What Does WhatsApp's End-to-End Encryption Mean? Are We Finally Safe?

Two weeks ago I was messaging one of my geeky friends on WhatsApp and saw a strange text notice saying:

"Messages you send to this chat and calls are now secured with end-to-end encryption. Tap for more info"

I immediately thought it was something she had set up on her own WhatsApp account, and I thought:

"What a privacy freak! Was it really necessary to activate this whole encryption thing for our conversation? This is just an informal talk, nobody is sharing anything secret here"

Then I messaged my father - and the same text appeared. I love my father - who is an amazing and very tech-savvy doctor - but I know he has no idea what end-to-end encryption is and would never add that himself to his WhatsApp. Something had changed in our beloved app. I then went to my digital source of wisdom - TechCrunch - to check what they had to say about this seeming "privacy apocalypse" that had just fallen upon our digital chat lives.

Right after that I learned on WhatsApp's FAQ page that they had just finished a one-and-a-half-year project to make end-to-end encryption the default for all of the more than 1 billion (1,000,000,000!) WhatsApp users. The only thing users would have to do is update the app to the latest version.

But wait, I am a high tech lawyer: what is - technically speaking - end-to-end encryption and what does it mean - practically (or legally) - speaking? Let's type it into Google and check if one of those geek blogs can explain it to me. They did. This blog, for example, compared the absence of end-to-end encryption to riding a bike naked in a tunnel. Don't miss their explanation, it's a really good metaphor. Let's use a copyright-friendly source to explain it in technical terms. Wikipedia (sorry to everyone who is leaving this post at this exact moment because I'm citing this infamous website, but I believe in the power of the crowd) says:

"End-to-end encryption (E2EE) is a system of communication where only the people communicating can read the messages. No eavesdropper can access the cryptographic keys needed to decrypt the conversation, including telecom providers, Internet providers and the company that runs the messaging service. Surveillance and tampering are impossible because no third-parties can decipher the data being communicated or stored. For example, companies that use end-to-end encryption can’t hand over texts of their customers’ messages to the authorities"

Good, I got it. WhatsApp also offers a QR code or a list of 60 numbers for those who are suspicious and want to really check if the conversation is encrypted. No, thanks, I believe you! I was already OK knowing that anyone could spy on me through the cookies in my browsers, my likes on Facebook, my pictures on Instagram, the geolocation on my phone, my supermarket loyalty cards and other mechanisms that I probably don't even know exist; if you, my beloved WhatsApp, are telling me that I am fully encrypted, thank you very much, I am even happier now :-)

As a lawyer I had to remember the recent FBI vs Apple case (I wrote a post in Portuguese about it in case you are interested) that was bravely solved with the participation of an Israeli company. In that case, the dilemma was that the FBI wanted to investigate serious crimes further, while Apple wanted to be a pro-privacy company. Neither of them won, neither of them lost. Freedom of enterprise proved useful and a private company unlocked the device for the FBI. What about the next cases involving the same privacy vs security dilemma?

WhatsApp had been developing this encryption system for more or less a year and a half, so we know that they weren't directly influenced by the recent big Apple vs FBI case. But we know they were at least slightly influenced by Edward Snowden, an American computer professional, former Central Intelligence Agency (CIA) employee and former contractor for the federal government who copied and leaked classified information from the National Security Agency (NSA) in 2013 without prior authorization. Everybody - at least in the tech world - learned about the case. For many, Snowden became a symbol of a new resistance movement. This movement could be summed up by the following statements:

- We don't want to be spied on by the government;
- We want to know what information is stored about us;
- "General public security" is not enough to authorize secret and continuous surveillance of citizens;
- We don't want to live in a Big Brother society;
- We like privacy.

Regardless of Snowden's political views (and regardless of what happened to him afterwards), he heated up the privacy vs security debate, the same debate that followed in the Apple vs FBI case. After Snowden it was clear that privacy had become a very important value in the post-internet era.

The fact is that the internet of things (or internet of everything/everywhere/everytime) is advancing fast, and if we are excited by innovations such as self-driving cars, intelligent houses, smart cities, online global public health information (including DNA!), smarter robots, banking systems in the cloud etc., we have to think more often and more deeply about privacy. And not the "old style privacy", where violation of correspondence was maybe easier to stop. Now - in the online world - borders are almost invisible and we don't know exactly what is trespassing and what is friendly interaction.

Raising the walls of privacy too high is also dangerous. Citizens may benefit from not having their innocent romantic conversations spied on, but criminals will also benefit from high levels of privacy, anonymity and end-to-end encryption. What are we going to do then? It is not so easy anymore to define when privacy is good and when it's bad. Society is more divided. In 2016 I would say we still don't know what is better for us. But we know privacy is important.

***

Going back to the end-to-end encryption and the question I added to the title of this post: are we finally safe? It depends.

From what encryption specialists say, end-to-end encryption is effective and now nobody can spy on our communications on WhatsApp, not even the government with a judicial warrant.

But...

Criminals will also have more privacy to act badly and won't need to bother finding an exclusive encryption app. They can just use WhatsApp.

What do we prefer? I don't know. But I may confess that I have a slightly pleasant feeling when I read on my WhatsApp chat screen: "messages you send to this chat and calls are now secured with end-to-end encryption. Tap for more info". Sounds good.

***

Best,

Luiza Rezende
High Tech Lawyer, YouTuber and Writer