
Can WhatsApp intercept and read your messages?

Security experts' open letter decries report on WhatsApp security flaws

Why it matters to you

A security flaw in an app used by a billion people should remind us all to keep tabs on our privacy.

The relationship between Facebook and WhatsApp has been … complicated. In December, the social media giant was accused of misleading European regulators in advance of its $22 billion acquisition of the messaging app, while WhatsApp users were displeased to find that their information was being shared with Facebook.

That relationship grew more complicated after a report from the Guardian last week, which said that “a security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.” But was that report accurate? A group of security researchers has just penned an open letter asking the Guardian to retract its story, calling it “the equivalent of putting ‘VACCINES KILL PEOPLE’ in a blaring headline over a poorly contextualized piece.”

The crux of the debate: WhatsApp told users last April that it had implemented end-to-end encryption for all messages sent through its platform, but the Guardian’s report suggested that the app neglected to mention a caveat — Facebook can intercept your messages. And if Facebook can do it, then so too can a government agency.

The alleged backdoor was brought to light by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” he told the Guardian.

The supposed backdoor, the Guardian explained, had to do with WhatsApp’s encryption, which depends upon a generated set of unique security keys, using the Signal protocol. These keys are traded and verified between users to ensure that their messages are protected.

However, WhatsApp apparently could generate new encryption keys for offline users without the prior knowledge of either the sender or receiver, and then have the sender re-encrypt messages with new keys to resend them. This process would essentially let WhatsApp intercept and read messages.

Boelter’s findings were further verified by Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights. He noted, “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”
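To make the mechanism described above concrete, here is an added toy model; it is not WhatsApp's or Signal's code and does not come from the article or the researchers quoted in it. A stand-in relay hands out identity keys and can rotate one while the recipient is offline; the sender pins the key fingerprint it first saw for a contact, and one of three hypothetical client policies (silent re-encryption, re-encrypt then notify, hold until the user verifies) decides what happens when the relay presents a new key for an undelivered message. The cipher is a labelled placeholder, and the names alice and bob, the policy constants, and the message text are constructed.

```python
"""Toy model of a key change for an offline recipient and the client-side check.

Constructed illustration only: not WhatsApp or Signal code. The relay, the key
rotation and the cipher are stand-ins so the sender's check can be shown end to
end with nothing but the standard library.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical client policies for a contact whose identity key has changed.
SILENT = "silent"   # re-encrypt with the new key and say nothing
NOTIFY = "notify"   # re-encrypt, then show a "security code changed" notice
BLOCK = "block"     # hold the message until the user verifies the new key


def fingerprint(identity_key: bytes) -> str:
    """Short hex digest of an identity key, standing in for the security code users compare."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


def toy_encrypt(identity_key: bytes, plaintext: bytes) -> bytes:
    """XOR with an HMAC keystream derived from the identity key.

    Placeholder for the real session cipher (constructed, not secure); it exists
    only so that each ciphertext visibly depends on the key in use at the time.
    """
    stream = b""
    block = 0
    while len(stream) < len(plaintext):
        stream += hmac.new(identity_key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


@dataclass
class Relay:
    """Hypothetical server that stores each user's current identity key."""
    identity_keys: dict = field(default_factory=dict)

    def register(self, user: str) -> None:
        self.identity_keys[user] = os.urandom(32)

    def current_key(self, user: str) -> bytes:
        return self.identity_keys[user]

    def rotate_key(self, user: str) -> None:
        """The event the article describes: a fresh key appears for a user who is offline."""
        self.identity_keys[user] = os.urandom(32)


@dataclass
class Client:
    name: str
    relay: Relay
    policy: str = NOTIFY
    pinned: dict = field(default_factory=dict)  # contact -> fingerprint seen on first contact
    alerts: list = field(default_factory=list)
    held: list = field(default_factory=list)     # (recipient, plaintext) awaiting verification
    sent: list = field(default_factory=list)     # (recipient, key fingerprint, ciphertext)

    def send(self, to: str, plaintext: bytes) -> str:
        key = self.relay.current_key(to)
        fp = fingerprint(key)
        previous = self.pinned.get(to)
        if previous is None:
            self.pinned[to] = fp  # trust on first use
        elif previous != fp:
            # The check that matters: the relay now presents a key we have not seen before.
            if self.policy == BLOCK:
                self.held.append((to, plaintext))
                self.alerts.append(f"{to}: security code changed {previous} -> {fp}; message held")
                return "held"
            if self.policy == NOTIFY:
                self.alerts.append(f"{to}: security code changed {previous} -> {fp}")
            self.pinned[to] = fp
        self.sent.append((to, fp, toy_encrypt(key, plaintext)))
        return "sent"


def run_scenario(policy: str) -> dict:
    """Sender pins the recipient's key, the key is rotated while the message is
    undelivered, and the relay asks the sender to re-encrypt and resend."""
    relay = Relay()
    relay.register("alice")
    relay.register("bob")
    alice = Client("alice", relay, policy)
    message = b"constructed sample message"
    alice.send("bob", message)           # bob is offline; the message sits undelivered
    relay.rotate_key("bob")              # new key issued while bob is still offline
    status = alice.send("bob", message)  # relay's request: re-encrypt under the new key
    return {
        "status": status,
        "alerts": len(alice.alerts),
        "ciphertexts": len(alice.sent),
        "keys_used": len({fp for _, fp, _ in alice.sent}),
    }


if __name__ == "__main__":
    for policy in (SILENT, NOTIFY, BLOCK):
        print(policy, run_scenario(policy))
```

Under the silent policy the second ciphertext goes out under the new key with no record on the sender's side, which is the behaviour the article calls a backdoor; the notify policy corresponds to the optional security notifications WhatsApp points to in its response, where the user learns of the change only after the resend; the block policy is what a client does if the fingerprint check is enforced before anything is re-encrypted.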

WhatsApp was indignant from the start, telling Digital Trends via email last week:

The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false.

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.

This weekend a group of security experts corroborated WhatsApp’s story. Zeynep Tufekci led the charge on the open letter, which insists, “The behavior described in your article is not a backdoor in WhatsApp. This is the overwhelming consensus of the cryptography and security community,” as it is of Tufekci’s cosigners.

Moreover, the security experts criticize the lack of outside sources cited by the Guardian. “If you had contacted independent security researchers, many of whom, including the EFF, have written pieces calling your story irresponsible, they could have explained the issue to you and suggested how to report it responsibly,” the letter reads. “Your story notably lacks quotes, responses, or explanations by security experts in the field. Instead, it hinges on the claims of a single well-meaning graduate student.”

The Guardian has since issued a response of its own:

We ran a series of articles highlighting and discussing a verified vulnerability in WhatsApp and its potential implications. WhatsApp was approached prior to publication and we included its response in the story, as well as a follow-up comment which was received post-publication. While we stand by our reporting we have amended the article’s use of the term ‘backdoor’ in line with the response and footnoted the articles to acknowledge this. We are aware of Zeynep Tufekci’s open letter and have offered her the chance to write a response for the Guardian. This offer remains open and we continue to welcome debate.

The newspaper has not retracted the piece, though it has added an editorial note to reflect a statement from WhatsApp.

Article originally published in January 2017. Updated on 01-21-2017: Added news of an open letter from security experts calling for the retraction of the Guardian piece.