WhatsApp Finishes Rolling Out End-To-End Encryption; Now Covers Group Messages, Media
from the backdoors-salesmen-en-route-to-Congress-as-we-speak dept
More good news on the secure communications front: WhatsApp has finally implemented full end-to-end encryption -- for everyone. Late in 2014, WhatsApp began rolling out its end-to-end encryption, but it was limited to one-to-one communications and did not cover messages containing media. Now, it's everything, including group messages.
This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network.Law enforcement -- particularly the Justice Department -- can't be pleased with this full implementation. Even if a warrant is obtained, WhatsApp cannot produce message content in response to these or other court orders. And from what we've seen, WhatsApp may be the next target of the FBI and its All Writs wrangling.
While this does have its implications for law enforcement in the US, it will likely have more of an impact in other nations where citizens are protected by fewer privacy-related rights -- which is where most of its users are located. Whether or not this will result in more futile arrests of Facebook execs remains to be seen.
As the messaging app's creators point out, even if you believe your government is basically good, you should still support (and use) encrypted communication options.
The argument can be made: Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future.”As we've seen in the aftermath of the Paris and Brussels attacks, governments -- including their law enforcement agencies -- are often prone to expanding government power and weakening citizens' rights. It only takes one successful attack to send a nation down previously unimaginable paths. Might as well have your communications protected just in case. And, as for law enforcement's sudden "lack" of access? It might help to keep in mind that people chatted for hundreds of years without creating permanent records of their conversations and criminals were somehow still arrested and punished.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, fbi, messaging, privacy
Companies: whatsapp
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
That way the FBI and others who declare jihad against encryption would be declaring jihad against DRM.
[ link to this | view in thread ]
How are they unable to decrypt messages?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: How are they unable to decrypt messages?
Apple gets around this with its Messages app by encrypting the key against your AppleID so that while the encryption key might ineed reside on their iCloud server, they can't decrypt the key to use it without knowing your password. Each device that uses that iCloud account has to register and get its own signing tokens.
Whatsapp could theoretically do this too, but I highly doubt that they have. Someone who runs it on both an Android device and an iOS device could probably clarify one way or the other.
[ link to this | view in thread ]
From the description, there would have to be a distinct (not necessarily-256-bit) key for each person and each group. The personal key might well be a public-key scheme.
So the process might go something like:
Alice wants to create a group. She creates a local key for it. The server doesn't know that key, just knows that there is a group.
Alice sends Bob an invite to the group, including the group key, encrypted via Bob's public key. The message travels through the server encrypted end to end.
Now Alice and Bob can create content, encrypt it locally using the shared group key, and upload to the server. Anyone invited into the group can download that content from the server, decrypting it locally.
I'm sure professionals could come up with something more sophisticated, and better protected from off-server attacks. And, of course, this is all still trusting the server to honestly transmit public keys between users (it could execute the usual man-in-the-middle attack under some circumstances.)
[ link to this | view in thread ]
Re:
There's Pro's and Con's to Open Source and Closed Source. It's a Messaging App. If the FBI breaks in, what are they going to see that you care about? Does it have Nude Pictures of your Girlfriend? Medical History? Banking Info? So on and So on like a Smart phone??? Is someone going to steal your personal Identity breaking into Whatsapp?
If what you're texting is really important that you don't want anyone or any Government to see and read it, maybe Whatsapp isn't the one to use. Especially being Facebook owned!!! It's almost as bad is Google which flat out is a Advertising Company. All they do is spy on everything you do.
While iMessage is Encrypted and always has been, anything part of iCLoud, Apple still has the keys for and can get into that Data for the FBI. At least for now.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
But, but, but...
[ link to this | view in thread ]
Content is king!
Yes they can. The only catch is the content will be encrypted.
[ link to this | view in thread ]
And they have only themselves to blame...
Once it became clear that those that were supposed to be protecting the public had absolutely no interest in protecting the privacy and security of the public, and in fact seemed more interested in undermining both, companies and individuals stepped in to do it themselves, leading to cries of 'Not fair!' and 'You're not allowed to do that!' from the voyeurs that are suddenly finding their easy access to private data at risk.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Intel Management Engine
AMD has this too: Platform Security Processor
stuff is related to UEFI
it will appear in ARM as sure as sunrise as various commercial and government interests will hike through hell before they give up access to, and control over computers and networks
[ link to this | view in thread ]
Not necessary to create a Group Key
Not necessarily, it would seem quite possible that the sender could send individual messages to EACH of the group members using their public key. This way you don't need a key for each group (a group is just multiple individuals).
[ link to this | view in thread ]
Re:
With end to end encryption, intercepting the message doesn't help. It doesn't matter what server they have compromised, they still wouldn't be able to read any messages. They would have to compromise end user devices.
[ link to this | view in thread ]
Re: Not necessary to create a Group Key
Encryption is quite an expensive process, running encryption across say a 1MB jpeg 49 times would be very expensive.
Having a unique encryption key just for that group chat, with each group member having a copy, means a single encryption process for every member to receive an encrypted message.
[ link to this | view in thread ]