Whether as grave as originally reported or not, security flaws in even the most popular apps should remind us all to be concerned about our privacy.
Thanks to “misinterpretations, mistakes, and misunderstandings at several stages of the reporting and editing process,” The Guardian published a story that greatly overstated the potential impact of a security flaw in the popular WhatsApp messaging application — and after half a year of investigating, the British news organization has finally published an admission of its errors.
Security concerns were already on the radar in December 2016, when the social media giant was accused of misleading European regulators in advance of its $22 billion acquisition of the messaging app, while WhatsApp users were irked to find that their information was being shared with Facebook. That relationship grew more complicated after a report from the Guardian in early January, which described the discovery in WhatsApp of “a security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages.” But was that report accurate? A group of security researchers penned an open letter a week later asking the Guardian to withdraw its story, calling it “the equivalent of putting ‘VACCINES KILL PEOPLE’ in a clamoring headline over a poorly contextualized piece.”
The gist of the debate: WhatsApp told users last April that it had implemented end-to-end encryption for all messages sent through its platform, but the Guardian’s report suggested that the app neglected to mention a caveat: Facebook can intercept your messages. And if Facebook can do it, then so too can a government agency.
On Wednesday, six months after the controversial Guardian report, the news organization admitted errors in its reporting, acknowledging that it was wrong to make such claims.
“The Guardian ought to have responded more effectively to the strong criticism the article generated from well-credentialed experts in the arcane field of developing and adapting end-to-end encryption for a large-scale messaging service,” wrote Paul Chadwick, the Guardian’s fourth readers’ editor (a quirky British title for a reader advocate).
The purported backdoor was brought to light by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” he told the Guardian at the time.
The so-called backdoor, the Guardian had explained, had to do with WhatsApp’s encryption, which relies on a set of unique security keys generated using the Signal protocol. These keys are exchanged and verified between users to ensure that their messages are protected.
However, WhatsApp apparently could generate new encryption keys for an offline recipient without the prior knowledge of either the sender or the receiver, and then have the sender’s app re-encrypt undelivered messages with the new keys and resend them. This process would essentially let WhatsApp intercept and read those messages.
Boelter’s findings were further verified by Steffen Tor Jensen, head of information security and digital countersurveillance at the European-Bahraini Organisation for Human Rights. He noted at the time that “WhatsApp can effectively continue flipping the security keys when devices are offline and resending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”
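The key-change behaviour described above (a new key presented for an offline recipient, followed by automatic re-encryption and resend) and Jensen’s point about users being told only after the fact come down to a single sender-side decision: what a client does when the key it holds for a contact no longer matches the key the server presents. The following Python sketch is an added illustration, not WhatsApp’s or Signal’s code and not from the article. The contacts, keys and messages are constructed, the “cipher” is a stand-in keystream built from the standard library so the block runs offline, and the three policy names (`silent`, `notify_after`, `block`) are hypothetical labels for the behaviours discussed, not real WhatsApp settings.

```python
"""Toy model of identity-key change handling in a Signal-style messaging client.

Constructed example: keys, contacts and messages are made up, and toy_encrypt is a
stand-in for real session encryption. Not WhatsApp's or Signal's code.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed identity keys: the one Bob really holds, and a substitute that only
# the party controlling the server knows.
BOB_REAL_KEY = b"bob-real-identity-key"
BOB_SWAPPED_KEY = b"key-only-the-server-knows"


def fingerprint(identity_key: bytes) -> str:
    """Short hex fingerprint of a public identity key (what users compare out of band)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


def toy_encrypt(identity_key: bytes, data: bytes) -> bytes:
    """Stand-in for session encryption: XOR with an HMAC-derived keystream.
    Anyone who knows identity_key can decrypt; that is the property being modelled."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(identity_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR keystream is symmetric


@dataclass
class Outcome:
    sent: bool
    key_changed: bool
    notified_before_send: bool
    ciphertext: Optional[bytes] = None


class Client:
    """Sender-side client with a trust-on-first-use (TOFU) identity-key store."""

    def __init__(self, policy: str):
        if policy not in ("silent", "notify_after", "block"):
            raise ValueError("hypothetical policy must be silent, notify_after or block")
        self.policy = policy
        self.known_keys: Dict[str, bytes] = {}
        self.notifications: List[str] = []

    def send(self, contact: str, server_key: bytes, msg: bytes) -> Outcome:
        stored = self.known_keys.get(contact)
        if stored is None:
            # First contact: pin whatever key the server presents (TOFU).
            self.known_keys[contact] = server_key
            return Outcome(True, False, False, toy_encrypt(server_key, msg))
        if stored == server_key:
            return Outcome(True, False, False, toy_encrypt(server_key, msg))

        # Pinned key and server-presented key differ.
        note = f"{contact}: identity key changed to {fingerprint(server_key)}"
        if self.policy == "block":
            # Hold the message until the user verifies the new fingerprint.
            self.notifications.append(note + "; verify before resending")
            return Outcome(False, True, True)

        # 'silent' and 'notify_after' both re-encrypt to the new key and send now.
        self.known_keys[contact] = server_key
        ct = toy_encrypt(server_key, msg)
        if self.policy == "notify_after":
            self.notifications.append(note + " (message already resent)")
        return Outcome(True, True, False, ct)


def run_scenario(policy: str) -> Outcome:
    """Alice pins Bob's real key, then the server presents a different key for Bob."""
    alice = Client(policy)
    alice.send("bob", BOB_REAL_KEY, b"first hello")
    return alice.send("bob", BOB_SWAPPED_KEY, b"sensitive follow-up")


if __name__ == "__main__":
    for policy in ("silent", "notify_after", "block"):
        out = run_scenario(policy)
        readable = out.ciphertext is not None and \
            toy_decrypt(BOB_SWAPPED_KEY, out.ciphertext) == b"sensitive follow-up"
        print(f"{policy:13} sent={out.sent} notified_first={out.notified_before_send} "
              f"readable_with_swapped_key={readable}")
```

The run shows why the blocking policy is the one that actually protects the sender: under `silent` and `notify_after` the follow-up has already been re-encrypted to a key the server chose before the user sees anything, so whoever holds that key reads it; under `block` nothing leaves the device until the changed fingerprint is checked. Real clients expose this choice as a safety-number or key-change notification setting.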