A thirty-strong group of security researchers have co-signed an open letter calling for the Guardian to retract a story it published last week that had claimed mobile messaging app WhatsApp contains a “backdoor”.
“Unfortunately, your story was the equivalent of putting “VACCINES KILL PEOPLE” in a blaring headline over a poorly contextualized piece,” writes academic Zeynep Tufekci, who organized the open letter .
The letter goes on to argue the Guardian’s assertions are “very concretely endangering people”.
“My alarm is from observing what’s actually been happening since the publication of this story and years of experience in these areas,” writes Tufekci, adding: “You never should have reported on such a crucial issue without interviewing a wide range of experts.”
She has also made her views on the Guardian’s report and the potential consequences for at risk users of WhatsApp amply clear on Twitter…
WhatsApp also robustly rejected the Guardian’s claims of a “backdoor” in its platform as false when we contacted them last week for comment, telling us: “WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
We also contacted the author of the Signal Protocol, Moxie Marlinspike — who last year worked with WhatsApp to roll out the end-to-end encryption in a landmark move for security by expanding access to the robust and respected crypto across such a mainstream messaging platform.
In his email to TechCrunch Marlinspike dubbed the Guardian story “supremely inaccurate”.
The newspaper’s report is based on research by independent security researcher Tobias Boelter , who in April 2016 published details of what he described as a “retransmission vulnerability” in the way WhatsApp handles key exchanges when a message has not been delivered.
Users of the WhatsApp platform do have an option to turn on notifications for when a key has been changed — although this warning will only be delivered after the message itself has been sent. Hence Boelter arguing there’s a security risk for WhatsApp users.
Boelter said he flagged the issue to WhatsApp’s parent company Facebook at the time he wrote about it but was told it was “expected behaviour”.
Last week WhatsApp asserted the key retransmission process is a design decision — intended to minimize the risk of messages being lost in transit when, for example, someone gets a new phone or swaps out their SIM.
