WhatsApp’s landed itself in hot water with privacy advocates over a backdoor that could allow governments to snoop on the chat app’s users. The company’s fighting back against claims that the issue is a vulnerability, asserting that it is in fact a feature.
To recall, WhatsApp introduced end-to-end encryption as a default setting last year. The system involves generating encryption keys for sending messages that can only be decoded by the recipient. However, researcher Tobias Boelter has uncovered a perceived loophole which could force the sender to produce new keys and send their message again if the receiver is offline.
In theory, WhatsApp could take advantage of this without the sender or the recipient finding out about the change. The former would only be notified of the switch if they have activated encryption warnings in Settings. Furthermore, the notification would pop up only after the missive has already been sent.
The Guardian claims that the re-encryption and rebroadcasting process lets WhatsApp intercept and read messages. Boelter says that a government could ask WhatsApp to share a user’s conversation history as a result of the backdoor.
WhatsApp’s encryption is based on the Signal protocol. However, the latter system doesn’t feature the same vulnerability. If a security key is different, the sender’s missive will not be delivered. They’ll further be notified of the change without the message automatically being pushed forward.
WhatsApp’s structure does the opposite, automatically resending the message with a new key. In response to the criticism, the company said that it does so in case someone has switched their phone/SIM card or reinstalled the application. In light of this, the firm thinks it’s more important a message gets conveyed than lost in transit.
WhatsApp also said that it doesn’t give governments a backdoor into its systems and would fight off any request to do so. Signal creator Open Whisper Systems has come out in support of the company’s end-to-end encryption system in a blog post, stating that the Guardian article contains false claims and the app’s system is how cryptography works.