Your WhatsApp messages will soon be secure—for real this time
An important change is coming to the way in which copies of your chats are stored in the cloud when you back up your device.
WhatsApp is giving users the ability to encrypt message backups to cloud servers, addressing a long-recognized gap in the Facebook-owned app’s privacy offerings. Mark Zuckerberg announced the update in a post on Friday, nodding to the engineering effort it took to roll out this new feature.
“WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems,” Zuckerberg wrote on Facebook.
WhatsApp already offers end-to-end encryption on messages, which means only the sending and receiving parties can see the content being shared—anyone else who tries to intercept it wouldn’t be able to read the exchange. But tech experts and privacy advocates have warned that vulnerabilities still exist within this framework for WhatsApp users: even if others can’t see your specific messages, the metadata associated with them, such as the time a message exchange took place, could be telling.
The inability to encrypt saved messages to the cloud had been another loophole since those previously encrypted conversations were ultimately saved in an understandable format once they were part of an iPhone’s backup to iCloud, for example. As TechCrunch reported, law enforcement agencies have been known to take advantage of this to access suspects’ WhatsApp messages.
[Related: 6 secure alternatives to WhatsApp]
Now, according to a whitepaper the company released, this next level of encryption would prevent that from happening. Before storing messages to their preferred cloud servers, such as Google Drive or iCloud, users will receive a uniquely generated encryption key (which will be known to WhatsApp) and then have the opportunity to create a password or additional encryption key (which will be unknown to WhatsApp). The paper likens the system to a bank safe deposit box, with the idea that users will have sole access to their box of backup messages thanks to that second password or key, with the first encryption key offering a safety net for those who forget the one they created. A spokesperson for WhatsApp told TechCrunch that the messaging app will also automatically delete any previous backups once the encrypted backup is stored.
The announcement came days after ProPublica published an article looking into WhatsApp’s privacy protections. The investigation found the company has “an extensive monitoring operation,” which gives contractors access to unencrypted messages for moderation purposes if they have been “flagged by users and automatically forwarded to the company as possibly abusive,” ProPublica said. It also cited WhatsApp’s role in providing user data in a case against a federal employee who leaked information to the media.
[Related: Facebook just made some big privacy promises, and they all hinge on encryption]
WhatsApp was already struggling to retain and regain user trust after rolling out a new privacy policy this year that gives it permission to share more data with Facebook. After receiving backlash, the app extended the timeline for users to accept the update, though those who do not do so will ultimately lose functionality. WhatsApp’s loss has been a boon to other messaging services that have pledged privacy as their top priority, including Signal and Telegram.
According to TechCrunch, this new feature will be available in the “coming weeks.”
