WhatsApp announced Friday that it will offer its two billion users encryption of their chat backups to cloud. This is a significant step in preventing one of the many ways private communications between people on the app could be compromised.
Facebook's service allows end-to-end encryption of chats between users for over a decade. Users have been forced to backup their chats to the iCloud on iPhones or Google Drive on Android.
These unencrypted WhatsApp Chat Backups on Google and Apple servers are one of the most well-known ways that law enforcement agencies around the world have been able for years to access WhatsApp conversations of suspects.
WhatsApp now claims it is fixing this weak link in its system.
WhatsApp is the first messaging service to offer encrypted messaging and backups at an end-to-end scale. This was achieved by a very difficult technical challenge, according to Mark Zuckerberg, Facebook chief executive. He announced the new feature in a blog post.
Your own encryption keys
According to the company, it has created a system that allows WhatsApp users to secure their chat backups using encryption keys on both Android and iOS. WhatsApp claims it will provide two options for users to encrypt cloud backups. The feature can be used as an optional option.
WhatsApp users will soon be able to generate a 64-digit encryption code to protect their chat backups. The encryption key can be stored offline, in a password manager they choose, or it can be encrypted in a cloud-based backup vault that WhatsApp has created. WhatsApp doesn't know the password of users who store their cloud-stored encryption keys.
We are aware that not everyone will want the 64-digit encryption key. Others will prefer something simpler and more readable. We do not know the backup password once a user has set it. WhatsApp stated that they can reset their backup password on their original device if necessary.
We will notify users several times when they sign up to end-to-end encrypted back-ups. If they lose their 64-digit keys, we won't be able restore their backup. Users should also make sure they keep it. Before we complete the setup, we ask users to confirm that they have saved their password and 64-digit encryption keys.
TechCrunch was told by a WhatsApp spokesperson that backups created using encrypted encryption will erase any previous backups. The spokesperson explained that this will occur automatically and users will not need to do anything.
Possible regulatory pushback
This important move to add an extra layer of privacy could have profound implications.
As governments lobby for backdoors, end-to-end encryption is still a controversial topic. After the FBI complained to Apple, they reportedly forced it to remove encryption from iCloud Backups. While Google offers users the option to encrypt data stored in Google Drive, Google allegedly did not inform governments before rolling out the feature.
TechCrunch asked WhatsApp if it had consulted with the government or received support from them during the development of this feature. The company declined to answer any questions.
We value the privacy of people's messages and believe that companies should improve security for their users as we spend more time online. We are offering our users the ability to add an additional layer of protection to their backups. This feature is available to them if they wish. TechCrunch was informed by the company.
WhatsApp confirmed that this feature will be available in all markets where it is present. Companies are not known for withholding privacy features due to legal or regulatory reasons. Apple's forthcoming encrypted browsing feature won't be available to users in countries like China, Egypt, Kazakhstan and Saudi Arabia.
Friday's announcement is a result of ProPublica reporting that human contractors can read encrypted private conversations between two users when users report them.
It is difficult to fully secure backups and it is even more difficult to make them reliable and easy to use. Uzma Barlaskar (product lead privacy at WhatsApp), stated that no other messaging service has achieved this level of encryption and provided such security for users' messages.
This problem has been a problem for years. To solve it, we needed to create a new framework for key storage, cloud storage, that could be used across all the largest operating systems in the world. That took time.