
No backdoor snooping in WhatsApp, claims the company

CIOL Writers

WhatsApp, the world’s most popular messaging platform, which also offers end-to-end encryption to its users, has come under the scanner after a report from The Guardian said that the company is not completely protecting user privacy.


The Guardian reported a security flaw in the Facebook-owned company's encryption system, dubbed a 'security backdoor', which allows encrypted messages to be intercepted and read by third parties such as Facebook.

Citing Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, the report claims that the security flaw lies in "how WhatsApp deals with messages, which are sent when the receiver’s security code has changed."

WhatsApp’s encryption relies on generating unique security keys, which change when the app is reinstalled or the user switches handsets. These security keys are exchanged and verified while sending private messages in the app, which is meant to rule out interception. According to the report, the backdoor lies in how the app handles a change of these keys.


The report claims, “This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages." Boelter told The Guardian, "If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys." Boelter also claimed that he had reported the flaw to Facebook in April 2016, but was told that Facebook considered it 'expected behaviour'.

However, WhatsApp rubbished the Guardian report and termed all its claims false. "WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks," the company said.

Open Whisper Systems’ Moxie Marlinspike, a developer of the encryption protocol used by WhatsApp, also posted a blog post defending WhatsApp. "The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a “double check mark,” it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption,” he wrote.

He also criticised The Guardian for its report. “Even though we are the creators of the encryption protocol supposedly “backdoored” by WhatsApp, we were not asked for comment. We believe that it is important to honestly and accurately evaluate the choices that organisations like WhatsApp or Facebook make. There are many things to criticise Facebook for; running a product that deployed end-to-end encryption by default for over a billion people is not one of them,” he added.
