WhatsApp is beginning to roll out a new feature that will provide its two billion users the option to encrypt their chat history backup in iCloud or Google Drive, patching a major loophole that has been exploited by governments to obtain and review private communication between individuals.
WhatsApp has long end-to-end encrypted chats between users on its app. But users have had no means to protect the backup of those chats stored in the cloud. (For iPhone users, the chat history is stored in iCloud, and Android users rely on Google Drive.)
It has been widely reported that law enforcement agencies across the globe have been able to access the private communications between suspect individuals on WhatsApp by exploiting this loophole.
WhatsApp, which processes over 100 billion messages a day, is closing that weak link, and tells TechCrunch that it’s providing this new feature to users in every market where the app is operational. The feature is optional, the company said. (It’s not uncommon for companies to withhold privacy features for legal and regulatory reasons. Apple’s new encrypted browsing feature isn’t available to users in certain authoritarian regimes, such as China, Belarus, Egypt, Kazakhstan, Saudi Arabia, Turkmenistan, Uganda and the Philippines.)
Mark Zuckerberg, founder and chief executive of Facebook, noted that WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups. “Proud of the team for continuing to lead on security for your private conversations,” he said in a post on his Facebook page.
WhatsApp began testing the feature with a small group of users last month. The company devised a system to enable WhatsApp users on Android and iOS to lock their chat backups with encryption keys. WhatsApp says it will offer users two ways to encrypt their cloud backups.
Users on WhatsApp will see an option to generate a 64-digit encryption key to protect their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that backs up their encryption key in a cloud-based “backup key vault” that WhatsApp has developed. The cloud-stored encryption key can’t be used without the user’s password, which isn’t known to WhatsApp.
“While end-to-end encrypted messages you send and receive are stored on your device, many people also want a way to back up their chats in case they lose their phone,” the company wrote in a blog post.
As we wrote last month, the move to introduce this additional layer of privacy is significant and one that can have far-reaching implications.
End-to-end encryption remains a thorny topic of discussion as governments across the globe continue to lobby for backdoors. Apple was pressured to not add encryption to iCloud Backups after the FBI complained, according to Reuters, and while Google has offered users the ability to encrypt their data stored in Google Drive, the company reportedly didn’t tell governments before it rolled out the feature.
India, WhatsApp’s biggest market by users, has introduced a new law that requires the company to devise a way to make “traceability” of questionable messages possible. WhatsApp has sued the Indian government over this new mandate, and said such a requirement effectively mandates “a new form of mass surveillance.”
The UK government — which isn’t exactly a fan of encryption — recently asked messaging apps to not use end-to-end encryption for kids’ accounts. Elsewhere in the world, Australia passed controversial laws three years ago that are designed to force tech companies to provide police and security agencies access to encrypted chats.
WhatsApp declined to discuss whether it had consulted about the new feature with lawmakers or government agencies.
Privacy-focused organizations including Electronic Frontier Foundation have lauded WhatsApp’s move.
“This privacy win from Facebook-owned WhatsApp is striking in its contrast to Apple, which has been under fire recently for its plans for on-device scanning of photos that minors send on Messages, as well as of every photo that any Apple user uploads to iCloud. While Apple has paused to consider more feedback on its plans, there’s still no sign that they will include fixing one of its longstanding privacy pitfalls: no effective encryption across iCloud backups,” the organization wrote.
“WhatsApp is raising the bar, and Apple and others should follow suit.”