A coalition of cryptographers and researchers has come together to demand the retraction of a Guardian article. The article contends that WhatsApp contains a security vulnerability which allows “Facebook (WhatsApp's parent company) and others to intercept and read encrypted messages”.
Now, an open letter has been written and signed by an array of leading security experts demanding the retraction of the Guardian's article. Penned by Zeynep Tufekci, an associate professor at the University of North Carolina's School of Information and Library Science, the letter damns the Guardian's reporting and recommends a retraction and an apology.
It adds that the conclusions of the article could be dangerous if journalists and activists take the article as factual and switch from a secure messaging system like WhatsApp to less secure means such as SMS or Messenger.
The letter is signed by Bruce Schneier and Bart Preneel, two of the world's leading cryptographers and security experts, among a host of others, including members of the Freedom of the Press Foundation, the Committee to Protect Journalists and the Electronic Frontier Foundation.
The Guardian has since removed the word ‘backdoor’, but stands by the ultimate story. A Guardian spokesperson told SC that “WhatsApp was approached prior to publication and we included their response in the story, as well as a follow-up comment which was received post-publication. While we stand by our reporting we have amended the article's use of the term ‘backdoor’ in line with the response and footnoted the articles to acknowledge this.”
Drawing on the work of German security researcher Tobias Boelter, the Guardian's article says that there is in fact a backdoor in the well-known private, end-to-end encrypted messaging system. WhatsApp's encryption is underpinned by security keys produced by the Signal protocol. But WhatsApp, the article claims, retains the ability to force-generate new keys without the knowledge of users. The generation of these keys is intended to allow messages which failed to reach their recipient to be re-encrypted under the new key and resent.
Boelter told the Guardian that, “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
The claims were met with quick and widespread controversy, with many in the security research community dismissing them, saying that Boelter's discovery was not a real backdoor, but rather a vulnerability that is very unlikely to be exploited.
Preneel, a signatory of the letter, told SC that “there is no backdoor in WhatsApp. The so-called backdoor is a deliberate design decision that improves usability. It deals with what happens when a message remains undelivered when it is sent to a user who just got a new smart phone or SIM card.”
WhatsApp, added Preneel, provides a convenient way for users to recover those messages: “the price paid is a tiny increase in vulnerability to a very sophisticated attack that only applies in the short window when users switch smart phones or SIM cards. For the large majority of users the decision made by WhatsApp is perfectly fine.”
WhatsApp has also dismissed the claims of the article: “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
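As an added illustration (not WhatsApp's or Signal's code, and not from the article), the following constructed model shows the two ways a client can handle the situation Preneel and WhatsApp describe: automatically re-encrypting undelivered messages under a contact's new key and resending them, with a security notification afterwards, versus holding them until the user verifies the new key. The Sender class, the on_key_change function and the 'auto'/'hold' policy names are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    """Constructed model of one sender's view of its contacts (not WhatsApp's code)."""
    trusted_keys: dict = field(default_factory=dict)   # contact -> key id trusted on first use
    undelivered: dict = field(default_factory=dict)    # contact -> plaintexts awaiting delivery
    held: dict = field(default_factory=dict)           # contact -> plaintexts held for verification
    notifications: list = field(default_factory=list)  # security notifications shown to the user

def encrypt(key_id, text):
    # Stand-in for real encryption; it only records which key the ciphertext is bound to.
    return f"enc[{key_id}]:{text}"

def send(sender, contact, text, delivered):
    """Encrypt under the currently trusted key; queue the plaintext if delivery fails."""
    ciphertext = encrypt(sender.trusted_keys[contact], text)
    if not delivered:
        sender.undelivered.setdefault(contact, []).append(text)
    return ciphertext

def on_key_change(sender, contact, new_key, policy):
    """Handle a new key for `contact` (e.g. a new phone or SIM card).
    'auto': re-encrypt queued messages under the new key, resend, then notify the user.
    'hold': keep queued messages until the user has verified the new key."""
    old_key = sender.trusted_keys.get(contact)
    sender.trusted_keys[contact] = new_key
    queued = sender.undelivered.pop(contact, [])
    if policy == "auto":
        resent = [encrypt(new_key, t) for t in queued]
        sender.notifications.append(f"{contact}: key changed {old_key}->{new_key}; {len(resent)} resent")
        return resent
    sender.held[contact] = queued
    sender.notifications.append(f"{contact}: key changed {old_key}->{new_key}; {len(queued)} held")
    return []

def verify_and_release(sender, contact):
    """Under 'hold': the user has compared fingerprints, so resend under the verified key."""
    key = sender.trusted_keys[contact]
    return [encrypt(key, t) for t in sender.held.pop(contact, [])]

def demo(policy):
    # Constructed scenario: one delivered message, one stuck while the contact is offline,
    # then the contact's key changes before the stuck message gets through.
    s = Sender()
    s.trusted_keys["alice"] = "K1"
    send(s, "alice", "hello", delivered=True)
    send(s, "alice", "are you there?", delivered=False)
    resent = on_key_change(s, "alice", "K2", policy)
    return s, resent
```

Under 'auto' the queued message goes out under K2 and the user only learns of the key change afterwards; under 'hold' nothing is resent until verify_and_release is called, which is the usability cost WhatsApp's design avoids.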
Boelter and Tufekci did not respond to requests for comment in time for publication.