WhatsApp will finally allow users to encrypt their chat backups in the cloud – TechCrunch

WhatsApp announced on Friday that it will give its two billion users the ability to encrypt their cloud chat backups, taking an important step to end one of the tricky ways of compromising private communication between individuals. on the app.

The Facebook-owned service has had end-to-end encrypted conversations between users for over a decade. But users had no choice but to store their chat backup on their cloud – iCloud on iPhone and Google Drive on Android – in an unencrypted format.

Harnessing these unencrypted WhatsApp chat backups on Google and Apple servers has been one of the well-known ways for law enforcement around the world to gain access to the WhatsApp chats of suspicious individuals for years.

Now WhatsApp says it fixes this weak link in the system.

“WhatsApp is the first global messaging service of this scale to offer end-to-end encrypted messaging and backups, and achieving this was a very difficult technical challenge that required an entirely new framework for key storage and cloud storage. on all operating systems, ”Facebook CEO Mark Zuckerberg said in an article announcing the new feature.

Store your own encryption keys

The company said it has designed a system for WhatsApp users on Android and iOS to lock down their chat backups with encryption keys. WhatsApp says it will offer users two ways to encrypt their cloud backups, and the feature is optional.

In the “coming weeks”, WhatsApp users will see an option to generate a 64-digit encryption key to lock their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that saves their encryption key in a “backup key vault” based on the. cloud that WhatsApp has developed. The encryption key stored in the cloud cannot be used without the user’s password, which is not known to WhatsApp.

“We know some will prefer the 64-digit encryption key while others want something they can easily remember, so we’ll include both options. Once a user sets their backup password, we don’t know. They can reset it on their original device if they forget it, ”WhatsApp said.

“For the 64-digit key, we will notify users multiple times when they sign up for end-to-end encrypted backups that if they lose their 64-digit key, we will not be able to restore their backup and that they have to write it down. Before the setup is complete, we will ask users to confirm that they have saved their password or 64-digit encryption key.

A spokesperson for WhatsApp told TechCrunch that once an encrypted backup is created, previous copies of the backup will be deleted. “It will happen automatically and there is no action a user will need to take,” the spokesperson added.

Potential regulatory decline?

The decision to introduce this extra layer of privacy is important and could have far-reaching implications.

End-to-end encryption remains a hot topic of discussion as governments continue to push for backdoors. Apple was reportedly forced not to add encryption to iCloud backups after the FBI complaint, and although Google offered users the option to encrypt their data stored in Google Drive, the company reportedly told governments nothing before deploying functionality.

When asked by TechCrunch whether WhatsApp, or its parent company Facebook, consulted with government agencies – or received their support – during the feature’s development process, the company declined to discuss such conversations.

“People’s messages are deeply personal and as we live more of our lives online, we believe businesses should improve the security they provide to their users. By releasing this feature, we are offering our users the ability to add that extra layer of security to their backups if they wish, and we are excited to give our users a significant step forward in the security of their personal messages, ” , the company told TechCrunch.

WhatsApp has also confirmed that it will roll out this optional feature in all markets where its app is operational. It is not uncommon for companies to refuse privacy features for legal and regulatory reasons. Apple’s upcoming encrypted browsing feature, for example, will not be made available to users of certain authoritarian regimes, such as China, Belarus, Egypt, Kazakhstan, Saudi Arabia, Turkmenistan, Uganda and the Philippines.

Regardless, Friday’s announcement comes days after ProPublica reported that end-to-end encrypted private conversations between two users can be read by human contractors when messages are reported by users.

“Creating fully encrypted backups is really difficult, and it’s especially difficult to make them reliable and simple enough for users to use. No other messaging service on this scale has done this and provided this level of security for people’s messages, ”Uzma Barlaskar, product manager for privacy at WhatsApp, told TechCrunch.

“We have been working on this problem for many years, and to build it we had to develop an entirely new framework for key storage and cloud storage that can be used on the largest operating systems in the world and that took a long time.