Marcel Winatschek

The Key Facebook Kept

Whether you’re texting your mom happy birthday, shit-talking someone in a group chat, or sending a dick pic to a person who may or may not have asked for it: WhatsApp has been telling you those messages are encrypted, visible only to you and whoever’s on the other end. That was a lie. Facebook can read all of it.

Facebook had always claimed that no one outside of users themselves could decrypt WhatsApp messages, Markus Reuter wrote at Netzpolitik.org. The encryption is based on the Signal protocol from Open Whisper Systems—a system where users exchange cryptographic keys and messages are end-to-end encrypted, meaning in theory only sender and receiver can ever read them.

The catch: the backdoor that was discovered isn’t part of the Signal protocol itself. It allows Facebook to silently generate new encryption keys without notifying the user—and use those keys to read the conversation. Tobias Boelter, a cryptography and security researcher at UC Berkeley, found it. Not a subtle flaw. A door left open on purpose.
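The key-change behaviour described above, as an added example that is not part of the original post and is not WhatsApp's or Signal's code: a client pins each contact's identity key on first use, then is run once with silent acceptance of a newly served key and once with block-and-warn. The `Client` class, the key bytes and the truncated SHA-256 fingerprint are constructed for illustration.

```python
import hashlib
import hmac

class KeyChanged(Exception):
    """Raised when a contact's served identity key differs from the pinned one."""

def fingerprint(public_key: bytes) -> str:
    # Short digest a user can compare out of band (simplified, not Signal's safety-number format).
    return hashlib.sha256(public_key).hexdigest()[:16]

class Client:
    def __init__(self, block_on_change: bool):
        self.block_on_change = block_on_change
        self.pins = {}      # contact -> pinned identity public key
        self.warnings = []  # key-change notices shown to the user
        self.outbox = []    # (contact, fingerprint of the key used, message)

    def verify(self, contact: str, key: bytes) -> None:
        # The user compared fingerprints out of band and accepts this key.
        self.pins[contact] = key

    def send(self, contact: str, served_key: bytes, message: str) -> str:
        pinned = self.pins.get(contact)
        if pinned is None:
            self.pins[contact] = served_key  # trust on first use
        elif not hmac.compare_digest(pinned, served_key):
            if self.block_on_change:
                self.warnings.append(f"{contact}: key changed to {fingerprint(served_key)}")
                raise KeyChanged(contact)
            self.pins[contact] = served_key  # silent acceptance: the user sees nothing
        used = fingerprint(self.pins[contact])
        self.outbox.append((contact, used, message))
        return used

def demo() -> dict:
    # Constructed sample keys: the second stands for a key the server swapped in.
    bob_key = b"constructed-bob-identity-key"
    swapped_key = b"constructed-key-not-held-by-bob"
    results = {}
    for name, block in (("silent", False), ("blocking", True)):
        client = Client(block_on_change=block)
        client.send("bob", bob_key, "hi")
        try:
            results[name] = client.send("bob", swapped_key, "private")
        except KeyChanged:
            results[name] = "blocked"
        results[name + "_warnings"] = len(client.warnings)
    return results
```

In the silent run the second message is encrypted to the swapped key with zero warnings; in the blocking run nothing is sent until the user calls `verify` after comparing fingerprints.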

This means Facebook has been filling its databases with your private messages, photos, videos. It means that when governments come knocking—and they do—Facebook can hand everything over, despite the company’s staff having repeatedly claimed otherwise. You were lied to, clearly and for years. If that’s enough to make you do something about it, Threema and Signal are the alternatives worth considering. If not, you’ll just have to accept that some bored intelligence contractor can see that dick pic too. Not just the person you sent it to.