WhatsApp’s encryption service, decoded
On April 12, WhatsApp introduced an end-to-end encryption service for all its users. Most of you probably received a message, saying all chats and calls on the service would henceforth be kept secret. This means that neither WhatsApp nor a third party would be able to read any of your private chats.
But how exactly does this work? And why don’t all our messaging softwares provide this service? Well, most messaging services do offer encryption, but with a catch. They encrypt messages that you send but may still access them, which means that under duress from a third party (like the government), they could provide the full text of your messages.
In WhatsApp’s case, the end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp. This means that even if the government was to come knocking, WhatsApp will find it impossible to comply, since it doesn’t have access to your messages anyway (the decryption key).
There is, however, a catch to this as well. A journalist for The Intercept, Micah Lee, tweeted one innocuous line from WhatsApp’s report that reveals that the service is still able to see some information that could be useful to any rogue attacker. This includes time stamps, recipients, and senders. The government is also allowed to request for this information, as well. Whatsapp however assures us that the text of the messages can not be stored. It says end-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.
So what about other telecom providers? Are our regular text messages also protected?
Well, not exactly. Other telecom providers, like Vodafone or Idea, can not encrypt our chats without a license issued by the Department of Telecommunications. The problem is that this license comes with several restrictions, like a fee and requirements for “lawful” interception, which means they’ll have to keep records of the text in the messages anyway. But WhatsApp and other services like Viber or Telegram, are not categorised as telecom providers or internet service providers, they are OTTs (Over-The-Top-Services), which means they are not bound by government regulations… yet.
The government is currently working on a draft policy to place restrictions on OTT services but till that’s done and passed by the TRAI, WhatsApp’s move is completely legal. This guarantee of privacy is bound to create new concerns for the government, since there are about 70 million active Indian users of WhatsApp, that will now be off limits.
In effect, WhatsApp is doing exactly what Apple did in the recent Apple vs FBI battle. While Apple restricted access to users of iPhones only, now practically every user of WhatsApp on any device is protected.