WhatsApp Adds Encryption, but It Won't Be A Whistleblower's App of Choice
WhatsApp added end-to-end encryption, so tap that update button and download the latest version of the app. If you think this brand new feature allows you to use the app to blow a whistle on some injustice, or for your little club of dissidents, think twice, and here is why.
Encryption should have been there in the first place. It's PR
While the mainstream media are hailing Facebook, the current WhatsApp owner, for innovation and standing up for privacy, let us not be so naive. Encryption is not innovation; it's been on offer in many fine open source messengers for years now. Remember? Even if the first time you heard about encryption was when the Edward Snowden files hit the headlines, you have had plenty of opportunities to discover user-friendly tools that let non-geeks encrypt their communication.
What Facebook just did by encrypting WhatsApp, finally, was fix a fundamental security hole in its product. Encryption is the Alpha and Omega of secure, private communication, and the company is trying to keep up with the competitors in a lively market. When Apple took the recent iPhone 6 case vs DoJ public, the public debate on privacy escalated. So, the move looks forced.
It's not open source, so there is no telling whether there is a back door
WhatsApp is closed, proprietary software, so no independent auditor can look through the code, test it and confirm there are no back doors built into the software, even with the encryption enabled. For those who take their privacy seriously, open source vs proprietary is a deal breaker.
Facebook is the most privacy-invasive company after Google, and its business model is selling user data to marketing agencies. It's also been named as one of the Silicon Valley collaborators with the government mass surveillance program PRISM. It never deletes your data, even if you delete it on your end, even if you delete your entire account. Its facial recognition algorithm is one of the most sophisticated in the world, and it places super cookies in several directories on your computer, which respawn if you try to delete them. Oh, it also tracks non-users. Did you know Facebook even got fined for tracking non-users?
Security experts warn about privacy and security risks
Even with the encryption rolled out, WhatsApp is only nominally secure and private, while in fact there are a number of possibilities for breaches. First of all, all parties included in a chat should have the latest version of the app installed for the contents of the chat to be encrypted. If, for example, a single person in your group chat did not update to the latest version, your group chat is not encrypted.
End point security
The metadata thing
The company retains metadata and some “other information” concerning your chats. This means Facebook has the contents of your address book (check the app permissions out of sheer curiosity), the time and date stamp of all your conversations, and the phone numbers of your recipients. In terms of big data processing, metadata is the Holy Grail of surveillance. Here is how experts explain its value: the contents of the chats are huge, unstructured loads of data that require humans or very sophisticated programs to analyze, while metadata is a clean, ordered, tagged and labeled library of human interactions, which makes it possible to establish who talked to whom, where and when. Metadata lets programs analyzing big data establish connections within communities and globally. This is impossible to achieve through the contents of the messages. If you care to dig deeper, have a look at this Der Spiegel article.
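As an added illustration (not part of the original article), the Python example below shows how the fields the privacy notice says may be retained, a delivery timestamp and the phone numbers involved, are enough on their own to reconstruct who talks to whom, which groups exist and when they are active. The records, phone numbers and function names are constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: (timestamp, sender, recipient) only, no message content.
RECORDS = [
    ("2016-04-06T08:02:11", "+1-555-0101", "+1-555-0102"),
    ("2016-04-06T08:03:40", "+1-555-0102", "+1-555-0101"),
    ("2016-04-06T23:51:09", "+1-555-0101", "+1-555-0103"),
    ("2016-04-06T23:52:30", "+1-555-0103", "+1-555-0104"),
    ("2016-04-06T23:55:02", "+1-555-0104", "+1-555-0101"),
    ("2016-04-07T12:15:00", "+1-555-0105", "+1-555-0106"),
    ("2016-04-07T23:58:44", "+1-555-0101", "+1-555-0103"),
]

def contact_graph(records):
    """Undirected weighted graph: {frozenset({a, b}): message count}."""
    edges = Counter()
    for _, sender, recipient in records:
        edges[frozenset((sender, recipient))] += 1
    return edges

def communities(edges):
    """Connected components: groups of numbers linked by any message chain."""
    neighbours = defaultdict(set)
    for pair in edges:
        a, b = tuple(pair)
        neighbours[a].add(b)
        neighbours[b].add(a)
    seen, groups = set(), []
    for start in sorted(neighbours):
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:
            node = stack.pop()
            if node not in group:
                group.add(node)
                stack.extend(neighbours[node] - group)
        seen |= group
        groups.append(sorted(group))
    return groups

def active_hours(records, number):
    """Hours of day (0-23) at which a number sent or received messages."""
    hours = Counter()
    for ts, sender, recipient in records:
        if number in (sender, recipient):
            hours[datetime.fromisoformat(ts).hour] += 1
    return dict(hours)
```

Calling `communities(contact_graph(RECORDS))` separates the sample into a four-person group and an unrelated pair, and `active_hours` shows that one member of the group is only ever active around midnight, all without reading a single message.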
WhatsApp is legally compelled
We have yet to see what hides behind “other information” that WhatsApp retains. WhatsApp’s privacy notice says:
“WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect. Files that are sent through the WhatsApp Service will reside on our servers after delivery for a short period of time, but are deleted and stripped of any identifiable information within a short period of time in accordance with our general retention policies.”
Wrapping up, it's worth noting that the market of chat apps is booming as never before, and those looking for alternatives that crop up beyond the Five-Eyes jurisdiction now have options. Smaller, non-US-based companies, mostly from Europe, offer features like open source, zero knowledge, and no phone number or any personally identifiable information requirements when subscribing – real private communication. So, if you want to keep up with the community updates, stick to WhatsApp, but if you seek privacy, look at CryptoCat, Threema, Tutanota, Signal or even Telegram.