Experts warn users about WhatsApp end-to-end encryption flaws
WhatsApp's end-to-end encryption feature is definitely a step forward in securing digital communication but there are certain loopholes.
Mumbai: Ever since Facebook-owned WhatsApp publicized its new end-to-end encryption feature, it has been receiving plaudits from its large global user base but a number of experts have pointed out several ambiguities in the new security feature.
While the ongoing encryption clash between Apple and the US Government proved to be an ideal platform for the messaging app to win applause, there is a lot more to it than meets the eye.
Micah Lee, a security engineer and journalist at The Intercept, pointed out that WhatsApp is encrypted but that, according to its privacy notice, WhatsApp may (does) retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in a text exchange.
Moreover, the messaging app will also collect “any other information” which it is legally compelled to collect. On the contrary, WhatsApp claimed earlier that no data regarding the chats or any information related to it will be stored on its servers.
Awesome that @WhatsApp is encrypted, but keep in mind it doesn't hide who you're texting https://t.co/i8G61TUo9i pic.twitter.com/PbXN3IF8UJ
— Micah Lee (@micahflee) April 5, 2016
WhatsApp’s privacy notice said: “WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect. Files that are sent through the WhatsApp Service will reside on our servers after delivery for a short period of time, but are deleted and stripped of any identifiable information within a short period of time in accordance with our general retention policies.”
For online privacy advocates who thought that the new encryption feature would check malicious hackers and government intrusion, this is a cause for concern, as rogue attackers will still be able to identify the recipient, the sender, and even the time stamp. Also, the government can certainly ask for this information, and the company has to comply with such a request.
WhatsApp is owned by Facebook
While the world-wide messaging app’s initiative is a step forward in the field of digital communication, the fact that it is owned by the largest social media networking site raises myriad questions regarding WhatsApp’s privacy.
In the past, there have been many instances which have proved that Facebook monitors and tracks user data to augment its own offerings, and a 2014 report from the White House clearly hinted that the networking site also shares collected data with the government.
Moreover, you will find numerous articles like this one on the Internet, which draw a clear picture of Facebook’s monitoring activities.
Considering the fact that Facebook mines user metadata, it is safe to assume that it will do the same for WhatsApp; thus 100 per cent privacy is unachievable from a user’s point of view.
A Twitter user by the name YourAnonNews (not known whether related to Anonymous) warned users to not get excited about the end-to-end encryption feature as its parent company is Facebook.
Don't get excited about #WhatsApp encryption, they probably have a backdoor, they're still owned by #Facebook (government contractor)
— Anonymous (@YourAnonNews) April 5, 2016
End point security at risk
Prominent Lebanese hacker Jed Ismael, in his private blog, described the new end-to-end encryption feature as vague and explained that it is still vulnerable when it comes to end point security.
Ismael explained that end-to-end encryption is useless unless the device itself is secure and that is exactly what hackers and cyber-criminals will target.
He pointed out that the encryption feature does not matter if the end point devices—phones, tablets, and computers—are not encrypted. “Even the most perfectly encrypted platform’s communications are as secure as the user’s devices, and with the rise of new malwares every single day, nobody is safe,” Ismael said.
While WhatsApp is responsible for safely carrying the data from one user to the other, it is still not enough to protect end point devices from getting hacked. On the other hand, Apple’s encryption issue with the FBI was different; the device itself was encrypted rather than any third-party service, making the FBI’s job extremely difficult.
In the wake of increased security issues, the step taken by WhatsApp is definitely a step forward in securing digital communication but the question still remains: Is end-to-end encryption possible?
We have also reached out to WhatsApp for a comment and the story will be updated once we get a reply.