The Guardian apologizes for flawed reporting on WhatsApp encryption

Thanks to “misinterpretations, mistakes and misunderstandings at several stages of the reporting and editing process,” The Guardian published a story that dramatically overinflated the potential impact of a security flaw in the popular WhatsApp messaging application — and after half a year of investigating, the British news agency has finally put out a mea culpa.

Security concerns were under the microscope in December 2016, when Facebook was accused of misleading European regulators in advance of its $22 billion acquisition of the messaging app, while WhatsApp users were displeased to find that their information was being shared with Facebook. That relationship grew more complicated after a report from the Guardian in early January, which detailed the discovery in WhatsApp of “a security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages.” But was that report accurate? A group of security researchers penned an open letter a week later asking the Guardian to retract its story, calling it “the equivalent of putting ‘VACCINES KILL PEOPLE’ in a blaring headline over a poorly contextualized piece.”

The crux of the debate: WhatsApp told users last April that it had implemented end-to-end encryption for all messages sent through its platform, but the Guardian’s report suggested that the app neglected to mention a caveat: Facebook can intercept your messages. And if Facebook can do it, then so too can a government agency.

On Wednesday, six months after the controversial Guardian report, the news agency acknowledged flaws in its reporting, admitting that it was wrong to make such claims.

“The Guardian ought to have responded more effectively to the strong criticism the article generated from well-credentialed experts in the arcane field of developing and adapting end-to-end encryption for a large-scale messaging service,” wrote Paul Chadwick, the Guardian’s fourth readers’ editor (a quirky British title for a reader advocate).

The alleged backdoor was brought to light by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” he told the Guardian at the time.

The supposed backdoor, the Guardian had explained, had to do with WhatsApp’s encryption, which depends upon a generated set of unique security keys, using the Signal protocol. These keys are traded and verified between users to ensure that their messages are protected.

However, WhatsApp apparently could generate new encryption keys for offline users without the prior knowledge of either the sender or receiver, and then have the sender re-encrypt messages with new keys to resend them. This process would essentially let WhatsApp intercept and read messages.

Boelter’s findings were further verified by Steffen Tor Jensen, head of information security and digital countersurveillance at the European-Bahraini Organisation for Human Rights. He noted at the time that “WhatsApp can effectively continue flipping the security keys when devices are offline and resending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”
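The key-change handling described above can be modeled from the sender's side. The following Python sketch is an added example, not code from WhatsApp, Signal or the Guardian's reporting; the class, the scenario and the key bytes are constructed, and the "hold until verified" policy is an assumed contrast that the article does not describe.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short digest of a contact's public identity key (what users compare)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    auto_resend: bool  # True: resend first, notify after. False: hold until verified.
    pinned: dict = field(default_factory=dict)       # contact -> trusted fingerprint
    undelivered: dict = field(default_factory=dict)  # contact -> queued plaintexts
    outbox: list = field(default_factory=list)       # (contact, key fingerprint, text)
    notices: list = field(default_factory=list)      # security notifications shown

    def send(self, contact, key, text, delivered):
        fp = fingerprint(key)
        self.pinned.setdefault(contact, fp)
        self.outbox.append((contact, fp, text))
        if not delivered:  # recipient offline: keep plaintext for a later resend
            self.undelivered.setdefault(contact, []).append(text)

    def on_key_announced(self, contact, new_key):
        """The server reports an identity key for the contact."""
        if self.pinned.get(contact) == fingerprint(new_key):
            return
        self.notices.append(f"security code changed for {contact}")
        if self.auto_resend:
            self.accept_key(contact, new_key)

    def accept_key(self, contact, new_key):
        """Trust the new key and re-encrypt queued messages to it."""
        fp = fingerprint(new_key)
        self.pinned[contact] = fp
        for text in self.undelivered.pop(contact, []):
            self.outbox.append((contact, fp, text))

def sent_to_new_key(auto_resend, user_verifies=False):
    """Constructed scenario: one delivered message, one queued, then a key change."""
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    s = Sender(auto_resend)
    s.send("bob", old_key, "delivered earlier", delivered=True)
    s.send("bob", old_key, "queued while offline", delivered=False)
    s.on_key_announced("bob", new_key)
    if user_verifies:
        s.accept_key("bob", new_key)
    exposed = [t for c, fp, t in s.outbox if fp == fingerprint(new_key)]
    return exposed, s.notices
```

In this model only the message still queued for the offline recipient is re-encrypted to the unverified key; the one delivered earlier is never resent, and both policies raise the same notification.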

WhatsApp was indignant from the start, telling Digital Trends via email in January:

The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false.

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.

A group of security experts corroborated WhatsApp’s story shortly thereafter. Zeynep Tufekci led the charge on the open letter, which insists, “The behavior described in your article is not a backdoor in WhatsApp. This is the overwhelming consensus of the cryptography and security community,” a view shared by Tufekci’s cosigners.

Moreover, the security experts criticized the lack of outside sources cited by the Guardian. “If you had contacted independent security researchers, many of whom, including the EFF, have written pieces calling your story irresponsible, they could have explained the issue to you and suggested how to report it responsibly,” the letter reads. “Your story notably lacks quotes, responses, or explanations by security experts in the field. Instead, it hinges on the claims of a single well-meaning graduate student.”

The Guardian issued its initial response in late January:

We ran a series of articles highlighting and discussing a verified vulnerability in WhatsApp and its potential implications. WhatsApp was approached prior to publication and we included its response in the story, as well as a follow-up comment which was received post-publication. While we stand by our reporting we have amended the article’s use of the term ‘backdoor’ in line with the response and footnoted the articles to acknowledge this. We are aware of Zeynep Tufekci’s open letter and have offered her the chance to write a response for the Guardian. This offer remains open and we continue to welcome debate.

The original article has been amended with the conclusions of the Guardian’s comprehensive review. The news agency also took the opportunity to highlight the strength of its journalism, following up its apology with a request for contributions. “The Guardian’s independent, investigative journalism takes a lot of time, money and hard work to produce,” the article notes.

Update: Added The Guardian’s official retraction in June.
