Why WhatsApp Will Never Be Secure
Pavel Durov — May 16, 2019
The global community was shocked by the news that WhatsApp had turned any phone into a spying device. Hackers could access all your data, including photos, emails, and SMS, simply because WhatsApp was installed on your phone[1]. This news didn’t surprise me. Last fall, WhatsApp admitted to a similar issue—just one video call through WhatsApp could give an attacker access to all the data on your phone[2].
Every time WhatsApp fixes a critical vulnerability, a new one appears in its place. All these vulnerabilities are suspiciously well-suited for surveillance. They look very much like backdoors—deliberately built-in loopholes that allow access to data.
Unlike Telegram, WhatsApp’s code is closed, so independent experts can’t easily check the app for backdoors. WhatsApp not only keeps its code closed; it goes further and deliberately obfuscates the code to make it impossible to study.
It’s quite likely that Facebook, which owns WhatsApp, is forced to build in backdoors under the infamous FBI gag orders[3]. Developing a secure communication app based in the US isn’t easy. In just one week that our team spent in the US in 2016, the FBI tried three times to negotiate “special access” to data[4][5]. Now imagine what could happen over 10 years with an American company.
I understand that intelligence agencies justify the need for backdoors with anti-terrorism arguments. The problem is, once a backdoor is built in, it can be used by anyone, including criminals and authoritarian regimes. No wonder dictators love WhatsApp. As long as people use it, they can be monitored. That’s why WhatsApp remains available in countries like Russia or Iran, where Telegram is banned by authorities[6].
I actually started working on Telegram in response to personal pressure from Russian authorities. Back in 2012, WhatsApp was transmitting data over the network without any encryption at all. It was complete madness: not only governments and hackers, but also mobile operators and even WiFi hotspot owners could read all WhatsApp users’ messages[7][8].
Later, WhatsApp added encryption, but it quickly became clear that this was just a marketing trick: at least several intelligence agencies, including Russian ones, had access keys[9]. When Telegram started gaining popularity, WhatsApp’s founders sold their company to Facebook and suddenly claimed that “privacy is in their DNA”[10]. If so, it must have been a recessive or dormant gene.
Three years ago, WhatsApp announced the introduction of end-to-end encryption, claiming that “third parties cannot access messages.” At the same time, the company began urging users to back up their chats to the cloud. WhatsApp didn’t clarify that the new encryption doesn’t apply to backups, so all user messages became accessible to hackers and law enforcement. A great marketing move that has landed many naive people in jail[11].
Even if you resisted the persistent prompts to enable backups, you can still be monitored on WhatsApp through other means—from accessing your contacts’ backups to stealthily swapping encryption keys in chats[12]. In addition, WhatsApp provides authorities with streams of user metadata—records of who communicated with whom, when, and where[13]. Add to this the ever-changing vulnerabilities that make all data on your phone accessible to third parties.
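The "swapping encryption keys in chats" point above comes down to one design decision on the sender's side: what a client does when the key server suddenly serves a different identity key for a contact. The following is an added example, not code from WhatsApp, Telegram or Signal. It models that decision with constructed stand-in keys (SHA-256 digests of fixed strings) and no real encryption; the names `KeyServer`, `Client`, the two policy strings and the `run_scenario` helper are all assumptions made for the illustration. It contrasts a client that silently adopts the new key and sends anyway with one that holds the message until the user has compared fingerprints over another channel.

```python
"""Trust-on-first-use (TOFU) identity-key pinning with key-change detection.

Added example: a toy model of the sender side of an end-to-end encrypted
messenger. It is not WhatsApp, Telegram or Signal code. "Keys" are
constructed byte strings and "encryption" is only recording which key a
message was bound to; the subject is the policy applied when a contact's
identity key changes, not the cryptography.
"""
import hashlib
from dataclasses import dataclass, field


def fingerprint(identity_key: bytes) -> str:
    """Short displayable fingerprint of an identity key (SHA-256 prefix)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class KeyServer:
    """Stand-in for the provider's key directory: contact -> identity key."""
    keys: dict = field(default_factory=dict)

    def publish(self, contact: str, identity_key: bytes) -> None:
        self.keys[contact] = identity_key

    def lookup(self, contact: str) -> bytes:
        return self.keys[contact]


@dataclass
class Client:
    policy: str                       # "silent_reencrypt" or "block_until_verified"
    server: KeyServer
    pinned: dict = field(default_factory=dict)   # contact -> fingerprint seen first
    outbox: dict = field(default_factory=dict)   # contact -> held plaintexts
    sent: list = field(default_factory=list)     # (contact, fingerprint, text)
    alerts: list = field(default_factory=list)   # (contact, old_fp, new_fp)

    def send(self, contact: str, text: str) -> str:
        """Return "sent" or "held". Pin on first use; react to a change by policy."""
        new_fp = fingerprint(self.server.lookup(contact))
        old_fp = self.pinned.get(contact)
        if old_fp is None:
            self.pinned[contact] = new_fp        # TOFU: nothing to compare against yet
        elif old_fp != new_fp:
            self.alerts.append((contact, old_fp, new_fp))
            if self.policy == "block_until_verified":
                self.outbox.setdefault(contact, []).append(text)
                return "held"
            # silent_reencrypt: adopt whatever key the server now serves.
            # The user may see a notice later, but the message is already gone.
            self.pinned[contact] = new_fp
        self.sent.append((contact, new_fp, text))
        return "sent"

    def verify(self, contact: str, fingerprint_read_out_of_band: str) -> int:
        """User compared fingerprints over another channel. Accept the key only
        if the out-of-band value matches what the server now serves, then
        release held messages. Returns the number of messages released."""
        served_fp = fingerprint(self.server.lookup(contact))
        if fingerprint_read_out_of_band != served_fp:
            return 0                             # mismatch: keep holding
        self.pinned[contact] = served_fp
        released = self.outbox.pop(contact, [])
        for text in released:
            self.sent.append((contact, served_fp, text))
        return len(released)


def run_scenario(policy: str) -> dict:
    """Bob's key changes between two messages from Alice. Report what was sent."""
    bob_key_1 = hashlib.sha256(b"bob-device-1").digest()   # constructed stand-in keys
    bob_key_2 = hashlib.sha256(b"bob-device-2").digest()
    server = KeyServer()
    server.publish("bob", bob_key_1)
    alice = Client(policy=policy, server=server)
    first = alice.send("bob", "meet at 9")
    server.publish("bob", bob_key_2)        # reinstall, new phone, or an interposed key
    second = alice.send("bob", "bring the documents")
    return {
        "results": (first, second),
        "sent_under": [fp for _, fp, _ in alice.sent],
        "alerts": len(alice.alerts),
        "held": sum(len(v) for v in alice.outbox.values()),
        "key1": fingerprint(bob_key_1),
        "key2": fingerprint(bob_key_2),
        "client": alice,
    }


if __name__ == "__main__":
    for policy in ("silent_reencrypt", "block_until_verified"):
        r = run_scenario(policy)
        print(policy, r["results"], "alerts:", r["alerts"], "held:", r["held"])
```

Under `silent_reencrypt` the second message leaves the device bound to the new key before anyone has checked where that key came from; the alert is only a record after the fact. Under `block_until_verified` the message stays in the outbox until `verify` is given a fingerprint that matches the served key, and a wrong value read out of band releases nothing. Whichever the real client does, the practitioner's check is the same: compare safety numbers with the contact over a second channel after any key-change notice, and treat a client that resends silently as one that cannot detect an interposed key.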
The history of WhatsApp shows a clear pattern—from a complete lack of encryption at launch to a series of vulnerabilities suspiciously suited for surveillance. In all 10 years of WhatsApp’s existence, there hasn’t been a single day when this service was secure. So updating the WhatsApp app is unlikely to make it secure for anyone. To become a truly private service, WhatsApp would have to be ready to lose important markets and clash with authorities at home. They’re unlikely to be ready for that[14].
Last year, WhatsApp’s founders left the company over concerns about user data privacy[15]. They’re probably bound by non-disclosure agreements or FBI orders, so they can’t publicly talk about backdoors without risking their money and freedom. However, they did admit that they “sold their users’ privacy”[16].
I can understand the founders’ reluctance to reveal details. Risking your own comfort isn’t easy. A few years ago, I had to leave my country after refusing to violate VKontakte users’ privacy at the authorities’ request[17]. It was unpleasant. But would I do something similar again? Absolutely. Each of us will die someday, but as a species, we’ll exist for a long time. So the pursuit of wealth, fame, or power is meaningless. Serving humanity is the only thing that matters in the long run.
And yet, despite all our intentions, I feel that in this WhatsApp surveillance story, we let people down. Many can’t delete WhatsApp because their friends and family are still there. This means Telegram hasn’t managed to get more people to switch messengers. And although we’ve attracted hundreds of millions of users over the past five years, it’s not enough. Most are still hostages of the Facebook/WhatsApp/Instagram empire. Many Telegram users also have WhatsApp installed—which means their device data is still at risk. Even those who have completely abandoned WhatsApp are likely using Facebook or Instagram, and these services think it’s normal to store passwords in plain text[18][19] (I still can’t believe they did that).
In almost six years of existence, Telegram hasn’t had any data leaks or security holes like those found in WhatsApp every few months. In six years, we haven’t given a single byte of information to third parties, while Facebook and WhatsApp have been leaking streams of personal data to anyone claiming to work for the government[13].
Outside of the Telegram fan community, not many people realize that almost all new messaging features first appear in Telegram, and only then—down to the smallest implementation details—are copied by WhatsApp. Recently, Facebook went further and tried to borrow Telegram’s entire philosophy. At the F8 conference, Zuckerberg suddenly declared the importance of privacy and speed, practically quoting Telegram’s app description word for word.
But there’s no point in complaining about Facebook’s hypocrisy or lack of creativity. We have to admit that their strategy works. Just look at what they did to Snapchat[20].
At Telegram, we must acknowledge our responsibility in shaping the future. The future is either us or Facebook’s monopoly. Either freedom and privacy, or greed and hypocrisy. Our team has been competing with Facebook for 13 years. We once beat them in the social networking market in Eastern Europe[21]. We’ll win again, this time in the global messaging market. We have to.
Winning won’t be easy. Facebook’s marketing department is huge, while Telegram doesn’t do any marketing at all. We don’t want to pay journalists and researchers to talk about Telegram. We rely on you—our millions of users. If you like Telegram, you’ll tell your friends about it. And if every Telegram user convinces three friends to delete WhatsApp and switch to Telegram for good, Telegram will already be more popular than WhatsApp.
The era of greed and hypocrisy will end; the era of freedom and privacy will come. That day is much closer than it seems.
Sources
- [1] Business Insider – WhatsApp was hacked and attackers installed spyware on people’s phones – May 15, 2019
- [2] Security Today – WhatsApp Bug Allowed Hackers to Hijack Accounts – October 12, 2018
- [3] Wikipedia – Gag order – United States
- [4] Neowin – FBI asked Durov and developer for Telegram backdoor – September 19, 2017
- [5] The Baffler – The Crypto-Keepers – September 17, 2017
- [6] New York Times – What Is Telegram, and Why Are Iran and Russia Trying to Ban It? – May 2, 2019
- [7] YourDailyMac – Whatsapp leaks usernames, telephone numbers and messages – May 19, 2011
- [8] The H Security – Sniffer tool displays other people’s WhatsApp messages – May 13, 2012
- [9] FilePerms – WhatsApp is broken, really broken – September 12, 2012
- [10] International Business Times – Respect for Privacy Is Coded Into WhatsApp’s DNA: Founder Jan Koum – March 18, 2014
- [11] Slate – https://slate.com/technology/2018/06/paul-manafort-how-did-fbi-access-whatsapp-messages.html – June 5, 2018
- [12] AppleInsider – WhatsApp backdoor defeats end-to-end encryption, potentially allows Facebook to read messages – January 13, 2017
- [13] Forbes – Forget About Backdoors, This Is The Data WhatsApp Actually Hands To Cops – January 22, 2017
- [14] New York Times – Facebook Said to Create Censorship Tool to Get Back Into China – November 22, 2016
- [15] The Verge – WhatsApp co-founder Jan Koum is leaving Facebook after clashing over data privacy – April 30, 2018
- [16] CNET – WhatsApp co-founder: ‘I sold my users’ privacy’ with Facebook acquisition – September 25, 2018
- [17] New York Times – Once celebrated in Russia, programmer Pavel Durov chooses exile – December 2, 2014
- [18] TechCrunch – Facebook admits it stored ‘hundreds of millions’ of account passwords in plaintext – March 21, 2019
- [19] Engadget – Facebook stored millions of Instagram passwords in plain text – April 18, 2019
- [20] Vanity Fair – Snapchat is doing so badly, the feds are getting involved – November 14, 2018
- [21] HuffPost – Vkontakte, Facebook Competitor In Russia, Dominates – October 26, 2012