WhatsApp is an extremely popular mobile messaging service with over 1 billion daily users. That's an amazing figure, and the company prides itself on the apparent security it affords all of those users (provided they are running the latest version of the app).
Below is our guide on how to ensure your WhatsApp messages are fully end-to-end encrypted. However, it's also good to be aware that not everyone trusts the company's word, in part because of privacy issues surrounding its parent company Facebook and also its implementation of encryption.
WhatsApp uses part of a security protocol developed by Open Whisper Systems, a company that has its own fully secure messaging app Signal (for iOS and Android). It's very good. It may not be as obsessed with multimedia sharing as WhatsApp but its basic functions are the same - and fully end-to-end encrypted.
WhatsApp has taken a few hits and been in the news recently, and the somewhat limited public understanding of encryption means the coverage can be a bit confusing. Here are a few examples of WhatsApp in the news, and what they really mean.
Amber Rudd's call for encryption ban
The UK's Home Secretary, Amber Rudd, appeared on the Andrew Marr show on Sunday 26 March in the wake of the Westminster terrorist attack. She made ill-advised comments on banning end-to-end encryption in apps like WhatsApp, saying the government needs to make sure they “don’t provide a secret place for terrorists to communicate with each other.”
Unfortunately this conveys a basic misunderstanding of tech and encryption. Her idea to ban WhatsApp from encrypting all of its one billion users’ messages goes against the virtues of privacy in our society. Rudd’s assertion that “there should be no place for terrorists to hide” is an understandable one, but her misunderstanding of the security implications of banning all WhatsApp encryption is jarring.
Her comments came after it was revealed lone wolf attacker Khalid Masood used WhatsApp at some point before the events at Westminster. It is unclear to what end.
If WhatsApp were forced to create a backdoor into its service that allowed governments to spy on suspected terrorists, it would compromise the security of millions of users' data. The Guardian even reported that Brian Paddick, the Liberal Democrat home affairs spokesman, said that, “My understanding is there are ways security services could view the content of suspected terrorists’ encrypted messages and establish who they are communicating with.”
By publicly stating that WhatsApp shouldn’t encrypt messages in order to uncover terror threats more easily, Amber Rudd has let the world know that, once again, those in positions of political power still don’t – or don’t think it’s necessary to – understand technology.
In January 2017 the Guardian reported claims that WhatsApp 'has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.'
The Guardian claimed that WhatsApp has a 'backdoor'. If WhatsApp covertly changed security keys of a user, the company could, according to Tobias Boelter, a cryptography and security researcher at the University of California, 'disclose its messaging records, it can effectively grant access due to the change in keys' at the request of government agencies.
WhatsApp claims this loophole exists so that if someone changes their phone, and therefore their automatic security key, messages will still send so as not to disrupt service. This is, to be fair, a valid point, as not doing so would disrupt the service of 1 billion people relatively frequently. WhatsApp's full statement can be found here via Reddit.
Open Whisper Systems also issued a statement here. While one can't say for sure who is right, it continues to show that companies that try to promote security are the ones that end up suffering for it publicly.
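The retransmission behaviour described in the Guardian report above, modelled as an added example (not WhatsApp's or Open Whisper Systems' code). It contains no real cryptography: a message is only tagged with the fingerprint of the key it was sealed to, and the Sender class, the policy names "resend" and "block" and the sample keys are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()[:16]  # short code a user can compare

@dataclass
class Sender:
    policy: str                  # "resend" or "block" (hypothetical policy names)
    trusted_fp: str              # fingerprint the sender currently encrypts to
    pending_fp: str = ""         # announced by the server, not yet verified
    undelivered: list = field(default_factory=list)  # no delivery receipt yet
    outbox: list = field(default_factory=list)       # (fingerprint, text) on the wire
    notices: list = field(default_factory=list)      # what the user is shown

    def send(self, text):
        # Stand-in for encryption: record which key the message was sealed to.
        self.outbox.append((self.trusted_fp, text))
        self.undelivered.append(text)

    def receipt(self, text):
        self.undelivered.remove(text)

    def key_announced(self, new_key: bytes):
        new_fp = fingerprint(new_key)
        if new_fp == self.trusted_fp:
            return
        if self.policy == "resend":
            # Reported behaviour: re-encrypt undelivered messages, then notify.
            self.trusted_fp = new_fp
            self.outbox += [(new_fp, t) for t in self.undelivered]
            self.notices.append("security code changed")
        else:
            # Stricter alternative: nothing is re-sent until the user verifies.
            self.pending_fp = new_fp
            self.notices.append("verify new security code before sending")

    def user_verified(self):
        if self.pending_fp:
            self.trusted_fp, self.pending_fp = self.pending_fp, ""
            self.outbox += [(self.trusted_fp, t) for t in self.undelivered]

def simulate(policy: str):
    """Constructed scenario: 'hi' is delivered, 'secret' is not, then the key changes."""
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    s = Sender(policy, fingerprint(old_key))
    s.send("hi"); s.receipt("hi"); s.send("secret")
    s.key_announced(new_key)
    sealed_to_new = [t for fp, t in s.outbox if fp == fingerprint(new_key)]
    return sealed_to_new, s.notices
```

Under "resend" the undelivered message reaches whoever holds the newly announced key before the sender sees any notice; under "block" it goes nowhere until user_verified() is called. Already delivered messages are never re-sent in either case.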
Despite this, here is our guide on how to turn on WhatsApp encryption in the first place, and also how to opt out of adverts on the platform.
Wikileaks' Vault 7
On Tuesday 7 March 2017 Wikileaks caused a stir by releasing 'Vault 7', thousands of confidential documents it claims are from CIA internal networks. This has raised some concerns that WhatsApp messages, which are end-to-end encrypted, could be read.
Reporting can be slightly confusing in this instance; it's not actually the encrypted nature of the messages that could be compromised. The reports detail the intelligence agencies' ability to remotely control single devices and access them as though they were the user. In this case the encryption is still strong; it is the end user's device that has been compromised.
Therefore since this news, you needn't worry about the validity of the encryption in WhatsApp, worrying though it is that Wikileaks is claiming the CIA and others have the power to hack individual devices.
So that's the news side. Here's the tech side.
WhatsApp encryption information
Chances are you’ve probably sent a fair few WhatsApp messages already today. As of 5 April, all those messages are now encrypted end-to-end – provided you have the most up to date version of the app downloaded on your iPhone, Android, Nokia, Windows or BlackBerry smartphone handset. Here we break down what the somewhat confusing issue means for you - what is WhatsApp encryption?
How to turn on encryption in WhatsApp
WhatsApp now securely encrypts every single message, call, picture, video or any other type of file you send so that the only person who can read or view it is the recipient. Not even WhatsApp has the ability to intercept and view those messages.
As a user, you don’t have to turn this feature on, nor can you turn it off. You should receive a message within your chats if you are using the latest version of the app (which is required) to let you know the change has been implemented for you.
If you’d like to learn a bit more about the issue, we’ve broken it down further for you.
What is encryption?
Encryption is the scrambling of messages from the sender on their journey to the recipient, largely to discourage the interception and reading of those messages by other parties.
This concept dates back thousands of years to coded written message sending, but now, modern forms of communication can be encrypted automatically with complex coding.
Thanks to the smartphone revolution, we now send and receive an awful lot more data between devices. All this data, be it voice calls, text messages or mobile data, is managed by whichever service provider you are using. Whether or not this data is encrypted varies depending on the policy of the company providing the service.
For example, voice calls and text messages are handled by your mobile operator. This operator also provides your 3G or 4G connection to the Internet on your smartphone, but they don’t encrypt all the services you use.
If you tend to message via WhatsApp rather than text message, your mobile operator is not responsible for encrypting that WhatsApp data – it merely provides you with your connection to the wider Internet, the connection that allows apps such as WhatsApp, Facebook and Twitter to send messages all over the world.
How does WhatsApp end-to-end encryption work?
WhatsApp encrypting messages ‘end-to-end’ is a big deal because it means that the company itself has decided to run a system in which even it cannot intercept and read messages sent on its own platform.
When you send a message, it can only be ‘unlocked’ by the intended recipient, thanks to a very complex code that took WhatsApp several years to develop. It’s no mean feat to achieve, particularly given that 1 billion people use the service.
This differs from many messaging apps, which only encrypt messages between you and them. This means that your messages are stored on the service's servers, usually not permanently, so hypothetically could be accessed and read.
Why has WhatsApp introduced end-to-end encryption?
Now that WhatsApp has end-to-end encryption, neither the company nor any other party – governments, police, hackers, other users – can intercept and read your messages.
WhatsApp has done this because as a company they believe in your right to have private conversations when you use their service.
Why is end-to-end encryption important?
The decision is getting a lot of attention because of high profile cases in which communications service providers like Facebook are pressed by authorities to release sensitive personal data.
A high profile case is the FBI asking Apple to unlock an iPhone 5C that was used by one of the San Bernardino shooters, a request which Apple refused, underlining the integral values many large communications companies hold when it comes to personal data, security and encryption.
Does every app have end-to-end encryption?
The short answer is no – but also this is not something to be alarmed about.
WhatsApp’s decision is one of the first of its kind, and is particularly interesting because traditionally smartphone messaging services have played down the importance of security.
Facebook Messenger only encrypts messages between your device and their servers. This means, by law, Facebook could be obliged to divulge private messages. The same applies to Instagram, which Facebook owns, though interestingly, it also owns WhatsApp.
In August 2016 WhatsApp announced that it will start to share data with its parent company Facebook in order to draw in adverts to the platform. Third party companies will be able to send targeted messages directly to WhatsApp users should they accept the new terms and conditions.
Facebook bought WhatsApp in 2014 and the latter will now share users’ phone numbers with Facebook to provide advertisements. It’s a clear sign that the platform is having to monetise its offering after a few years of providing a free service.
It seems if you opt in, Facebook will receive information in order to better target you with adverts on the Facebook platform. It's a small but significant sign that the Facebook-owned WhatsApp is having to concede some of its privacy values.
If you don't want to share additional information such as your phone number across platforms, here's how to opt out of WhatsApp adverts.
You will be given the following screen where you can agree to the changes.
Instead of pressing agree, tap the arrow at the bottom of the screen to read more details. You'll then get this screen, where you uncheck the box, opting out of sharing additional information:
If you've already clicked Agree, you can still reverse your decision for the next 30 days. Simply open WhatsApp and go into Settings > Account, then untick Share my account info.