WhatsApp encryption provides users with a false sense of security

The reality is that the vast majority of messaging platforms on the marketplace do not provide users with a satisfactory level of protection for truly sensitive information, but still claim to do so.

Guest author

April 14, 2016

5 Min Read
WhatsApp encryption provides users with a false sense of security

Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Jonathan Parker-Bray, CEO & Founder of Pryvate, questions how effective the recent WhatsApp encryption initiative really is.

WhatsApp’s recent launch of end-to-end encryption on its communication platform is great news. We have always advocated that every messaging service needs more security and it is good to see a large global provider adopting this. The move is indicative of messaging and communications providers’ increasingly realising that encryption is a must-have feature, rather than simply a luxury service to provide to their users, which has to be applauded.

However, the manner in which the majority of these platforms, including WhatsApp, retrospectively include encryption technology within their apps is potentially providing a false sense of security to consumers and business users.

The reality is that the vast majority of messaging platforms on the marketplace do not provide users with a satisfactory level of protection for truly sensitive information, but still claim to do so. Many simply roll out a form of encryption that is more secure than not having anything in place at all, but does not equate to the higher levels of protection that are available.

The danger is that consumers are largely unaware aware of this, as much of the language that apps with lesser security use to describe themselves is identical to those that offer higher levels of security. Terms like end-to-end encryption, for example, have no room for distinction but can apply to vastly different systems. This is a huge risk, as a false sense of security created by believing calls, messages and IMs to have been sent securely can lead consumers to take unnecessary risks.

Businesses and consumers are starting to understand the real risk of a potential breach that exists when they use their smartphones to communicate on a daily basis. More than ever, communication services across email, voice calls, conference calls, video calls and instant messenger need to be protected from cybercriminals, intruders, corporate espionage and hackers.

The encryption utopia

The modern state of cybercrime and the advanced sophistication of hackers, who are out to steal any data they can get their hands on for financial gain, necessitates the need for specialist communication applications with encryption at their core.

Rather than using popular messaging platforms that simply deploy encryption as a bolt-on to their current offerings, end users that truly understand the need to keep their communications secure must look to true end-to-end encryption solutions.

To truly keep communications free from hacking it is vital to deploy applications that are built with security in mind from the ground up and offer top-of-the-line RSA 4096-bit encryption, which ensures all business and personal communications remain totally private. The key difference between these products and other encryption tools on the market is that they set out with the intention of developing a suite of totally secure communication services from the get-go.

These true encryption applications will hold no access to encryption keys and no records of any communications between users. All encryption keys are generated within the user’s app on their device and are automatically thrown away once used with another 4096-bit key generated for each communication session – nothing is seen or held by the provider and their networks are not involved.

Security concerns

This true encryption ideal is in stark contrast to what users are being offered by many providers – with WhatsApp being the most recent example. It freely admits its new encryption service uses ‘derived keys,’ where it has some access to keys before a conversation is initiated and implies that it operates at least some form of temporary storage. This could be a real concern as it has the potential to create a possible gap in security or loopholes that hackers could exploit, as the keys are stored on devices but no mention is made of them ever being deleted or how the private keys are generated.

WhatsApp has also stated that its servers act as forwarding servers for messages, and are stored there until the messages are delivered. Simply put, if the keys are generated by using elements requested from the server and the messages are routed through the server, then it is possible for both the keys and the messages or content to be accessed from a single server.

Upon announcing its launch of end-to-end encryption, a WhatsApp public statement said: “The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us.”

This statement has the potential to lull users into believing their communications are 100% secure when in reality that is not the case. It is indicative of standpoint taken by the rush of messaging platforms wanting to retrospectively include encryption technology within their apps.

In this modern era where hacking and data breaches are rifer than ever before, service providers must be encouraged to think encryption first. But it is equally important that they consider how secure the offering they choose to use for their businesses and personal communications actually is.

The truth of the matter is that a lot of offerings on the market, from some big, well-known businesses, simply don’t cut the mustard when it comes to offering total security and are not impervious to hacking by highly skilled cybercriminals.

It is essential that people take their digital communications seriously to ensure they feel totally secure in their personal mobile communications at home, at work and while travelling.


JPB-1-150x150.jpgJonathan Parker-Bray is a proven entrepreneur and strategist with 15 years’ telecommunications industry experience. Jonathan founded Criptyque in 2013 to develop the Pryvate platform to address the need for reliable, secure, and user-friendly communication. In 2001, Jonathan co-founded Expo Communications and World Wide Connect which merged to become Spiritel Communications Plc. The company was later listed on the Alternative Investment Market in 2003 for £56 million and was acquired by Daisy Group in 2011.  Prior to this Jonathan founded both Peach Technologies and Trans Global Access, which were both successful acquired.

Read more about:

Get the latest news straight to your inbox.
Register for the Telecoms.com newsletter here.

You May Also Like