A coalition of some of the globe’s top researchers and cryptographers is pleading with The Guardian to retract a story it published last week in which it suggested the encrypted messaging app WhatsApp contained a backdoor.

The article, citing research by Tobias Boelter, a cryptography and security researcher, accused WhatsApp of having a backdoor that it or Facebook could use to eavesdrop on user messages. The article, published by the media group last Friday, was almost immediately met with criticism, first from WhatsApp – which called the allegations false – then from a collection of researchers who also disputed the claims.

The letter, written by Zeynep Tufekci, a writer and associate professor at the University of North Carolina’s School of Information and Library Science, calls The Guardian piece “reckless” and “uncontextualized,” and is recommending the paper retract the story and issue an apology.

“The behavior described in your article is not a backdoor in WhatsApp. This is the overwhelming consensus of the cryptography and security community. It is also the collective opinion of the cryptography professionals whose names appear below. The behavior you highlight is a measured tradeoff that poses a remote threat in return for real benefits that help keep users secure…” the letter reads.

When reached Friday, a spokesperson for The Guardian said the outlet was aware of Tufekci’s letter and that it had amended its article’s use of the term “backdoor.”

“We ran a series of articles highlighting and discussing a verified vulnerability in WhatsApp and its potential implications. WhatsApp was approached prior to publication and we included its response in the story, as well as a follow-up comment which was received post-publication. While we stand by our reporting we have amended the article’s use of the term ‘backdoor’ in line with the response and footnoted the articles to acknowledge this. We are aware of Zeynep Tufekci’s open letter and have offered her the chance to write a response for the Guardian. This offer remains open and we continue to welcome debate.”

Tufekci’s letter, posted last night, also calls out The Guardian for failing to reach out to independent security researchers to help corroborate its case. It also urges the media outlet to ensure its reporters don’t report on sensitive issues like this again without seeking the opinion of experts.

“What’s the harm? Why doesn’t WhatsApp just use better settings? Why don’t people just switch to Signal? If your reporters had taken the time to do the research, these questions could be answered… Considering the stakes, security reporting must be measured and well-researched. My unfortunate prediction is that the harm from your story will be real, widespread, and corrections and rebuttals likely minimally reported on,” Tufekci writes.

A number of well-respected researchers have gone on record over the past several days contesting claims that the issue is a backdoor.

The Electronic Frontier Foundation’s Joseph Bonneau and Erica Portnoy called The Guardian story sensational, adding that it was “inaccurate to the point of irresponsibility to call this behavior a backdoor.” Researchers such as Moxie Marlinspike – who founded Open Whisper Systems and helped write the Signal protocol, on which WhatsApp’s encryption is based – weighed in on Friday, calling the story false, describing the behavior as something that any public key cryptography system has to deal with, and calling the app a “great choice for users concerned with the privacy of their message content.”

In her letter, Tufekci equates The Guardian running the article to running an article with a headline warning users: “VACCINES KILL PEOPLE.” It’s something she admits may be true in a few scattered instances, but nonetheless diminishes the actual good vaccines do.

“You would have no problem understanding why ‘Vaccines Kill People’ would be a problem headline for a story, especially given the context of anti-vaccination movements,” Tufekci writes, “But your series of stories on WhatsApp does the same disservice and perpetrates a similar public health threat against secure communications.”

A long – and growing – list of respected cryptographers, including Matthew D. Green, a professor at Johns Hopkins University, Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard University, and Matt Blaze, a professor at the University of Pennsylvania, have signed off on Tufekci’s letter. A slew of additional researchers, including Jonathan Zdziarski, Kenneth White, Steven Bellovin, and Katie Moussouris, to name a few, have also signed the letter pledging their support for better security reporting.

Discord over the legitimacy of The Guardian’s reporting comes at a troubling time.

Following the inauguration of Donald Trump as the 45th President of the United States on Friday, more than 200,000 protesters are expected to descend on Washington D.C. Saturday for the Women’s March. A warning, purportedly circulated by a supporting anti-Trump group, DisruptJ20, warned protesters Thursday night against using WhatsApp, citing “a privacy hole.” Instead of WhatsApp, the group encouraged protesters to use Signal, as The Guardian’s article suggested, to ensure their privacy isn’t compromised.

While Tufekci calls Signal a well-designed app in the letter, she warns that discrediting WhatsApp could cause profound harm and be detrimental to security.

“Telling people to switch away from WhatsApp is very concretely endangering people,” Tufekci wrote, “Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what’s actually been happening since the publication of this story and years of experience in these areas.”

Categories: Cryptography, Privacy

Comments (2)

  1. Brandon Carrington
    1

    It’s not a counsel meeting in the Alps. It’s an independent political view of leaving feedback for others to make better judgment. If it works, let it work till it’s broke. That will be all.

    Reply
  2. Phh
    2

    I think I’m really missing some piece of information, so I welcome any answer.

    As far as I know, the flaw spotted enables WhatsApp to read messages.
    There are indeed some caveats:
    – The user will be notified when doing so
    – If messages are marked as received on the other side, the user is certain WhatsApp hasn’t tinkered with it.

    But I can still see many cases where this could go wrong.

    Let’s say the police want to take a look at someone looking suspicious.
    They set his WhatsApp account to MITM-mode: they no longer answer acks, though they do deliver all messages.
    From a user point of view, it is more likely to be a bug than anything else. After all, messages are still transmitted, and security parameters say everything is good!
    And then after one week, they change the key, and they get the whole week’s worth of messages.

    If the user knows this “ack” thing (but seriously, why should he think this is a security feature? Except for those news articles, there is no reason to think so!), he can still be tricked!

    If police found out that there are daily messages exchanged between two men, but never found what, they just have to trigger the MITM at the right time to be able to read the message.

    If my understanding is correct, I do think this is a flaw, even if I understand why this is done.

    Reply
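The commenter’s scenario turns on one design decision: what a sending client does with messages that were sent but never acknowledged when the recipient’s key changes. The toy model below is an added illustration, not WhatsApp or Signal code; the two policy names, the `Outbox` class and the “sealed under key K1/K2” stand-in for real encryption are assumptions, and it shows how many unacknowledged message bodies end up re-sent under a new key under each policy.

```python
"""Toy model of the key-change tradeoff (added illustration, not vendor code).
'key_id' stands in for the recipient identity key a message was sealed under."""
from dataclasses import dataclass, field


@dataclass
class Message:
    text: str
    key_id: str          # recipient key the message was sealed under
    acked: bool = False  # delivery receipt seen by the sender


@dataclass
class Outbox:
    recipient_key: str
    policy: str                          # "auto_resend" or "block_until_verified" (assumed names)
    sent: list = field(default_factory=list)
    held: list = field(default_factory=list)
    notices: list = field(default_factory=list)

    def send(self, text):
        m = Message(text, self.recipient_key)
        self.sent.append(m)
        return m

    def ack(self, m):
        m.acked = True

    def recipient_key_changed(self, new_key):
        """Handle a key change; the fate of unacknowledged messages is the whole tradeoff."""
        pending = [m for m in self.sent if not m.acked]
        self.recipient_key = new_key
        if self.policy == "auto_resend":
            # Convenience: re-seal pending messages under the new key, surface a notice.
            for m in pending:
                m.key_id = new_key
            self.notices.append(f"key changed; {len(pending)} pending message(s) re-sent")
        else:
            # Caution: hold pending messages until the user verifies the new key.
            for m in pending:
                self.sent.remove(m)
                self.held.append(m)
            self.notices.append(f"key changed; {len(pending)} message(s) held for verification")
        return len(pending)


def exposure_after_key_change(policy):
    """Comment scenario: one delivered message, a week of unacknowledged ones, then a key change.
    Returns how many message bodies end up sealed under the new key."""
    box = Outbox("K1", policy)
    box.ack(box.send("day 0"))       # constructed sample: delivered and acknowledged normally
    for d in range(1, 8):
        box.send(f"day {d}")         # constructed sample: acks never arrive
    box.recipient_key_changed("K2")
    return sum(1 for m in box.sent if m.key_id == "K2")
```

A client that holds messages keeps the unacknowledged week unexposed at the cost of delivery; a client that re-sends delivers them and relies on the notice being shown and noticed, which is the setting the letter’s “measured tradeoff” refers to.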
