6 min read
Can WhatsApp see your personal and group messages? The answer is very clear: YES.
So how can an application that claims to use E2EE (End-to-End Encryption) do this? Let's examine the technical vulnerabilities that make this possible.
1. Public Shared Key Problem
The Public Shared Key is used in cryptology for PQR (Post-Quantum Resistance). It ensures that the key used for encryption/decryption is generated to be resistant to Quantum computers, thanks to Bernstein's work.
You send an average of 100 PreShared-Keys to WhatsApp every week. This means: "These are my Public Keys for those who want to communicate with me. Please communicate with me using these public keys." As these keys run low, you send your new public keys to WhatsApp servers.
But there's a critical problem: we don't know if the public key of the person we're talking to is really their public key. If WhatsApp gives us one of its own keys as Bob's Pre-Shared Key, it's directly performing a MITM (Man-In-The-Middle) attack.
WhatsApp offers a solution to verify this, saying, "Check your Root key generated from the pre-shared key with your friend. If it's not the same, the person you're talking to is not that person." That's why when someone uninstalls and reinstalls WhatsApp, it warns, "The security code of the person you're talking to has changed. Please check."
This requires distributed and independent PreSharedKey servers, but of course, WhatsApp doesn't support this and won't until they come up with a solution against it.
2. Multi-device Problem
You can now use WhatsApp on multiple devices, even just the Desktop application without scanning a QR code.
A problem arises here. The information that you've logged in on another device is information that comes to you from WhatsApp servers, and if WhatsApp doesn't send you this information, a problem arises where it can read your messages on other devices as well.
Signal developed the "Sesame Algorithm" as a precaution for this. However, there's no information that WhatsApp uses this protocol.
When you use multiple devices, each device needs to safely receive encryption keys. Without a proper protocol like Sesame, this makes security vulnerabilities.
3. Fast-Forward Problem
After you send someone a large file, when you forward that file to someone else, it goes instantly. WhatsApp explains that they do this for optimization on their servers, but this explanation isn't convincing or realistic.
In a truly end-to-end encrypted system, forwarding should require re-encryption with the new recipient's keys, which takes time for large files. The instant forwarding suggests WhatsApp may have access to unencrypted content.
4. Group Messaging Problem
Group E2EE has been a long-discussed problem. Signal had previously found a very primitive solution to this problem, establishing E2EE with each person separately and sending the message to each one individually. So if there were 20 people in the group, your message was encrypted and sent separately to 20 people.
Later, the MLS (Messaging Layer Security) protocol was developed as a solution for this problem. WhatsApp doesn't use the MLS protocol, but rather an intermediate solution called Session Based Key. Briefly, you can think of it as the group administrator distributing the group's key to other members.
This approach introduces potential vulnerabilities in how group encryption keys are managed and distributed.
5. Group Video Conference Problem
Video conferencing and encryption is one of the biggest challenges in the streaming world.
When you have a video conference on WhatsApp or Zoom, your video images are combined on Media Streaming servers and sent to other Peers as a single video. This process requires the server to have access to unencrypted video streams.
Signal, by contrast, streams separately to each Peer. Because the data is encrypted, it can't be processed on the server side. The MLS solution can't be used here as in group messaging.
That's why Signal supports video conferencing for a limited number of people. This approach brings many optimization challenges, battery problems, and network issues, but maintains true end-to-end encryption.
6. Revenue Problem
It's estimated that about 100 billion messages are sent daily via WhatsApp. You can more or less guess the money needed to operate servers that handle such enormous demand.
The problem is this: Why is WhatsApp providing such a service for free?
Could it be that Meta (formerly Facebook), with its business model built on data harvesting, is spending this money for people to message comfortably and safely, while it could be making money from such information?
7. Metadata Issue
Some other end-to-end encrypted applications claim that WhatsApp processes meta-data and makes inferences from it, claiming that they don't do such a thing. But this is probably one of the last sources of information for WhatsApp.
Even with perfect message encryption, metadata analysis can reveal who you talk to, when, how often, and patterns of communication that can be highly revealing.
8. Real-life Anomalies
A businessman I personally spoke to told me that when he went abroad, authorities put all his WhatsApp correspondence in front of him, and he didn't even know he had corresponded with so many people.
Also, WhatsApp correspondences appearing in court cases have become quite common.
Some might argue that the other person's device was compromised, but it's not that simple. WhatsApp claims to implement "Deniability" - you should be able to cryptologically deny your correspondence with the person you're talking to. But unfortunately, this doesn't seem to be achieved in practice.
Some might wonder, "Will WhatsApp follow me specifically?" No, they're not tracking individuals in isolation. But you're part of the whole, and they're conducting data analysis from big-data for marketing purposes.
Conclusion
No messaging application connected to a server is truly secure. As I've written before, what we need is not E2EE but P2PE (Peer-to-Peer Encryption). True security comes from eliminating the server as a potential point of vulnerability.
In a P2PE system, messages would travel directly between users without passing through or being stored on central servers. This would eliminate many of the vulnerabilities described above and give users true control over their communications.
Until we achieve that, we should maintain healthy skepticism about claims of "unbreakable" encryption from any service that maintains central servers and a business model that doesn't transparently explain how they cover their enormous operational costs.