Lawful tools make end-to-end encryption an irony

End-to-end encryption is the feature users are most interested in when they download a messaging app. However, some government entities have been trying to ban it. On the other hand, authorities have passed legislation to read citizens’ messages legally.

On November 29, 2016, the United Kingdom passed the Investigatory Powers Act (known as the Snooper’s Charter). The law introduces a new power that can compel internet and mobile providers to store details of your online activity for 12 months. This online activity is accessible to the government. “Under this law, police can plant malware on someone’s device that will either capture the message just before it has been encrypted on the user’s phone, or before it reaches the recipient’s device and gets encrypted there,” said Mark Ryan, professor of Computer Security, Birmingham University.

If you are living in Australia, the government could read your messages. Back in 2018, the Australian Government passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, which allows Australian spy agencies (ASIO, ASIS, and ASD) to request that applications reveal a specific encrypted message. This legislation gives companies a spying power under which they would be required to build a new function that will help the police access data.

“I actually deleted WhatsApp from my phone a few months ago,” said James Curran, Associate Professor in the School of IT at the University of Sydney and Academic Director of the Australian Computing Academy. WhatsApp has issued new software, but unfortunately there were some security problems that allowed hackers to install the spyware Pegasus, according to The Australian. Once the spyware is installed on a smartphone, the hackers will have full access to WhatsApp’s end-to-end encryption. In addition, if you are getting many spam calls per day, that means you are at risk. With every call, an infection occurs. “That WhatsApp call, even if it’s missed, is enough for that compromise to occur,” said Professor Curran to The Australian.

Imagine that every message you send over WhatsApp is kept on record with your phone number. That’s what India was planning to do. Indian authorities were asking tech companies to screen user posts and messages to make sure that they are not publishing something ‘unlawful’. On December 24, 2018, India published a draft of the “Information technology” rule. Under Article 5 of this rule, messaging app companies “shall when required by lawful order, within 72 hours of communication, provide information or assistance as asked by any government agency or assistance concerning security of the State or cyber security, or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto”. These new rules apply to all the messaging apps in India, including WhatsApp, which is against the change. In fact, “This would require us to re-architect WhatsApp leading us to a different product; one that would not be fundamentally private,” said a spokesperson from WhatsApp in a statement on Record. “WhatsApp does not have the ability to read these private messages and we do not retain them once they are delivered,” said Chris Daniels, Vice-President of WhatsApp, to the Economic Times. In June 2019, the Indian government asked WhatsApp to digitally fingerprint every message sent on its messaging platform, according to The Economic Times report. In fact, the Indian government wants to track the origins of a message – those who have read and forwarded the message.

On the other hand, on May 8, 2019, Singapore also passed the Protection from Online Falsehoods and Manipulation Bill, an anti-fake news law that allows the government to police the messaging apps and private chat groups.

On October 4, 2019, the American, British and Australian governments sent an open letter to Facebook CEO Mark Zuckerberg regarding Facebook’s “Privacy First” proposals. The letter calls on Zuckerberg not to proceed with his plans to implement end-to-end encryption across its messaging services. In fact, Zuckerberg is the owner of three widely used applications: Facebook, Facebook Messenger, WhatsApp and Instagram. In April 2019, Ferdinand Grapperhaus, Dutch Minister for Justice and Security, expressed the belief that tech companies should be able to provide a key if the examining magistrate asks for it. “The EU needs to look into legislation allowing governments to access encrypted data,” Grapperhaus told Politico. However, in February 2020, the European Commission asked all employees to switch from WhatsApp to Signal over security concerns.

“Your messages are yours, and we can’t read them. When they are end-to-end encrypted, we and third parties can’t read them,” states WhatsApp. However, on August 25, 2016, WhatsApp’s terms and privacy policy were updated. WhatsApp published a notice in a blog post to release the end-to-end encryption feature. “Even as we coordinate more with Facebook in the months ahead, your encrypted messages stay private and no one else can read them. Not WhatsApp, not Facebook, nor anyone else,” states the notice. “By connecting your phone number with Facebook’s systems, Facebook can offer better friend suggestions and show you more relevant ads,” states the notice.

In fact, the end-to-end encryption feature is an irony. End-to-end encryption means that only you and the one who receives your message have a decryption key. However, these platforms may give access to messages for law enforcement reasons. According to WhatsApp, “We may collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary to…” However, in the same policy they stated, “Once your messages (including your chats, photos, videos, voice messages, files, and share location information) are delivered, they are deleted from our servers. Your messages are stored on your own device”. If the messages are deleted from WhatsApp’s servers once they reach their destinations, how is the company able to share these conversations later on, in compliance with law-enforcement measures?

While these apps have end-to-end encryption features, they all collect metadata, which is your electronic fingerprint. Metadata includes whom you are talking to and for how long, the device you use, and your IP address. An easy way to block the collection of this kind of personal information is setting up a VPN app on your mobile device.

Backups are the worst thing you can do with your messaging apps. This tool is not end-to-end encrypted, and it gives third parties, like Google, access to your messages.