Nettime mailing list archives

<nettime> end-to-end encryption for the masses
Felix Stalder on Wed, 19 Nov 2014 18:31:15 +0100 (CET)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> end-to-end encryption for the masses


Growing up in Soviet Ukraine in the 1980s, Whatsapp founder Jan Koum
learned to distrust the government and detest its surveillance. After he
emigrated to the U.S. and created his ultra-popular messaging system
decades later, he vowed that Whatsapp would never make eavesdropping
easy for anyone. Now, Whatsapp is following through on that
anti-snooping promise at an unprecedented scale.

On Tuesday, Whatsapp announced that it's implementing end-to-end
encryption, an upgrade to its privacy protections that makes it nearly
impossible for anyone to read users' messages -- even the company itself.
Whatsapp will integrate the open-source software Textsecure, created by
privacy-focused non-profit Open Whisper Systems, which scrambles
messages with a cryptographic key that only the user can access and
never leaves his or her device. The result is practically uncrackable
encryption for hundreds of millions of phones and tablets that have
Whatsapp installed -- by some measures the world's largest-ever
implementation of this standard of encryption in a messaging service.

"Whatsapp is integrating Textsecure into the most popular messaging app
in the world, where people exchange billions of messages a day," says
Moxie Marlinspike, Open Whisper System's creator and a well known
software developer in the cryptography community. "I do think this is
the largest deployment of end-to-end encryption ever."

Textsecure has actually already been quietly encrypting Whatsapp
messages between Android devices for a week. The new encryption scheme
means Whatsapp messages will now travel all the way to the recipients'
device before being decrypted, rather than merely being encrypted
between the user's device and Whatsapp's server. The change is nearly
invisible, though Marlinspike says Whatsapp will soon add a feature to
allow users to verify each others' identities based on their
cryptographic key, a defense against man-in-the-middle attacks that
intercept conversations. "Ordinary users won't know the difference,"
says Marlinspike. "It's totally frictionless."
"This is the largest deployment of end-to-end encryption ever."

In its initial phase, though, Whatsapp's messaging encryption is limited
to Android, and doesn't yet apply to group messages, photos or video
messages. Marlinspike says that Whatsapp plans to expand its Textsecure
rollout into those other features and other platforms, including Apple's
iOS, soon. He wouldn't specify an exact time frame, and Whatsapp
staffers declined to comment on the new encryption features. Marlinspike
says the Textsecure implementation has been in the works for six months,
since shortly after Whatsapp was acquired by Facebook last February.

Whatsapp's Android users alone represent a massive new user base for
end-to-end encrypted messaging: Whatsapp's page in the Google Play store
lists more than 500 million downloads. Textsecure had previously been
installed on only around 10 million gadgets running the Cyanogen mod
variant of Android and about 500,000 other devices.

The only encrypted messaging system that compares in size is Apple's
iMessage, which also claims to use a version of end-to-end encryption.
Compared with Textsecure, however, Apple's iMessage security has some
serious shortcomings. iMessage doesn't track which devices'
cryptographic keys are associated with a certain user, so Apple could
simply create a new key the user wasn't aware of to start intercepting
his or her messages. Additionally, many users unwittingly back up their
stored iMessages to Apple's iCloud, which renders any end-to-end
encryption moot. Plus, unlike Textsecure, iMessage doesn't use a feature
called "forward secrecy" that creates a new encryption key for each
message sent. This means that anyone who collects a user's encrypted
messages and successfully cracks a user's key can decrypt all their
communications, not just the one message that uses that key.

Whatsapp's rollout of strong encryption to hundreds of millions of users
may be an unpopular move among governments around the world, whose
surveillance it could make far more difficult. Whatsapp's user base is
highly international, with large populations of users in Europe and
India. But Whatsapp founder Jan Koum has been vocal about his opposition
to cooperating with government snooping. "I grew up in a society where
everything you did was eavesdropped on, recorded, snitched on," he told
Wired UK earlier this year. "Nobody should have the right to eavesdrop,
or you become a totalitarian state -- the kind of state I escaped as a kid
to come to this country where you have democracy and freedom of speech.
Our goal is to protect it."

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime {AT} kein.org