. Want to make a dinner reservation? Just WhatsApp the restaurant. You get the point.

And while this might be a feature that the company could monetize, will it inject enough cash into the business to keep it viable in the long-run?

Which brings us back to Facebook and to wondering whether some of that ad money will make its way to WhatsApp.

All of this remains to be seen. WhatsApp is now in the spotlight; everyone’s eyes are on the company, watching its every move, putting its claims and its encryption to the test and waiting for its next step.

Whatever happens next, there is no denying that what WhatsApp did is not only a huge step forward for online privacy, but a much needed challenge for every tech company out there. The company has raised the bar for everyone else. It has done its part, and it is now our turn to step up our game in protecting users’ privacy.

Challenge. Accepted.

Source | VentureBeat