Your Industry  

App encryption: R U protected?

Calls for the government to share communications surrounding its decision to shut down parliament, some of which were shared on WhatsApp, have put encrypted messaging services in the spotlight again. 

Many people seem to believe their comments will remain private by messaging on apps that offer end-to-end encryption – WhatsApp is the most well-known, but there are other popular ones such as Telegram and Signal.

But, to me, as an investigator, the sense of security these apps engender has always seemed like the emperor’s new clothes.

>Anyone who has access to the handset can read all of the messages as easily as the user can

The end-to-end encryption provided by WhatsApp is very good and strong, my colleagues in cyber security tell me.

So too is the encryption on many similar apps.

However, the fundamental flaw is that the encryption is only end-to-end, so anyone who has access to the handset can read all of the messages as easily as the user can.

If you are arrested, the police will ask you for the passcodes to your phone and may raise it at trial if you do not hand them over.

In some cases, they will seize the phone before you have a chance to lock it.  

The illusion of security from end-to-end encryption at such a moment is laid bare. They can see everything.  

Unencrypted messages, sitting on a handset, are easy prey to less visible actors, too.

Key points

  • Many people use internet messaging services, believing the encryption protects them
  • Law enforcement agencies can force people to open their phone
  • Just throw the phone away if you are really worried

Well-known security flaws have allowed apparently benign apps to monitor messages stored elsewhere on a phone, including inside the so-called encrypted apps.

Then there are the malicious apps, hackers and intelligence services, who share similar techniques to get into phones through software vulnerabilities and back doors.

Once inside, they have the keys to the kingdom and can read everything.

The Financial Times reported this May that malicious code developed by the Israeli company NSO Group could be used to exploit a WhatsApp vulnerability to install surveillance software on to both iPhones and Android phones by calling targets using the app’s phone call function.

There’s a strange anomaly here though, in that deleted messages have become more private rather than less.

Until recently, all deleted messages on phones could be easily recovered.

Now, thanks to security features introduced by both Apple and Android, that ability is profoundly reduced, particularly in the weeks after a software upgrade when the tools need to be updated.

Be warned though: investigators can still see that items were deleted, they often just cannot see what.

So, whether it is on WhatsApp or not, if you send a message you later regret, or think could be a liability,delete it.

But do not delete messages after you have been told not to during an investigation or litigation, because that surely makes it a whole lot worse.

Legal rights

Of course, few of us fear being arrested, or worry too much about criminals or intelligence agencies.

But these are not the only actors who can get access to your unencrypted messages.

In questions of employee wrongdoing, it is common for employers to require access to corporate phones and devices.

Civil courts are now used to granting orders for individuals to hand over personal phones and devices, with their passcodes, during investigations of financial crime, harassment, the theft of trade secrets or regulatory breaches.

In almost all litigation, relevant messages must be considered for discovery no matter where they are written or stored.

As civil investigators, when we review the content of phones, we do so in a manner that provides protection to the individual’s right to privacy, and in compliance with applicable laws, including the EU’s General Data Protection Regulation.

Typically, the requests come to us as a result of a court order where the required steps are explicitly stated.

Normally, all messages are loaded into a review tool that records every step taken within it, and then only messages that involve a carefully chosen group of counterparties, and/or those that only involve a set of keywords are reviewed.

If a messaging service, such as WhatsApp, has only been used for truly private purposes, none of those messages will appear when we review that way.

Such methodology helps to ensure our review is proportionate and does not infringe the individual’s privacy rights, while still ensuring that a comprehensive search has been undertaken.

Protect yourself

An individual’s legal right to privacy has increased over the years, and rightly so.

However, the attentive reader will note that this is the protection an individual has from having their messages read, rather than any specific security measures such as end-to-end encryption.

What protection does end-to-end encryption offer? Well, it is fundamentally a way of making it harder to read intercepted messages.

Interception of messages, such as probes and wire taps, is the almost exclusive preserve of intelligence agencies and law enforcement.

So, does WhatsApp and other similar encryption apps offer protection from intelligence agencies and law enforcement?

I don’t think so. It makes life more difficult for them, but most have already adapted their methodologies to work round this.

They are more likely to physically seize your phone, or that of your counterpart, or to launch a cyber attack against your handset and get your messages that way.

And frankly, if these are the people you are worrying about getting hold of your messages, you are better off just putting the phone in the bin.

So where does that leave us?

Well, as law-abiding citizens I would not worry too much, except to be careful what you write about colleagues, clients and opponents, as they may one day be read by them.

And as investigators, WhatsApp and the false sense of security it brings, will continue to pay dividends.

It has been a long time since I have seen a really incriminating message on an email, but only a few weeks ago we found an explicit discussion about bribery on a WhatsApp message.

A former attorney-general of a developing nation might regret a text he sent to the brother of the president one Monday morning in March, four years ago.

“Hey,” he says, “we are about to approve your contract with XXX. You need to bribe me!!! Otherwise…”

Benedict Hamilton is a managing director at global investigations company, Kroll, a division of Duff & Phelps