The Hindu Explains | How secure are the messages sent on WhatsApp?

Does end-to-end encryption remove risks?

October 04, 2020 12:17 am | Updated 09:32 am IST

FILE PHOTO: Silhouettes of laptop and mobile device users are seen next to a screen projection of Whatsapp logo in this picture illustration taken March 28, 2018.  REUTERS/Dado Ruvic/Illustration/File Photo

The story so far: In recent weeks, television news channels have shared leaked WhatsApp chats of film actors in their coverage of actor Sushant Singh Rajput’s passing away. This has led to questions about whether communication over platforms such as WhatsApp is secure or not. It prompted Facebook-owned WhatsApp to come out with a statement on its use of end-to-end encryption to secure user messages.

Does WhatsApp have access to chats?

No. Since 2016, WhatsApp has used an end-to-end encryption system, which, as its FAQ section says, “ensures only you and the person you’re communicating with can read what’s sent, and nobody in between, not even WhatsApp”.

Governments across the world see end-to-end encryption as a huge issue when it comes to law enforcement. While WhatsApp says it responds to requests from law enforcement agencies “based on applicable law and policy,” it is not clear what kind of data it would have to share. News reports have mentioned that these could be in the nature of metadata such as mobile number, IP address, location, and so on.

How is WhatsApp designed to ensure such secure communication?

WhatsApp uses the encryption protocol developed by Open Whisper Systems, a project known best for its Signal app, which also uses the same open-source framework to ensure privacy. Whistle-blower Edward Snowden’s quote — “I use Signal every day” — is prominently displayed on the application’s homepage. Many closed messaging applications now use the Signal protocol.

What is the technology behind this?

The technology that forms the basis for this is called the ‘Diffie-Hellman key exchange’. In a 1976 paper titled New Directions in Cryptography, Whitfield Diffie and Martin E. Hellman saw the futility of the old ways of sharing a key securely (say, by “sending the key in advance over some secure channel such as private courier or registered mail”) in the emerging digital world. They proposed a method by which two parties can arrive at a shared secret key, even when they communicate only over a not-so-secure channel.

This is all about high math, but one way to understand the broad concept, used by many experts, is by way of colours. In the world of imagination, a shared secret colour stands in for the shared secret key between two communicators, whom we will call A and B. (There are many versions of this example on the Internet.) A and B need to communicate without anyone eavesdropping. They first agree on a public colour (say, yellow). The two communicators then each choose their own private colour, which is not to be shared with anyone. Say A chooses red and B, blue. They then individually mix their private colour with the public colour and send the mixture to each other. Note that eavesdroppers can see the public colour and both mixtures. But there is one more step. At A’s end, B’s mixture (some sort of green) is mixed with A’s private colour (red), and at B’s end, A’s mixture (some sort of orange) is mixed with B’s private colour (blue). Both arrive at the same secret colour after the final step. There is now a shared secret colour key, and the eavesdropper, who never saw either private colour, cannot reproduce it.

The other point to grasp is that while it is easy to mix colours, it is hard to work out which original colours went into a mixture. In mathematics, a function with that property is called a one-way function. Now imagine that difficulty scaled up to recovering a key from the results of complex mathematical computations. The Diffie-Hellman paper said: “A third party eavesdropping on this exchange must find it computationally infeasible to compute the key from the information overheard.”
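The colour analogy above maps directly onto the arithmetic Diffie and Hellman proposed: the “public colour” is a public prime and generator, “mixing” is modular exponentiation, and the one-way property is the difficulty of the discrete logarithm. The following is an added illustration, not code from the article or from WhatsApp; the prime 23 and generator 5 are deliberately tiny constructed values so the steps can be followed by hand, and the trial-search function shows why such sizes are only for illustration.

```python
"""Diffie-Hellman key exchange with toy parameters (added example)."""
import secrets

# Public parameters, agreed in the open (the "public colour" of the analogy).
# Constructed, deliberately small values; real deployments use primes of
# 2048 bits or more, or elliptic curves.
P = 23  # prime modulus
G = 5   # generator of the multiplicative group mod 23


def mix(private, base=G, p=P):
    """'Mix' a private value with a base: base^private mod p.
    Cheap to compute, but hard to undo for large p (the one-way function)."""
    return pow(base, private, p)


def keypair(p=P, g=G):
    """Pick a random private value (the 'private colour') and its public mixture."""
    priv = secrets.randbelow(p - 2) + 1  # 1 .. p-2
    return priv, mix(priv, g, p)


def shared_secret(my_private, their_public, p=P):
    """Final step of the analogy: mix the other side's mixture with my private value."""
    return pow(their_public, my_private, p)


def exchange(a_priv, b_priv, p=P, g=G):
    """Run one exchange. Returns A's key, B's key, and what an eavesdropper saw."""
    a_pub = mix(a_priv, g, p)          # A sends this over the insecure channel
    b_pub = mix(b_priv, g, p)          # B sends this over the insecure channel
    observed = (p, g, a_pub, b_pub)    # everything visible on the wire
    a_key = shared_secret(a_priv, b_pub, p)   # (g^b)^a mod p
    b_key = shared_secret(b_priv, a_pub, p)   # (g^a)^b mod p, the same number
    return a_key, b_key, observed


def discrete_log_by_trial(public, g=G, p=P):
    """What an eavesdropper must solve: find x with g^x = public (mod p).
    Trying every x works for p = 23; the work grows with the size of p,
    which is why real parameters make this computationally infeasible."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    a_key, b_key, seen = exchange(6, 15)   # constructed private values
    print("A's key:", a_key, "B's key:", b_key, "on the wire:", seen)
```

With A's private value 6 and B's 15, both sides compute the shared key 2 while the channel only carries the public values 8 and 19.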

Can’t those who have access to the server read messages?

End-to-end encryption removes this vulnerability. WhatsApp also says it does not store messages on its servers once they are delivered.

An earlier generation of encryption did not secure the entire channel, but secured the communication between a user and the server (of a messaging service). Once the server received a message intended for another user, it would decrypt and again encrypt it before sending it securely to the receiver. But this meant that there was a chance of security being compromised at the level of the server.

Can leaks still happen?

End-to-end encryption cannot prevent leaks from happening if a third party has access to a device which contains these messages. Encryption also does not help in cases wherein the sender or the receiver of a message shares it with others, a member of a group shares it with others, or messages are stored in a different format on a different application or platform open to others.

Are there other vulnerabilities?

Bugs that let others take control of a user’s phone are an example of such vulnerabilities. For instance, last year, WhatsApp revealed that surveillance technology developed by Israel’s NSO Group had been used to spy on about 1,400 people across the world, including civil rights activists and journalists in India.
