Are our WhatsApp message secure enough from hacking or data stealing — remotely or locally. Read on to know more…
Can WhatsApp chats about us can be leaked? Millions of WhatsApp users around the world have raised concerns about privacy of their conversations. However, at several instances, Facebook-owned WhatsApp has clarified that all chats on WhatsApp are safe and private and can’t be accessed by a third party.
WhatsApp Clarification
Last month, a WhatsApp spokesperson said that “WhatsApp protects your messages with end-to-end encryption so that only you and the person you’re communicating with can read what is sent, and nobody in between can access it, not even WhatsApp,”
“WhatsApp follows guidance provided by operating system manufacturers for on-device storage and we encourage people to take advantage of all the security features provided by operating systems such as strong passwords or biometric IDs to prevent third parties from accessing content stored on the device,” the spokesperson said.
About end-to-end Encryption
Explaining end-to-end encryption, Facebook in a blog post said that the end-to-end encryption option on WhatsApp is always activated and there’s no way to turn off the feature.
WhatsApp’s end-to-end encryption is available when you and the people you message use the application.
Many messaging apps only encrypt messages between you and them, but WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp. Facebook noted that “This is because your messages are secured with a lock, and only the recipient and the sender have the special key needed to unlock and read them”
For added protection, every message you send has its own unique lock and key. “All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages”, it added.
Encryption Secret
WhatsApp uses the encryption protocol developed by Open Whisper Systems, a project known best for its Signal app, which also uses the same open-source framework to ensure privacy. Whistle-blower Edward Snowden’s quote — “I use Signal every day” — is prominently displayed on the application’s homepage. Many closed messaging applications now use the Signal protocol.
The technology that forms the basis for this is called the ‘Diffie-Hellman key exchange’. In a 1976 paper titled, New Directions in Cryptography, Whitfield Diffie and Martin E. Hellman saw the futility of the old ways of sharing a key securely (say, by “sending the key in advance over some secure channel such as private courier or registered mail”) in the emerging digital world. They proposed a way for secure communication via a method of a shared secret key, and that too when the communication is over a not-so-secure channel.
Third Party Leaks
In absolute term, no app, service, or network has proven to be unhackable. There’s no doubt, end-to-end encryption makes it much more difficult for hackers to read WhatsApp messages. While WhatsApp is more secure than other messaging apps — but not 100% secure.
End-to-end encryption cannot prevent leaks from happening if a third party has access to a device which contains these messages. Encryption also does not help in cases wherein the sender or the receiver of a message shares it with others, a member of a group shares it with others, or messages are stored in a different format on a different application or platform open to others.
Bugs that lead others to control a user’s phone are an example of such vulnerabilities. For instance, last year, WhatsApp revealed that surveillance technology developed by Israel’s NSO Group had been used to spy on about 1,400 people across the world, including civil rights activists and journalists in India.
Governments across the world see end-to-end encryption as a huge issue when it comes to law enforcement. While WhatsApp says it responds to requests from law enforcement agencies “based on applicable law and policy,” it is not clear what kind of data it would have to share. News reports have mentioned that these could be in the nature of metadata such as mobile number, IP address, location, and so on.