WhatsApp Encryption Won’t Keep Your Messages Secret Unless You Also Do This
Privacy activists shouldn't get excited just yet.
WhatsApp made waves yesterday with its decision to switch on end-to-end encryption for all its billion-plus users. “End-to-end” means the communication is encrypted before it leaves your phone and decrypted only after it reaches the other person’s phone, so nobody else, not even WhatsApp itself, can read or listen to it.
Predictably, privacy activists are delighted and law-enforcement types are worried (though ironically, U.S. government money helped fund the encryption technique WhatsApp uses).
But before you start using WhatsApp to plot your overthrow of the global capitalist regime, bear in mind that intercepting your messages in transit is just one—indeed, possibly the least likely—of the ways a hostile party might try to snoop on you. Encryption alone isn’t much help unless all the following things are happening as well.
You’re not storing messages on your phone
If you really need a message to stay secret, delete it after it’s read. If someone gets hold of your phone (e.g. by stealing it) and can get into it—as the FBI has now done with the iPhone used by the San Bernardino shooter—everything that’s on there will still be accessible.
Some messaging apps, such as Telegram, have an “auto-destruct” feature that deletes messages from the phone after a set period of time. WhatsApp currently doesn’t. (Telegram, on the other hand, doesn’t use end-to-end encryption by default; you have to choose it.)
You’re not backing up messages to the cloud
WhatsApp doesn’t store your messages on its servers. But on an iPhone, for instance, you can tell WhatsApp to keep a backup of messages in iCloud, Apple’s cloud storage service. Once the information is in the cloud, it could be subpoenaed by a government.
@csoghoian Here's the flaw, the average user will enable this - putting the other side at risk pic.twitter.com/3qU8vNbfIo
— Justin Cauchon (@Cauchon) April 5, 2016
Signal is an app popular with privacy activists, and its encryption technology is the same as that used in WhatsApp. It doesn’t back up to the cloud.
Way to go WhatsApp, but I'm not ready to give up Signal. I fear that many of my WhatsApp friends have enabled unencrypted cloud backups.
— Christopher Soghoian (@csoghoian) April 5, 2016
And it should go without saying, but if you take a screenshot of a message exchange for safekeeping before deleting it from the app, that too will be vulnerable if your phone backs up its photo gallery to the cloud or falls into the wrong hands.
Nobody’s looking at your screen
If somebody can see your screen while you’re sending messages, encryption is pointless. And given the rapid spread of high-quality cellphone cameras, the only way to be sure is to be out of any possible line of sight and with no reflecting surfaces anywhere near your screen—which could include glasses and perhaps even
The person you’re communicating with is taking all the same precautions
Obviously.