Whether you’re sharing confidential information or brainstorming movie ideas with a friend, people are turning to private messaging apps that offer end-to-end encryption to protect the content of their conversations.
When data is shared over the Internet, it often traverses a series of networks to reach its destination. Apps such as WhatsApp, owned by social media giant Meta (formerly Facebook), offer a level of privacy that prevents even government agencies from accessing encrypted conversations.
However, with apps constantly changing their security and privacy policies, are messages still safe from decryption?
Cybersecurity expert Dr. Arash Shaghaghi from the UNSW School of Computing and Engineering and the UNSW Cybersecurity Institute compares encryption to a secret conversation between you and another person.
“To keep our information safe from prying eyes, we rely on cryptographic algorithms to encrypt our data. Encryption involves converting human-readable plain text into an encoded format and the data can only be read after it has been decrypted,” he explains.
“Encryption involves using a key to lock a message, while decryption uses a key to unlock a message.
“In theory, if a stranger observed an encrypted conversation, they could not understand its meaning, and they would need the appropriate key to decrypt it.
“Interestingly, with some end-to-end encryption protocols, such as Signal, even if someone steals the encryption keys and taps on the connection, they can’t decrypt messages that have already been sent. In cryptography, this is called forward secrecy.”
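The forward secrecy property described above can be shown with a one-way key chain, in which every message gets its own key and the key material that produced it is then discarded. The following Python example is added here for illustration and is not code from Signal or from this article; it is a simplified symmetric chain in the style of a ratchet, and the names `kdf_step`, `toy_cipher` and `SendingChain`, the sample secret and the sample messages are all constructed assumptions.

```python
import hashlib
import hmac

def kdf_step(chain_key):
    """One ratchet step: derive a per-message key and the next chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key

def toy_cipher(key, data):
    """Toy XOR stream cipher standing in for a real AEAD; encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

class SendingChain:
    def __init__(self, shared_secret):
        self.chain_key = shared_secret

    def encrypt(self, plaintext):
        # The previous chain key is overwritten here; HMAC is one-way, so it
        # cannot be recomputed from the value that replaces it.
        message_key, self.chain_key = kdf_step(self.chain_key)
        return toy_cipher(message_key, plaintext)

def demo():
    shared_secret = bytes(range(32))            # constructed sample secret
    sender = SendingChain(shared_secret)
    first = sender.encrypt(b"meet at noon")     # constructed sample messages
    sender.encrypt(b"bring the files")
    # The intended receiver holds the same starting secret and follows the chain.
    receiver_key, _ = kdf_step(shared_secret)
    receiver_plain = toy_cipher(receiver_key, first)
    # Key theft happens now: only the current chain key is left on the device.
    stolen = sender.chain_key
    later = sender.encrypt(b"new plan")
    later_key, _ = kdf_step(stolen)
    later_plain = toy_cipher(later_key, later)  # later traffic is exposed in this simple chain
    # Stepping the stolen key forward never reproduces the earlier message key.
    past_recovered, key = False, stolen
    for _ in range(1000):
        candidate, key = kdf_step(key)
        past_recovered |= toy_cipher(candidate, first) == b"meet at noon"
    return receiver_plain, later_plain, past_recovered

print(demo())
```

The stolen key opens the message sent after the theft but not the one sent before it, which is the forward secrecy property; protecting later messages as well requires mixing fresh key-exchange output into the chain, which this simplified example leaves out.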
Are our messages completely secure?
Modern encryption algorithms have been battle-tested and have shown no known vulnerabilities. While that doesn’t mean they are impossible to crack, the process requires significant processing power and can be time-consuming. Quantum computers, if mature enough, will be able to crack much of today’s encryption.
Attackers typically target endpoints and their vulnerabilities. That is much easier than cryptanalysis, which is the process used to breach cryptographic security systems.
For example, last year attackers targeted a vulnerability in WhatsApp’s image filter feature that triggered when a user opened an attachment that contained a maliciously crafted image file. More severe and less complicated vulnerabilities have been reported targeting WhatsApp clients running on iOS and Android.
Dr. Shaghaghi explains that when you save your messages on some messaging platforms, your messages are pushed to the cloud. This means that all your messages are now stored on someone else’s computer.
“The service provider’s implementation of end-to-end encryption plays an important role in keeping a messaging application secure and private against both the provider and attackers,” he says.
“WhatsApp used to keep a backup of messages in an unencrypted format in iCloud for Apple users and Google Drive for those using WhatsApp on Android. Even though WhatsApp adopted an end-to-end encryption model in 2016, unencrypted backups were vulnerable to government requests, third-party hacking, and disclosure by Apple or Google employees.”
In 2021, WhatsApp rolled out an option for users to enable end-to-end encryption for their backups. While this was welcomed as a positive step forward, it should be the default for all users – not offered as an option, says Dr Shaghaghi.
“Users concerned about the security and privacy of their data should make sure to enable end-to-end encryption backup for WhatsApp and other messaging platforms.”
What about Signal and Telegram?
Unlike WhatsApp and Signal, Telegram does not have end-to-end encryption enabled by default. Only when the “secure chat” function is activated does Telegram apply the MTProto protocol, an open-source protocol custom-developed by the messaging provider.
“As far as we know, Signal, Telegram and WhatsApp are secure to provide end-to-end encryption, if the option is enabled,” says Dr Shaghaghi.
“However, Signal is built with privacy and security as the primary motivation. The source code for Signal’s endpoints is also publicly available, allowing anyone to inspect the code and identify vulnerabilities.
“I think the consensus is that Signal is a more secure and privacy-friendly messaging solution compared to WhatsApp, Telegram or Facebook Messenger.”
With so many messaging platforms available in the market, Dr. Shaghaghi says there are a few simple steps to take to help protect a user’s privacy.
“Email platforms hold a lot of private information, so it’s worth making sure the platform we’re using has a good reputation for keeping its users safe and private,” he says.
“It’s also worth spending a few extra minutes to enable some of the more advanced security features offered by these platforms, such as end-to-end backup encryption or multi-factor authentication.
“And whatever platform you decide to use, it’s best to make sure we’re using the latest version of apps and avoid downloading apps from third-party stores.”
Moderation of content exchanged on end-to-end encrypted messaging platforms
Different government organizations have strongly demanded that these apps include backdoors that would provide access to data when authorities deemed it necessary.
Recent leaks from the US Federal Bureau of Investigation (FBI) have demonstrated that even with a subpoena, powerful government entities have limited access to messages exchanged through apps that use end-to-end encryption.
This argument is particularly worrying for many users, who fear that it is a first step towards weakening the strong encryption principles they rely on to keep their data secure and private.
There have been ongoing debates in Australia and overseas on this topic.
“From a security engineering perspective, setting up a backdoor is never a good idea,” says Dr. Shaghaghi.
“There is no guarantee that malicious hackers won’t discover these backdoors and exploit them.
“However, proponents of a solution allowing law enforcement access argue that they need access given the increasing use of these platforms by criminals.”
Some email providers and tech companies have responded by making changes to platform functionality.
“To meet regulatory requirements, WhatsApp now allows users to flag a message for review by their moderators. This must be initiated by a user and when a message is flagged, the few messages preceding it are also forwarded to WhatsApp moderators,” says Dr Shaghaghi.
“Apple has promoted encrypted messaging in its ecosystem and fought off law enforcement seeking records.
“In 2021, they announced child safety features that include detection of sexually explicit images on iMessage, another platform that uses end-to-end encryption. To implement this feature, Apple plans to implement detection on the device and not through an encryption backdoor.
“I think we can balance the need to moderate criminal content with security and privacy requirements by breaking down the problem into more specific use cases and developing innovative solutions.”