For those, like me, who can't keep up with the kids these days and their computer technologies, WhatsApp is an encrypted messaging app now owned by Facebook. Its major selling point is privacy: The end-to-end encryption is supposed to mean that no one — not even WhatsApp employees, who run the servers the messages pass through — can read the messages you send to other users. That promise has helped balloon WhatsApp's user base to more than a billion people and made it a preferred app of activists and even diplomats who want to keep their communications safe from prying eyes.
It turns out that isn't exactly true. Tobias Boelter, a cryptography researcher at the University of California, Berkeley, has found that the way WhatsApp handles changes to a user's encryption keys lets some of those privacy protections be circumvented, a built-in backdoor in his description. The Guardian explains:
WhatsApp's end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.
The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users' messages. [The Guardian]
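To make the difference concrete, here is a small simulation of the behaviour the passage describes. It is added for this piece and is not code from WhatsApp, Open Whisper Systems or The Guardian: a toy Diffie-Hellman group and an HMAC keystream stand in for the Signal protocol's real key agreement and ciphers, and the "auto" and "block" policies are our own labels. Under "auto" the sender silently re-encrypts undelivered messages to whatever new key the server announces and warns the user only afterwards; under "block" it warns first and holds the queue until the user verifies the key. The server in the constructed scenario announces a key it generated itself.

```python
# Added illustration: a toy model of the key-change behaviour described above.
# It is NOT the Signal protocol: a tiny Diffie-Hellman group and an HMAC
# keystream stand in for X3DH/Double Ratchet and real ciphers (assumptions).
import hashlib
import hmac
import secrets

# Toy DH group (assumption: Mersenne prime 2**127-1 with generator 3; far too
# small for real use, but enough to show who can derive a given session key).
P = (1 << 127) - 1
G = 3


def keygen():
    """Return a (private, public) identity keypair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub):
    """Derive a 32-byte pairwise session key from the DH shared secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def encrypt(key, plaintext):
    """XOR with an HMAC-derived keystream, then append a MAC (toy AEAD)."""
    stream, block = b"", 0
    while len(stream) < len(plaintext):
        stream += hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return ct + hmac.new(key, ct, "sha256").digest()


def decrypt(key, blob):
    """Check the MAC and strip the keystream; raises ValueError on a wrong key."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        raise ValueError("bad MAC: wrong session key")
    return encrypt(key, ct)[:-32]


class Sender:
    """A client holding undelivered messages and a policy for key changes.
    "auto"  - re-encrypt undelivered messages to the new key and re-send them,
              warning the user only afterwards (the behaviour quoted above).
    "block" - warn and hold the queue until the user verifies the new key.
    """

    def __init__(self, policy):
        self.priv, self.pub = keygen()
        self.policy = policy
        self.peer_pub = None
        self.pending = []   # plaintexts not yet marked delivered
        self.outbox = []    # every ciphertext handed to the server
        self.warnings = []

    def send(self, peer_pub, plaintext):
        self.peer_pub = peer_pub
        self.pending.append(plaintext)
        self.outbox.append(encrypt(session_key(self.priv, peer_pub), plaintext))

    def peer_key_changed(self, new_pub):
        """The server announces a new identity key for the offline recipient."""
        if self.policy == "block":
            self.warnings.append("key changed; verify before sending")
            return []
        self.peer_pub = new_pub
        resent = [encrypt(session_key(self.priv, new_pub), m) for m in self.pending]
        self.outbox.extend(resent)
        self.warnings.append("key changed; messages already re-sent")
        return resent


def run_scenario(policy):
    """Constructed scenario: Bob is offline and the server substitutes his key."""
    bob_priv, bob_pub = keygen()
    alice = Sender(policy)
    alice.send(bob_pub, b"meet at 9")          # undelivered: Bob is offline

    srv_priv, srv_pub = keygen()               # a key the server itself holds
    resent = alice.peer_key_changed(srv_pub)

    server_reads = [decrypt(session_key(srv_priv, alice.pub), c) for c in resent]
    try:                                        # the original ciphertext stays sealed
        decrypt(session_key(srv_priv, alice.pub), alice.outbox[0])
        original_exposed = True
    except ValueError:
        original_exposed = False
    bob_reads = decrypt(session_key(bob_priv, alice.pub), alice.outbox[0])
    return {"server_reads": server_reads, "original_exposed": original_exposed,
            "bob_reads_original": bob_reads, "warnings": alice.warnings}
```

Calling `run_scenario("auto")` shows the server reading the re-sent message, while `run_scenario("block")` leaves it with nothing; in both cases the ciphertext that was first queued for Bob stays readable only by Bob, which is why the issue is limited to messages not yet marked delivered. Note that the sender is warned under both policies; the security-relevant difference is whether the warning arrives before or after the re-send.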
As Boelter summarizes, "If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys." For those looking for an encrypted app without this behavior, there's still Signal, the app from the protocol's own developers and the communications choice of NSA whistleblower Edward Snowden. It uses the same encryption as WhatsApp, but when a recipient's key changes it warns the sender up front rather than automatically re-sending undelivered messages to the new key.
Update 11:51 a.m.: WhatsApp disputes The Guardian's report. Here is their statement in full:
The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a "backdoor" allowing governments to force WhatsApp to decrypt message streams. This claim is false.
WhatsApp does not give governments a "backdoor" into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.