Whether they’re sharing sensitive information or swapping movie ideas with a friend, people are turning to private messaging apps that offer end-to-end encryption to protect the content of their conversations.
When data is transmitted over the Internet, it often travels through a series of networks to reach its destination. Apps such as WhatsApp, owned by social media giant Meta (formerly Facebook), provide such a level of privacy that even government agencies cannot access encrypted conversations.
However, since apps are constantly changing their security and privacy policies, are messages safe from decryption?
Cybersecurity expert Dr. Arash Shagagi of the UNSW School of Computer Science and Engineering and the UNSW Cybersecurity Institute compares encryption to a secret conversation between you and another person.
“To hide our information from prying eyes, we rely on cryptographic algorithms to encrypt our data. Encryption involves converting human-readable plaintext into an encoded format, and the data can only be read after it has been decrypted,” he says.
“Encryption involves using a key to lock a message, while decryption involves using a key to unlock a message.
“Theoretically, if an outsider saw an encrypted conversation, he would not be able to understand it, and in order to decrypt it, he would need the corresponding key.
“Interestingly, with some end-to-end encryption protocols like Signal, even if someone steals the encryption keys and connects to the connection, they won’t be able to decrypt messages already sent. In the language of cryptography, this is called forward secrecy.”
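The forward secrecy property described above can be shown with a simplified symmetric key ratchet. This is an added example, not code from Signal or from the article: the HMAC-based ratchet step, the toy XOR cipher, the class and function names, and the sample messages are all constructed for illustration.

```python
import hashlib
import hmac

def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Derive (next_chain_key, message_key); HMAC is one-way, so neither reveals chain_key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 keystream) standing in for a real AEAD."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

class Ratchet:
    """One side of a conversation; holds only the current chain key."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def process(self, data: bytes) -> bytes:
        # Advance the chain and overwrite the old key; the message key is used once.
        self.chain_key, message_key = ratchet_step(self.chain_key)
        return xor_cipher(message_key, data)  # XOR: same call encrypts and decrypts

def demo() -> dict:
    secret = hashlib.sha256(b"constructed shared secret").digest()  # constructed sample
    alice, bob = Ratchet(secret), Ratchet(secret)
    messages = [b"movie at 8?", b"bring the tickets", b"see you there"]  # constructed
    ciphertexts = [alice.process(m) for m in messages]
    received = [bob.process(c) for c in ciphertexts[:2]]

    # Bob's key state is copied after he has read two messages.
    key = bob.chain_key
    stolen = Ratchet(key)
    later = stolen.process(ciphertexts[2])  # keys move forward, so message 3 is readable

    # Every key reachable from the stolen state is tried against the earlier traffic.
    candidates = []
    for _ in range(1000):
        candidates.append(key)
        key, message_key = ratchet_step(key)
        candidates.append(message_key)
    past_recovered = any(xor_cipher(k, c) == m for k in candidates
                         for c, m in zip(ciphertexts[:2], messages[:2]))
    return {"received": received, "later": later, "past_recovered": past_recovered}
```

The copied state decrypts the message sent after the compromise but none of the earlier ones, because the keys that protected them were overwritten and cannot be re-derived. Signal's Double Ratchet additionally mixes in fresh Diffie-Hellman exchanges so that later messages become unreadable to the holder of a stolen state as well.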
Are our messages completely secure?
Modern encryption algorithms have been battle-tested and have no known vulnerabilities. This does not mean they cannot be broken, but doing so is computationally intensive and can take a significant amount of time. Quantum computers, if advanced enough, could break much of today’s encryption.
Attackers typically target endpoints and their vulnerabilities. This is much simpler than cryptanalysis, the process used to break cryptographic security systems.
For example, last year, attackers targeted a vulnerability related to WhatsApp’s image filter feature, which was triggered when a user opened an attachment containing a malicious image file. More serious and less complex vulnerabilities have been reported targeting WhatsApp clients running on iOS and Android.
Dr. Shagagi says that when you back up your messages on some messaging platforms, your messages are sent to the cloud. This means that all your messages are now stored on someone else’s computer.
“A service provider’s implementation of end-to-end encryption plays an important role in keeping the messaging application secure and private against the provider and attackers,” he says.
“WhatsApp used to back up messages in unencrypted format via iCloud for Apple users and Google Drive for those using WhatsApp on Android. Despite WhatsApp adopting an end-to-end encryption model in 2016, unencrypted backups were vulnerable to government requests, third-party hacking, and disclosure by Apple or Google employees.”
In 2021, WhatsApp made it possible for users to enable end-to-end encryption of their backups. While this was welcomed as a positive step forward, it should be standard for all users and not offered as an option, says Dr. Shagagi.
“Users concerned about the security and privacy of their data should make sure to enable end-to-end encryption backup for WhatsApp and other messaging platforms.”
What about Signal and Telegram?
Unlike WhatsApp and Signal, Telegram does not have end-to-end encryption enabled by default. Only when the “secure chat” feature is enabled does Telegram use the MTProto protocol, an open-source protocol developed specially by the messaging provider.
“As far as we know, Signal, Telegram, and WhatsApp provide end-to-end encryption when this option is enabled,” says Dr. Shagagi.
“However, Signal is built with privacy and security as its primary motivation. The source code of the Signal endpoint is also available to the public, allowing anyone to review the code and identify vulnerabilities.
“I believe everyone agrees that Signal is a safer and more secure messaging solution than WhatsApp, Telegram, or Facebook Messenger.”
Dr. Shagagi says there are so many messaging platforms on the market that a few simple steps need to be taken to protect user privacy.
“Messaging platforms contain a lot of personal information, so it’s worth making sure the platform we’re using has a good reputation for keeping its users safe and private,” he says.
“It’s also worth spending a few extra minutes to enable some of the more advanced security features these platforms offer, such as end-to-end backup encryption or multi-factor authentication.
“And whichever platform you choose, it’s best to make sure we’re on the latest version of apps and avoid downloading apps from third-party stores.”
Moderation of content exchanged through end-to-end encrypted messaging platforms
Various government organizations have urged that these applications include backdoors that would allow access to data when the authorities deem it necessary.
Recent leaks from the US Federal Bureau of Investigation (FBI) have shown that even with a subpoena, powerful government agencies have limited access to messages exchanged between applications that use end-to-end encryption.
This argument is of particular concern to many users, who fear it is the first step towards abandoning the strong encryption principles they rely on to keep their data secure and private.
There is an ongoing debate in Australia and abroad on this topic.
“From a security point of view, implementing a backdoor is never a good idea,” says Dr. Shagagi.
“There is no guarantee that malicious hackers will not also find out about these backdoors and take advantage of them.
“However, those who are in favor of a law enforcement access solution argue that they need access given the growing use of these platforms by criminals.”
Some messaging providers and technology companies have responded by making changes to the platform’s functionality.
“To comply with regulatory requirements, WhatsApp now allows users to flag messages for review by moderators. This has to be initiated by the user, and when a message is flagged, the few messages before it are also forwarded to the WhatsApp moderators,” says Dr. Shagagi.
“Apple has been promoting encrypted messages across its ecosystem and has been fighting law enforcement looking for records.
“In 2021, they announced child safety features that include sexual image detection through iMessage, another platform that uses end-to-end encryption. To implement this feature, Apple plans to implement discovery on the device rather than through an encryption backdoor.
“I think we can balance the need to moderate criminal content and the demands for security and privacy by breaking down the problem into more specific use cases and developing innovative solutions.”