“Users concerned about the security and privacy of their data must make sure to enable the end-to-end encryption backup for WhatsApp and other messaging platforms.”
“The service provider’s implementation of end-to-end encryption plays a significant role in the security and privacy of a messaging app against the provider and attackers,” he says.
Cybersecurity expert Dr Arash Shaghaghi from UNSW School of Computer Science and Engineering and UNSW Institute for Cyber Security compares encryption to having a secret conversation between you and another person.
It is also worth spending a few extra minutes to enable some of the more advanced security features these platforms provide, such as end-to-end backup encryption or multi-factor authentication.
“As far as we know, Signal, Telegram and WhatsApp are secure in providing end-to-end encryption if the option is enabled,” says Dr Shaghaghi.
Interestingly, with some end-to-end encryption protocols, such as Signal, even if someone steals the encryption keys and taps the connection, they cannot decrypt messages already sent.
Moderating content exchanged over end-to-end encrypted messaging platforms
“Messaging platforms contain a lot of private information so it’s worth ensuring that the platform we use has a good reputation for ensuring the security and privacy of its users,” he says.
What about Signal and Telegram?
Unlike WhatsApp and Signal, Telegram does not have end-to-end encryption enabled by default.
Whether you’re sharing confidential information or swapping movie ideas with a friend, people are turning to private messaging apps that offer end-to-end encryption to protect the contents of their conversations.
In 2021, they announced child safety features that include detecting sexually explicit pictures over iMessage, another platform using end-to-end encryption. Recent leaks from the US Federal Bureau of Investigation (FBI) demonstrated that even with a subpoena, powerful government entities have limited access to messages exchanged over apps that use end-to-end encryption.
“I think we can balance the need for moderating criminal content and security and privacy requirements by breaking down the problem into more specific use-cases and developing innovative solutions.”
“And whichever platform you decide to use, it’s best practice to ensure we use the latest version of the apps and avoid downloading apps from third-party stores.”
“Encryption involves using a key to lock a message, while decryption is using a key to unlock a message.”
This argument is especially worrying for many users concerned that it’s the first step away from the strong encryption principles they rely on to ensure the security and privacy of their data. “However, those in favour of a solution allowing access for law enforcement agencies argue that they need access given the increasing usage of these platforms by criminals.”
“I believe the consensus is that Signal is a more secure and privacy-friendly messaging solution when compared to WhatsApp, Telegram, or Facebook Messenger.”
“From a security engineering perspective, implementing a backdoor is never a good idea,” says Dr Shaghaghi. “Even though WhatsApp adopted an end-to-end encryption model in 2016, unencrypted backups were vulnerable to government requests, third-party hacking, and disclosure by Apple or Google employees.”
Unless your messaging app offers end-to-end encryption, your private conversations may be accessed without your consent. In 2021, WhatsApp rolled out an option for users to enable end-to-end encryption of their backups.
With so many messaging platforms available on the market, Dr Shaghaghi says there are some simple steps to help safeguard a user’s privacy. Dr Shaghaghi says when you back up your messages on some of the messaging platforms, your messages are pushed to the cloud.
Apple has promoted encrypted messaging across its ecosystem and has fought off law enforcement agencies looking for records.
However, Signal is built with privacy and security as the primary motivation. WhatsApp used to keep a backup of the messages in an unencrypted format over iCloud for Apple users and Google Drive for those who used WhatsApp on Android.
To meet regulatory requirements, WhatsApp now allows users to flag a message to be reviewed by their moderators. To keep our information away from prying eyes, we rely on cryptographic algorithms to encrypt our data. In theory, if an outsider observed an encrypted conversation, they could not make sense of it, and they would need the appropriate key to decrypt it. Modern encryption algorithms have been battle-tested and shown to have no known vulnerabilities.
There is no guarantee that malicious hackers do not find out about these backdoors too and exploit them. Some messaging providers and tech companies have responded by changing the platform’s functionality. “Encryption involves converting human-readable plaintext into an encoded format, and the data can only be read after it is decrypted,” he says.
Are our messages fully secure?
When data is shared over the Internet, it often traverses a series of networks to reach its destination. Attackers commonly target endpoints and their vulnerabilities. “This needs to be initiated by a user, and when a message is flagged, the few messages before it are also forwarded to WhatsApp moderators,” says Dr Shaghaghi.
There have been ongoing debates in Australia and overseas regarding this topic. However, with the apps constantly changing their security and privacy policies, are the messages still safe from being decrypted? Apps such as WhatsApp, owned by social media giant Meta (formerly Facebook), provide a level of privacy that challenges even government agencies trying to access encrypted conversations.
When the ‘secure chat’ function is enabled, Telegram applies the MTProto protocol, an open-source protocol custom-developed by the messaging provider. There have been strong calls by different government organisations for these apps to include backdoors that would provide data access when authorities deem it required. While this was welcomed as a positive step forward, it should be the default for all users – not offered as an option, says Dr Shaghaghi. To implement this feature, Apple plans to perform the detection on the device and not through an encryption backdoor.
Written by: Supaporn Pholrach (Joom)