WhatsApp Introduces End-To-End Encryption: Creating A Wall Between Itself And Users

As users grow more concerned about their privacy, technology companies are making encryption mainstream.

On March 31st, 2016, the Facebook-owned messaging service WhatsApp rolls out an update to add end-to-end encryption to its chat and call functionality. With the encryption, the app's over 1 billion active monthly users can hopefully put their concerns to rest.

End-to-end encryption is a strong method of encryption. So when users are chatting, sending files, participating in group chats or initiating calls, WhatsApp guarantees their privacy. Encryption in chat messaging is indeed helpful to enthusiasts, whistleblowers, and practically anyone who wants to keep their conversations confined to their devices.

On April 4th, the company releases a statement about the underlying cryptographic method. It says that the encryption is applied whenever users exchange conversations with each other, and that it is based on the Signal Protocol developed by Open Whisper Systems. The method utilizes double-layer protection to ensure privacy even if session keys are compromised.

This means that even if someone is able to obtain the key to decrypt a message, communications made in the past will still be protected. The Signal Protocol uses well-vetted cryptographic building blocks to construct and send messages, including ECDH using Curve25519.
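The property described above, that past messages stay protected after a key is stolen, can be seen in a one-way key chain. This is an added, simplified example, not code from WhatsApp or Open Whisper Systems: the constants, the toy cipher and the constructed `ROOT` secret (standing in for an ECDH result) are assumptions.

```python
import hashlib
import hmac

def ratchet(chain_key):
    """One step: return (next_chain_key, message_key). HMAC is one-way,
    so holding a later chain key does not reveal an earlier one."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def toy_cipher(message_key, data):
    """XOR with an HMAC-derived keystream; the same call decrypts.
    Demo only: a real client uses an authenticated cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = hmac.new(message_key, counter.to_bytes(4, "big"), hashlib.sha256)
        stream += block.digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def send_all(chain_key, messages):
    """Encrypt each message under its own key, discarding used keys.
    Returns the ciphertexts and the chain key left on the device."""
    ciphertexts = []
    for message in messages:
        chain_key, message_key = ratchet(chain_key)
        ciphertexts.append(toy_cipher(message_key, message))
    return ciphertexts, chain_key

def readable_by_thief(stolen_chain_key, ciphertexts, plaintexts, steps=8):
    """For each ciphertext: can someone holding only the stolen chain key
    decrypt it by ratcheting forward and trying every key they can derive?"""
    keys, chain_key = [], stolen_chain_key
    for _ in range(steps):
        chain_key, message_key = ratchet(chain_key)
        keys.append(message_key)
    return [any(toy_cipher(k, c) == p for k in keys)
            for c, p in zip(ciphertexts, plaintexts)]

# Constructed inputs: ROOT stands in for the secret agreed via ECDH.
ROOT = hashlib.sha256(b"constructed shared secret").digest()
MESSAGES = [b"first", b"second", b"third", b"sent after the theft"]

def demo():
    past, stolen = send_all(ROOT, MESSAGES[:3])   # device state is stolen here
    later, _ = send_all(stolen, MESSAGES[3:])
    return readable_by_thief(stolen, past + later, MESSAGES)

if __name__ == "__main__":
    print(demo())
```

The three messages sent before the theft stay unreadable; the one sent afterwards on the same chain does not, which is a limit of this single chain on its own.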

And it's not just its app that WhatsApp is securing. The connection between the client app and WhatsApp's servers is also encrypted, using Noise Pipes from the Noise Protocol Framework.

With this end-to-end encryption, even the company itself cannot view the contents of communications. All the bits sent from one WhatsApp user to another are scrambled in a way that cannot be unscrambled by anyone except the sender and the recipient.

Open Whisper Systems also has its own Signal Private Messenger, previously known as RedPhone. The app is said to be former NSA contractor Edward Snowden's favorite.

A Secured Messaging, A Way To Earn Trust

Users who have used Signal will find WhatsApp's end-to-end encryption workflow similar. Both apps aim for ease of use by keeping the underlying cryptography hidden until the user adopts it. Once they do, the encryption works as if nothing is happening in the foreground; it runs in the background, leaving users at ease.

The only difference between WhatsApp and Signal is how the authenticity of the encryption is established.

Usually, end-to-end encryption relies on manual verification. For example, if A wants to verify B's identity, A would have to share his verification (QR code or others) as his "fingerprint". B would then need to read this fingerprint on his device to verify it. B then needs to do the same thing for A, with A scanning B's fingerprint to verify it.

WhatsApp works using this method but alters it a little by not repeating the workflow. Instead, the app presents a distinct QR code per interaction that is shared by both A and B. They will scan the same QR code on each other's devices.
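A single code shared by both parties, as described above, can be built by combining the two fingerprints in a fixed order. This is an added, simplified example, not WhatsApp's actual derivation: the hashing, the digit format, the user names and the constructed keys are all assumptions.

```python
import hashlib

def fingerprint(identity_key, user_id):
    """Short digest binding an identity key to the user it belongs to."""
    return hashlib.sha256(user_id.encode() + b"\x00" + identity_key).digest()[:15]

def security_code(my_key, my_id, their_key, their_id):
    """Combine both fingerprints in sorted order, so each device derives
    the same code no matter which side it computes it from."""
    parts = sorted([fingerprint(my_key, my_id),
                    fingerprint(their_key, their_id)])
    groups = [f"{int.from_bytes(p[i:i + 5], 'big') % 100000:05d}"
              for p in parts for i in range(0, 15, 5)]
    return " ".join(groups)

# Constructed stand-ins for identity public keys (not real Curve25519 keys).
A_KEY = hashlib.sha256(b"constructed key: alice").digest()
B_KEY = hashlib.sha256(b"constructed key: bob").digest()
ATTACKER_KEY = hashlib.sha256(b"constructed key: attacker").digest()

def codes_match(key_a_holds_for_b, key_b_holds_for_a):
    """Compare the code shown on A's device with the one shown on B's,
    given the key each device actually received for the other party."""
    on_a = security_code(A_KEY, "alice", key_a_holds_for_b, "bob")
    on_b = security_code(B_KEY, "bob", key_b_holds_for_a, "alice")
    return on_a == on_b

if __name__ == "__main__":
    print(security_code(A_KEY, "alice", B_KEY, "bob"))
    print("honest exchange:", codes_match(B_KEY, A_KEY))                # True
    print("substituted keys:", codes_match(ATTACKER_KEY, ATTACKER_KEY)) # False
```

If either device was handed a key that is not the other party's real one, the two codes no longer agree, which is what the scan detects.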

In order to use this feature, both parties should have the latest update from WhatsApp that supports this security feature. Users that have the feature enabled will have a green lock on their contact details, indicating an encrypted communication. Here, others can tap the lock to verify a security code.

Signal is known to notify users when encryption keys change, and this is on by default. On WhatsApp, on the other hand, the notification is optional and is switched off by default.

Then comes the next thing about technology. For it to be known and well-accepted, and also for everyone's "sake", the code should usually be open source. WhatsApp has high-end security for its end-to-end encryption, but because it remains closed-source, independent reviewers can't review the code to make sure of its security. This doesn't apply to Signal, whose security code is open source.

The Electronic Frontier Foundation, for example, has a privacy scorecard for messaging apps, some of which are still technically more trustworthy than WhatsApp. This is mostly due to WhatsApp's lack of independent code review. Those that skip independent review generally do so to protect their trade secrets.

Has Yet To Get Momentum

By announcing the new end-to-end encryption, WhatsApp is taking a bold step towards securing its users' privacy, even from itself. This is its bet to head off any visit, expected or unexpected, from a government that wants it to reveal personal information about users. The company's blog, however, doesn't mention Apple or the FBI by name, instead saying,

"Recently there has been a lot of discussion about encrypted services and the work of law enforcement. While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people's information to abuse from cyber criminals, hackers, and rogue states."

Jan Koum, founder of WhatsApp, added that "The desire to protect people's private communication is one of the core beliefs we have at WhatsApp, and for me, it's personal. I grew up in the USSR during communist rule, and the fact that people couldn't speak freely is one of the reasons my family moved to the United States."

In an era when cybercriminals and governments are all hungrier than ever for people's data, WhatsApp is certainly not the first to use encryption in a messaging platform (Apple has it, as well as some others). But WhatsApp's ever-growing user base has made it by far the largest. With the partnership that started in 2014, the app has the biggest reach of the available end-to-end encryption options.

One interesting bit about the news is that Signal's encryption protocol is built by Open Whisper Systems, a nonprofit software group that is supported by the U.S. Open Technology Fund, a government-funded organization. This means that on one side, the government is trying to get the data and information that tech companies have, but on the other side, it is also protecting them.

While this might sound like the government is trying to breach the walls it has funded, the fact is that it wants to be the only one who can have access, and not others. It wants to be granted that free access.

But here is where end-to-end encryption plays its role: even WhatsApp can't breach it. So the company could not comply with any government request even if it wanted to.

While encryption is becoming a norm in tech, not that many companies so far are embracing end-to-end encryption. One of the most obvious reasons is that this method generally conflicts with their advertising model - putting their business income at risk. For-profit tech companies have not shown that much interest in using this method, making it unlikely to become the de facto protocol for information exchange.

WhatsApp doesn't collect demographic information on its users, and with its new encryption technology, the company has created a wall between itself and its users. WhatsApp, as Jan Koum has stated, "don't sell ads."

"These days companies know literally everything about you, your friends, your interests, and they use it all to sell ads," once wrote Koum in a blog post. "Remember, when advertising is involved, you the user are the product."

Just after WhatsApp rolls out the feature, hundreds of millions of users are starting to communicate with each other using its end-to-end encryption for the very first time.