Security experts call story about WhatsApp 'backdoor' totally 'false'
Last week, The Guardian published a bombshell "exclusive" report claiming to reveal disturbing information about a "backdoor" into WhatsApp's encrypted messaging platform. According to the story, the vulnerability could potentially expose the service's user base of over a billion to "snooping" by prying eyes.
SEE ALSO: Sad! Trump reportedly forced to give up the phone he tweets with
The article was met with near-immediate backlash from information security experts and cryptologists, who took to Twitter to voice their complaints. Many alleged the article misrepresented a feature of the encryption WhatsApp's parent company, Facebook, called "expected behavior."
Statements from WhatsApp and Open Whisper Systems, the development team behind WhatsApp's encryption, decried the story as well, calling it "false" and "disappointing."
Now, many of those critical voices are calling for action. An open letter signed by 40 security experts requests that The Guardian retract the story, issue an apology and make efforts to ensure that similar reports won't be filed in the future without proper due diligence.
View image on TwitterView image on TwitterView image on Twitter
Follow
Zeynep Tufekci ✔ @zeynep
Secure communication is crucial. Plea from cryptographers & researchers on Guardian's irresponsible WhatsApp piece: http://technosociology.org/?page_id=1687
6:35 AM - 20 Jan 2017
812 812 Retweets 654 654 likes
The letter addressed to the "Guardian Editors" was written by sociologist Zeynep Tufekci, who characterizes the report as being "the equivalent of putting 'VACCINES KILL PEOPLE' in a blaring headline over a poorly contextualized piece."
She later claims the story has already led to real-world ramifications, citing reports of the Turkish media labeling WhatsApp as unsafe, prompting concerned users to move their vulnerable communications to "services that are strictly less secure than WhatsApp."
"People’s lives and safety are at stake," she writes.
16 Jan
Zeynep Tufekci ✔ @zeynep
That's what false scaremongering about privacy is like. Polio, almost eradicated, is still around because it survived in Pakistan-Peshawar.
Follow
Zeynep Tufekci ✔ @zeynep
Thanks to Guardian's irresponsible & baseless WhatsApp reporting, I'm flooded w reports of vulnerable folk switching to less secure options.
5:19 PM - 16 Jan 2017
66 66 Retweets 54 54 likes
According to Tufekci, the problem here isn't just the tone of The Guardian's story — the information contained within is either willfully or unintentionally misleading its audience.
"The behavior described in your article is not a backdoor in WhatsApp [emphasis hers]," she writes, claiming that her position holds the "overwhelming consensus of the cryptography and security community."
The Guardian's article cites findings from UC Berkley doctorate student Tobias Boelter. He claims that WhatsApp's vulnerability stems from its end-to-end encryption's handling of messages sent to offline users in the event of a change of phone or SIM card. Rather than requiring its users to reconfirm their security keys in order for the message to be received, WhatsApp sends along the undelivered message automatically, informing the recipient afterward that the security key changed.
He (and then The Guardian) compared that system to another secure messaging app, Signal, which is held by many to be the gold standard for end-to-end encryption. Rather than letting the messages through, Signal blocks them until the keys can be reconfirmed.
That said, Signal and WhatsApp's end-to-end encryptions use the same protocol from Open Whisper Systems — this is the only way their systems differ.
And according to Tufecki, this isn't a "backdoor" — it's a means to increase reliability for WhatsApp users, who often have different priorities than those depending on Signal. "The very thing that makes Signal a recommendation for people at high risk — that it drops messages at any sign of hiccup — prevents a large number of ordinary people from adopting it," she writes.
She calls Boelter "a single well-meaning graduate student," whose inexperience and enthusiasm at finding a potential issue with one of the world's most popular app's security likely led him to "overestimate the practical impact" of the vulnerability.
Rather than holding him responsible, she criticizes The Guardian for its lack of due diligence in confirming Boelter's findings with other experts (both WhatsApp and Open Whisper Systems claimed they were not contacted before the article was published) and calls for the publication, which she still says she harbors "great respect for," to retract the story.
When reached for comment by Mashable, a Guardian spokesperson provided us with this statement:
"We ran a series of articles highlighting and discussing a verified vulnerability in WhatsApp and its potential implications. WhatsApp was approached prior to publication and we included its response in the story, as well as a follow up comment which was received post-publication. While we stand by our reporting we have amended the article's use of the term 'backdoor' in line with the response and footnoted the articles to acknowledge this. We are aware of Zeynep Tufekci's open letter and have offered her the chance to write a response for the Guardian. This offer remains open and we continue to welcome debate."
We were unable to reach Tufecki for comment, but a recent Tweet makes her position on The Guardian's offer to write a response clear:
6h
Zeynep Tufekci ✔ @zeynep
As an update to thread: an open letter to the Guardian signed by some of world's top cryptographers & researchers http://technosociology.org/?page_id=1687 pic.twitter.com/jCA4eVUxVu
Follow
Zeynep Tufekci ✔ @zeynep
My writing a piece for the Guardian is not the answer. Guardian needs to retract, explain, learn from. https://twitter.com/Mike_Mimoso/status/822542695390474241 …
10:36 PM - 20 Jan 2017
10 10 Retweets 16 16 likes
With interest in secure messaging high in today's turbulent political climate, it's important for users to educate themselves on the systems they trust with their most vulnerable information. While the response to The Guardian's report from the security community was strong and swift, the potential vulnerability to WhatsApp still exists, even if it is tiny. To help decide if WhatsApp's system works for you, we suggest reading more about it in the Electronic Frontier Foundation's report on the topic.
BONUS: The best way to understand encryption is through this tale of love and mystery
0 Comments