WhatsApp encryption guarantees your privacy

WhatsApp encryption is now complete and, when using an up-to-date version of WhatsApp, virtually guarantees your privacy with end-to-end encryption and forward secrecy.

Whether you realise it or not, WhatsApp encryption now guarantees your privacy. All you need to do is make sure you are running the latest version of the immensely popular chat app on your mobile device. WhatsApp’s founders published a blog post yesterday announcing the culmination of a year-and-a-half journey with Open Whisper Systems:

WhatsApp has always prioritized making your data and communication as secure as possible. And today, we’re proud to announce that we’ve completed a technological development that makes WhatsApp a leader in protecting your private communication: full end-to-end encryption. From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats.

WhatsApp encryption, in itself, isn’t new. Open Whisper System’s Moxie Marlinspike summarised the fruit of this journey in his blog post titled “WhatsApp’s Signal Protocol integration is now complete”:

As of today, the integration is fully complete. Users running the most recent versions of WhatsApp on any platform now get full end to end encryption for every message they send and every WhatsApp call they make when communicating with each other. This includes all the benefits of the Signal Protocol – a modern, open source, forward secure, strong encryption protocol for asynchronous messaging systems, designed to make end-to-end encrypted messaging as seamless as possible.

We are still in a transitionary phase at the moment. Conversations will only be encrypted if all the parties to a conversation are using an updated version of WhatsApp. When they are, though, the result is pretty impressive:

  • WhatsApp conversations (voice and text) are fully encrypted. This includes all the attachments. WhatsApp itself can’t decrypt the messages and its servers really only pass the encrypted messages between users.
  • Because WhatsApp uses different encryption keys for each session, older messages can’t be decrypted even if someone manages to seize a current encryption key (this is known as “forward secrecy”).
  • Once your conversations with contacts are encrypted, they remain encrypted and downgrading to an earlier version of WhatsApp won’t make your messages available in an unencrypted form.
  • For the time being, you can see which of your conversations are encrypted by looking to see whether your contact/s is/are using an updated version of the app. You will also be shown a message that indicates that your conversations with a contact are encrypted going forward.
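The second bullet, forward secrecy through per-session keys, is easiest to see with a small model. The following is an added example written for this post, not code from WhatsApp or Open Whisper Systems: it mimics the symmetric-key ratchet of the Signal Protocol (a chain key advanced with HMAC-SHA256, each message key used once and discarded), with a toy XOR stream cipher standing in for the real AES-CBC + HMAC construction and a constructed root key standing in for the key agreement that precedes a conversation. The HMAC constants, the cipher and the message texts are all assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def kdf_chain(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric-key ratchet step, modelled on the Signal Protocol's
    chain KDF: HMAC-SHA256 over two fixed constants (an assumption of this
    example) yields the next chain key and this message's key. HMAC is
    one-way, so neither the previous chain key nor earlier message keys can
    be recovered from the outputs."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def xor_stream(message_key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with a SHAKE-256 keystream) standing in for the
    real protocol's AES-CBC + HMAC. Encryption and decryption are the same
    operation; a wrong key just yields garbage, so callers compare against
    known plaintext (there is no authentication tag in this toy)."""
    stream = hashlib.shake_256(message_key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


class Chain:
    """A sending or receiving chain. Each call derives one message key, uses
    it once and discards it, keeping only the advanced chain key."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        self.chain_key, message_key = kdf_chain(self.chain_key)
        return message_key

    def process(self, data: bytes) -> bytes:
        return xor_stream(self.next_message_key(), data)


def forward_secrecy_check(root_key: bytes) -> tuple[bool, bool, bool]:
    """Plays out a short conversation and a key seizure.

    Returns (peer_reads_all, seizure_reveals_old, seizure_reveals_next):
      peer_reads_all      Bob, holding the same root key, decrypts everything.
      seizure_reveals_old An attacker who seizes Alice's *current* chain key
                          can read messages sent before the seizure (False).
      seizure_reveals_next The same attacker can read the next message in this
                          chain (True: the symmetric ratchet alone does not
                          heal a compromise; that is the job of the protocol's
                          DH ratchet step, which is outside this example).
    """
    alice, bob = Chain(root_key), Chain(root_key)
    plaintexts = [b"dinner at 7?", b"bring the documents", b"see you there"]
    ciphertexts = [alice.process(p) for p in plaintexts]
    peer_reads_all = [bob.process(c) for c in ciphertexts] == plaintexts

    # The attacker seizes Alice's chain key as it stands after three messages
    # and derives every message key reachable from it.
    attacker = Chain(alice.chain_key)
    forward_keys = [attacker.next_message_key() for _ in range(8)]
    seizure_reveals_old = any(
        xor_stream(k, c) == p for k in forward_keys for c, p in zip(ciphertexts, plaintexts)
    )

    # Alice sends one more message in the same chain after the seizure.
    fourth = b"forgot one thing"
    seizure_reveals_next = xor_stream(forward_keys[0], alice.process(fourth)) == fourth
    return peer_reads_all, seizure_reveals_old, seizure_reveals_next


if __name__ == "__main__":
    # Root key constructed here; in the real protocol it comes from the
    # initial key agreement between the two devices.
    print(forward_secrecy_check(os.urandom(32)))  # (True, False, True)
```

The middle value is the forward-secrecy property the bullet describes: a seized current key says nothing about earlier message keys because each step is a one-way function of the previous one. The last value is the caveat a practitioner should keep in mind: within one chain, a seized key does let the holder derive later keys, which is why the full Signal Protocol also mixes in fresh Diffie-Hellman output on each reply.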

One step for fully encrypted conversations

We have had encrypted messaging apps for a little while now. Apple’s Messages app and the popular Telegram app are encrypted to a degree although neither are encrypted end-to-end like WhatsApp, apparently.

Cade Metz wrote a fascinating article for Wired titled “Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People” which gives a fair amount of background into this development. As he pointed out, the scale of this is remarkable when you consider just how big WhatsApp is:

More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. This means that only Facebook itself runs a larger self-contained communications network.

One of the challenges in implementing encrypted solutions is simplifying the process for users enough that the process itself isn’t a deterrent. This migration is as simple as updating your app and prompting your contacts to do likewise to ensure that your conversations are encrypted.

Why encrypted WhatsApp is a big deal

Encrypted WhatsApp messages about family dinner plans may not seem a high priority. Consider that WhatsApp is one of the biggest social and communications platforms on the planet used by friends, families, business people and activists, alike. Suddenly you can see the benefits of a service that easily implements strong encryption and protects conversations that are truly sensitive and could, literally, save lives.

The flip side is also true: terrorists and criminals could also use WhatsApp to hide their conversations and may well be doing that. Bear in mind, though, that WhatsApp isn’t the only encrypted communication solution. Publicly available solutions have been around for years and if the bad guys aren’t using WhatsApp, they have many other options available to them.

This is a more significant development for the rest of us because it means that we are less vulnerable to digital attacks by the bad guys. It also means that people who need an assurance of privacy can have it. As the WhatsApp team pointed out in their blog post:

We live in a world where more of our data is digitized than ever before. Every day we see stories about sensitive records being improperly accessed or stolen. And if nothing is done, more of people’s digital information and communication will be vulnerable to attack in the years to come. Fortunately, end-to-end encryption protects us from these vulnerabilities.

I know a few colleagues, lawyers, whose communications with their clients have been intercepted and compromised. They have had to seek out other solutions to protect their privileged conversations (one option has been the Signal app which was also developed by Open Whisper Systems). This development means they can simply stick with WhatsApp and be confident that their privileged conversations remain protected.

WhatsApp becoming fully encrypted is a big deal. It is also a smart move because it means that WhatsApp is simply unable to follow regulators’ directives to hand over users’ data. It places them beyond the fray and leaves governments to figure out how to deal with a substantial proportion of the planet’s population whose communications are protected from their interference. Or, as WhatsApp’s Koum and Acton put it:

Today more than a billion people are using WhatsApp to stay in touch with their friends and family all over the world. And now, every single one of those people can talk freely and securely on WhatsApp.

Image credit: Pixabay

Is WhatsApp violating your privacy rights?


Background

The popular mobile and multi-platform messaging service, WhatsApp, was investigated recently by the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority for apparent violations of Canadian and Dutch privacy laws. The investigation found a number of violations and the Canadian Privacy Commissioner released an update on 28 January 2013 reporting back on the violations which have since been addressed and those which remain unresolved:

The investigation revealed that WhatsApp was violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data. For example:

  • In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list. Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users. Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose. Only iPhone users running iOS6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically.

  • At the time the investigation began, messages sent using WhatsApp’s messenger service were unencrypted, leaving them prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks. In September 2012, in partial response to our investigation, WhatsApp introduced encryption to its mobile messaging service.

  • Over the course of the investigation, it was found that WhatsApp was generating passwords for message exchanges using device information that can be relatively easily exposed. This created the risk that a third party may send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened its authentication process in the latest version of its app, using a more secure randomly generated key instead of generating passwords from MAC (Media Access Control) or IMEI (International Mobile Station Equipment Identity) numbers (which uniquely identify each device on a network) to generate passwords for device to application message exchanges. Anyone who has downloaded WhatsApp, whether they are active users or not, should update to the latest version to benefit from this security upgrade.

WhatsApp’s Privacy Notice

If you are a WhatsApp user, you probably already know that the WhatsApp app lists all your contacts in your phone’s contacts list and reveals which of your contacts use WhatsApp. Aside from the authentication and encryption concerns the Canadian and Dutch authorities raised, this seems to be the source of the currently unresolved concerns the Canadians and the Dutch have.

Essentially, these concerns are that WhatsApp collects details of your contacts automatically (unless your phone is running iOS 6, in which case you would be prompted to allow WhatsApp to access your contacts’ details) and uploads that data to WhatsApp’s servers to be compared to its database of users so it can identify which of your contacts are using WhatsApp and allow you to message them using the app. So far, so good, but WhatsApp doesn’t subsequently discard the data pertaining to non-users after it has compared them to its database.

As the Canadian press release mentions, this touches on two personal information processing limitations, namely purpose specification and related processing limitations. Specifically, WhatsApp is processing personal information for longer than it requires, given its intended purpose, and may be collecting more than it requires. It seems that the concern is specifically about the non-user personal information, and the expectation seems to be that WhatsApp discard non-users’ personal information once it establishes that they are, in fact, non-users, and that the app prompt users to agree to submitting contacts’ details to WhatsApp when users want to check whether additional contacts are users.

The WhatsApp Privacy Notice deals with this in a couple sections:

The Information WhatsApp Collects

WhatsApp may obtain the following types of information from or concerning you or your mobile phone device, which may include information that can be used to identify you as specified below (“Personally Identifying Information”):

User Provided Information: You provide certain Personally Identifiable Information, such as your mobile phone number, push notification name (if applicable), billing information (if applicable) and mobile device information to WhatsApp when choosing to participate in various uses of the WhatsApp Service, such as registering as a user, updating your status or requesting status for your contacts. In order to provide the WhatsApp Service, WhatsApp will periodically access your address book or contact list on your mobile phone to locate the mobile phone numbers of other WhatsApp users (“in-network” numbers), or otherwise categorize other mobile phone numbers as “out-network” numbers, which are stored as one-way irreversibly hashed values.

and

The Information WhatsApp Does Not Collect

WhatsApp does not collect names, emails, addresses or other contact information from its users’ mobile address book or contact lists other than mobile phone numbers—the WhatsApp mobile application will associate whatever name the WhatsApp user has assigned to the mobile telephone number in his/her mobile address book or contact list — and this occurs dynamically on the mobile device itself and not on WhatsApp’s servers and is not transmitted to WhatsApp. This means that if you have your friend’s mobile phone number associated with the name “Shakespeare” in your mobile address book, that’s the name that will appear for that mobile phone number in your WhatsApp contact list. We do not collect location data, but users may voluntarily share their location with other users via the WhatsApp Service.

The big question is whether WhatsApp should retain non-user phone numbers after it has compared the data captured through the app with its database.

South African law

At present the main issue in South Africa is whether transmitting your contacts’ personal information to WhatsApp violates their privacy. Our current privacy law is informed by the right to privacy in the Bill of Rights, prevailing case law developed by our courts and legislation like the Electronic Communications and Transactions Act and Consumer Protection Act. The Protection of Personal Information Bill has not yet been passed although I’ll deal with that below.

The answer to this lies in the implicit (or explicit, if you have it) consent you have from your contacts to take the personal information they give you, pass it on to WhatsApp and then contact them through WhatsApp if they are users. This is a tough question to answer in the absence of an explicit preference from your contacts one way or another. Presumably they gave you their contact details or made them available with the expectation that you contact them. Whether a contact would object to being contacted using WhatsApp is a secondary issue. Conceivably some contacts may object to their personal information being passed to WhatsApp due to concerns about its privacy practices or out of a desire to remain out of that system, and where a contact expresses that preference, you should certainly act appropriately. Absent that express preference, may users assume they have their contacts’ implicit consent? Perhaps.

Under the anticipated Protection of Personal Information Act (I refer to the “Protection of Personal Information Bill” interchangeably with “Protection of Personal Information Act” because it is still going through the legislative process of being passed as an Act of Parliament), the question is ordinarily what sort of consent is given and whether this covers the intended personal information uses. “Consent” is defined as –

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

When it comes to individual users, the Protection of Personal Information Act probably won’t require individuals to comply with its restrictions when it comes to compiling their contacts lists where doing so is “in the course of a purely personal or household activity”. WhatsApp wouldn’t be able to take advantage of this exclusion so it would be required to obtain its users’ consent to process their personal information.

Will the Protection of Personal Information Act apply?

You may have noticed that WhatsApp indicates that it stores non-users’ (or “out-network”) phone numbers as “one-way irreversibly hashed values” which, when coupled with improved encryption options make it practically impossible to resolve those hash values back to phone numbers (classified as “personal information” in most jurisdictions).

The Protection of Personal Information Act has a further exception to its application in that it does not apply to personal information “that has been de-identified to the extent that it cannot be re-identified again”. It would be interesting to test whether this exclusion would apply here and would probably be dependent on whether the hashed values could, somehow, be associated with individuals despite the encryption. WhatsApp only collects phone numbers and not names and other details (the association between a number and a name occurs on your device, not on the server) so this exclusion could well apply and get WhatsApp off the hook when it comes to potential Protection of Personal Information Act compliance. It would also likely address residual privacy concerns because the phone numbers will appear to have been practically and irreversibly anonymised.

Even if the Protection of Personal Information Act applies

If this exclusion does not assist WhatsApp, the Protection of Personal Information Bill contains a number of processing limitations along the lines of the limitations the Canadians and Dutch found were exceeded.

One processing limitation is “Minimality” which states that –

  1. Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

The Protection of Personal Information Bill requires that personal information be collected directly from what it refers to as “data subjects” (in other words, the people the personal information relates to) and one of the exceptions to this is where –

collection of the information from another source would not prejudice a legitimate interest of the data subject

Given the steps taken to disassociate the phone numbers collected and pertaining to non-users with the non-users’ identities, this may be an exception to the general rule that the personal information be collected directly from the non-users concerned. In this case the “other source” would be the WhatsApp user submitting the personal information.

The Protection of Personal Information Bill’s purpose specification limitations include the following which are more appropriate to what WhatsApp is doing:

Collection for specific purpose

  1. (1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
    (2) Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.

Section 18 deals with the necessity for informed consent from data subjects and includes the following exclusion which is similar to the exclusion dealt with above:

non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act

Another processing specification limitation in the Protection of Personal Information Bill which relates to the Canadian and Dutch requirements is the following:

Retention and restriction of records

  1. (1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed …

Section 14(1) has a number of exclusions which probably won’t apply here but section 14(4) may assist WhatsApp:

A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).

Section 14(2) deals with personal information processed for “historical, statistical or research purposes” but may not apply here.

On the topic of this retention restriction, it’s not clear why WhatsApp retains “one-way irreversibly hashed values” based on non-users’ phone numbers. If “one-way irreversibly” means that these hashed values are not capable of being translated back into phone numbers (as I have assumed) then it’s not clear what purpose is served by retaining this data. If these “one-way irreversibly hashed values” can be translated back into phone numbers then the exclusions in the Protection of Personal Information Bill will probably not apply and WhatsApp will be, almost by definition, in violation of the Protection of Personal Information Bill’s processing limitations where it does not obtain consent from non-users to process their phone numbers.

On the other hand, if “one-way irreversibly hashed values” does, in fact, mean they can’t be translated back into phone numbers and will remain as seemingly random data strings, then they will likely not be regarded as “personal information” in the first place, as personal information is defined, at least by the Protection of Personal Information Bill, as including “information relating to an identifiable, living, natural person”. If that is the case then the debate about whether the Protection of Personal Information Act applies becomes largely academic from WhatsApp’s perspective, as non-users’ phone numbers cease to be personal information when they are converted into “one-way irreversibly hashed values”.
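Whether a “one-way” hash of a phone number can be linked back to that number is the hinge of the two paragraphs above (and the same reasoning lies behind the Canadian finding, earlier on this page, about passwords derived from MAC or IMEI numbers). The post does not say how WhatsApp computes its hashed values, so the following is an added example written for this post, not WhatsApp’s scheme: it stores a few constructed numbers both as a plain SHA-256 digest and as a keyed HMAC-SHA256 digest, then asks how many a party holding only the stored values can link back to a number by recomputing the function over a candidate range. The “+278200…” number block, the candidate range size and the key are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections.abc import Callable, Iterable

# Constructed number block for the example; not real subscriber data.
CONSTRUCTED_PREFIX = "+278200"


def hash_number(number: str) -> str:
    """Plain one-way hash of a phone number. One-way means the digest cannot
    be inverted algebraically; it says nothing about whether the input can
    be guessed, and phone numbers are a small, structured input space."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_hash_number(number: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Whoever holds the key can still recompute
    and match; whoever holds only the stored values cannot, because they
    cannot produce candidate digests without the key."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def candidate_numbers(count: int = 20_000) -> Iterable[str]:
    """Enumerates a constructed block of numbers with a five-digit suffix."""
    for i in range(count):
        yield f"{CONSTRUCTED_PREFIX}{i:05d}"


def link_by_recomputation(
    stored: set[str], candidates: Iterable[str], hasher: Callable[[str], str]
) -> dict[str, str]:
    """Recomputes hasher() over each candidate and reports the stored digests
    that were matched, mapped back to the number that produced them."""
    found: dict[str, str] = {}
    for number in candidates:
        digest = hasher(number)
        if digest in stored:
            found[digest] = number
    return found


def linkability_check(stored_numbers: list[str], key: bytes) -> tuple[int, int]:
    """Stores the numbers both ways and returns (plain_hits, keyed_hits): how
    many stored values a party *without* the key links back to a number when
    recomputing over the candidate block."""
    plain_store = {hash_number(n) for n in stored_numbers}
    keyed_store = {keyed_hash_number(n, key) for n in stored_numbers}

    plain_hits = link_by_recomputation(plain_store, candidate_numbers(), hash_number)

    # Without the real key the best available move is to recompute under a
    # guessed key, which matches nothing.
    guessed_key = secrets.token_bytes(32)
    keyed_hits = link_by_recomputation(
        keyed_store, candidate_numbers(), lambda n: keyed_hash_number(n, guessed_key)
    )
    return len(plain_hits), len(keyed_hits)


if __name__ == "__main__":
    # Two constructed non-user numbers inside the candidate block.
    stored = ["+27820001234", "+27820009876"]
    print(linkability_check(stored, secrets.token_bytes(32)))  # (2, 0)
```

The first number is the practitioner’s caveat to the word “irreversibly”: for a low-entropy input like a phone number, a plain hash can be matched back by recomputation in fractions of a second, so the stored value is still identifiable data in the sense the Bill uses. The second number shows what a keyed hash changes: it does not make the value unlinkable in the abstract, it restricts linking to whoever holds the key, which for a service-held key is the service itself. Which of these describes the actual stored values is exactly the open question the post raises.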

Of course, when it comes to WhatsApp users, they are bound by the WhatsApp Privacy Policy and part of that includes their consent to their personal information being processed by WhatsApp in the manner described in the Privacy Policy.

Where does that leave WhatsApp?

So where does this leave WhatsApp? When it comes to South African law, there may be far less of an issue about WhatsApp’s retention of non-users’ personal information than the Canadians and Dutch seem to have with the service. If their definitions of personal information are similar, it should, perhaps, be less of an issue for them too, provided these “one-way irreversibly hashed values” can’t be translated back into phone numbers and will remain as seemingly random data strings.

Is it safe to keep using WhatsApp? In light of the increased security added after the initial Canadian and Dutch investigations, it does seem to be safe to use WhatsApp. At least from this perspective.