Thursday, April 7, 2016

WhatsApp End-to-End Encryption

Some very good news came out of the "wire" yesterday that has bigger implications that you might know about by just reading the title.

First, let's go back and look at the history in the last month or more that led up to this:

The FBI wanted to get into iPhone cell phones to get information on criminal and terrorist cell phones.  There was a very large problem for the FBI: all iPhone cell phones now are encrypted by default for very good reasons.  The FBI knew this so they "asked" Apple to create what is called a backdoor on their encryption and give the FBI the master key so they could on-demand get into any phone around the World.  The problem is very simple but complex: say for example Apple gives the FBI the "master key" and what happens if (knock on wood) the FBI gets hacked and boom the master key is lost - now the hackers can on-demand unlock EVERY ios device.

It's not as easy as it sounds though...ios (Apple's mobile operating system) uses very good encryption and with encryption you can't go back and just create a backdoor it doesn't work like that.  You'd have to re-build ios from the floor again and create the backdoor as you built it which would cost Apple a metric ton of money to do.  Just think: ios is on version 9 which means they have re-imagined ios at least 9 times and thousands more that was never released.

Apple said hell no and the FBI dropped the case (mostly dropped it).  This "case" or possible case put in some very big issues that we really haven't dealt with yet: where does a users privacy get replaced with "national security"?  Do we as a end user really want the FBI or Government have access to our devices? I am a very big advocate for using what is called end-to-end encryption on EVERYTHING.  

To be clear just so you know: WhatsApp is an American company that lets users message other users without using any cell phone company texting restrictions. The company is huge in other countries that don't have cell phone service...it's a lot like Telegram just a different company doing the same thing.

What is end-to-end encryption? I'll say this in as few words as I can:

  • By default when you visit: https://www.google.com - the "https" means to us that the site is encrypted.  That means, that the communication between our computer and Google's server is encrypted in a "tunnel" but Google can see what we are doing since they and us both have what are called the public keys. They have the holy grail and if they wanted to could see what we were doing.  When we use say iMessage: that communication IS encrypted BUT Apple has the key so they could "sniff" or "snoop" into the communication between the two users as we message each other.
  • End-to-end encryption is very different: it's still a "tunnel" between the two users or computers BUT Apple or Google DOESN'T have the keys or have access to "sniff" or "snoop" what the users were doing.  So - and this is the key - if say the FBI went to Google and said, "We want all the messages between Ryan and Pacifico" Google's answer would be very simple, "We have no fricken clue what they are saying we have no access to that since we don't have a public key or master key for it".
So, it creates a very complex issue for the FBI and to our rights as a end user: WhatsApp is an American company and by the law has to give access to the FBI for a specific user with a court order but if WhatsApp has no access to any of it what happens? I smell a very large court case between the FBI and WhatsApp and I'm hoping that WhatsApp wins it and I hope end users understand what they are doing when they do anything on a computer.
  • Is it encrypted?
  • Who has access to it?
  • If you install an application on your phone: what information is sent back to the mother ship? Do they really need my contacts if I install a clock application?
I hope this better explains it and if you want more info on it here is WhatsApp's blog post on it: https://blog.whatsapp.com/10000618/end-to-end-encryption