How WhatsApp encryption works – and why there shouldn’t be a backdoor

This system guarantees that there is no single key that will give access to all the data sent between Alice and Bob in the past or future. In other words, even if a key is compromised, it will only unlock a few messages before it becomes useless.

However, WhatsApp’s previous system meant that the company was able to access the keys and so in theory could easily unlock the messages, breaching Alice’s privacy. Last year, the company introduced what’s called “end-to-end encryption,” which seems to have solved this problem. Alice and Bob now use keys that WhatsApp doesn’t keep specific details of, meaning only Alice and Bob can unlock their messages.

What government wants
The way WhatsApp now works makes it impossible for a third party to unlock the messages that Alice and Bob exchange. The only way a third party, such as the police or intelligence services, can access users’ messages is if WhatsApp removes the end-to-end encryption and switches back to the old version of the software, or if a backdoor is installed.

A backdoor can be seen as software built into the app that allows you to circumvent or undermine security protections and surreptitiously access systems and data. In WhatsApp’s case, this would be software that gives access to all keys that users are generating. Governments argue that such a mechanism would be only activated if there was a warrant to access the messages of a suspicious user. Upon activation of the backdoor, WhatsApp would recover the keys that were generated by the corresponding users in order to decrypt their messages. This would allow WhatsApp to reveal all the information sent by a particular user.

But backdoors also create a vulnerability in the software or system that intruders can use to gain access to a system or users’ private data. As a result, if WhatsApp adds a backdoor to the software then it would no longer be a secure way to communicate and so it would lose a key part of its appeal. It’s also likely that installing such a mechanism would mean that intelligence agencies would be knocking on WhatApp’s door every day asking them to reveal someone’s messages.

Ultimately, if someone thinks that removing WhatsApp encryption would be the solution, then they don’t understand the actual problem. Even if you were to remove the end-to-end encryption from WhatsApp, criminals could create their own, similar, software that would allow them to communicate securely, while ordinary users would lose the ability to send genuinely private messages.

Antonis Michalas is Lecturer in Cyber Security, University of Westminster. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).