Why weakening WhatsApp encryption is a terrible idea

As the European Commission considers a new directive on encryption, David Gilbert outlines the dangers of opening a "back door" for WhatsApp



This week officials from the French and German governments became the latest voices to call for a weakening of the encryption technology which secures messages sent on popular services like WhatsApp and Apple’s iMessage.

A common refrain when governments make these calls is: “Well, I’ve nothing to hide, so why shouldn’t they?”

The problem with this way of thinking is that it overlooks the importance of the technologies those companies have put in place to protect their customers, and how weakening them puts everyone at risk.

When faced with proposals like these, there are two questions which need to be answered. Firstly, will it help prevent terrorism/criminality? And secondly, will it keep the rest of us safe?

First, let's look at what German interior minister Thomas de Maizière and French interior minister Bernard Cazeneuve are asking for.

At a joint press conference this week the pair asked the European Commission to consider issuing a new directive to all EU countries that would force uncooperative communications providers to decrypt messages to help law enforcement agencies as this "constitutes a challenge during investigations."

Image: German Interior Minister Thomas de Maiziere, left, and French Interior Minister Bernard Cazeneuve attend a joint media conference in Paris. AP Photo/Michel Euler

A directive is an EU law which needs to be transposed into national law, meaning Ireland’s legislators would need to incorporate it into the constitution. But Ireland, like all other countries in the EU, will have some wiggle room in how the directive is implemented. That means that instead of an EU-wide law weakening encryption, we could end up with a patchwork of laws, each with its own interpretation of how to tackle encryption.

A spokesperson for the Irish Data Protection Commissioner told Newstalk.com they had no comment to make, but would be monitoring developments in Brussels. However, it is unclear if these proposals are even workable.

"I'm not sure how far these proposals will really get," Danny O'Brien from the Electronic Frontier Foundation told Newstalk.com. "There are plenty of officials and parliamentarians at the EU level who understand that attempting to require companies to decrypt their messaging services won't work, and will undermine the security of millions of European users — and beyond."

In the wake of the atrocities which have been carried out in the name of Islamic State over the last 12 months, it is unsurprising that governments want to be seen to be doing something to stem the tide. The UK is pushing through the Investigatory Powers Bill (better known as the Snooper's Charter), which also calls for a weakening of encryption, while the US government has been seeking to force Apple to break into an iPhone which was used by one of the shooters at the San Bernardino massacre.

However, it’s unclear if what the French and German governments are asking for is even possible, and if it will have any impact on the ISIS reign of terror.

Messaging services like WhatsApp, Telegram and iMessage all employ what is known as end-to-end encryption, which means that once a message leaves your phone it cannot be read by anyone until it is received on the recipient's phone, not even by the company providing the service.

In order to gain access to the messages, the fundamental way the service works would need to change. Messages would have to be stored on a server, and the services would need to have a master key in order to decrypt all messages, essentially building a backdoor through which law enforcement agencies could gain access to certain messages.

While this may work — and indeed does work for a number of services today according to revelations from whistleblower Edward Snowden — there is still no guarantee that it would help prevent terror attacks.

Following the Paris attacks last November, reports suggested that the terrorists were using WhatsApp to communicate, but no concrete evidence of this was ever produced. However, there is evidence that they were using unencrypted SMS messages to communicate.

Even if they were using WhatsApp, weakening the encryption of the platform would simply see ISIS move to another, more secure messaging service. The group uses the dark net extensively to communicate with the wider world, and has shown itself to be adept at utilising technology to both spread its message and stay ahead of the law enforcement community.

"It's still easy for anyone to write a messaging tool that does use strong encryption, and release it for everyone to use," O'Brien said. "Beating such software would require the EU to prohibit some kinds of software, which would require monitoring, filtering and blocking those apps on the internet. So controls on encryption would lead to more surveillance, more censorship, more limits on European technologists, and more vulnerabilities in the European net."

So it’s unclear if weakening encryption will have any impact on the operations of terrorist organisations, but what about the rest of us?

Back in 2010, a highly sophisticated computer worm was developed by the US and Israel and deployed to target a specific computer inside a nuclear enrichment facility in Natanz, Iran. The worm, called Stuxnet, did its job and caused the centrifuges to spin out of control, tearing themselves apart and setting Iran’s nuclear ambitions back years.

This piece of sophisticated malware was never meant to become public, but it did, infecting hundreds of thousands of computers around the world, and giving cyber-criminals a new set of tools with which to target and infect innocent victims.

Weakening encryption and saying that it will only be used to allow law enforcement agencies to access data does not work. Ask pretty much any security expert, and they will tell you that there is no such thing as a secure backdoor.

As a group of the world’s most preeminent cryptographers, computer scientists and security experts said in the wake of the FBI’s call for Apple to install a backdoor in its iPhone software: “Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth hard to predict. The costs to the developed countries’ soft power and to our moral authority would also be considerable.”

You may say that you have nothing to hide from the government, but what about from the cybercriminal who will sneak in the backdoor left ajar by law enforcement officials?

The smartphones we carry around with us contain more valuable information than anything else we own: sensitive work emails and documents; bank accounts and credit card details; login details to our entire digital lives; images and messages from our family and friends.

Protecting these should be a priority, and calling for companies like Apple, Facebook and Google to weaken the protections they already have in place just doesn’t make any sense.