Network Security

WhatsApp spells problems for IP Bill with end-to-end encryption

The encrypted communication app, WhatsApp, has gone for the nuclear option. The company whose application can be found on one billion devices has switched on end-to-end encryption (e2e2).

In a blogpost written yesterday by WhatsApp's founders, Brian Acton and Jan Koum, the company stated, “We're proud to announce that we've completed a technological development that makes WhatsApp a leader in protecting your private communication: full end-to-end encryption.”

E2e2 means data is encrypted at the point of transmission, transit and reception. Access to the data is restricted to the sender and the person who was meant to receive it. WhatsApp is not the first, nor is it unique: Apple's iMessage system also uses this type of encryption, as does PGP.

The announcement was met warmly by many who put a premium on privacy.

Christopher Weatherhead, technology officer at pressure group, Privacy International told, “WhatsApp's announcement that customers' messages will now be fully end-to-end encrypted is a welcome step. What end-to-end encryption means is that only the sender and recipient of a message can read it, meaning that even WhatsApp will not be able to read the messages.”

If WhatsApp can't look at its customers' messages, that means governments won't be able to snoop on the messages, either.

Not everyone is enamoured of encryption. Encrypted communication technologies like WhatsApp have been slammed by government acolytes and the security-minded as essentially enabling terrorism. Moreover, such arguments point to the fact that known members of terrorist groups actually use apps like WhatsApp, Signal and Telegram to strategise.

That argument goes far beyond mere opinion. A whole array of encryption-breaking legislation currently waits for passage on the assembly floors of the democratic world. In the UK, the much maligned Investigatory Powers Bill (IP bill) will allow security services to request backdoors into the communications of private individuals, organisations and enterprises.

The rejoinder to that argument has traditionally been that if one were to make encryption weak for the government, then one would also have to make that encryption weak for everyone. Weakening encryption, the argument goes, would expose customers who rely on such technologies for privacy to the cyber-criminals who so desire to violate it.

“End-to-end encryption is already posing a problem for intelligence agencies which are pushing for ‘backdoors' to decrypt messages between terrorists, some of which may be exchanged on WhatsApp,” said Richard Anstey, EMEA CTO at Intralinks.

However, added Anstey, “Security experts across the world – including myself – are very reluctant to weaken encryption mechanisms, because this would have a wider knock-on effect in day-to-day life – both personal and professional. It can cause all sorts of sensitive information to become less protected from hackers, criminals and unfriendly nation states.”    

A similar argument was made when Jan Koum announced the introduction of e2e2 in his blog: “While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people's information to abuse from cyber-criminals, hackers, and rogue states.”

Koum added: “The desire to protect people's private communication is one of the core beliefs we have at WhatsApp, and for me, it's personal. I grew up in the USSR during communist rule and the fact that people couldn't speak freely is one of the reasons my family moved to the United States.”

So, the question becomes, has WhatsApp essentially outmaneuvered the government on this issue? The company has essentially created a situation in which not even WhatsApp can peer into its customers' private communications.

The FBI certainly has wanted to stop end-to-end encryption in the past. Last year, FBI director James Comey exhorted companies to stop using it, presumably so the FBI can monitor their communications.

Across the Atlantic, Robert Hannigan, head of GCHQ, gave a slightly more ambivalent answer in a speech last month at the Massachusetts institute of Technology. He said such issues were complex and his conclusion was appropriately complex: “Does providing the data in clear endanger the security of others' data? The unwelcome answer which dissatisfies advocates at both ends of the spectrum is: it depends"

Nicola Blackwood, a Conservative MP and chair of the Science and Technology Committee, has worked closely on reviewing the nascent IP bill. Importantly, the committee raised concerns about how the draft bill would affect e2e2 communications.

Blackwood told SC via email, “In some circumstances security services should be able to seek to obtain unencrypted data from communications service providers. But the Science and Technology Committee strongly believes UK businesses must not be placed at a commercial disadvantage by measures to tackle security risks.”  

She added, “This development by WhatsApp raises further questions about the scope [of] the impact of the Investigatory Powers Bill on communication service providers who offer encrypted services. The Government should clarify the precise obligations that the Bill is placing on potential providers of encrypted communication services.” 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.