A U.S. researcher claims to have discovered a security backdoor that can allow Mark Zuckerberg’s staff to intercept and read encrypted WhatsApp messages, a claim the messaging app says is false.
Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, told The Guardian that due to the way WhatsApp has implemented its end-to-end encryption protocol, Facebook can intercept and read users’ messages.
The article explains that WhatsApp’s encryption relies on the “generation of unique security keys,” which are traded and verified between users to ensure that communications are secure and cannot be intercepted.
But Facebook (FB), which owns WhatsApp, has the ability to resend undelivered messages with a new security key, effectively allowing the company to access the ‘encrypted’ messages without the sender or recipient being aware or able to prevent it from happening. (The sender is alerted after the fact if they have opted in to encryption warnings.)
“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter, who reported the security vulnerability to Facebook in 2016, told The Guardian.
WhatsApp has denied The Guardian‘s claim, calling the story “false”. A spokesperson told Fortune in an email that the design decision exposed by Boelter does not “give governments a ‘backdoor’ into its systems” and instead “prevents millions of messages from being lost.”
“WhatsApp… would fight any government request to create a backdoor,” the statement reads. “The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
It continues: “WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”
This revelation has concerned privacy campaigners, including Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, who told the paper that the vulnerability was “a huge threat” to freedom of speech. “If you’re using WhatsApp to avoid government surveillance, stop now,” warned one Twitter user.
In April 2016, Open Whisper Systems, the privacy-focused nonprofit software group, revealed in a blog post that it had completed work to integrate its encryption technology into WhatsApp. All chats, group chats, attachments, voice notes, and voice calls on Android, iPhone, Windows Phone, Nokia S40, Nokia S60, Blackberry, and BB10 devices were said to be protected with strong encryption when users ran the latest version of the app.
The app also announced plans to make it clear whether a message is encrypted or not; for instance, members of a WhatsApp group would be notified about which messages were encrypted and which weren’t.
This article has been updated to reflect comment from WhatsApp
