Manuel Carpio, Director of Information Security and Fraud Prevention of Telefónica
Last week WhatsApp announced that from now on all its traffic on the application will be encrypted end-to-end (up to now that was only the case for Android and not including videos, documents and other files).
While this looks at the outset like just another step in the recent move towards ubiquitous encryption, there are some facts that make it stand out:
- This is arguably the biggest move to encrypt personal communications traffic by default that we have seen so far; just remember that around 1 billion people worldwide are using WhatsApp and market penetration in some markets is over 90%.
- WhatsApp has been criticised in the past by some NGOs and watchdogs for using weaker encryption and privacy tools; this time the encryption used is said to be “secure for commercial purposes”. This avoids qualifying it as “uncrackable”, which is a relative concept depending upon the resources devoted to cracking algorithms or protocols, but it is a very high standard which ordinary people would call uncrackable.
- Other messaging services by major companies have up to now not used such strong end-to-end encryption because they always also store a copy of the key on their company server, making it possible to access encrypted information in specific cases with their cooperation; this seems not to be possible with the encryption technology used by WhatsApp, as the key is only stored on the user’s device (it remains to be confirmed, though, given the lack of sufficient information about the implementation of the Signal protocol, whether the key could be retrieved from the server or not). Users will additionally have a way to prove that there was no “man-in-the-middle” in their communication with a person, making the communication even more secure.
These developments lead to some reflections:
- WhatsApp encryption is highly disruptive for the market of encrypted, secure communications, as it is offered for free. It has arguably become the best choice for private commercial and personal communications security, even if perhaps not for military, government, or highly confidential information. This means that the market for commercially secure and private communication faces a new competitive situation overnight, and paid services might struggle going forward.
- It is obvious that we will see many issues with national security and criminal enforcement agencies going forward; not only decent citizens will find out that they now have a fairly secure way to communicate. Combining WhatsApp communication with an encrypted smartphone (like iPhones or devices of other manufacturers where information is stored in encrypted form) makes it difficult to circumvent without consent from the affected person (especially if there is no upload of content to a central cloud). This means the creation of something we could also call a “Dark Communication” space (similar to the “Dark Web”), which is something we have never seen before in the history of communication on such a massive scale. Just to name an obvious consequence: all the various efforts to improve child safety on the internet and to block paedophile and other globally illegal content could become useless, as there is now another, absolutely private way to send and receive content.
Encryption is without any doubt a way to help users protect their privacy and private communication, and it is for good reasons highly protected in all democratic societies. However, for many decades there have also existed, in all free and democratic states, legally and publicly accepted ways to get access to private communication in specific cases, using due process and respecting the rule of law and human rights. Privacy, like all human rights, is limited by other human rights, and there are of course certain cases where it has to give way. Just to be clear: this is not an argument for unlimited and unlawful mass surveillance, which is not proportionate when it targets everyone.
Last week’s move by WhatsApp has resulted in strong end-to-end encryption of communication being accessible to the majority of regular Internet users, for free and by default. The communication of more than 1000 million people will, for the first time in history, not be accessible anymore – in no case, no exceptions, period.
The pendulum has swung all the way back: while mass surveillance means governments using Big Data technology to crunch massive amounts of communication (meta)data, encryption is technology that gives Internet users absolute and unlimited privacy. Technology is fighting technology, with encryption currently seeming to have the upper hand.
The big unanswered question is: Where will human decision, where will democratic decisions by parliaments (for example: existing law enforcement laws), where will proportionality and balance to other human rights come into that equation?
This is just the start of a long debate which will affect all of our future lives.