WhatsApp Adds Additional Layer of Security With End-to-End Encryption for Chat Backups
A feature that WhatsApp began testing in early July is set to roll out to all users “in the coming weeks,” according to a company spokesperson. Chat backups will now be protected with encryption, as the service’s messages have since 2016.
The feature will likely debut with the next app update, but there is no timetable for that as of yet. When it rolls out, users will be able to opt in to creating a 64-bit encryption key for protecting chat backups that can either be stored manually or accessed server-side with a password.
WhatsApp encryption slated to cover chat backups with next app update
WhatsApp became popular as a top privacy-focused messaging app due to its strong encryption, and end-to-end encryption has been applied by default to all messages since 2016. This is not currently the case with chat backups, however, which are stored in Google Drive or iCloud (depending on the device) without an encryption option.
The forthcoming update will change that, but will require users to opt in. The app will present users with a choice of how to handle the 64-bit encryption key that will be generated to protect chat backups: it can either be stored locally, or stored in the cloud and protected with a separate password (different from the one used to log in to the app). Chat backups will be encrypted locally on the device before being sent on to iCloud or Google Drive for storage, which means that a subpoena served to Apple or Google will not be of much use for those files.
WhatsApp and Google Drive/iCloud will not be able to view or access chat backups once encryption is enabled, but users who opt to store their key locally will need to be careful not to lose it. If the encryption key is lost, access to the chat backups is also permanently lost. If users opt for password protection instead, there is more flexibility but also the small risk of a breach exposing login credentials at some point. Still, the password situation would be a significant improvement over the complete lack of encryption in this area at present.
WhatsApp also recently announced that it will support syncing multiple devices (up to four) through a phone, which would allow continued use of the service on those devices if the phone app is not available for some reason. Encryption will not be available for chat backups on these synced devices; any chat sessions off of the smartphone app will apparently remain unencrypted if they are backed up.
Encryption loophole shut off for law enforcement
The move threatens to shut off one of law enforcement’s favorite sources of encryption workarounds. WhatsApp automatically backs up chats to the local device every day, and less sophisticated users who download it often follow prompts that set up regular Google Drive or iCloud backups. These users may not be aware that unencrypted backups of messages are regularly made; one needs to go into the “Settings” menu in WhatsApp to turn off the backups to cloud services or reduce their frequency once they are enabled.
The move will also likely give WhatsApp an edge in market appeal with the convenience-focused casual user who does not necessarily care about law enforcement access to messages. The app’s chief rivals in the privacy and security space, Telegram and Signal, do not automatically back up chats. Encrypted chat backups can be enabled in Signal, but require a 30-character passphrase to restore.
Global rollout of end-to-end encryption for chat backups
Another interesting feature of this update is that WhatsApp says it is rolling it out globally, even in markets where local laws either forbid end-to-end encryption or require that the government have backdoor access to it. WhatsApp was banned in China for this reason in 2017, with the CCP demanding that Facebook provide backdoor access and the power to moderate messages. The messaging app nevertheless has about two million users in the country, who continue to access it (and Facebook) via VPN.
WhatsApp is banned in several other countries for similar reasons, including the United Arab Emirates and Qatar. Some countries, such as Iran, have had temporary bans on WhatsApp in the past that might be reinstated once easy access to stored messages is gone. Iran quickly banned the privacy-focused Signal when WhatsApp users began migrating to it en masse after WhatsApp changed its privacy policy (to expand data sharing with Facebook) earlier this year.
Though WhatsApp’s end-to-end encryption is strong and widely praised as a means of privacy protection when messaging, this story highlights that there are some limitations to it and some of these remain unaddressed. WhatsApp allows message recipients to flag encrypted messages after they are decrypted, which allows the company’s moderators to review them for potential violations of platform rules. There are also widespread rumors that Facebook is looking to develop AI that can infer something of the content of encrypted messages so that relevant advertisements can be served alongside them.