With more than 1 billion users, WhatsApp is the second biggest communication environment in the world after its owner Facebook. So when the messaging, talk, and video service makes a change, it affects a whole lot of people. And on Tuesday, WhatsApp announced that it will now provide end-to-end encryption for every communication on the platform.
The service has been working on expanding this security feature since it announced end-to-end encryption for chat messages in November 2014. Now, beyond just messages, every type of WhatsApp communication will be encrypted locally by the sender, travel in encrypted form, and be decrypted only by the receiver. It all happens automatically to make it easy on users, and WhatsApp itself won’t have the keys to decrypt any of the data moving across its network.
Law enforcement agencies have long brought warrants to tech companies asking for user data. Companies have generally complied, but there is sometimes tension as Apple’s recent fight with the FBI shows. Though it is not a protection in every scenario, end-to-end encryption is seen as a way for companies to avoid many instances in which they might be asked to act as an intermediary. If a company can’t itself decrypt user communications, it can’t do it for law enforcement.
WhatsApp founders Jan Koum and Brian Acton wrote on Tuesday:
Recently there has been a lot of discussion about encrypted services and the work of law enforcement. While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people’s information to abuse from cybercriminals, hackers, and rogue states.
While WhatsApp is among the few communication platforms to build full end-to-end encryption that is on by default for everything you do, we expect that it will ultimately represent the future of personal communication.
The company and its parent Facebook have already been tested on these issues. In March, Facebook’s vice president for Latin America, Diego Dzodan, was arrested in São Paulo, Brazil, for “repeated non-compliance with court orders” to provide communications from WhatsApp. A Brazilian judge ordered Dzodan’s release a day later, noting that “the extreme measure of imprisonment was hurried,” according to the Agence France-Presse. WhatsApp said in a statement at the time that, “We are disappointed that law enforcement took this extreme step. WhatsApp cannot provide information we do not have.”
The company still uses some careful language to hedge what it’s doing, though. As Micah Lee, a founder of the Freedom of the Press Foundation, pointed out on Twitter, WhatsApp’s legal information page still says that it reserves the right to collect message metadata. “WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect.” Similarly, in its mobile app’s security section, WhatsApp says that it uses end-to-end encryption for communications “when possible.”
There may be things WhatsApp can do to heighten its user security even more, but implementing end-to-end encryption at all is an ambitious project. It has clearly been a priority for WhatsApp given the timeframe in which the company delivered it. Now, WhatsApp’s 1 billion international users may become guinea pigs as the debate over strong encryption continues.