Whatsapp encryption doesn’t protect you from everything

Even though the FBI finally managed to crack into the iPhone of the San Bernardino killer without help from Apple, the battle over protecting our personal information from third parties has only just begun. On April 5, Whatsapp fired a massive shot in that battle and rolled out end-to-end encryption for all its 1 billion users. But what does that actually mean for you? STUART LEWIS spoke to some experts to find out.

Ever since the dawn of the information age, people have been worried about their personal information being stolen by some balding white dude in wrap-around shades and a Matrix-style leather coat who lives in his mom’s basement (if popular culture representations are anything to go by).

Hacking in Progress

While that doesn’t even come close to describing how hacking actually works (though you should definitely check out the mostly accurate way it’s portrayed in Mr Robot, which is a TV show you should be watching anyway), the fear of a stranger getting to read our most private thoughts or having access to information we would rather stayed private is very real. What makes the fear even worse is how easy it actually is to get that kind of information. Even our credit cards (except those new chip cards) are comically unsecure.

With Whatsapp’s new end-to-end encryption, however, your data just got a little more secure. But what is it, and how does it work?

“The move to an end-to-end model for WhatsApp extends the message encryption so that the message in encrypted on the sender’s device, and only decrypted on the recipient’s device, with WhatsApp or others unable to decrypt the message in between,” explained Dominic White, chief technology officer at digital security firm SensePost.

“Previously, the sender’s connection to WhatsApp would be encrypted, and the recipient’s would also be encrypted, but separately. This meant Whats App was effectively able to read the message, as they were sitting in the middle of the two connections.”

This is a big deal for South Africans, as there are an estimated 10 million users of the Facebook-owned messaging service in the country. The Regulation of Interceptions of Communications and Communication-Related Act (RICA) can force service providers like Telkom, Vodacom or MTN to hand over the keys to your information if they are handed a warrant for it, and these kinds of companies aren’t exactly known for working in the interests of their consumers.

Murray Hunter, who works on the secrecy desk for the Right2Know campaign , said “Governments hate encryption because they say it makes it hard to catch bad guys. Every government in the world is telling its citizens that they must choose between security and privacy. It’s a false choice. One of the most important ways of protecting people’s security is by protecting their privacy – this means protecting people from being spied on by cybercriminals, and their own governments, not to mention foreign governments.”

There are three major ways people can access your personal data, says White. “The actual device (i.e. physical extraction of data), network communications travelling to and from the device, and cloud backups of data on the device. At all three levels, South Africans are as at risk as any other nation.” The risk posed by law enforcement, especially, “seems to be high or at least poorly controlled”, he added, as work by Right2Know and Professor Jane Duncan from the University of Johannesburg has shown.

Both White and Hunter are also quick to point out that Whatsapp’s end-to-end encryption is not infallible. “You will still give off lots of sensitive information about the message (e.g. who you are communicating with, when and where – this is called metadata). It also won’t secure your phone from other security breaches, which could be as simple as someone taking your phone and reading the messages right there. And it won’t protect you from your friends and frenemies taking screenshots of what you’re saying in your private messages,” said Hunter.

“The most obvious weakness would be to not attack the encryption, but to attack the other two areas – the device and the cloud backups. For example, most smartphones are not as well protected as Apple’s iPhone 6/s/+ against the sort of physical extraction the FBI was pursuing. The cloud angle is often forgotten by people. If your Apple or Google account has a password of “Password” or something equally guessable, or a password shared with another service that may leak it, then an attacker (be they law enforcement or otherwise) can get anything from a full backup of your device to a partial one,” said White.

White also added that since WhatsApp’s code is not open source and no reproducible builds of the code (which allow anyone to check the source code for possible weaknesses) exist, their secure system could be made less secure if Whatsapp is ordered by a court to disable encryption for a particular user, similar to what happened in the Lavabit case.

However, there are plenty of further steps that ordinary South Africans can take to protect their data. White advises that you use a different, strong password for every service you use and make use of software like 1Password or KeePassX to assist you, or even going so far as to encrypt all your communication out of the country using Virtual Private Network software like Freedome. It is also very important, he points out, that you are aware of where your data is and how secure it is: “If you put your phone backup in the cloud so you can get it anywhere, then so can others.”

You can also check out the tutorials in the Electronic Frontier Foundation’s Surveillance Self-Defense Guide, which Right2Know recommends.

Featured image via Pixabay