It’s being called Turkey’s WhatsApp coup – which pretty much says it all. Putting aside the whys and wherefores of the political situation, and viewed purely as a technical issue, the failed coup is a serious black eye for WhatsApp’s claims of security, encryption and privacy protection.
The situation came to light when Turkey’s state-run media outlets published transcripts of the WhatsApp conversations between the high-ranking military officers planning the coup. As the SC Magazine headline says, it absolutely does put “WhatsApp in the spotlight.”
The question remains as to how the Turkish government obtained the messages, with speculation rife as to whether it was a security flaw, device spyware, or, most troubling of all, an undeclared but sanctioned backdoor. Whatever the method, the WhatsApp chat leak put an end to the coup before it had really begun.
Even while this has been going on, WhatsApp is in hot water in South America, as for the third time since December the messaging app has been blocked by the Brazilian judiciary. This time Brazilian federal prosecutors have frozen almost US$12 million of WhatsApp’s assets for failing to turn over messages related to a criminal investigation.
There is a real issue of trust at stake. Brazil’s consumers can’t trust that WhatsApp won’t suddenly be blocked for an unknown amount of time; the Brazilian government can’t trust WhatsApp to keep encrypted messaging out of the hands of criminals; and those involved in the planned coup in Turkey couldn’t trust the app to keep their secret safe.
Individually these problems would be significant – taken together they begin to suggest something even more troubling. How did the government in Turkey obtain the transcripts of the coup conversations? Why, if Brazil is so actively combative about criminal use of WhatsApp, are the rest of the world’s governments seemingly unconcerned? Strangely, perhaps the answer could have just arrived from Russia.
The Russian Federal Security Service (FSB) has just announced that it has the ability to collect encryption keys that enable the creation of a back door for WhatsApp and similar consumer messaging app Telegram. Putin challenged them to achieve this feat on the 7th July – and just two short weeks later the FSB website states they have it sewn up. Did they really manage this in a fortnight, or did they have the capability before? Is it a wind-up, and they are secretly still in the dark? Although we can’t know for sure right now, it seems unlikely that if it were the latter, Putin would have made an issue of it so publicly.
Imagine, for the sake of argument, that this wasn’t an isolated ability, and the rest of the world’s governments could access WhatsApp, through a backdoor or by bypassing their encryption. Would that explain what appears to be the global lack of concern?
In fact, theoretically, for a government agency it would be ideal to let people think that the consumer app they are using is a secure, encrypted platform, and therefore speak freely, all the while knowing that it could be accessed at will.
At CSG we envisaged the issues around making real encryption available anonymously, which is why our Cellcrypt and Seecrypt messaging apps are only available following a screening and vetting process; what we call Responsible Encryption. We can also proudly state that they have never been compromised, and are world-leading in certification.
When trying to gain a complete picture of a complex scenario it is always useful to examine not just what is being said, but what isn’t. As for what’s really happening in the world of encrypted consumer apps, in light of the FSB’s revelations, perhaps WhatsApp’s statement will cast more light on the situation. If and when they make one, that is.
Harvey Boulter, Group Chairman, Communication Security Group