New treaty will allow UK to request data, not backdoor, from US social media companies like WhatsApp
Social media apps like WhatsApp will be obligated to share with the UK what they already share with the US under a proposed United States-United Kingdom treaty called the CLOUD Act. From what security experts are gleaning from the law, the CLOUD Act opens up to the UK the data requests that WhatsApp usually fills for the US. More specifically, it allows a path for legitimate requests for data from UK law enforcement, the kind that are already filled for US law enforcement. Currently, other countries can only officially request basic information, such as IP address, during an investigation. This most recent Act can be seen as a continuation of recent talks by Five Eyes nations to plan how they will deal with the “scourge” of end-to-end encrypted messaging.
Does this force a backdoor to WhatsApp?
The wording has caused some to worry that the language can be used to force WhatsApp to add a backdoor – or share an existing backdoor with the UK. The Times in London first reported this story with titles that left room for interpretation that messages would somehow be decrypted before being sent across the border, and that the sharing would happen without US court oversight.
WhatsApp’s Will Cathcart responded to the story in a Hacker News comment. He clarified WhatsApp’s official stance on this treaty forcing WhatsApp to build a backdoor for UK use:
“We were surprised to read this story and are not aware of discussions that would force us to change our product. We believe people have a fundamental right to have private conversations. End-to-end encryption protects that right for over a billion people every day.
We will always oppose government attempts to build backdoors because they would weaken the security of everyone who uses WhatsApp including governments themselves. In times like these we must stand up both for the security and the privacy of our users everywhere. We will continue to do so.”
Is there an existing backdoor to WhatsApp?
The UK has claimed since earlier this year that they have a way to break WhatsApp’s encryption – though most range from suspicious to incredulous regarding that claim. This claim was reported by The Independent, which asked about the specifics of their decryption technique, and was only able to share this answer with the world:
“Details of the method used cannot be disclosed for security reasons, but sources said they now have the technical expertise to repeat the process in future.”
The CLOUD Act will likely lead to sharing of WhatsApp metadata
Even in the status quo scenario where WhatsApp’s encryption isn’t broken by the UK, the metadata that will be shared will still satisfy some of the wants and needs of law enforcement. When Facebook first bought WhatsApp, the thought that WhatsApp’s data on such a large number of users would fall into the unscrupulous hands of Facebook was alarming enough by itself. While this has long since inevitably happened, the further inevitable next step, that any account data – including metadata and potentially-crackable-now-or-in-the-future data – would then be shared with government(s), is now upon us.
Metadata alone is enough to break someone’s privacy. For a more in-depth look at why the metadata about end-to-end encrypted messages is still valuable to law enforcement agencies, check out Rick Falkvinge’s 2014 article on the Private Internet Access blog that highlights the value of metadata – for Facebook, not just law enforcement. The fact that law enforcement around the world continually targets this metadata clues in internet users that they need to up their OpSec game.