Explained: What is end-to-end encryption and how WhatsApp chats get leaked

There are backdoors and hacks that allow people other than the sender and the recipient to access WhatsApp messages. Here’s what you need to know.

It’s one thing for WhatsApp chats to be end-to-end encrypted, as the Facebook-owned company says they are, but it is another matter entirely how messages shared via the service regularly end up getting “leaked”. Notwithstanding the impenetrable shield that the company says it uses to keep the chats of its more than 2 billion users private, there are backdoors and hacks that allow people other than the sender and the recipient to access WhatsApp messages.

Here’s what you need to know.

What is the encryption used by WhatsApp?

WhatsApp says it ensures that any content shared via the service — messages, photos, videos, voice messages, documents, and calls — is secured from falling into the wrong hands using end-to-end encryption.

In a white paper on the subject, WhatsApp says it “defines end-to-end encryption as communications that remain encrypted from a device controlled by the sender to one controlled by the recipient”. That means, the Facebook-owned company says, that “no third parties, not even WhatsApp or our parent company Facebook, can access the content in between”.

According to WhatsApp, scrambling of chats using the Signal encryption protocol can be likened to messages being “secured with a lock” when they leave a device, with only the sender and the recipient in possession of “the special key needed to unlock and read them”.

The encryption feature, it is added, operates automatically and there is “no need to turn on settings or set up special secret chats to secure your messages”. The Signal encryption is a cryptographic protocol that was developed by Open Whisper Systems in 2013.

However, WhatsApp clarifies that while it “considers all messages from a device controlled by the sender to one whose device is controlled by the recipient to be end-to-end encrypted”, communications with a recipient who uses a vendor to manage their endpoint “are not considered end-to-end encrypted”.

How do chats get leaked?

Often, what is described as a “leak” of WhatsApp messages is nothing more than screenshots of chats that a recipient or somebody with access to a recipient’s phone shares with others. WhatsApp even notes this in its privacy policy under a subhead called ‘Third-Party Information’.

“You should keep in mind that in general any user can capture screenshots of your chats or messages or make recordings of your calls with them and send them to WhatsApp or anyone else, or post them on another platform,” it says.

The recent cases of Indian law enforcement officials going through chats of Bollywood celebrities such as Rhea Chakraborty and Aryan Khan were enabled by actual access to their phones. The “leak” here was actually a case of phones being handed over to investigators, who were then able to also access deleted chats stored on the device. But there are tech backdoors that exist through which private WhatsApp chats can be accessed.

One such means is the cloning of a phone, which, as the name suggests, enables a copy to be made of all the contents of a particular phone, giving the cloner access to the data.

Then there is spyware that can be installed secretly on a phone, which then provides constant access to all actions performed on the device. The Pegasus spyware developed by an Israeli company managed to reveal all WhatsApp chats to the entity operating the spyware.

But a common mode of accessing WhatsApp chats has been through the backup of chats that WhatsApp stores on the cloud. WhatsApp itself does not provide cloud storage and backs up messages with a third-party cloud provider, such as Google Drive or iCloud. Storage on the cloud is not encrypted and, if a user’s cloud storage is hacked, then access can be obtained to backed-up chats.

However, in September, Facebook founder Mark Zuckerberg said that WhatsApp was adding “another layer of privacy and security” to provide “an end-to-end encryption option for the backups people choose to store in Google Drive or iCloud”.

Is there any data WhatsApp has access to?

There is a constant tussle between law enforcement agencies and WhatsApp over access to chats, with the former saying it’s important for facilitating investigation into cases and preventing crimes, even as the latter argues that doing so would compromise user privacy and security.

But it would not be entirely correct to say that WhatsApp has access to no data from users. While “in the ordinary course… WhatsApp does not store messages once they are delivered or transaction logs of such delivered messages”, its privacy policy states that it “may collect, use, preserve, and share user information if we have a good-faith belief that it is reasonably necessary”. Circumstances in which it may do so may involve a need to “(a) keep our users safe, (b) detect, investigate, and prevent illegal activity, (c) respond to legal process, or to government requests, (d) enforce our terms and policies”, it adds. It notes that “this may include information about how some users interact with others on our service”.

A report by ProPublica in September questioned WhatsApp’s privacy claims by pointing to its ability to respond to complaints from users regarding messages shared using the service. The report said that the company has about 1,000 staff based in offices in Texas, Singapore and Dublin whose job it is to review WhatsApp messages that have been flagged by users. In fact, the company also acknowledges this in its privacy policy, saying that “when a report is made, we collect information on both the reporting user and reported user”.

ProPublica said these reviewers have access to only a specific set of messages when a user reports any exchange, noting that “deploying an army of content reviewers is just one of the ways that… the company’s actions have left WhatsApp… far less private than its users likely understand or expect”.

The report also mentions metadata that WhatsApp collects, which is not subject to encryption and yet can contain significant information about its users, like data related to location, phone numbers, etc. The company also shares such metadata upon request with law enforcement agencies, the report said.
