SynopsisPrivate chats, group chats, and user profiles from messaging platforms getting leaked is a constant threat. While Big Tech, lawmakers, and privacy advocates know where the holes are, there has been an air of reticence around discussing how to plug them. Can messaging apps alone be held responsible for such leaks? No. There is more to it than meets the eye.
Are your chats secure?
Maybe yes. Maybe no.
2018: Chetan Bhagat’s WhatsApp chats leaked amid the #MeToo movement.
2019: 470,000 WhatsApp group invite links leaked.
2020: Chats of celebrities involved in an narcotics-bureau investigation leaked.
2021: Republic TV anchor Arnab Goswami’s chats with TV-ratings agency BARC’s former CEO Partho Dasgupta leaked.
WhatsApp chats constantly get leaked, but the public comes to know only about a fraction of them. No matter how secure the platform claims to be, there will always be chinks giving away information users hold so dear.
Be it the private chats, group chats, or user profile, they always run the risk of getting leaked. Big Tech knows where the gaps are, so do the lawmakers and privacy advocates. Nevertheless, there has been an air of reticence around discussing them.
But are WhatsApp, Signal, or Telegram alone responsible for such leaks? No. There is more to it than meets the eye.
It is obvious to suspect WhatsApp and similar platforms to be snooping on user data. While that may be the case to an extent, the conversation held in a private chat, stays private. It is only when a device is stolen, withheld for investigative purposes, a clone of it is created, or a user decides to share screenshots of a conversation, or backs up the chat history on Google Drive or iCloud, that these chats may fall into the wrong hands.
If law-enforcement agencies take access of a user’s phone, the messages are out of the encryption loop. Even then, any unauthorised access to someone’s private chats is strictly prohibited under law, as it amounts to data theft and violation of the person’s right to informational privacy, says Kazim Rizvi, founder, The Dialogue, a New Delhi-based public policy think tank.
In addition to a screen lock, WhatsApp provides the option to secure end-to-end encrypted chats and create a backup, but Rizvi suggests that users should avoid doing that, given the likelihood of chats being leaked. “Cloud backups are the big weakness of these systems,” says Matthew Green, associate professor of computer science at Johns Hopkins Information Security Institute.
The backup services integrated with WhatsApp are neither end-to-end encrypted, nor do they use WhatsApp’s encryption feature. This leaves a large chunk of user data and private messages vulnerable to be accessed through wrongful means. “If I can get your Google drive or iCloud password, I can restore your information back on to a new phone,” Green says, adding, “You can turn off backups, but many people like to have them turned on.”
The governments may be after the tech platforms to provide them backdoor access to private chats, but in reality, these platforms cannot do that, by design.
Both WhatsApp and Signal use the same method, called the Signal Protocol, a cryptographic tool to enable end-to-end encryption for calls and messages. When two devices agree on a shared encryption key, the messages sent between the devices use the same key to encrypt the messages. Both WhatsApp and Signal do not see what the messages read since they never receive the key.
Green explains that the protocol has an advantage, whereby, each time a message is sent, the encryption key updates. “So even if someone steals an old copy of your encryption key from a cloud backup, it won’t do them any good,” he says, adding that the server cannot decrypt any of the messages shared between people on Signal or WhatsApp.
But the loophole lies in the device containing the decrypted messages and on the third-party backup service. Both WhatsApp and Green have taken cognisance of the fact. Users with access to the decrypted messages may share screenshots of their chats or record voice messages and calls to later share them with other users or post them on social media.
Similarly, says a WhatsApp spokesperson, “Users may use a data-backup service integrated with our services (like iCloud or Google Drive), which will receive information users share with them, such as their WhatsApp messages.” When third-party services are used, their terms and privacy policies will govern the use of those services and products, the spokesperson adds.
WhatsApp on its FAQ page states that media and messages backed up on Google Drive are not protected by WhatsApp’s end-to-end encryption. Signal does not currently support cloud backups for chats. However, WhatsApp stores the key for backups with Facebook, but puts the encrypted data on Google and/or Apple cloud services.
Plastering the gaps
More work needs to be done to strengthen cloud backup, says Green. “We have been looking at this problem in my research lab, and it’s a hard one.”
Some features by Apple and Google do provide end-to-end encrypted backup services, given that the user knows the device password to restore backup.
Last year in March, WABetaInfo, an independent provider of news about WhatsApp, mentioned that the platform was testing a feature to encrypt Google Drive backup of chats. The feature was stated to be at an alpha stage of development. It would allow users to encrypt their backup using a password, ensuring that not just WhatsApp, but even Google or Apple cloud services will not be able to decrypt the stored content.
Given the nature of this feature, users will not be able to restore chat history upon losing the password used to encrypt the database. “Adding these features to WhatsApp seems like a good place to strengthen the security of these systems,” Green says.
However, adding a layer of security to private chats through backup encryption might not go down well with the government, which has encouraged “lawful interception” and demanded “transparency” from WhatsApp and Facebook.
The government has repeatedly stressed on traceability of message origin and more transparency in tech companies’ data-sharing and data-storage practices. There have even been requests for backdoor access into encrypted conversations for law-enforcement purposes.
“They (governments) want to know who talks to whom, when, where, and for how long. Access to content and messages is also desirable. So they never cease to agitate for it, seeking backdoors, trapdoors, and infiltration points, trying to make it impossible for citizens to have secrets.”
— Mishi Choudhary, legal director, Software Freedom Law CenterOn October 11, 2020, India became one of the six signatories to an international joint statement against end-to-end encryption on social-media platforms. According to the statement, end-to-end encryption precludes lawful access to communication, creating severe risks to public safety. “Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format,” the statement says.
While WhatsApp has declined such requests of interception from the government, Signal fares better when it comes to providing user information to law-enforcement authorities for investigative purposes. Mishi Choudhary, legal director of the New York-based Software Freedom Law Center, says that services like Signal don’t collect personally identifiable information and, therefore, have nothing to share with anyone.
“Governments that want to control their people and crush dissent seek metadata.” she says. “They want to know who talks to whom, when, where, and for how long. Access to content and messages is also desirable. So, they never cease to agitate for it, seeking backdoors, trapdoors, and infiltration points, trying to make it impossible for citizens to have secrets.”
It is yet to be seen how the Indian government’s stance on end-to-end encryption would affect WhatsApp and Signal’s encrypted-messaging feature.
The bottom line
No doubt the Facebook-owned messaging platform cannot read its users’ chat messages, but it must speed up the process of plugging existing holes before it gets too late. Along the way, cloud-service providers must set their sights on heightened user-data security and privacy.
The time to act is now.