The Guardian’s reportage of a supposed loophole in the encryption system of the social messaging application WhatsApp has drawn flak from security experts.
The Guardian has drawn the ire of a large number of cryptography and security experts by publishing a story claiming that WhatsApp has a security backdoor that would allow it, or governments, to snoop on encrypted messages. The group of experts, led by associate professor Zeynep Tufekci, has written an open letter demanding that the article be retracted and that The Guardian issue an apology for its misleading claims.
The article, written by freelance journalist Manisha Ganguly, reported claims originally made last year by Tobias Boelter, a PhD student at the University of California, Berkeley. He showed that under certain conditions a government could, with the cooperation of WhatsApp, gain access to the content of a small number of messages.
The consensus of 40 of the most respected people in the security and cryptographic community, however, was that the behaviour described by Boelter and sensationalised in The Guardian article was simply a design decision taken by WhatsApp developers and represented a very small risk, if any, to the vast majority of users.
The Guardian has so far refused the demands of professor Tufekci and her colleagues and has simply updated the article, changing the word “backdoor” to “vulnerability” and including a statement from WhatsApp stating categorically that “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor.”
Tufekci made the point that The Guardian’s article had endangered people, because they would switch to less secure forms of communication over concerns that governments could potentially be listening in on their conversations. The suggestion that people should use the potentially more secure app Signal was not going to work for most people, because it was less user-friendly and because simply using an app like Signal could alert government agencies that they had something to hide.
The Guardian article took the claims of a PhD student and failed to get input on the issue from a single recognised security or cryptography expert. The opinions quoted in the article came from three people who, although involved with privacy at the policy and user level, were by no means subject matter experts and couldn’t possibly have claimed to understand what had been implemented.
In fact, Moxie Marlinspike, the developer behind Signal, the protocol that gives WhatsApp its end-to-end encryption, also came out emphatically in support of WhatsApp’s implementation of the Signal Protocol.
It is important to note that this story was not picked up and reported independently by other reputable mainstream media sites – a sure indication that other journalists weren’t buying into the claims. Even the tech media didn’t report on it, other than some sites simply repeating what The Guardian had claimed.
The Guardian, however, claimed it as an “exclusive” and used an incendiary headline that had real-world consequences. At least one group protesting at the Women’s March in Washington DC last weekend was reported to have warned protesters against using WhatsApp because of ‘a privacy hole’. The concerns expressed by Tufekci, however, go beyond the anti-Trump protesters to dissidents in Turkey, who she claimed were at much graver risk if they stopped using secure communication because of concerns spread by The Guardian and picked up by local media.
Professor Tufekci called The Guardian article irresponsible and misleading; however, in many respects it qualifies as fake news. Taking a real observation and then misrepresenting it as having dire consequences was an essential element of the types of stories circulated during the US election. The WhatsApp story is no different in essence from claims that Hillary Clinton was dying from an incurable neurological disease because she coughed a great deal during a speech.
If The Guardian had simply obtained expert commentary on the WhatsApp protocol, it could still have presented the story as a potential concern while putting the risk in proportion. Just applying the basic principle of presenting both sides of the argument would have gone a long way to making up for the fact that the editorial staff clearly did not understand what the article was actually claiming.
For those readers interested in reading the details of the issues raised in the article, start with Zeynep Tufekci’s letter, Moxie Marlinspike’s explanation and the Electronic Frontier Foundation’s (EFF) opinion.
David Glance, Director of UWA Centre for Software Practice, University of Western Australia