Yesterday, information-security firm Open Whisper Systems announced that it had completed integration of its encryption technology into WhatsApp, the popular messaging platform owned and operated by Facebook.
According to the announcement: "Users running the most recent versions of WhatsApp on any platform now get full end to end encryption for every message they send and every WhatsApp call they make when communicating with each other."
This means that any two or more people who communicate using the latest version of WhatsApp will benefit from having their messages, phone calls, and media (photos and videos) strongly encrypted during the communication between them, regardless of whether they are all using the same type of devices to run the app.
While encrypted communications have been around for decades, the new WhatsApp capability represents a major development for several reasons:
1. It is easy to use. Historically speaking, encrypting communications was complicated, leading to a situation in which only a small number of people and organizations actually did so. I have observed this myself: I was an early user of PGP encryption when I was a student two decades ago; the only other people I knew at the time who used it, or understood how it worked and how to use it, were computer scientists. Several years later I used a much more user-friendly version of PGP at Whale Communications, but encrypted email was still not something that many non-technical organizations utilized. It is now a decade later and most organizations still do not use encrypted email.
2. It is ubiquitous. There have been smartphone apps to provide encrypted communications - but, generally speaking, everyone communicating had to use the same app. Since those apps were never extremely popular, that meant that communications with many people could not be done over encrypted channels.
3. Because of the way the encryption is implemented, the computers at WhatsApp and Facebook, and the staff working there, will not be able to decrypt any communications encrypted by their app. This seemingly simple fact is important, because it means that Facebook and WhatsApp will not be able to comply with any court orders that they may receive demanding access to the content of encrypted user communications transmitted via their service. Of course, law enforcement could attempt to demand that WhatsApp modify its product in order to circumvent the encryption as the FBI initially did with Apple, but that would be a much more onerous process, and, as might have happened if the FBI had proceeded to fight Apple in court, may not succeed.
4. It offers better security than many older systems - without going into many technical details, one of the major improvements over some older systems is that each message is encrypted with a new key - so even if somehow a key is stolen, it can be used to decrypt only one message - not all of a user's prior communication.
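The per-message keys described in point 4 can be illustrated with a simplified one-way key chain. This is an added example, not code from WhatsApp or Open Whisper Systems: the function names, the HMAC labels, the sample conversation, and the stand-in cipher are assumptions chosen for illustration, using only the Python standard library.

```python
import hashlib
import hmac

def ratchet(chain_key):
    """One chain step: returns (message_key, next_chain_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key

def _keystream(key, length):
    # Stand-in cipher for illustration only: SHA-256 in counter mode.
    blocks = (hashlib.sha256(key + b"enc" + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(message_key, plaintext):
    """Encrypt and authenticate one message under its own key."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(message_key, len(plaintext))))
    return ct + hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()

def unseal(message_key, sealed):
    """Return the plaintext, or None if the key does not match this message."""
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(message_key, len(ct))))

def send_all(initial_chain_key, messages):
    """Seal each message under a fresh key; returns [(message_key, sealed)]."""
    chain_key, out = initial_chain_key, []
    for m in messages:
        message_key, chain_key = ratchet(chain_key)  # old chain key is discarded
        out.append((message_key, seal(message_key, m)))
    return out

def readable_with(stolen_key, transcript):
    """Which messages in the transcript open with one stolen message key?"""
    return [unseal(stolen_key, sealed) for _, sealed in transcript]

if __name__ == "__main__":
    # Constructed sample conversation and shared starting secret.
    log = send_all(b"\x00" * 32, [b"hi", b"meet at noon", b"bring the files"])
    print(readable_with(log[1][0], log))  # only the middle message opens
```

Because each message key is derived through a one-way function, holding one of them gives no way to compute the chain key or any other message key.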
How governments will react to WhatsApp is still to be determined - but from both the recent FBI action against Apple, as well as from Brazil's recent arrest (and then release) of a Facebook executive as a result of the company's claim that it could not provide the contents of a WhatsApp user's message that the local government demanded it turn over - it is clear that governments are concerned. I have written previously about why the government should not weaken consumer encryption - and my opinion has not changed.
I should note, however, that while many in the media are hailing the WhatsApp encryption as transforming WhatsApp into a truly private and secure platform for communication - they are incorrect. There remains a major vulnerability for privacy-concerned people using WhatsApp to communicate: The metadata about communications is not secret. The government could, for example, demand to know from Facebook/WhatsApp with whom a particular user communicated, when he or she did so, and how frequently. They may even be able to tell where the parties to a conversation were located when the conversation took place. Armed with the knowledge of WhatsApp-associated metadata, a government (or criminals) might be able to set up various forms of surveillance to monitor communications. So, while WhatsApp's new encryption is certainly a game changer in terms of the security of the contents of conversations, WhatsApp is not yet a secure, private, warrant-proof platform.