#MondayBlues: How The Zim Government Can Access Your “encrypted” WhatsApp Chats.

I have been asked too many times whether or not the government of Zimbabwe is watching over the trending WhatsApp messages. With a few warnings coming from Potraz on abuse of telecommunications infrastructure and the cyber bill on spying, the question is genuine and needs proper answers.

Governments cannot possibly watch everyone online; no amount of server power can do that. Of course, there can be some trigger words set, like bomb, shutdown Zimbabwe, stay away, etc., which can trigger systems to monitor your specific number.

What many people fail to understand, however, is how secure the WhatsApp platform they use to send messages is, and the implications of such messages should the authorities prove they are guilty.

By Toneo T Rutsito. 

If the same question had been asked a few months ago, the answer would have been a plain and simple YES! The Zimbabwean government, and any government, could see and intercept any messages you sent over WhatsApp, in as much as it can see any text message you send today and those emails which you are probably sending now, so long as you are not in a secure shell like basic https://.

However, in the past weeks WhatsApp improved its security, making it very secure as the messaging platform tries to make privacy a higher priority.

WhatsApp said that it had added the new, stronger measures across its messages because it “has always prioritized making your data and communication as secure as possible”. “From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats,” it wrote in a blog post announcing the change.

“The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to,” WhatsApp wrote. “No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.”

But the government does not even need to decrypt

The recent security updates with end-to-end encryption make it almost impossible for anyone to intercept the 256-bit encryption technology, though in security, absolute security is only a relative word. However, even if WhatsApp was 100% secure, it is not insured against stupidity.

If you send illegal or subversive messages and your phone falls into the hands of security agents, they do not need to decrypt anything, as the information is readily available as evidence. Many people post subversive messages, and messages with legal implications, openly in WhatsApp groups, and these can easily be traced to them without any technology being employed.

Zimbabweans can be gullible. In most cases people do not even know or care who else is in the group, or at least advocate that they all keep their phones very secure in case one loses his device or there is forced access, and how to avoid it for their own security.

We have witnessed how revenge porn works in Zim and how many videos have been leaked after one loses his or her own phone. The results are devastating, and so are the legal implications.

“Recently there has been a lot of discussion about encrypted services and the work of law enforcement,” it wrote. “While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people’s information to abuse from cybercriminals, hackers, and rogue states.”

However, security agencies and mobile networks in Zimbabwe are legally allowed to intercept these encrypted communication services under the Interception of Communications Act, using facilities provided by the telecom service providers.

Whatsapp Spying.

Admittedly, I have personally used this spying software for one reason or another, and yes, by actually targeting a certain phone number, whether through physically installing spyware, which most interested parties can easily do without you even noticing, or, worse, remotely by targeting your number and spoofing the device MAC address.

Official tools like Whatsapp Web can be abused to monitor your account if you are not careful to check which devices are listening to your Whatsapp accounts.

This kind of snooping has nothing to do with the encryption as Whatsapp will still deliver messages as plain text to the “intended” recipient. So long as you become a target, with a little effort one can spy on you.

Is this technologically possible considering it’s 256-bit?


StackExchange had a very informative argument: you can’t trust Facebook or its WhatsApp!

It’s very unlikely that any government agency would crack the encryption. They would need the key. And the only way they could get that is if Whatsapp had a backdoor or weakness in their software which allowed for such a key to be extracted.

There is, as of today, no direct evidence that such a backdoor exists in Whatsapp. But, since Whatsapp is closed source, it also becomes difficult to make sure such a backdoor does not exist.

However, in terms of information security, what we are interested in is a risk assessment. Considering OP, government agencies are the parties we are being asked about. We should therefore assess that risk. Here is some relevant information regarding that:

Whatsapp’s parent company, Facebook, has been shown to give the NSA direct, unilateral access to their servers through something called the PRISM Program. While Facebook denies this, it has been proven by leaked documents. This does not, however, mean that the NSA can decrypt Whatsapp messages. I include this information in the risk assessment as an example of Whatsapp’s owner’s relationship to the NSA and privacy transparency in general.

In 2013, information was released regarding: (Source)

• NSA and GCHQ unlock encryption used to protect emails, banking and medical records

• $250m-a-year US program works covertly with tech companies to insert weaknesses into products

Though not absolutely identical, considerably similar things have indeed happened before. Here is one example regarding Skype, Microsoft and the NSA.

Conclusion: It is, at present, difficult to conclude one way or the other. Whatsapp’s parent company (as well as other companies) have demonstrated in the past that they are willing to give the NSA unilateral access to user data. They have also shown a willingness to lie about it. Given this, it seems difficult to take companies under the control of Facebook at their word regarding this particular subject.

When we evaluate the degree of risk in regards to malware, a virus, being hacked, data loss, data theft, surveillance, etc, it is not only relevant if something is proven. It is also relevant if something is possible or even likely. While, in this particular case, there may not be sufficient grounds to say that the NSA gaining access to Whatsapp encryption keys is likely, it is definitely possible, given the history of these entities.

This is something people can take into consideration when evaluating such a situation.

The question which many people ask me is: can the encryption be broken?

You have asked one question, but I think that you are asking two:

  • can Whatsapp encrypted communications be captured, and
  • can Whatsapp encrypted communications be captured in “the clear”

The first question, all communications can be captured by legal authorities. It’s actually not that difficult, and there are multiple examples of this happening.

The second question, we can only use the stated facts in evidence, and speculate on the rest. Whatsapp states that they do not have access to the encryption keys, which would mean that they would not be able to hand those keys over to authorities. If true, then the answer to your second question, is “no”.

We can speculate on the vulnerabilities on the key management process, or the truthfulness of Whatsapp’s statements, but until we have evidence one way or another, we can assume that the statements are technically true.

The truth is: not as yet, as far as it is in the public domain!

Nicole Madziwa

