Part 2: WhatsApp, encryption and the battle with law enforcement
As communications companies strengthen their encryption standards to the point where it’s virtually impossible for law enforcement to access user data, irrespective of the justification, the question arises whether there are any options available to circumnavigate end-to-end encryption.
The answer to is yes, at least in theory. Given that apps run on a user’s device, a company like WhatsApp should be able to create a version which enables communication content capture between two or more persons or phone numbers of interest to law enforcement. The means to implement these features are numerous and relatively simple, but costly and not without risk.
A hypothetical example of how this hidden functionality within the application could be implemented would look something like this:
- Law enforcement requests the legal right to monitor one or more targets.
- A judge issues a court order to WhatsApp.
- WhatsApp, through its legal access to the internal system (which would need to be built), permits the targeting of specific telephone numbers and/or application IDs, and from that point onward captures any conversations.
- Each time a connection to WhatsApp servers is made, a query is conducted to see if the number or ID connecting is on a list of monitored numbers. If so, every message sent and received by that number/ID from that point on is sent without end-to-end encryption to WhatsApp servers or with a cryptographic key that WhatsApp has access to. This would be another feature that would have to be built into the application. In addition, investigation targets would need to have updated their version of WhatsApp to incorporate these changes.
- The content of these conversations could then be stored in a location accessible only by law enforcement or the WhatsApp department responsible for meeting judicial obligations.
The cost involved alone is doing this would be significant, including construction of an internal monitoring system, construction of functionality to monitor specific targets and construction of supporting functionality on the server side, for example. And the purpose of this hypothetical monitoring system is ultimately at odds with WhatsApp’s stated goal of strictly safeguarding user privacy.
However, while WhatsApp cannot save the content of users’ messages, that does not necessarily mean they do not have access to communications metadata indicating who has talked to whom, how long specific interactions lasted, potential connections between suspected targets and the volume of data between one suspect and another. While no substitute for the content of messages, these data certainly have potential value for law enforcement.
Right now, it appears we are at a stalemate with technology communications companies opting to prioritize the protection of user privacy over the interests of law enforcement investigating potential criminal or terrorist activity. And so far many of these companies appear unmoved by law enforcement pleas, regardless of the potential threat at hand. Given that many of these same companies effectively monetize user metadata for marketing purposes, their claims to be upholding absolute privacy for their customers are not likely to persuade those who advocate a more cooperation stance vis-à-vis law enforcement.
As digital communications become near-ubiquitous, the idea that all such communications should be “private” and inaccessible under any circumstances is unfathomable to many. Stay tuned: This battle is far from over.