WhatsApp doesn't have a 'backdoor', but we need to ask these questions of all our online services
WhatsApp was in the news this week due to a rather inflamatory article from the Guardian:
Privacy campaigners criticise WhatsApp vulnerability as a ‘huge threat to freedom of speech’ and warn it could be exploited by government agencies — Manisha Ganguly
Initial reading is alarming, even going as far as recommending that people trying to avoid government surveillance should stop using it immediately. That sounds really serious.
Signal founder, Moxie Marlinspike, responded on the Signal blog strongly:
Today, the Guardian published a story falsely claiming that WhatsApp’s end to end encryption contains a “backdoor”. … One fact of life in real world cryptography is that these keys will change under normal circumstances. Every time someone gets a new device, or even just reinstalls the app, their identity key pair will change. This is something any public key cryptography system has to deal with. WhatsApp gives users the option to be notified when those changes occur. … The fact that WhatsApp handles key changes is not a “backdoor”, it is how cryptography works. … Given the size and scope of WhatsApp’s user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user’s communication, along with a simple user experience. The choice to make these notifications “blocking” would in some ways make things worse. — Open Whisper Systems
So we can breathe a sigh of relief, right? Not quite. While I’ve got much more faith in the Signal Protocol, than I do the Guardian’s fluid reporting (particularly on tech-related matters) – it does raise an interesting question:
Should we be asking our online services whether they could (or even do, if they are allowed to tell us) provide a backdoor for government entities?
I think so. Without asking this question frequently, we forget that actually these online services usually answer to a higher power, government entities – which means that unless steps are taken to specifically encrypt and avoid inadvertent logging, your messages/emails/photos etc aren’t as private as you think they are.
I’m not suggesting that everyone jumps on VPN or Tor, just to circumvent snooping that may or may not be happening now (or in the future). Nor am I suggesting that everyone is actually breaking the law and needs to avoid this level of encryption - but unless the public understands the consequences of turning a blind eye to government online surveillance, we risk sleepwalking into a less secure and less transparent online world.
I’m off to back up my email somewhere safe - any recommendations?