WhatsApp introduced end-to-end encryption to its messaging service last year in tandem with policies adopted by its parent company Facebook. End-to-end encryption on WhatsApp works by creating two security keys: a private key and a public key. When a message is sent, the private key stays on the sender’s phone. The public key accompanies the sent message and encrypts it even before the message reaches WhatsApp’s servers. Once the server transmits the message to the receiver, the private key of that user unlocks the sent message.
As per WhatsApp, this process ensures that no one except the sender and receiver can read the messages, not even WhatsApp. Further, each message on WhatsApp is encrypted individually. So even if hackers somehow manage to gain access to a decryption key, they will only be able to access a single message with it.
Sounds pretty secure and private, right? Well, chances are that WhatsApp’s billion-plus users are still vulnerable and their data can still end up in the hands of the government, advertisers or, worse, hackers. There are a few policy loopholes and features that can be used to extract WhatsApp conversations and critical user data, making the service not so private.
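The per-message property described above can be seen in a simplified hash ratchet of the kind used by the Signal protocol's symmetric-key ratchet. This is an added example, not code from WhatsApp or the original article; the function names, the constructed shared secret and the toy HMAC-based cipher standing in for AES are assumptions made for illustration.

```python
import hashlib
import hmac

def ratchet(chain_key: bytes):
    """Advance the chain one step: return (message_key, next_chain_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key

def _keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher (HMAC in counter mode), a stand-in for AES. Illustration only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append a 32-byte authentication tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(message_key, len(plaintext))))
    return ct + hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()

def open_sealed(message_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not match this message."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(message_key, len(ct))))

def send_all(shared_secret: bytes, messages):
    """Encrypt each message under its own key; return [(message_key, blob), ...]."""
    chain_key, out = shared_secret, []
    for m in messages:
        message_key, chain_key = ratchet(chain_key)  # fresh key for every message
        out.append((message_key, seal(message_key, m)))
    return out

if __name__ == "__main__":
    # Constructed sample data: a made-up shared secret and three messages.
    secret = hashlib.sha256(b"constructed shared secret").digest()
    sent = send_all(secret, [b"hi", b"meet at 6", b"ok"])
    leaked_key = sent[1][0]  # suppose only the second message key leaks
    for i, (_, blob) in enumerate(sent):
        print(i, open_sealed(leaked_key, blob))
```

Only the message whose key leaked opens; the other two return `None` because their keys come from different steps of the one-way chain.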
For starters, WhatsApp software engineer Alan Kao tells us that conversational data, when backed up to iCloud, is not end-to-end encrypted. “One of our guarantees as WhatsApp is that we ensure that our messages in transit are always end-to-end encrypted. With respect to back-ups, once it’s delivered onto the phones of users themselves, it’s up to them to safeguard their privacy of their data. Basically, they have ownership of their messages. When you perform a backup, it’s uploaded to a third-party service, not to a WhatsApp service, and that means that we can’t read those messages,” explains Kao.
So essentially, even though WhatsApp cannot read the backed-up messages, Apple can possibly decrypt them. While WhatsApp messages are backed up in an encrypted form when they are sent to and stored on iCloud, Apple holds the decryption key and can possibly use it to share user data with governments or authorities if a request for it is ever made. Alternatively, cloud hackers can also gain access to these conversations if that particular user account is ever breached.
While WhatsApp did acknowledge that Apple and Google both have their own stringent safety measures, representatives of the service could not explain the extent of control these companies have over the backed-up WhatsApp data. We were also told to speak to Apple to get further information on how encryption on iCloud backups works. “The encryption that we use for uploading this backup is not end-to-end encrypted, and we make that very clear to our users when they do the backup themselves,” said Kao.
In fact, a security company called Oxygen Forensics recently told Forbes that it has a workaround to decrypt WhatsApp messages stored on iCloud. All that the company needs is a SIM card with the same number (SIM cards can be cloned easily) to gain access to the verification code sent by WhatsApp which generates the iCloud encryption key.
We also asked WhatsApp about their data sharing policies with Facebook, a topic which has instigated a big privacy debate in India. Essentially, WhatsApp’s privacy policy states that the company is working with Facebook to "improve our services and offerings, like fighting spam across apps, making product suggestions, and showing relevant offers and ads on Facebook." It further goes on to say, "Facebook family of companies will still receive and use this information for other purposes."
So what is this information, other than the content of messages, that WhatsApp shares with Facebook? Kao and WhatsApp spokesperson Carl Woog tell us that the encrypted WhatsApp messages are accompanied by metadata such as a person’s phone number, as well as information on the various types of messages sent through the service. So if you share an image, a video and a GIF through WhatsApp, the service can tell the difference between them.
“The only things that we collect and we share (with Facebook and its family of companies) is the phone number, potentially a name if you supplied one, your phone’s model number and its operating system. Those are the only things that we share,” said Kao, responding to a question by Digit. What bothers us about this statement is that in a previous blog post WhatsApp has written “We won't post or share your WhatsApp number with others, including on Facebook, and we still won't sell, share, or give your phone number to advertisers.” The blog post was put up at the time when WhatsApp's data sharing policies with Facebook were being debated in the Supreme Court of India.
An example of how WhatsApp can be used to target ads at customers on Facebook also contradicts the previous statement. “For example, if you do business with a flower shop or a bakery, that you already interact with on WhatsApp on a regular basis, that business has your phone number because you’ve been talking to them. If that business wanted to do advertising on Facebook, for them to know what phone numbers they could reach on Facebook, would improve their ability to reach the customer,” explains Woog.
How exactly does an advertiser find a user through their phone number on Facebook? What if the user does not want their phone number to be used to target ads at him/her? What if a user has not linked their Facebook and WhatsApp accounts, in which case he/she has not given WhatsApp the permission to share their number with Facebook? These are some questions that still remain unanswered and did not get a clear response when we put them forth to Woog and Kao. However, we have been promised an answer and will follow up on the same.