{"id":284543,"date":"2017-01-13T11:45:19","date_gmt":"2017-01-13T11:45:19","guid":{"rendered":"http:\/\/citifmonline.com\/?p=284543"},"modified":"2017-01-13T11:45:19","modified_gmt":"2017-01-13T11:45:19","slug":"whatsapp-backdoor-allows-snooping-on-encrypted-messages","status":"publish","type":"post","link":"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/","title":{"rendered":"WhatsApp backdoor allows snooping on encrypted messages"},"content":{"rendered":"

A security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.<\/p>\n

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.<\/p>\n

Privacy campaigners said the vulnerability is a \u201chuge threat to freedom of speech\u201d and warned it can be used by government agencies to snoop on users who believe their messages to be secure. WhatsApp has made privacy and security a primary selling point, and has become a go-to communications tool of activists, dissidents and diplomats.<\/p>\n

WhatsApp\u2019s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.<\/p>\n

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been resent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users\u2019 messages.<\/p>\n

The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: \u201cIf WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.\u201d<\/p>\n

The backdoor is not inherent to the Signal protocol. Open Whisper Systems\u2019 messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.<\/p>\n

WhatsApp\u2019s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.<\/p>\n

Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was \u201cexpected behaviour\u201d and wasn\u2019t being actively worked on. The Guardian has verified the backdoor still exists.<\/p>\n

\n
The WhatsApp vulnerability calls into question the privacy of messages sent across the service used around the world, including by people living in oppressive regimes. Photograph: Marcelo Say\u00e3o\/EPA<\/figcaption><\/figure>\n

Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights, verified Boelter\u2019s findings. He said: \u201cWhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.\u201d<\/p>\n

<\/div>\n

Boelter said: \u201c[Some] might say that this vulnerability could only be abused to snoop on \u2018single\u2019 targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the \u2018message was received by recipient\u2019 notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.\u201d<\/p>\n

The vulnerability calls into question the privacy of messages sent across the service, which is used around the world, including by people living in oppressive regimes.<\/p>\n

Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, called the existence of a backdoor within WhatsApp\u2019s encryption \u201ca gold mine for security agencies\u201d and \u201ca huge betrayal of user trust\u201d. She added: \u201cIt is a huge threat to freedom of speech, for it to be able to look at what you\u2019re saying if it wants to. Consumers will say, I\u2019ve got nothing to hide, but you don\u2019t know what information is looked for and what connections are being made.\u201d<\/p>\n

In the UK, the recently passed Investigatory Powers Act allows the government to intercept bulk data of users held by private companies, without suspicion of criminal activity, similar to the activity of the US National Security Agency uncovered by the Snowden revelations. The government also has the power to force companies to \u201cmaintain technical capabilities\u201d that allow data collection through hacking and interception, and requires companies to remove \u201celectronic protection\u201d from data. Intentional or not, WhatsApp\u2019s backdoor to the end-to-end encryption could be used in such a way to facilitate government interception.<\/p>\n

Jim Killock, executive director of Open Rights Group, said: \u201cIf companies claim to offer end-to-end encryption, they should come clean if it is found to be compromised \u2013 whether through deliberately installed backdoors or security flaws. In the UK, the Investigatory Powers Act means that technical capability notices could be used to compel companies to introduce flaws \u2013 which could leave people\u2019s data vulnerable.\u201d<\/p>\n

A WhatsApp spokesperson told the Guardian: \u201cOver 1 billion people use WhatsApp today because it is simple, fast, reliable and secure. At WhatsApp, we\u2019ve always believed that people\u2019s conversations should be secure and private. Last year, we gave all our users a better level of security by making every message, photo, video, file and call end-to-end encrypted by default. As we introduce features like end-to-end encryption, we focus on keeping the product simple and take into consideration how it\u2019s used every day around the world.<\/p>\n

\u201cIn WhatsApp\u2019s implementation of the Signal protocol, we have a \u201cShow Security Notifications\u201d setting (option under Settings > Account > Security) that notifies you when a contact\u2019s security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and sim cards. In these situations, we want to make sure people\u2019s messages are delivered, not lost in transit.\u201d<\/p>\n

Asked to comment specifically on whether Facebook\/WhatsApp had accessed users\u2019 messages and whether it had done so at the request of government agencies or other third parties, it directed the Guardian to its site that details aggregate data on government requests by country.<\/p>\n

Concerns over the privacy of WhatsApp users have been repeatedly highlighted since Facebook acquired the company for $22bn in 2014. In August 2015, Facebook announced a change to the privacy policy governing WhatsApp that allowed the social network to merge data from WhatsApp users and Facebook, including phone numbers and app usage, for advertising and development purposes.<\/p>\n

Facebook halted the use of the shared user data for advertising purposes in November after pressure from the pan-European data protection agency group Article 29 Working Party in October. The European commission then filed charges against Facebook for providing \u201cmisleading\u201d information in the run-up to the social network\u2019s acquisition of messaging service WhatsApp, following its data-sharing change.<\/p>\n

–<\/p>\n

Source: BBC<\/p>\n","protected":false},"excerpt":{"rendered":"

A security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service. Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company […]<\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[106],"tags":[],"yoast_head":"\nWhatsApp backdoor allows snooping on encrypted messages - Citi 97.3 FM - Relevant Radio. Always<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WhatsApp backdoor allows snooping on encrypted messages - Citi 97.3 FM - Relevant Radio. Always\" \/>\n<meta property=\"og:description\" content=\"A security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service. Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/\" \/>\n<meta property=\"og:site_name\" content=\"Citi 97.3 FM - Relevant Radio. 
Always\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/citi97.3\" \/>\n<meta property=\"article:published_time\" content=\"2017-01-13T11:45:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i.guim.co.uk\/img\/media\/8168bf0de13542fd709bb691c5a643feee74ec0c\/0_112_3364_2019\/master\/3364.jpg?w=300&q=55&auto=format&usm=12&fit=max&s=9f41080db8dc452455b00c48e7399c17\" \/>\n<meta name=\"author\" content=\"Kojo Akoto Boateng\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@citi973\" \/>\n<meta name=\"twitter:site\" content=\"@citi973\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kojo Akoto Boateng\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/\",\"url\":\"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/\",\"name\":\"WhatsApp backdoor allows snooping on encrypted messages - Citi 97.3 FM - Relevant Radio. 
Always\",\"isPartOf\":{\"@id\":\"https:\/\/citifmonline.com\/#website\"},\"datePublished\":\"2017-01-13T11:45:19+00:00\",\"dateModified\":\"2017-01-13T11:45:19+00:00\",\"author\":{\"@id\":\"https:\/\/citifmonline.com\/#\/schema\/person\/1642ef473fe39bf0c4e2f2f252678eb1\"},\"breadcrumb\":{\"@id\":\"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/citifmonline.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WhatsApp backdoor allows snooping on encrypted messages\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/citifmonline.com\/#website\",\"url\":\"https:\/\/citifmonline.com\/\",\"name\":\"Citi 97.3 FM - Relevant Radio. 
Always\",\"description\":\"Ghana News | Ghana Politics | Ghana Soccer | Ghana Showbiz\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/citifmonline.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/citifmonline.com\/#\/schema\/person\/1642ef473fe39bf0c4e2f2f252678eb1\",\"name\":\"Kojo Akoto Boateng\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/citifmonline.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ba51f5385119e83762c67ecd6aa410ab?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ba51f5385119e83762c67ecd6aa410ab?s=96&d=mm&r=g\",\"caption\":\"Kojo Akoto Boateng\"},\"url\":\"https:\/\/citifmonline.com\/author\/kojo\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"WhatsApp backdoor allows snooping on encrypted messages - Citi 97.3 FM - Relevant Radio. Always","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/","og_locale":"en_US","og_type":"article","og_title":"WhatsApp backdoor allows snooping on encrypted messages - Citi 97.3 FM - Relevant Radio. Always","og_description":"A security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service. Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. 
But new research shows that the company […]","og_url":"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/","og_site_name":"Citi 97.3 FM - Relevant Radio. Always","article_publisher":"https:\/\/www.facebook.com\/citi97.3","article_published_time":"2017-01-13T11:45:19+00:00","og_image":[{"url":"https:\/\/i.guim.co.uk\/img\/media\/8168bf0de13542fd709bb691c5a643feee74ec0c\/0_112_3364_2019\/master\/3364.jpg?w=300&q=55&auto=format&usm=12&fit=max&s=9f41080db8dc452455b00c48e7399c17"}],"author":"Kojo Akoto Boateng","twitter_card":"summary_large_image","twitter_creator":"@citi973","twitter_site":"@citi973","twitter_misc":{"Written by":"Kojo Akoto Boateng","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/","url":"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/","name":"WhatsApp backdoor allows snooping on encrypted messages - Citi 97.3 FM - Relevant Radio. 
Always","isPartOf":{"@id":"https:\/\/citifmonline.com\/#website"},"datePublished":"2017-01-13T11:45:19+00:00","dateModified":"2017-01-13T11:45:19+00:00","author":{"@id":"https:\/\/citifmonline.com\/#\/schema\/person\/1642ef473fe39bf0c4e2f2f252678eb1"},"breadcrumb":{"@id":"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/citifmonline.com\/2017\/01\/whatsapp-backdoor-allows-snooping-on-encrypted-messages\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/citifmonline.com\/"},{"@type":"ListItem","position":2,"name":"WhatsApp backdoor allows snooping on encrypted messages"}]},{"@type":"WebSite","@id":"https:\/\/citifmonline.com\/#website","url":"https:\/\/citifmonline.com\/","name":"Citi 97.3 FM - Relevant Radio. 
Always","description":"Ghana News | Ghana Politics | Ghana Soccer | Ghana Showbiz","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/citifmonline.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/citifmonline.com\/#\/schema\/person\/1642ef473fe39bf0c4e2f2f252678eb1","name":"Kojo Akoto Boateng","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/citifmonline.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ba51f5385119e83762c67ecd6aa410ab?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ba51f5385119e83762c67ecd6aa410ab?s=96&d=mm&r=g","caption":"Kojo Akoto Boateng"},"url":"https:\/\/citifmonline.com\/author\/kojo\/"}]}},"_links":{"self":[{"href":"https:\/\/citifmonline.com\/wp-json\/wp\/v2\/posts\/284543"}],"collection":[{"href":"https:\/\/citifmonline.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/citifmonline.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/wp-json\/wp\/v2\/comments?post=284543"}],"version-history":[{"count":0,"href":"https:\/\/citifmonline.com\/wp-json\/wp\/v2\/posts\/284543\/revisions"}],"wp:attachment":[{"href":"https:\/\/citifmonline.com\/wp-json\/wp\/v2\/media?parent=284543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/citifmonline.com\/wp-json\/wp\/v2\/categories?post=284543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/citifmonline.com\/wp-json\/wp\/v2\/tags?post=284543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}