WhatsApp now uses Signal protocol, which was largely funded by US taxpayers. WhatsApp has enabled end-to-end encryption across all versions of its messaging and voice calling software, according to a Tuesday announcement on the company’s website.
Given that WhatsApp is already in use by over 1 billion people worldwide, as users upgrade to the latest version, it will become the most widely used end-to-end crypto tool.
“We live in a world where more of our data is digitized than ever before,” Jan Koum, a WhatsApp co-founder, wrote in a company blog post on Tuesday. “Every day we see stories about sensitive records being improperly accessed or stolen. And if nothing is done, more of people’s digital information and communication will be vulnerable to attack in the years to come. Fortunately, end-to-end encryption protects us from these vulnerabilities.”
As the company explained in a white paper that was released on Monday night, WhatsApp uses the Signal protocol (formerly known as Axolotl), which was created by Moxie Marlinspike’s Open Whisper Systems. (That protocol is also used by Marlinspike’s Signal encrypted messaging and voice app.)
In November 2014, WhatsApp announced that it was using the same encryption as Signal in the Android version of the chat app. Over the next two years, the company worked to roll out strong encryption to iOS and other mobile platforms and to expand the data protected to group chats, voice calls, and media attachments.
The implementation of this crypto protocol is largely thanks to American tax dollars: since 2013, Open Whisper Systems has received a total of $2.25 million from the Open Technology Fund, an umbrella group whose primary funder is the United States government, through agencies such as theBroadcasting Board of Governors and the Department of State.
The move received praise from many privacy advocates and civil libertarians, including Christopher Soghoian of the American Civil Liberties Union.
The WhatsApp paper also points out that the encryption protocol uses perfect forward secrecy, so that “even if encryption keys from a user’s device are ever physically compromised, they cannot be used to go back in time to decrypt previously transmitted messages.”
Specifically, WhatsApp uses Curve25519, and the app now allows users to verify fingerprints for a given chat session, presumably over a secondary communications channel.