Who’s really listening?

When you fire off that text, how sure are you that no one else has their nose in your messaging history?

Portrait of Tammy Strobel

When you fire off that text, how sure are you that no one else has their nose in your messaging history?

My Reading Room

Last January, The Guardian published a piece on a supposed “backdoor” in the messaging app WhatsApp that would allow snooping by the government or other malicious agents. However, after a backlash from security experts, the newspaper amended the headline to refer to a “vulnerability” instead, a more accurate representation since WhatsApp had not actually left a way open for attackers.

My Reading Room

“Trump has made statements supporting mass surveillance of targets like mosques, and also previously called for a boycott of Apple’s products after the company’s refusal to compromise iOS security...”

However, The Guardian chose to leave its story intact, despite an open letter signed by 30 security researchers asking the paper to retract it. 

According to these researchers, the article was misleading people into thinking WhatsApp was less secure than it really was, which might lead them to use more vulnerable messaging apps.

If there’s one thing the episode showed us, it’s that any mention of backdoors or security loop-holes strikes a nerve. In the aftermath of the Snowden revelations and persis-tent headlines about hacking and data leaks, people are understanda-bly concerned about being watched.

But the furor over WhatsApp was a whole lot of white noise that distracted from where the real threats really lie.

This past November, the UK passed the Investigatory Powers Act, a bill giving its intelligence agencies and police vast surveillance powers that are the most extensive in the western world. “It goes further than many autocracies,” tweeted Edward Snowden, the NSA whistleblower.

What’s disturbing is that the bill was passed quietly, with scant resistance from parliament or outside it. Its effect is the legalization of a wide range of tools for snooping or hacking, allowing security agencies to access stored personal data and hack PCs and smartphones, even if an individual is not suspected of a crime. Passages within the bill even demand that telecom firms retain data on the web activity of British citizens for 12 months for authorities to access.    

Across the Atlantic, the election and inauguration of Donald Trump has raised the specter of further encroachment of privacy. Trump has made statements supporting mass surveillance of targets like mosques, and also previously called for a boycott of Apple’s products after the company’s refusal to compromise iOS security and help the FBI access the iPhone of the San Bernardino shooter.      

As president, he also has the power to introduce legislation that would give law enforcement wider access to US citizens’ private communications. Worried federal workers have even begun using Signal and other more secure communication tools to express dissent and organize.

Law-abiding private citizens may think they have nothing to worry about, but they’d be missing the point. While we’re still a long way off from an Orwellian dystopia, we should be concerned when we find that privacy advocates now have to justify themselves to the government, instead of the other way around.

No, you shouldn’t stop using WhatsApp
Whatsapp is still the most secure messaging app for regular users today, thanks to its use of the open-source Signal protocol. here’s an example of how it works, and why The Guardian was calling it a backdoor in the first place: 

1. John sends a message to Mary that is encrypted with Mary’s key. We’ll call this key K1. 

2. The encrypted message is stored on the server until Mary goes online, downloads it, and decrypts it with the associated key. 

3. However, if Mary loses her phone and has to get a new one, the new installation of WhatsApp will generate a new key, which we’ll call K2. 

Two things can happen in this case:
A: The server deletes the stored message since the K1 key no longer exists. Mary will not get to read the message, while John will be notified about Mary’s new key, and be given the option to resend the message. This is what the Signal app does. 

B: The server tells John’s phone about Mary’s new K2 key, and asks it to re-encrypt the message using it. This happens without John knowing, and Mary will automatically get the message. This is what WhatsApp does.

The problem is that it’s possible to trick the server into thinking that mary lost her phone, so third-parties could theoretically intercept messages with a new key. however, this is intended behavior on the part of Whatsapp, meant to improve the user experience and reduce the chances of lost messages. It is not a backdoor, and there is a very slim probability that such an attack will take place. 

My Reading Room

Text by Koh Wanzi Illustration 123rf.com / StaniSlav KozhuKov