Security industry welcomes WhatsApp encryption

The more encryption becomes ‘the norm’, the less resistance there will be to adopting it in businesses, say information security pundits

Security suppliers and commentators have welcomed the announcement that messaging platform WhatsApp is enabling full end-to-end encryption by default.

This means that in the latest version of WhatsApp, every call, message, photo, video, file, voice message and group chat is encrypted by default.

WhatsApp said the move is aimed at making online communication as private as a face-to-face conversation by blocking access by cyber criminals, hackers, governments and WhatsApp itself.

This means WhatsApp will be unable to access the contents of messages even if ordered to do so by a court, as recently happened to Apple.

WhatsApp will also notify users if messages are encrypted, which means that if anyone in a group chat is using an older version of the app that does not support encrypted group messages, the others will know who is causing the session to remain unencrypted, reports The Guardian.

The move by WhatsApp, which was acquired by Facebook in a $19bn deal two years ago, is the latest by the tech industry to capitalise on the growing demand for privacy by users of online services.

Ever since whistleblower Edward Snowden’s revelations of mass internet surveillance by the US and its allies, US tech firms have sought to distance themselves from links to government snooping.

Many have done so by implementing encryption, but this trend has been resisted and criticised by law enforcement and security services, particularly in the US and UK.

The FBI recently avoided a courtroom showdown with Apple by calling in the help of a third party when Apple refused to help access the iPhone data of San Bernardino gunman Syed Farook.

According to WhatsApp, encryption is one of the most important tools governments, companies and individuals have to promote safety and security in the new digital age.

With reference to the FBI-Apple row, WhatsApp said that although the company recognises the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people’s data to abuse from cyber criminals, hackers and rogue states.

“While WhatsApp is among the few communication platforms to build full end-to-end encryption that is on by default for everything you do, we expect it will ultimately represent the future of personal communication,” the company said.

According to independent security consultant Graham Cluley, the WhatsApp implementation of end-to-end encryption is built on solid foundations.

He said a technical paper reveals that it is based on the Signal Protocol, designed by Open Whisper Systems, and he encouraged WhatsApp users to update to the latest version without delay.

“It is very cool what WhatsApp has done – but it is clearly not going to be popular with everyone,” Cluley wrote in a blog post. “If you thought the recent FBI/Apple iPhone debacle in the courts was a big story, you ain’t seen nothing yet.”

Tony Pepper, CEO of Egress Software Technologies, said the WhatsApp move is good news for security in general. “The more encryption becomes ‘the norm’, the less resistance IT will have in getting people to adopt it in a commercial environment,” he said.

According to Pepper, the fact that end-to-end encryption is now being offered in popular apps means that employees will expect, and even push to have, the same level of information security from the data-sharing tools they use for work, such as email and online collaboration.

However, although this could help to create a safer data-sharing environment for everyone, consumer-grade technology does not provide the same level of assurances demanded by the work environment, said Pepper.

“If staff start using such technology at work, employers will still have no way of knowing what information is being shared or how it is being used, and will ultimately fail to protect sensitive customer data, and could cause more problems than it solves,” he said.

Encryption alone is only part of the battle, said Pepper – being able to audit, track and control the lifecycle of data as it is shared is equally important.

“Organisations therefore need to make sure the tools they give to employees are usable as well as secure to avoid them defaulting to personal devices, while also retaining control to ensure sensitive information doesn’t find its way to public platforms or unintended third parties,” he said.

With the likes of WhatsApp and parent company Facebook taking steps to educate users and raise awareness of secure communications, hopefully more will follow suit, said Jacob Ginsberg, senior director at encryption firm Echoworx.

“This is vital as questions mount, particularly in the UK, about people’s right to privacy,” he said. “We have recently seen large technology companies band together over issues with encryption.

“Ultimately, people have a right to communicate securely and end-to-end encryption solutions are one way to give them what they are looking for.”

In February 2016, Ginsberg told Computer Weekly that technology firms are particularly concerned about the severe lack of clarity around encryption and bulk data collection in the UK government’s draft Investigatory Powers Bill.

“Businesses need to be reassured that backdoors will not be built into end-to-end encryption,” he said. “If this is not clearly defined, there will be huge financial implications for the UK economy as cloud and hosting companies will simply move their data to jurisdictions that the bill cannot influence.”

According to Ginsberg, whose company has made contingency plans to move its operations to Ireland if necessary, failure to ensure that the final version of the legislation provides enough assurances around privacy could destroy the UK’s data storage market, driving out more than £10bn worth of business.
