

As a private chat forum, WhatsApp has no equal, not in Indian subcontinent, not in the world. Globally, the American freeware, cross-platform messaging service, owned by Facebook, boasts 2 billion users across 180 countries. With an estimated 65 billion messages being transmitted daily apart from 2 billion minutes of voice and video calls being made every day in 2018, it is undoubtedly the world's most popular messaging service.





In Indian subcontinent, its user base of over 500 million makes the country WhatsApp's largest market. Besides being free, WhatsApp is simple to use, allows one to send text, audio and video messages and documents. But, most of all, it promises privacy and secrecy of communication, assuring every user that "messages and calls are end-to-end encrypted. No one outside of this chat, not even WhatsApp, can read or listen to them".





This reputation of confidentiality that the messaging service enjoyed has now come under a cloud in India. Serious concerns are being raised about WhatsApp's ability to protect a person's privacy apart from preventing content from being transmitted and stored on its service from unauthorized access and misuse. Ironically, the erosion of trust began with a series of unrelated recent incidents.





The alarming rate at which law enforcement agencies are accessing and using WhatsApp chats as incriminating evidence is increasingly making users wary of the security and privacy apparatus of this most widely-used messenger platform in the world.Data security experts assert that WhatsApp is not the only messenger platform susceptible to breach. Other popular apps like Telegram, Signal and iMessage are as vulnerable.







Messages sent across these platforms, including WhatsApp, are end-to-end encrypted and cannot be intercepted during transmission. In other words, they claim that when you send a WhatsApp message to someone, the particular message, whether audio, video, image or text, cannot be intercepted by anyone during the time it first travels to the WhatsApp server and from there to the recipient's phone.





WhatsApp has repeatedly claimed that end-to-end encryption ensures only the sender and recipient and nobody in between, not even WhatsApp, can read what's sent. Is it true? "Messages sent on WhatsApp are secured with locks, and only the recipient and sender have the special keys needed to unlock and read your messages.





All of this happens automatically, and there is no need to turn on settings or set up special secret chats to secure your end-to-end encrypted messages," claims a WhatsApp spokesperson. Most cyber experts agree that the interception of these encrypted messages during transmission is near-impossible. "It is not easy to decrypt encrypted messages.





What enforcement agencies are passing off as decrypting messages is more a case of recovering the backup on the user's phone, and accessing the messages," says Jaijit Bhattacharya, president, Centre for Digital Economy Policy Research. In fact, this end-to-end encryption is why WhatsApp has often expressed helplessness to law enforcement agencies about fake news and hate messages transmitted via the app, as it has no way of knowing what is being sent or received.





While traceability is beyond law now, what these message services are silent on are the areas your chats are vulnerable in. All electronic messages transmitted from one phone to another are stored in four places from where data can be retrieved later, the phone memory of the sender as well as of the receiver, the server of the service provider, be it WhatsApp, Telegram, Signal or iMessage, and on the cloud, should the user have allowed it in his settings. Besides, messages are not encrypted in storage, which means anyone with access to the sender/ receiver's phones can read those messages.





Hackers and even government agencies are alleged to be using spyware to spy on targeted phones where decrypted messages can be read live or even retrieved. Several WhatsApp accounts were hacked worldwide by the Pegasus remote surveillance software made by Israel-based cyber tech firm, NSO.







The most famous instance was in 2018, when Jeff Bezos, CEO of Amazon, had his mobile phone hacked after receiving a WhatsApp message purportedly sent from the personal account of the crown prince of Saudi Arabia. "Once a hacker accesses a phone, either through physical possession or through hacking, he or she can virtually collect all the data inside the phone," says cybersecurity expert Subimal Bhattacharjee.





It's equally easy to hack into the cloud backup of such messages. In the case of WhatsApp, if the user activates the backup option, the message gets stored in Google Drive or iCloud. One then only has to uninstal and re-instal WhatsApp on the same phone or another using the same SIM card to retrieve the back-up on Google Drive or iCloud.





Most chat platforms claim they don't store private messages of users on their servers. "WhatsApp does not store private messages on its servers once they're delivered. If a message cannot be delivered immediately (say, if a person is offline), it may be kept on WhatsApp servers for up to 30 days as it tries to deliver it. If a message is still undelivered after 30 days, it is deleted," explains a WhatsApp spokesperson.





In this respect, WhatsApp and Signal score over Telegram, which doesn't have end-to-end encryption as its default setting. Only if the user exercises the "Secret Chat" option are messages transmitted through end-to-end encryption in Telegram. Even so, the choice is not available for group chat. When Secret Chat is not activated, the messages travel encrypted from the sender's device but get decrypted on Telegram's server, which means messages can be read.







Again, the messages are encrypted on the server and sent to the recipient's device, where they are finally decrypted. So, if someone succeeds in hacking into Telegram's server, they can access users' private messages. In theory, law enforcement agencies can also access data stored on Telegram servers with an official request, though the Dubai-based platform is known for not being cooperative with authorities.









---IT





