WhatsApp denies reports that a privacy 'backdoor' to user messages exists

The man behind its security protocol explains how the system works...

WhatsApp has moved to reassure its users that it does have the ability to snoop on conversations, following reports that its privacy system could be compromised. 

Security expert and cypherpunk Moxie Marlinspike is the founder of Open Whisper Systems, the company which helped design WhatsApp's security protocol. On Friday, he responded to the allegations with a detailed blog outlining how the cryptography process works. 

The Guardian's report was based on security researcher Tobias Boelter's concerns that a change in security keys could compromise privacy, allowing for a 'man in the middle' scenario. However, Marlinspike outlines how this was an assumption based on the decision to give users a warning if a messenger changed their security, rather than blocking them entirely and affecting usability...

Marlinspike wrote:

"Most end-to-end encrypted communication systems have something that resembles this type of verification, because otherwise an attacker who compromised the server could lie about a user's public key, and instead advertise a key which the attacker knows the corresponding private key for. This is called a "man in the middle" attack, or MITM, and is endemic to public key cryptography, not just WhatsApp.

"Given the size and scope of WhatsApp's user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user's communication, along with a simple user experience. The choice to make these notifications "blocking" would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn't, effectively telling the server who it could MITM transparently and who it couldn't; something that WhatsApp considered very carefully."

WhatsApp itself told Business Insider in a statement:

The Guardian’s story on an alleged “backdoor” in WhatsApp is false.

WhatsApp does not give governments a “backdoor” into its systems.

WhatsApp would fight any government request to create a backdoor.

Since April 2016, WhatsApp messages and calls are end-to-end encrypted by default. WhatsApp also offers people a security notifications feature that alerts them when people change keys so that they can verify who they are communicating with.

We published a technical white paper our implementation of end-to-end encryption, where you can read more.

Like everything else in WhatsApp, it’s designed to be simple. We built end-to-end encryption with encryption as the default so not a single one of our 1 billion users has to turn on encryption.

This is also true for people who delete and re-install WhatsApp or for those who change their phones. For some people, this can be a frequent occurrence as people manage data charges and phone storage, or share devices with family members.

We want to make sure that people in these situations do not lose access to messages sent to them while they are in the midst of re-installing the app or changing their phones. Because a person's encryption key is changed when WhatsApp is installed on a new phone or re-installed on an old device, we make sure those messages can eventually be read using the new key.

You can choose to be notified using the “Show Security Notifications” setting. When you have turned this setting on, WhatsApp will notify you every time the person you're communicating with changes a key.

Of course, if you are concerned that you're communicating with someone who isn't who they say they are, there are things you can do. If you have “Show Security Notifications” enabled and receive a notification of a key change, send an initial message and wait for the blue checkmarks. You can then verify using a QR code or by comparing a 60-digit number.

We appreciate the interest people have in the security of their messages and calls on WhatsApp. We will continue to set the record straight in the face of baseless accusations about “backdoors” and help people understand how we’ve built WhatsApp with critical security features at such a large scale

Most importantly, we’ll continue investing in technology and building simple features that help protect the privacy and security of messages and calls on WhatsApp.