WhatsApp, a messaging app acquired by Facebook in February 2014, is enabling complete, end-to-end encryption by default in its next Android update. This means users’ messages will be encrypted both in storage and in transit, and users won’t need to do a thing to make sure encryption is working. With end-to-end encryption, WhatsApp itself will not have access to users’ messages, making it effectively impossible for them to release user data in response to legal requests.
WhatsApp is using open-source cryptography software called TextSecure, created by nonprofit security company Open Whisper Systems. “I do think this is the largest deployment of end-to-end encryption ever,” Moxie Marlinspike, cofounder of the company, told Wired.
WhatsApp is the latest major company to pick up on the trend of encryption by default among technology giants. Google’s latest edition of the Android operating system, Android Lollipop (also known as Android L or Android 5.0), comes with encryption automatically enabled. Android L will be rolled out by different mobile device manufacturers over the coming months. Similarly, Apple’s recent iOS 8 update provides built-in encryption on a range of their popular services: iMessages, FaceTime conversations, and iCloud storage. On their website, Apple reassures users, “Unlike our competitors, Apple cannot bypass your passcode,” meaning “it’s not technically feasible for us to respond to government warrants for the extraction of [user] data from devices in their possession running iOS 8.”
Apple says they cannot release data from customer devices to government agencies, but does all data stored using Apple services fall under this claim? Not quite: Apple includes the phrase “from devices” for a reason. As of now, data stored on iCloud can be accessed by Apple in response to a government warrant. Users choose whether or not to opt in to iCloud when setting up their devices, so each user can decide whether the convenience of the cloud is worth losing some privacy. (Aside from government requests, iCloud recently ran into trouble with brute-force cyberattacks.)
For privacy advocates, the decision by these companies to enable privacy by default is a major victory. Many political and legal figures, on the other hand, are disturbed by the fact that encryption renders potential digital evidence inaccessible. As the technology industry inclines toward encryption, the digital forensics industry will have to adapt to new methods of extracting data from devices.