A security loophole in the WhatsApp messaging app could allow the UK government to legally read supposedly secure encrypted messages, according to a law firm.
The back door through WhatsApp’s security could potentially be used by the UK government to legally force Facebook, the app’s owner, to give access to messages.
Facebook’s site says “we apply strict legal and privacy requirements” before complying with any requests for access to data from law enforcement officials. However, it could do little to stand in the way of UK officials, according to a law firm.
Patrick Arben, partner at law firm Gowling WLG, said: “In order for it to be done lawfully it would need to be done within the framework of the Investigatory Powers Act which came into force in November of last year.
“The Act goes some way to simplifying the surveillance and investigatory powers and rights that were previously spread across multiple pieces of legislation,” he added.
WhatsApp uses Signal encryption from Open Whisper Systems, a non-profit coding group dedicated to ensuring private communications are possible over the internet.
However, WhatsApp pointed to a feature which allows users to switch phones without losing messages as the reason for the so-called “back door”. The app has a setting in its menu which allows users to be notified when “a contact's security code has changed”, rather than the undelivered messages simply being sent on under the new key without warning.
A WhatsApp spokesperson said: “The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a ‘back door’ allowing governments to force WhatsApp to decrypt message streams. This claim is false.
“WhatsApp does not give governments a ‘back door’ into its systems and would fight any government request to create a back door. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.
“WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report,” the spokesperson added.
To be notified when a contact's security code has changed (and so be warned that the conversation could in principle have been accessed by a third party), users can tick the "Show Security Notifications" setting. The setting is found under Settings > Account > Security.
Notifications can be triggered by contacts changing phone or SIM card.
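The behaviour described above, as an added illustration that is not WhatsApp's or Signal's own code: a simplified client keeps a fingerprint ("security code") of each contact's identity key, and when the server presents a different key it either re-sends queued messages under the new key silently, re-sends them but raises an alert (the "Show Security Notifications" setting), or, under a stricter policy not described on this page and assumed here for comparison, holds them until the user has verified the new code. The fingerprint derivation and all keys and messages are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

def security_code(identity_key: bytes) -> str:
    # Constructed stand-in for the code on the "Verify security code" screen.
    return hashlib.sha256(identity_key).hexdigest()[:12]

@dataclass
class Contact:
    identity_key: bytes
    key_changed: bool = False   # changed since the user last verified it

@dataclass
class Client:
    show_security_notifications: bool   # the setting the article describes
    hold_until_verified: bool = False   # stricter policy, assumed, not on page
    contacts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # undelivered (name, text)
    sent: list = field(default_factory=list)     # (name, code used, text)
    alerts: list = field(default_factory=list)
    def flush(self):
        # Deliver queued messages under whatever key is on file for the contact.
        remaining = []
        for name, text in self.outbox:
            c = self.contacts[name]
            if self.hold_until_verified and c.key_changed:
                remaining.append((name, text))
                continue
            self.sent.append((name, security_code(c.identity_key), text))
        self.outbox = remaining
    def key_announced(self, name, new_key):
        # The server presents a (possibly new) identity key for the contact.
        c = self.contacts[name]
        if new_key != c.identity_key:
            old, c.identity_key, c.key_changed = security_code(c.identity_key), new_key, True
            if self.show_security_notifications:
                self.alerts.append(f"{name}: security code changed {old} -> {security_code(new_key)}")
        self.flush()   # queued messages go out under the key now on file
    def mark_verified(self, name):
        # User compared the new code with the contact out of band.
        self.contacts[name].key_changed = False
        self.flush()

def scenario(show_notifications, hold=False):
    # Constructed run: two messages queued while Bob is offline, then the
    # server presents a different identity key for Bob.
    me = Client(show_notifications, hold, {"bob": Contact(b"bob-key-1")})
    me.outbox += [("bob", "hi"), ("bob", "call me")]
    me.key_announced("bob", b"bob-key-2")
    return me
```

With notifications off the two queued messages leave under the new key with no visible sign; with them on the same messages leave but an alert is recorded; only the stricter hold policy keeps them in the outbox until the code is verified.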