Even though the FBI finally managed to crack into the iPhone of the San Bernardino killer without help from Apple, the battle over protecting our personal information from third parties has only just begun. On April 5, Whatsapp fired a massive shot in that battle and rolled out end-to-end encryption for all its 1 billion users. But what does that actually mean for you? STUART LEWIS spoke to some experts to find out.
Ever since the dawn of the information age, people have been worried about their personal information being stolen by some balding white dude in wrap-around shades and a Matrix-style leather coat who lives in his momâ€™s basement (if popular culture representations are anything to go by).
While that doesnâ€™t even come close to describing how hacking actually works (though you should definitely check out the mostly accurate way itâ€™s portrayed in Mr Robot, which is a TV show you should be watching anyway), the fear of a stranger getting to read our most private thoughts or having access to information we would rather stayed private is very real. What makes the fear even worse is how easy it actually is to get that kind of information. Even our credit cards (except those new chip cards) are comically unsecure.
With Whatsappâ€™s new end-to-end encryption, however, your data just got a little more secure. But what is it, and how does it work?
â€œThe move to an end-to-end model for WhatsApp extends the message encryption so that the message in encrypted on the sender’s device, and only decrypted on the recipientâ€™s device, with WhatsApp or others unable to decrypt the message in between,â€ explained Dominic White, chief technology officer at digital security firm SensePost.
â€œPreviously, the sender’s connection to WhatsApp would be encrypted, and the recipient’s would also be encrypted, but separately. This meant Whats App was effectively able to read the message, as they were sitting in the middle of the two connections.â€
This is a big deal for South Africans, as there are an estimated 10 million usersÂ of the Facebook-owned messaging service in the country. The Regulation of Interceptions of Communications and Communication-Related Act (RICA) can force service providers like Telkom, Vodacom or MTN to hand over the keys to your information if they are handed a warrant for it, and these kinds of companies arenâ€™t exactly knownÂ for working in the interests of their consumers.
Murray Hunter, who works on the secrecy desk for the Right2Know campaignÂ , said â€œGovernments hate encryption because they say it makes it hard to catch bad guys. Every government in the world is telling its citizens that they must choose between security and privacy. It’s a false choice. One of the most important ways of protecting people’s security is by protecting their privacy – this means protecting people from being spied on by cybercriminals, and their own governments, not to mention foreign governments.â€
There are three major ways people can access your personal data, says White. â€œThe actual device (i.e. physical extraction of data), network communications travelling to and from the device, and cloud backups of data on the device. At all three levels, South Africans are as at risk as any other nation.â€ The risk posed by law enforcement, especially, â€œseems to be high or at least poorly controlledâ€, he added, as work by Right2Know and Professor Jane Duncan from the University of Johannesburg has shown.
Both White and Hunter are also quick to point out that Whatsappâ€™s end-to-end encryption is not infallible. â€œYou will still give off lots of sensitive information about the message (e.g. who you are communicating with, when and where – this is called metadata). It also won’t secure your phone from other security breaches, which could be as simple as someone taking your phone and reading the messages right there. And it won’t protect you from your friends and frenemies taking screenshots of what you’re saying in your private messages,â€ said Hunter.
â€œThe most obvious weakness would be to not attack the encryption, but to attack the other two areas – the device and the cloud backups. For example, most smartphones are not as well protected as Apple’s iPhone 6/s/+ against the sort of physical extraction the FBI was pursuing. The cloud angle is often forgotten by people. If your Apple or Google account has a password of “Password” or something equally guessable, or a password shared with another service that may leak it, then an attacker (be they law enforcement or otherwise) can get anything from a full backup of your device to a partial one,â€ said White.
White also added that since WhatsAppâ€™s code is not open source and no reproducible builds of the code (which allow anyone to check the source code for possible weaknesses) exist, their secure system could be made less secure if Whatsapp is ordered by a court to disable encryption for a particular user, similar to what happened in the Lavabit case.
However, there are plenty of further steps that ordinary South Africans can take to protect their data. White advises that you use a different, strong password for every service you use and make use of software like 1PasswordÂ or KeePassXÂ to assist you, or even going so far as to encrypt all your communication out of the country using Virtual Private Network software like Freedome. It is also very important, he points out, that you are aware of where your data is and how secure it is: â€œIf you put your phone backup in the cloud so you can get it anywhere, then so can others.â€
You can also check out the tutorials in the Electronic Frontier Foundationâ€™s Surveillance Self-Defense Guide, which Right2Know recommends.