Messaging giant WhatsApp has finally completed rolling-out end-to-end encryption to all of its customers, in a move which will be welcomed by users but not law enforcement and intelligence services.
The Facebook subsidiary revealed in a blog post that encryption would be on by default for users on the latest version of the platform, which passed over one billion global active users earlier this year.
“From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats,” explained co-founders Brian Acton and Jan Koum.
“The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cyber-criminals. Not hackers. Not oppressive regimes. Not even us.”
There was even time for Koum to get a quick shot in at the US authorities – who have placed themselves firmly against strong encryption (without backdoors) in the recent FBI vs Apple saga and public statements from senior officials.
“I grew up in the USSR during communist rule and the fact that people couldn't speak freely is one of the reasons my family moved to the United States,” he said.
The move comes as increasing pressure is being placed on Silicon Valley companies around the world to allow investigators access to such platforms and hardware.
Facebook’s most senior representative in Brazil was arrested by police recently after WhatsApp failed to comply with an access request forcing it to reveal messages related to a suspected drug-trafficking ring.
The firm claimed it could not provide the content of messages as it had already switched on end-to-end encryption in the country.
In the US, the Justice Department is said to be mulling how to proceed in a criminal investigation in which a federal judge has approved a wiretap request but law enforcers have been confounded by WhatsApp’s encryption technology.
There are suggestions it could mount a legal challenge, as the FBI did in the case of the San Bernardino shooter versus Apple.
F-Secure security adviser, Sean Sullivan, told Infosecurity that WhatsApp’s implementation of end-to-end encryption is likely more secure than Apple’s iMessage, which last month was exposed by John Hopkins researchers.
“As I understand it, because Apple controls both the platform and the app, it could in theory circumvent iMessage security by adding a ‘phantom’ device to your set of iOS devices,” he added.
WhatsApp’s move to encrypt all of its services for customers was broadly welcomed by Tony Pepper, CEO of encryption firm Egress.
“The fact that end–to-end encryption is now being offered in popular apps means that employees will expect, and even push to have, the same level of information security from the data sharing tools they use for work, such as email and online collaboration,” he said. “This could help to create a safer data sharing environment for everyone.”
However, Pepper voiced concerns that it could hamper IT’s attempts to manage the flow of sensitive information in and out of the organization.
“Encryption alone is only part of the battle – being able to audit, track and control the lifecycle of data as it is shared is equally important,” he argued.
“Organizations therefore need to make sure the tools they give to employees are usable as well as secure to avoid them defaulting to personal devices, while also retaining control to ensure sensitive information doesn’t find its way to public platforms or unintended third parties.”