WhatsApp Finishes Rolling Out End-To-End Encryption; Now Covers Group Messages, Media

from the backdoors-salesmen-en-route-to-Congress-as-we-speak dept

More good news on the secure communications front: WhatsApp has finally implemented full end-to-end encryption — for everyone. Late in 2014, WhatsApp began rolling out its end-to-end encryption, but it was limited to one-to-one communications and did not cover messages containing media. Now, it’s everything, including group messages.

This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network.

Law enforcement — particularly the Justice Department — can’t be pleased with this full implementation. Even if a warrant is obtained, WhatsApp cannot produce message content in response to these or other court orders. And from what we’ve seen, WhatsApp may be the next target of the FBI and its All Writs wrangling.

While this does have its implications for law enforcement in the US, it will likely have more of an impact in other nations where citizens are protected by fewer privacy-related rights — which is where most of its users are located. Whether or not this will result in more futile arrests of Facebook execs remains to be seen.

As the messaging app’s creators point out, even if you believe your government is basically good, you should still support (and use) encrypted communication options.

The argument can be made: Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future.”

As we’ve seen in the aftermath of the Paris and Brussels attacks, governments — including their law enforcement agencies — are often prone to expanding government power and weakening citizens’ rights. It only takes one successful attack to send a nation down previously unimaginable paths. Might as well have your communications protected just in case. And, as for law enforcement’s sudden “lack” of access? It might help to keep in mind that people chatted for hundreds of years without creating permanent records of their conversations and criminals were somehow still arrested and punished.

Filed Under: , , ,
Companies: whatsapp

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “WhatsApp Finishes Rolling Out End-To-End Encryption; Now Covers Group Messages, Media”

Subscribe: RSS Leave a comment
JBDragon (profile) says:

Re: Re:

No Encryption is 100% perfect. You can find holes in the weak spots. It just can’t be 100% encrypted. Otherwise it wouldn’t run. People wouldn’t be able to read their messages, etc.

There’s Pro’s and Con’s to Open Source and Closed Source. It’s a Messaging App. If the FBI breaks in, what are they going to see that you care about? Does it have Nude Pictures of your Girlfriend? Medical History? Banking Info? So on and So on like a Smart phone??? Is someone going to steal your personal Identity breaking into Whatsapp?

If what you’re texting is really important that you don’t want anyone or any Government to see and read it, maybe Whatsapp isn’t the one to use. Especially being Facebook owned!!! It’s almost as bad is Google which flat out is a Advertising Company. All they do is spy on everything you do.

While iMessage is Encrypted and always has been, anything part of iCLoud, Apple still has the keys for and can get into that Data for the FBI. At least for now.

Papa Bogdan says:

How are they unable to decrypt messages?

Whatsapp is encrypting messages for storage and then decrypting messages so users can read them … so given a court order, how are they unable to comply? Is the app creating a unique 256-bit key on each client system? Does that mean my Android Whatsapp is unable to decrypt messages made by my iPhone Whatsapp? Since that’s likely not the case, Whatsapp’s servers contain all these keys.

Anonymous Coward says:

Re: How are they unable to decrypt messages?

What Whatsapp claims is that the messages are indeed encrypted using keys held only by the endpoints. This should mean that you can’t read the messages on any other device.

Apple gets around this with its Messages app by encrypting the key against your AppleID so that while the encryption key might ineed reside on their iCloud server, they can’t decrypt the key to use it without knowing your password. Each device that uses that iCloud account has to register and get its own signing tokens.

Whatsapp could theoretically do this too, but I highly doubt that they have. Someone who runs it on both an Android device and an iOS device could probably clarify one way or the other.

Anonymous Coward says:

>Is the app creating a unique 256-bit key on each client system?

From the description, there would have to be a distinct (not necessarily-256-bit) key for each person and each group. The personal key might well be a public-key scheme.

So the process might go something like:

Alice wants to create a group. She creates a local key for it. The server doesn’t know that key, just knows that there is a group.

Alice sends Bob an invite to the group, including the group key, encrypted via Bob’s public key. The message travels through the server encrypted end to end.

Now Alice and Bob can create content, encrypt it locally using the shared group key, and upload to the server. Anyone invited into the group can download that content from the server, decrypting it locally.

I’m sure professionals could come up with something more sophisticated, and better protected from off-server attacks. And, of course, this is all still trusting the server to honestly transmit public keys between users (it could execute the usual man-in-the-middle attack under some circumstances.)

Ninja (profile) says:

Re: Re:

If you use the public key to transfer the private ones and then destroy the data transferred then it should be mostly ok. Even if the public key is compromised, groups that were created before will be safe. I think it’s a good solution to implement end-to-end encryption without requiring much crypto knowledge from the users. Sure it doesn’t offer the best end-to-end security possible but it’s enough to make Govt abuse and criminal activity against the users quite harder.

That One Guy (profile) says:

And they have only themselves to blame...

Of course the best part about this whole push towards stronger encryption, encryption by default, and encryption that companies cannot themselves crack is that it was primarily in response not to the actions of your average criminals but the actions of governments and police showing absolutely no restraint and grabbing everything that they could, just because they could.

Once it became clear that those that were supposed to be protecting the public had absolutely no interest in protecting the privacy and security of the public, and in fact seemed more interested in undermining both, companies and individuals stepped in to do it themselves, leading to cries of ‘Not fair!’ and ‘You’re not allowed to do that!’ from the voyeurs that are suddenly finding their easy access to private data at risk.

Anonymous Coward says:

Not necessary to create a Group Key

From the description, there would have to be a distinct (not necessarily-256-bit) key for each person and each group. The personal key might well be a public-key scheme.
Not necessarily, it would seem quite possible that the sender could send individual messages to EACH of the group members using their public key. This way you don’t need a key for each group (a group is just multiple individuals).

Eldakka (profile) says:

Re: Not necessary to create a Group Key

The problem with your approach tho is that if you had, say, a group of 50 people, this would mean you’d have to encrypt a single message 49 times, once for each member (apart from yourself).

Encryption is quite an expensive process, running encryption across say a 1MB jpeg 49 times would be very expensive.

Having a unique encryption key just for that group chat, with each group member having a copy, means a single encryption process for every member to receive an encrypted message.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...