The Guardian article claims that WhatsApp encryption allows backdoor vulnerability


Recently the Guardian published an article titled “WhatsApp vulnerability allows snooping on encrypted messages“, detailing how this can be a huge threat to freedom of speech. According to the article,

WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman.

However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.

There has been an outcry by Open Whisper Systems, the team behind end-to-end encryption in WhatsApp. In a blog post, they begin with:

Today, the Guardian published a story falsely claiming that WhatsApp’s end to end encryption contains a “backdoor.”

The blog post has this to say about the Guardian article:

The way this story has been reported has been disappointing. There are many quotes in the article, but it seems that the Guardian put very little effort into verifying the original technical claims they’ve made. Even though we are the creators of the encryption protocol supposedly “backdoored” by WhatsApp, we were not asked for comment.

Instead, most of the quotes in the story are from policy and advocacy organizations who seem to have been asked “WhatsApp put a backdoor in their encryption, do you think that’s bad?”

We believe that it is important to honestly and accurately evaluate the choices that organizations like WhatsApp or Facebook make. There are many things to criticize Facebook for; running a product that deployed end-to-end encryption by default for over a billion people is not one of them.

It is great that the Guardian thinks privacy is something their readers should be concerned about. However, running a story like this without taking the time to carefully evaluate claims of a “backdoor” will ultimately only hurt their readers. It has the potential to drive them away from a well engineered and carefully considered system to much more dangerous products that make truly false claims. Since the story has been published, we have repeatedly reached out to the author and the editors at the Guardian, but have received no response.

We believe that WhatsApp remains a great choice for users concerned with the privacy of their message content.

What the Guardian article says is that WhatsApp has a security flaw that allows Facebook to snoop into the messages being exchanged by WhatsApp users. If Facebook can snoop around, then so can government agencies in the name of legitimate security needs.

End-to-end encryption means the message is encrypted as soon as it leaves your mobile phone and stays encrypted until it reaches the mobile phone of the recipient. Encryption keys are created on both ends. But, as often happens, sometimes when someone sends a WhatsApp message, the recipient is offline. This means the encryption key, while it works from the sender's side, does not work at the recipient's side. During that time the message is in limbo. Then, when the recipient comes online, a new encryption key is created. It is this period when the so-called flaw can be exploited by anyone who would like to access the WhatsApp message.
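As an added illustration (not code from this article, the Guardian, or Open Whisper Systems), the following Python model contrasts three ways a sender can handle a contact's identity key changing while messages are still undelivered: silently re-encrypting them under the new key, re-encrypting and only then warning when security notifications are enabled, and refusing to send until the user confirms the new key. Contact names, key bytes and the fingerprint function are constructed stand-ins; the out-of-band safety-number comparison at the end catches the change whatever the notification setting.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(identity_key: bytes) -> str:
    """Short hash of an identity key, a stand-in for the safety number users compare out of band."""
    return hashlib.sha256(identity_key).hexdigest()[:12]


@dataclass
class Sender:
    """Sender-side model of key-change handling (constructed example, not WhatsApp's code)."""
    show_security_notifications: bool
    block_on_key_change: bool = False                 # True: refuse to resend until the user confirms
    known_keys: dict = field(default_factory=dict)    # contact -> identity key learned on first use
    pending: dict = field(default_factory=dict)       # contact -> messages not yet marked delivered
    events: list = field(default_factory=list)        # what the user would actually see

    def queue(self, contact: str, message: str) -> None:
        """Compose a message while the contact is offline; it waits in the outbox."""
        self.pending.setdefault(contact, []).append(message)

    def deliver_pending(self, contact: str, server_key: bytes) -> list:
        """Send queued messages using the identity key the server now presents for `contact`.
        Returns (key fingerprint, message) pairs, i.e. which key each message was sealed under."""
        old = self.known_keys.get(contact)
        changed = old is not None and old != server_key
        if changed and self.block_on_key_change:
            self.events.append(("blocked_until_confirmed", contact, fingerprint(server_key)))
            return []                                 # nothing leaves the device under the new key
        self.known_keys[contact] = server_key         # trust the presented key and resend
        sent = [(fingerprint(server_key), m) for m in self.pending.pop(contact, [])]
        if changed and self.show_security_notifications:
            # The warning, when enabled, is raised only after the messages have already gone out.
            self.events.append(("key_changed", contact, fingerprint(server_key)))
        return sent

    def verify_safety_number(self, contact: str, number_read_from_peer: str) -> bool:
        """Out-of-band check: compare the stored key's fingerprint with what the peer shows in person."""
        return fingerprint(self.known_keys[contact]) == number_read_from_peer
```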

Whether it is a hit job or not, I think the Guardian has a valid point. For example, I think this tweet is very brazen about the vulnerability of the encryption technology that is used in WhatsApp:

It’s like saying that it’s too bad that the WhatsApp encryption vulnerability can be exploited if you don’t verify the keys. It’s too bad that a recipient is off-line and the complete process of encryption cannot take place. If this really is a vulnerability, it should be addressed.

About Amrit Hallan
Amrit Hallan is the founder of He writes about technology not because "he loves to write about technology", he actually believes that it makes the world a better place. On Twitter you can follow him at @amrithallan
