Following the news about proposals made by Vera Jourova for a backdoor to WhatsApp encryption, Wieland Alge, General Manager EMEA at Barracuda Networks, commented below.
Wieland Alge, General Manager EMEA at Barracuda Networks:
While she hasn’t yet revealed exactly what these measures will look like, the idea of the legislation is that they will allow law enforcement authorities to demand information from internet messaging apps.
But in practice, how will this actually work? In my opinion, it’s not viable for messaging apps such as WhatsApp to add a backdoor, because as it currently stands, WhatsApp itself can’t read its users’ messages.
WhatsApp implemented end-to-end client-side encryption, where the sender encrypts the message with the receiver’s public key. Therefore, only the sender and recipient are able to decrypt the message, and even WhatsApp can’t view the message even if it wanted to.
From a security perspective, a “backdoor” by definition is a vulnerability that can provide undesirable access. Asking them to add a backdoor is equivalent to asking them to alter their entire end-to-end encryption protocol, which would require them to significantly reduce the level of security and privacy they currently offer all of their users. An alternative approach would be for police to subpoena the end-user’s device and read the messages on the device itself.
Part of WhatsApp’s appeal is in the level of security they provide with the end-to-end encryption, as well as data privacy and secure data transmission. If WhatsApp removed this, terrorists and/or criminals would most likely simply switch to a different service that offers end-to-end encryption, while the rest of the hundreds of millions of WhatsApp’s users would be less secure and have much weaker privacy guarantees.
It’s not terribly difficult to implement end-to-end security, so if WhatsApp implemented a backdoor, terrorists could simply build their own secure system that would allow them to hide their communications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.