WhatsApp will finally let users encrypt their chat backups in the cloud

WhatsApp said on Friday it will give its two billion users the option to encrypt their chat backups to the cloud, taking a significant step to put a lid on one of the tricky ways private communication between individuals on the app can be compromised.

The Facebook-owned service has end-to-end encrypted chats between users for more than a decade. But users have had no option but to store their chat backup to their cloud — iCloud on iPhones and Google Drive on Android — in an unencrypted format.

Tapping these unencrypted WhatsApp chat backups on Google and Apple servers is one of the widely known ways law enforcement agencies across the globe have for years been able to access WhatsApp chats of suspect individuals.

Now WhatsApp says it is patching this weak link in the system.

“WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems,” said Facebook’s chief executive Mark Zuckerberg in a post announcing the new feature.

Store your own encryption keys

The company said it has devised a system to enable WhatsApp users on Android and iOS to lock their chat backups with encryption keys. WhatsApp says it will offer users two ways to encrypt their cloud backups, and the feature is optional.

In the “coming weeks,” users on WhatsApp will see an option to generate a 64-digit encryption key to lock their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that backs up their encryption key in a cloud-based “backup key vault” that WhatsApp has developed. The cloud-stored encryption key can’t be used without the user’s password, which isn’t known by WhatsApp.


“We know that some will prefer the 64-digit encryption key whereas others want something they can easily remember, so we will be including both options. Once a user sets their backup password, it is not known to us. They can reset it on their original device if they forget it,” WhatsApp said.

“For the 64-digit key, we will notify users multiple times when they sign up for end-to-end encrypted backups that if they lose their 64-digit key, we will not be able to restore their backup and that they should write it down. Before the setup is complete, we’ll ask users to affirm that they’ve saved their password or 64-digit encryption key.”

A WhatsApp spokesperson told TechCrunch that once an encrypted backup is created, previous copies of the backup will be deleted. “This will happen automatically and there is no action that a user will need to take,” the spokesperson added.

Potential regulatory pushback?

The move to introduce this added layer of privacy is significant and one that could have far-reaching implications.

End-to-end encryption remains a thorny topic of discussion as governments continue to lobby for backdoors. Apple was reportedly pressured to not add encryption to iCloud Backups after the FBI complained, and while Google has offered users the ability to encrypt their data stored in Google Drive, the company allegedly didn’t tell governments before it rolled out the feature.

When asked by TechCrunch whether WhatsApp, or its parent firm Facebook, had consulted with government bodies — or if it had received their support — during the development process of this feature, the company declined to discuss any such conversations.

“People’s messages are deeply personal and as we live more of our lives online, we believe companies should enhance the security they provide their users. By releasing this feature, we are providing our users with the option to add this additional layer of security for their backups if they’d like to, and we’re excited to give our users a meaningful advancement in the safety of their personal messages,” the company told TechCrunch.

WhatsApp also confirmed that it will be rolling out this optional feature in every market where its app is operational. It’s not uncommon for companies to withhold privacy features for legal and regulatory reasons. Apple’s upcoming encrypted browsing feature, for instance, won’t be made available to users in certain authoritarian regimes, such as China, Belarus, Egypt, Kazakhstan, Saudi Arabia, Turkmenistan, Uganda, and the Philippines.

At any rate, Friday’s announcement comes days after ProPublica reported that private end-to-end encrypted conversations between two users can be read by human contractors when messages are reported by users.

“Making backups fully encrypted is really hard and it’s particularly hard to make it reliable and simple enough for people to use. No other messaging service at this scale has done this and provided this level of security for people’s messages,” Uzma Barlaskar, product lead for privacy at WhatsApp, told TechCrunch.

“We’ve been working on this problem for many years, and to build this, we had to develop an entirely new framework for key storage and cloud storage that can be used across the world’s largest operating systems and that took time.”

MobileCoin closes on $66 million in equity in Series B round

MobileCoin, a cryptocurrency business that counts founder Moxie Marlinspike of the encrypting messaging app Signal as its earliest technical advisor, has raised $66 million in Series B funding from a long list of investors, including Alameda Research, Berggruen Holdings, BlockTower Capital, Coinbase Ventures, Marc Benioff’s TIME Ventures, Vy Capital, and earlier backers General Catalyst and Future Ventures.

The all-equity round brings the four-year-old, San Francisco-based company’s total funding to $107 million altogether, including a $30 million round led by Binance Labs back in 2018. According to founder and CEO Joshua Goldbard, the newest round values the outfit at $1.066 billion.

As we reported earlier this year, MobileCoin is focused on enabling privacy-protecting payments made through “near instantaneous transactions” over one’s phone. Indeed, a month after we published that piece, Signal rolled out support for MobileCoin as a payment feature that its users (only in the UK for now) can use to pay for a service or product while enjoying greater privacy than might be possible otherwise.

Marlinspike told Wired back in April that because MobileCoin is a so-called privacy coin designed to protect users’ identities and the details of their payments on a blockchain, it’s an ideal fit for Signal. “There’s a palpable difference in the feeling of what it’s like to communicate over Signal, knowing you’re not being watched or listened to, versus other communication platforms. I would like to get to a world where not only can you feel that when you talk to your therapist over Signal, but also when you pay your therapist for the session over Signal.”

According to Goldbard, MobileCoin is also being used to transact by users of Mixin Messenger, a China-based open-source private messenger based on the Signal Protocol that enables individuals to send cryptocurrencies to their phone contacts.

MobileCoin’s actual digital coins have fluctuated wildly in value since they began trading in December of last year on the cryptocurrency exchange FTX, run by entrepreneur Sam Bankman-Fried, who also founded the quantitative crypto trading firm Alameda Research (which just invested in MobileCoin).

It is also available to buy and sell on the non-U.S. crypto trading platforms Bitfinex, BigOne, and HotBit. Goldbard says there’s no reason that U.S. exchanges couldn’t also list the coin for trade, though that’s not the case currently.

“It’s entirely up to [them] when they list assets, and no one knows ahead of time when your asset will be listed,” Goldbard offers, dismissing questions about U.S. regulators who’ve cracked down on similar efforts and pointing instead to MobileCoin’s relative newness as its biggest challenge right now. “Most coins take a long time to list, to be honest.”

As for whether Goldbard or his early team members have sold some of the company’s coins — they spiked in price this past spring — he says that “management has not sold any coins.” Asked whether the same is true of Marlinspike, Goldbard says that he “can’t speak for Moxie.” (Marlinspike told Wired in April that neither he nor Signal owned any MobileCoins at the time. We’ve since asked the company whether Marlinspike has ever owned any MobileCoins and also whether he owns or previously owned shares in MobileCoin as an early advisor to the company and have yet to hear back.)

Even assuming that MobileCoin is more secure than other options, it is still not foolproof. Among the risks involved in storing cryptocurrency on a phone are losing it if the phone is left unlocked, if the phone’s radio is hacked, or if, say, iOS itself is hacked.

It does offer another advantage, though, argues Goldbard. He says MobileCoin is more environmentally friendly than cryptocurrencies like Bitcoin that rely on ‘proof of work,’ where individuals on a network compete with computing power to solve cryptographic puzzles and consume large amounts of electricity along the way.

MobileCoin instead relies on a mechanism called a “federated byzantine agreement,” wherein different validators — people who agree to store data, process transactions, and add new blocks to the blockchain to earn more cryptocurrency — decide which other validators they trust, and when enough circles of trusted validators overlap, consensus is reached. The algorithm requires fewer people and less energy while remaining decentralized, says Goldbard.
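The overlap condition just described, as an added example that is not MobileCoin's code: each validator declares quorum slices (the circles of validators it trusts, itself included), a set is a quorum when every member has one of its own slices inside it, and agreement is only safe when every pair of quorums shares at least one validator; two disjoint quorums could each "agree" on conflicting histories. Validator names and the brute-force enumeration are this example's own.

```go
package main

import (
	"math/bits"
	"sort"
)

// Set is a set of validator names.
type Set map[string]bool

// Slice builds a quorum slice from validator names.
func Slice(vs ...string) Set {
	s := Set{}
	for _, v := range vs {
		s[v] = true
	}
	return s
}

// Threshold declares slices for self that contain self plus every k-subset of others,
// i.e. "self trusts any k of these validators".
func Threshold(self string, others []string, k int) []Set {
	var slices []Set
	for mask := 0; mask < 1<<len(others); mask++ {
		if bits.OnesCount(uint(mask)) != k {
			continue
		}
		s := Set{self: true}
		for i, v := range others {
			if mask&(1<<i) != 0 {
				s[v] = true
			}
		}
		slices = append(slices, s)
	}
	return slices
}

// contains reports whether every member of sub is in s.
func (s Set) contains(sub Set) bool {
	for v := range sub {
		if !s[v] {
			return false
		}
	}
	return true
}

// Overlap reports whether a and b share at least one validator.
func Overlap(a, b Set) bool {
	for v := range a {
		if b[v] {
			return true
		}
	}
	return false
}

// Network maps each validator to the quorum slices it declared.
type Network map[string][]Set

// IsQuorum reports whether q is non-empty and every member of q has at least one of its
// own slices entirely inside q, so that q can convince all of its own members.
func (n Network) IsQuorum(q Set) bool {
	if len(q) == 0 {
		return false
	}
	for v := range q {
		satisfied := false
		for _, slice := range n[v] {
			if q.contains(slice) {
				satisfied = true
				break
			}
		}
		if !satisfied {
			return false
		}
	}
	return true
}

// Quorums enumerates every quorum by brute force over the 2^n subsets; fine for the
// handful of validators used to illustrate the idea, not for a real network.
func (n Network) Quorums() []Set {
	names := make([]string, 0, len(n))
	for v := range n {
		names = append(names, v)
	}
	sort.Strings(names)
	var out []Set
	for mask := 1; mask < 1<<len(names); mask++ {
		q := Set{}
		for i, v := range names {
			if mask&(1<<i) != 0 {
				q[v] = true
			}
		}
		if n.IsQuorum(q) {
			out = append(out, q)
		}
	}
	return out
}

// DisjointQuorums returns a pair of quorums with no validator in common, or nil, nil when
// every pair overlaps (the quorum-intersection property consensus safety depends on).
func (n Network) DisjointQuorums() (Set, Set) {
	qs := n.Quorums()
	for i := range qs {
		for j := i + 1; j < len(qs); j++ {
			if !Overlap(qs[i], qs[j]) {
				return qs[i], qs[j]
			}
		}
	}
	return nil, nil
}
```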

MobileCoin currently has 40 employees and is “hiring as fast as possible,” says Goldbard. Tragically, the company’s head of engineering, Toby Segaran, who was previously an engineer with both Google and Reddit, passed away unexpectedly last week. Meanwhile, MobileCoin brought aboard its first head of compliance, David Ackerman, last month.

Signal now lets you choose disappearing messages by default for new chats

The encrypted chat app Signal is adding a few new options for users looking to lock down their messages. The app will now allow anyone to turn on a default timer for disappearing messages, automatically applying the settings to any newly initiated conversations.

Signal’s disappearing messages option deletes chats for both the sender and receiver after a set amount of time passes. Previously, you had to toggle the option on and select an interval for each individual conversation, which made it easy to overlook the extra privacy feature if you had a lot of chats going at once.

Signal is also adding more options for how long disappearing messages stick around before evaporating. The app’s users can now select an interval as long as four weeks and as short as 30 seconds. You can even lower that to a single second in the app’s custom time options.

On any chat app, it’s important to remember that disappearing messages vanish from the user interface but that doesn’t mean they’re gone for good. Anything you share online can live on indefinitely via screenshots or through someone taking a photo of an app’s screen with another device.

Signal wants its users to keep this in mind, noting that the disappearing message options are best for saving storage space and keeping conversation history to a minimum, just in case. “This is not for situations where your contact is your adversary,” the company wrote in a blog post.

The app remains one of the most popular end-to-end encrypted messaging options to date and earlier this year even managed to absorb some WhatsApp users who grew skittish over data sharing policy changes at Facebook.

The privacy-minded messaging app is very well regarded for its strong feature set and the company’s independence, though Signal remains relatively small compared to Facebook’s own end-to-end encrypted WhatsApp, which the company acquired in 2014. As of December 2020, Signal boasted around 20 million monthly active users, while WhatsApp hit 2 billion users early last year.

Twitter now in compliance with India’s new IT rules, government says

Twitter is now complying with India’s new IT rules, New Delhi told a court Tuesday, in a move that is expected to ease months-long tension between the American social media network and the government of the key overseas market.

A lawyer representing the Indian government told the Delhi High Court that Twitter’s recent steps — appointment of chief compliance officer, nodal contact person and resident grievance officer in the country — have made the social network “prima facie” compliant with the new law.

A Twitter spokesperson in India didn’t immediately return a text.

India’s new IT rules, which were unveiled in February this year, mandate that significant social media firms, among other things, appoint officials to address on-ground concerns in the country.

Facebook and Google complied with this requirement in May, when the proposed rules went into effect in the South Asian market.

Twitter, which was facing heat from the Indian government for not blocking some tweets that the Indian government had deemed objectionable, had requested an additional few months to comply with the new rules and in the meantime filled the required roles with temporary staff.

Tension has been brewing between the two for several months. Twitter labeled a tweet from Sambit Patra, the spokesperson of India’s ruling party BJP, in May as “manipulated media.” Days later, a special squad of Delhi police that investigates terrorism and other crimes made a surprise visit to two of Twitter’s offices in the country to seek information about Twitter’s rationale to term Patra’s tweets as manipulated.

Twitter at the time said it was “concerned by recent events regarding our employees in India and the potential threat to freedom of expression for the people we serve.”

The firm’s slow efforts to comply with the new IT rules had cost it liability protection in the country last month, the Indian government said earlier. Separately, it warned Twitter that the firm was in “total noncompliance” with the law.

Internet services enjoy what is broadly referred to as “safe harbor” protection, which says that tech platforms won’t be held liable for the things their users post or share online.

Twitter also received public criticism from several top Indian ministers.

“All social media platforms are welcome to do business in India. They can criticize Ravi Shankar Prasad, my Prime Minister or anyone. The issue is of misuse of social media. Some of them say we are bound by American laws. You operate in India, make good money, but you will take the position that you’ll be governed by American laws. This is plainly not acceptable,” Prasad, who was the IT minister of India until resigning from the position last month, said at a virtual conference early July.

The new rules also require significant social media firms operating encrypted messaging services to devise a way to trace the originator of messages in special cases. Several firms, including Facebook’s WhatsApp and Signal, have not complied with this requirement. WhatsApp has sued the Indian government over it.

This is a developing story. More to follow…

A Silicon Valley VC firm with $1.8B in assets was hit by ransomware

Advanced Technology Ventures, a Silicon Valley venture capital firm with more than $1.8 billion in assets under its management, was hit by a ransomware attack in July that saw cybercriminals steal personal information on the company’s private investors, or limited partners (LPs).

In a letter to the Maine attorney general’s office, ATV said it became aware of the attack on July 9 after its servers storing financial information had been encrypted by ransomware. By July 26, ATV learned that data had been stolen from the servers before the files were encrypted, a common “double extortion” tactic used by ransomware groups, which then threaten to publish the files online if the ransom to decrypt the files is not paid.

The letter said ATV believes the names, email addresses, phone numbers and Social Security numbers of the individual investors in ATV’s funds were stolen in the attack. Some 300 individuals were affected by the incident, including one person in Maine, according to a listing on the Maine attorney general’s data breach notification portal.

Venture capital firms often do not disclose all of their LPs — the investors who have thrown millions into an investment vehicle — to the public. A number of pre-approved names may be included in an announcement, but overall, a company’s private investors try to stay that way: private. The reasons vary, but it comes down to secrecy and a degree of competitive advantage: The firm may not want competitors to know who is backing them, and an investor may not want others to know where their money is going. This particular attack likely stole key information on a hush-hush part of how venture money works.

ATV said it notified the FBI about the attack. A spokesperson for the FBI did not immediately comment when reached by TechCrunch. ATV’s managing director Mike Carusi did not respond to questions sent by TechCrunch on Monday.

The venture capital firm, based in Menlo Park, California with offices in Boston, was founded in 1979 and invests largely in technology, communications, software and services, and healthcare technology. The company was an early investor in many of the startups from the last decade, like software library Fandango, Host Analytics (now Planful) and Apptegic (now Evergage). Its more recent investments include Tripwire, which was later sold to cybersecurity company Belden for $710 million; Cedexis, a network traffic monitoring startup acquired by Cisco in 2018; and Actifio, which was sold to Google in 2020.


Natasha Mascarenhas contributed reporting. Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send TechCrunch files or documents using our SecureDrop.

WhatsApp is doing fine despite months-long backlash over policy update

It’s safe to say WhatsApp didn’t have the ideal start to 2021. Less than a week into the new year, the Facebook-owned instant messaging app had already annoyed hundreds of thousands of users with its scary-worded notification about a planned policy update. The backlash grew fast and millions of people, including several high-profile figures, started to explore rival apps Signal and Telegram.

Even governments, including India’s — WhatsApp’s biggest market by users — expressed concerns. (In India’s case, there was also an antitrust probe.) The backlash prompted WhatsApp to offer a series of clarifications and assurances to users, and it also postponed the deadline for enforcing the planned update by three months. Now, with the May 15 deadline just a week away, we are able to quantify the real-world impact the aforementioned backlash had on WhatsApp’s user base: nada.

The vast majority of users that WhatsApp has notified about the planned update in recent months have accepted the update, a WhatsApp spokesperson told TechCrunch. And the app continues to grow, added the spokesperson without sharing the exact figures. The company also didn’t share how many users it has notified about the planned update.

Facebook’s recent earnings call gives us some idea: The company’s family of apps had 3.45 billion monthly active users as of March 31, 2021, up from 3.3 billion on December 31, and 3.21 billion on September 30.

Users who don’t agree to the new terms, as TechCrunch has previously reported, won’t lose access to their accounts or any feature on May 15, WhatsApp said. But after an unspecified number of weeks, such users will lose several core functionalities — though not at the same time.

“We’ll continue to provide reminders to those users within WhatsApp in the weeks to come,” the spokesperson added.

Since 2016, WhatsApp’s privacy policies have granted the service permission to share with Facebook certain metadata such as user phone numbers and device information.

The new terms allow Facebook and WhatsApp to share payment and transaction data in order to help them better target ads as the social juggernaut broadens its e-commerce offerings and looks to merge its messaging platforms.

Signal tests payments in the UK using MobileCoin

Encrypted chat app Signal is adding payments to the services it provides, a long-expected move and one the company is taking its time on. A U.K.-only beta program will allow users to trade the cryptocurrency MobileCoin quickly, easily, and most importantly, privately.

If you’re in the U.K., or have some way to appear to be, you’ll notice a new Signal Payments feature in the app when you update. All you need to do to use it is link a MobileCoin wallet after you buy some on the cryptocurrency exchange FTX, the only one that lists it right now.

Once you link up, you’ll be able to instantly send MOB to anyone else with a linked wallet, pretty much as easily as you’d send a chat. (No word on when the beta will expand to other countries or currencies.)

Just as Signal doesn’t have any kind of access to the messages you send or calls you make, your payments are totally private. MobileCoin, which Signal has been working with for a couple of years now, was built from the ground up for speed and privacy, using a zero-knowledge proof system and other innovations to make it as easy as Venmo but as secure as … well, Signal. You can read more about their approach in this paper (PDF).

MobileCoin just snagged a little over $11 million in funding last month as rumors swirled that this integration was nearing readiness. Further whispers propelled the value of MOB into the stratosphere as well, nice for those holding it but not for people who want to use it to pay someone back for a meal. All of a sudden you’ve given your friend a Benjamin (or perhaps now, in the U.K., a Turing) for no good reason, or the sandwich has depreciated precipitously since lunchtime.

There’s no reason you have to hold the currency, of course, but swapping it for stable or fiat currencies every time seems a chore. Speaking to Wired, Signal co-founder Moxie Marlinspike envisioned an automatic trade-out system, though he is rarely so free with information like that if it is something under active development.

While there is some risk that getting involved with cryptocurrency, with the field’s mixed reputation, may dilute or pollute the goodwill Signal has developed as a secure and disinterested service provider, the team there seems to think it’s inevitable. After all, if popular payment services are being monitored the same way your email and social media are, perhaps we ought to nip this one in the bud and go end-to-end encrypted as quickly as possible.

WhatsApp adds voice and video calling to desktop app

WhatsApp is rolling out support for voice and video calling to its desktop app, the Facebook-owned messaging service said Thursday, providing relief to countless people sitting in front of computers who have had to reach for their phone every time their WhatsApp rang.

For now, WhatsApp said its nearly five-year-old desktop app for Mac and Windows will only support one-to-one calls, but that it will be expanding this feature to include group voice and video calls “in the future.”

Video calls work “seamlessly” for both portrait and landscape orientation, and the desktop client is “set to be always on top so you never lose your video chats in a browser tab or stack of open windows,” it said.

Speaking of which, support for voice and video calls is not being extended to WhatsApp Web, the browser version of the service, at the moment, a spokesperson told TechCrunch. (Facebook launched a dedicated desktop app for its Messenger service last year, which supports group video calls.)

The new feature support should come in handy to millions of people who use WhatsApp’s desktop client every day and have had to use Zoom or Google Meet for one-to-one video calls on desktop, partly out of convenience.

WhatsApp, used by over 2 billion people, hasn’t shared how popular video and voice calls are on its platform, but said it processed over 1.4 billion calls on New Year’s Eve — the day usage tends to peak on the Facebook-owned platform.

Like the 100 billion messages that WhatsApp processes on its platform each day, voice and video calls are also end-to-end encrypted, it said.

Once known for taking quarters to push a feature improvement to its app, WhatsApp has visibly grown more aggressive with adding new features in the past year. In late January, Facebook added opt-in biometric fingerprint, face, or iris scan authentication for WhatsApp on desktop and the web, an additional protection layer that makes more sense after today’s update.

It rolled out ephemeral messages, photos, and videos that disappear after seven days late last year, and also rolled out its payments service in India, its biggest market by users.

The new feature additions come as WhatsApp is attempting to convince users to agree to its planned changes to its privacy policy — which have received some heat on Tech Twitter. Whether those concerns, raised by a handful of people on Twitter, extend to the larger population remains to be seen.

Jamaica’s Amber Group fixes second JamCOVID security lapse

Amber Group has fixed a second security lapse that exposed private keys and passwords for the government’s JamCOVID app and website.

A security researcher told TechCrunch on Sunday that the Amber Group left a file on the JamCOVID website by mistake, which contained passwords that would have granted access to the backend systems, storage, and databases running the JamCOVID site and app. The researcher asked not to be named for fears of legal repercussions from the Jamaican government.

This file, known as an environment variables (.env) file, is often used to store private keys and passwords for third-party services that a cloud application needs in order to run. Such files are sometimes inadvertently exposed or uploaded by mistake, and if found by a malicious actor they can be abused to gain access to the data or services that the cloud application relies on.

The exposed environment variables file was found in an open directory on the JamCOVID website. Although the JamCOVID domain appears to be on the Ministry of Health’s website, Amber Group controls and maintains the JamCOVID dashboard, app, and website.

The exposed file contained secret credentials for the Amazon Web Services databases and storage servers for JamCOVID. The file also contained a username and password to the SMS gateway used by JamCOVID to send text messages, and credentials for its email-sending server. (TechCrunch did not test or use any of the passwords or keys as doing so would be unlawful.)

A portion of the exposed credentials found on the JamCOVID website, controlled and maintained by Amber Group. (Image: TechCrunch)
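A pre-deployment check for the class of mistake described here, written for this page and not Amber Group's or TechCrunch's code: it walks a web root or deploy artifact, reports every dotenv-style file together with the variable names inside it (never the values), and singles out names that look like credentials, which are the ones to rotate first if such a file was ever reachable. The file names and sample contents in the test are constructed placeholders.

```go
package main

import (
	"bufio"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one dotenv-style file found under a directory that a web server serves.
type Finding struct {
	Path string   // relative to the scanned root, forward slashes
	Keys []string // variable names only; values are deliberately never recorded
}

// dotenvName matches .env, .env.production, .env.local, app.env and similar names.
var dotenvName = regexp.MustCompile(`^\.env(\..*)?$|\.env$`)

// credentialKey flags variable names that usually carry secrets, such as the cloud
// storage, SMS gateway and mail-server credentials described in the article.
var credentialKey = regexp.MustCompile(`(?i)(secret|password|passwd|pwd|token|api_?key|private_?key|access_?key)`)

// ParseEnvKeys extracts the variable names from KEY=VALUE content, skipping blank lines
// and comments and tolerating a leading "export ". Values are parsed past, never kept.
func ParseEnvKeys(content string) []string {
	var keys []string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		line = strings.TrimPrefix(line, "export ")
		parts := strings.SplitN(line, "=", 2)
		if k := strings.TrimSpace(parts[0]); len(parts) == 2 && k != "" {
			keys = append(keys, k)
		}
	}
	return keys
}

// CredentialKeys returns the names in keys that look like credentials: if the file was
// ever reachable, these are the ones to revoke and replace first.
func CredentialKeys(keys []string) []string {
	var out []string
	for _, k := range keys {
		if credentialKey.MatchString(k) {
			out = append(out, k)
		}
	}
	return out
}

// ScanWebRoot walks root (a deploy artifact or the live document root) and reports every
// dotenv file under it. Any finding means the file is one misconfigured directory
// listing away from public exposure and must be removed before the content is served.
func ScanWebRoot(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || !dotenvName.MatchString(d.Name()) {
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		findings = append(findings, Finding{Path: filepath.ToSlash(rel), Keys: ParseEnvKeys(string(data))})
		return nil
	})
	return findings, err
}
```

Wiring the scan into the build so that a non-empty result fails the deploy is the cheap control; server-side rules that refuse to serve dotfiles and disable directory listings are the second line.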

TechCrunch contacted Amber Group’s chief executive Dushyant Savadia to alert the company to the security lapse; he pulled the exposed file offline a short time later. We also asked Savadia, who did not comment, to revoke and replace the keys.

Matthew Samuda, a minister in Jamaica’s Ministry of National Security, did not respond to a request for comment or our questions — including whether the Jamaican government plans to continue its contract or relationship with Amber Group, and what — if any — security requirements were agreed upon by both the Amber Group and the Jamaican government for the JamCOVID app and website.

Details of the exposure come just days after Escala 24×7, a cybersecurity firm based in the Caribbean, claimed that it had found no vulnerabilities in the JamCOVID service following the initial security lapse.

Escala’s chief executive Alejandro Planas declined to say if his company was aware of the second security lapse prior to its comments last week, saying only that his company was under a non-disclosure agreement and “is not able to provide any additional information.”

This latest security incident comes less than a week after Amber Group secured a passwordless cloud server hosting immigration records and negative COVID-19 test results for hundreds of thousands of travelers who visited the island over the past year. Travelers visiting the island are required to upload their COVID-19 test results in order to obtain a travel authorization before their flights. Many of the victims whose information was exposed on the server are Americans.

One news report recently quoted Amber’s Savadia as saying that the company developed JamCOVID19 “within three days.”

Neither the Amber Group nor the Jamaican government have commented to TechCrunch, but Samuda told local radio that the government has launched a criminal investigation into the security lapse.



WhatsApp details what will happen to users who don’t agree to privacy changes

WhatsApp said earlier this week that it will allow users to review its planned privacy update at “their own pace” and will display a banner to better explain the changes in its terms. But what happens to its users who do not accept the terms by the May 15 deadline?

In an email to one of its merchant partners, reviewed by TechCrunch, Facebook-owned WhatsApp said it will “slowly ask” such users to comply with the new terms “in order to have full functionality of WhatsApp” starting May 15.

If they still don’t accept the terms, “for a short time, these users will be able to receive calls and notifications, but will not be able to read or send messages from the app,” the company added in the note. The company confirmed to TechCrunch that the note accurately characterizes its plan.

The “short time” will span a few weeks. In the note, WhatsApp linked to a newly created FAQ page that says its policy related to inactive users will apply after May 15.

WhatsApp’s policy for inactive users states that accounts are “generally deleted after 120 days of inactivity.”

The instant messaging service received backlash from some of its users — including those in India, its biggest market — last month after an in-app alert said they had until February 8 to agree to the planned privacy terms, which are being made to reflect its recent push into e-commerce, if they wished to continue using the service.

Following backlash, WhatsApp said its planned privacy update had created confusion among some of its users. “We’ve heard from so many people how much confusion there is around our recent update. There’s been a lot of misinformation causing concern and we want to help everyone understand our principles and the facts,” it wrote in a blog post last month.

Since 2016, WhatsApp’s privacy policies have granted the service permission to share with Facebook certain metadata such as user phone numbers and device information. The new terms will allow Facebook and WhatsApp to share payment and transaction data in order to help them better target ads as the social juggernaut broadens its e-commerce offerings and looks to merge its messaging platforms.

WhatsApp, used by over 2 billion users, last month delayed enforcing the new policy by three months and has been explaining its terms to users ever since — though its explanations hadn’t explicitly addressed what it planned to do with users who didn’t accept the terms.