WhatsApp Encryption: Why is it bad?

WhatsApp made a hoopla about its encryption, suggesting that dissidents using WhatsApp would automatically “get protection” because of “end to end encryption”. It has been touted as a “magic bullet” designed to protect you from snooping eyes.

Interestingly, this comes against the backdrop of several vulnerabilities reported in WhatsApp, including several dissertation theses that have reverse engineered the application and discovered major flaws. It doesn’t absolve them of the coding horrors; unencrypted messages on their servers and unprotected backups are susceptible to abuse anyway. Wrapping this in their “own implementation” of an open source protocol (Signal) leaves several questions unanswered.

A proper encryption protocol is akin to deep, fancy mathematics; you have to put the protocol out to be audited and checked in real-life scenarios. The potential “security holes” are in its implementation and in any “master key” that leaves the chats vulnerable to decryption. Although Signal is well documented in the cryptographic community, its funding source leaves open more questions than answers. Signal has been funded by the US Government (by proxy the NSA?); that is open for interpretation. Tor is similarly funded by the US Government, and one of its exit nodes was compromised by the intelligence agencies, proving that it’s not infallible for “secure communications”. The exact methodology is unlikely to come out in the public domain, but if it’s important for the greater public good, access to it is invaluable.

One of the biggest myths concerns the content of the messages: that the content can be read in real time to spy on users; it is not. There’s something more valuable than the actual message: metadata. The app accesses your location, time stamps, your microphone/camera etc., and all these samples come coded with metadata, or “data about data”. This is more structured and machine readable, which means that machine learning algorithms have the potential to sift out meaningful trends in the data: find out your associates, with whom you interact the most, and your purported location at any given instant. This metadata can reveal a vast treasure trove of information about your habits (and proclivities) that makes it all the harder to deny who you actually are. This can be applied to a group of individuals or to millions of users worldwide. There’s no way you can “really hide”. New desktop applications exist that seek to tunnel the data through Tor and remove your metadata, but they are cumbersome.
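To make the point concrete, here is an added illustration (not code from the original post, and not from any real app) of how much falls out of message metadata alone. The records below are constructed; no message body is ever looked at, only who messaged whom, when, and a coarse sender location.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of message metadata (no message content): who messaged whom,
# when, and the coarse location the sender reported. These records are invented
# for this illustration and do not come from any real app or dataset.
METADATA = [
    # (sender, recipient, ISO-8601 timestamp, coarse location of sender)
    ("alice", "bob",   "2016-04-06T08:02:00", "office_district"),
    ("bob",   "alice", "2016-04-06T08:05:00", "office_district"),
    ("alice", "bob",   "2016-04-06T12:30:00", "office_district"),
    ("alice", "carol", "2016-04-06T19:10:00", "home_north"),
    ("carol", "alice", "2016-04-06T19:12:00", "home_north"),
    ("alice", "bob",   "2016-04-07T08:01:00", "office_district"),
    ("alice", "dave",  "2016-04-07T23:40:00", "home_north"),
    ("alice", "carol", "2016-04-07T19:15:00", "home_north"),
]

def top_contacts(records, user, n=3):
    """Rank the people `user` exchanges messages with by message count."""
    counts = Counter()
    for sender, recipient, _, _ in records:
        if sender == user:
            counts[recipient] += 1
        elif recipient == user:
            counts[sender] += 1
    return counts.most_common(n)

def likely_location_by_hour(records, user):
    """Map each hour of the day to the location `user` most often reports then.
    A daily routine (office by day, home at night) emerges from timestamps and
    coarse location alone, without reading a single message body."""
    per_hour = defaultdict(Counter)
    for sender, _, ts, location in records:
        if sender == user:
            per_hour[datetime.fromisoformat(ts).hour][location] += 1
    return {hour: locs.most_common(1)[0][0] for hour, locs in per_hour.items()}

def colocated_contacts(records, user):
    """Contacts who reported the same coarse location as `user` on the same day,
    i.e. people `user` probably meets in person, inferred purely from metadata."""
    user_days = {(ts[:10], loc) for s, _, ts, loc in records if s == user}
    return sorted({s for s, _, ts, loc in records
                   if s != user and (ts[:10], loc) in user_days})

if __name__ == "__main__":
    print(top_contacts(METADATA, "alice"))            # [('bob', 4), ('carol', 3), ('dave', 1)]
    print(likely_location_by_hour(METADATA, "alice"))
    print(colocated_contacts(METADATA, "alice"))      # ['bob', 'carol']
```

Eight records are enough to name alice’s closest contact, her evening and night-time location, and the two people she is physically near; at the scale of millions of users the same queries run unchanged.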

Transparency is important in our public and personal domains, but its effect is something that we control; this is what we call taking control over our lives, and it affects our interpersonal relationships. Facebook (and WhatsApp) is slowly eroding this fundamental aspect of our being, something that we collectively (and as individuals) are unable to cope with as the anticipated changes arrive. The result is friction in relationships.

Your phone number becomes your identity, making it possible to track you irrespective of the encryption. The backups are not encrypted and can be retrieved by a variety of tools, which renders everything else useless.

The basic assumption of trust in these corporations is flawed. Communication is fundamental to human existence; why not use safe and secure chat applications like Threema and BBM instead? Threema is truly decentralised. BBM, although it goes through its hallowed NOCs, encrypts everything by default, including in transit. BlackBerry has a stated position on what it defines as “lawful access”, which makes it possible to cooperate with law enforcement.

The privacy debate is skewed against the idea of governments taking control, and the resultant shrillness associated with it is unfortunate. This is because the real culprits are Facebook, Google, or whatever social networks you fancy. Data is the new currency, and you have given it away so easily. What privacy does a terrorist have? Matters of national security mandate access to the data; the larger question is that of corporations tracking your user data in real time. These two aspects need to be understood in clear context.

WhatsApp deserves to be condemned; get rid of your network effect and shift solely to BBM. This is because BlackBerry is not invested in making a profit by selling your data to data brokers or nameless advertisers. They are not inclined to track you down to sell you a product. They don’t care with whom you interact, and they offer the best options for safe and secure communication. In essence, they are based on trust, and this is something they uphold very seriously.

You, the readers, have to take the onus to “educate” users about falling into this trap of “secure communications” when neither the code implementation nor the app source code has been validated by independent agencies. This is unlike BlackBerry or BBM, which has been vetted and given the highest possible security clearances for safe communication between decision makers. If it’s good for them, it’s good for us, the ordinary users! WhatsApp is unlikely to get coveted certifications, despite the EFF having given it a good score on its chat applications chart. It’s naiveté of the highest order, basing your trust on a “chart”.

EFF isn’t the custodian of your privacy.

You are.

