Are your WhatsApp chats secure?
If you live outside of the U.S., you have likely already asked yourself that question. In fact, as of 2020, WhatsApp had reached two billion users worldwide, making it the world's leading messaging app. Time and time again, WhatsApp has claimed that its platform is secure thanks to end-to-end encryption, which guarantees that all chats on the platform are safe and cannot be accessed by a third party.
What is message encryption?
Encryption is simply a way for two or more users to exchange messages safely.
You can think of an encryption algorithm as a box with two locks. For example, if Alice wants to send her friend Emma a secure message, she puts it in the box and locks it with her key. Then she sends the locked box to Emma, who can open the box and read the message only if she has a valid key of her own. There are various types of encryption algorithms, the oldest being symmetric encryption, where the message is encrypted by the sender and decrypted by the recipient using the same key. The issue with this approach is that you need a secure way of sharing the key between users for each conversation: not very practical when you have more than two billion users.
To get around this, each user has a so-called public key, available to everyone, and a private key that stays with the user. When Emma wants to send a message to Alice, she uses Alice’s public key to encrypt it, and the result can be read only with Alice’s private key. This scheme is called asymmetric encryption, and it guarantees that no third party can access private messages.
What are the elements and consequences of WhatsApp end-to-end encryption?
WhatsApp adds a further layer of encryption in which a new key is generated for each messaging session. At first, these session keys could be retained by the company. Then, after 2016, when end-to-end encryption was introduced, WhatsApp stopped keeping track of the keys used by its users, meaning that no one, not even WhatsApp itself, can unlock their messages. Today, the conflict between privacy and security is still going strong. On one side, national authorities ask for a backdoor or for end-to-end encryption to be removed altogether, since it blocks them from intercepting communications that could help prevent crime. On the other side, private companies argue that criminals would simply build their own communication software, while ordinary users would lose a significant part of their privacy.
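As an added illustration, not code from this article or from WhatsApp (whose real protocol is different), the following toy Python model ties together the two ideas above: Alice publishes a public key, Emma encrypts with it, and every session uses a freshly generated symmetric key that only Alice's private key can unwrap. All function names are assumptions for the example; the RSA keys are deliberately tiny and unpadded, and the XOR stream cipher is unauthenticated, so the code shows the structure of the scheme rather than a deployable cipher.

```python
import hashlib
import hmac
import secrets
from math import gcd

def _is_probable_prime(n, rounds=16):
    if n < 4:
        return n > 1
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(c):
            return c
def generate_keypair(bits=256):
    """Toy textbook RSA (tiny keys, no padding): (n, e) is public, (n, d) stays with Alice."""
    e, p, q = 65537, _random_prime(bits // 2), _random_prime(bits // 2)
    while p == q or gcd(e, (p - 1) * (q - 1)) != 1:
        q = _random_prime(bits // 2)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def symmetric_xor(key, data):
    """Stand-in stream cipher: XOR with HMAC-SHA256 in counter mode (unauthenticated)."""
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def send_message(plaintext, recipient_public_key):
    """Emma's side: a fresh session key, wrapped so only Alice's private key unwraps it."""
    n, e = recipient_public_key
    session_key = secrets.token_bytes(16)  # new random key for this session
    return pow(int.from_bytes(session_key, "big"), e, n), symmetric_xor(session_key, plaintext)

def receive_message(wrapped, ciphertext, recipient_private_key):
    """Alice's side: recover the session key with her private key, then decrypt."""
    n, d = recipient_private_key
    return symmetric_xor(pow(wrapped, d, n).to_bytes(16, "big"), ciphertext)
```

Because the session key never travels in the clear and is generated afresh for each session, an observer who records the traffic holds nothing that Alice's private key has not protected.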
On a concluding note, it is essential to understand that even if end-to-end encryption is considered the gold standard, it cannot offer 100% security coverage. Your chats are “as safe as your phone is”: if you click on suspicious links or share sensitive data on unprotected websites, nothing can prevent a malicious attacker from reading or tampering with your communications.