WhatsApp Reneges On Their Promise Of True Message Encryption

WhatsApp’s security was recently hacked by white-hat researchers.  After much click-baiting, it turns out they’re not actually collecting any information they shouldn’t be.  They are, however, protecting it poorly, and they still have access to message content with the ability to share it with Facebook.

Security researchers at Brno University of Technology in the Czech Republic (fun fact: Brno is where Mendel discovered modern genetics) were able to reverse-engineer WhatsApps’s security mechanisms and published their findings in an academic journal. Instantly there was a frenzy of click-baited articles about how WhatsApp was stealing data from users.  Reading the study itself showed that while they are indeed collecting data, that data is reasonable given the service they are providing.  For example, if you start a call with a friend, your WhatsApp client sends your phone number and that of your friend to the server.  In WhatsApp your number is your username, which is needed for the system to know who to connect you with.

A while back we wrote a post about how WhatsApp announced it would be releasing end-to-end encryption for its mobile service.  They had also announced that they themselves would lose access to user messages, with only the sender and recipient being able to decrypt communication.  This confused me because it came just after their $19Bn acquisition by Facebook, presumably for the content of the user communication coursing through their network.  Why on earth were they worth $19Bn to Facebook if the user generated content within WhatsApp was about to disappear within an encrypted channel?  What the Brno hack revealed is that their implementation fell far short of their claims, and Facebook’s investment in the content of WhatsApp’s users’ communication was safe.

In interviews with journalists WhatsApp stated that they would use Public Key Encryption, where only the sender and recipient can unencrypted content.  Indeed they did, but they used the same key for every user.  This makes the Brno hack possible, meaning anyone on the same network as your phone could gain access to the content of your messages.  Also, it means that WhatsApp themselves still have access to all message content.  Moreover, their parent corporation Facebook has access as well and the ability to target you with advertising based on the content of your WhatsApp messaging.  While this is surprising given WhatsApp’s previous PR, it does explain the mysterious $19Bn price tag that Facebook was willing to put on WhatsApp.  In my opinion, fully encrypting all WhatsApp content would make WhatsApp a near worthless asset to Facebook, especially considering the repeal of the $0.99 a year subscription model. We should not expect it any time soon, no matter how many posts like this one appear.