Coalition of Cryptographers, Researchers Urge Guardian to Retract WhatsApp Story

A coalition of researchers and cryptographers are urging the Guardian to retract a story it published last week which suggested the encrypted messaging app WhatsApp contained a backdoor.

A coalition of some of the globe’s top researchers and cryptographers are pleading with The Guardian to retract a story it published last week in which it suggested the encrypted messaging app WhatsApp contained a backdoor.

The article, citing research by Tobias Boelter, a cryptography and security researcher, accused WhatsApp of having a backdoor it that it or Facebook could use to eavesdrop on user messages. The article, published by the media group last Friday, was almost immediately met with criticism, first from WhatsApp – which called the allegations false – then from a collection of researchers who also refuted the claims.

The letter, written by Zeynep Tufekci, a writer and associate professor at the University of North Carolina’s School of Information and Library Science, calls The Guardian piece “reckless” and “uncontextualized,” and is recommending the paper retract the story and issue an apology.

“The behavior described in your article is not a backdoor in WhatsApp. This is the overwhelming consensus of the cryptography and security community. It is also the collective opinion of the cryptography professionals whose names appear below. The behavior you highlight is a measured tradeoff that poses a remote threat in return for real benefits that help keep users secure…” the letter reads.

When reached Friday, a spokesperson for The Guardian said the outlet was aware of Tufekci’s letter and that it had amended its article’s use of the term “backdoor.”

“We ran a series of articles highlighting and discussing a verified vulnerability in WhatsApp and its potential implications.  WhatsApp was approached prior to publication and we included its response in the story, as well as a follow up comment which was received post-publication. While we stand by our reporting we have amended the article’s use of the term ‘backdoor’ in line with the response and footnoted the articles to acknowledge this. We are aware of Zeynep Tufekci’s open letter and have offered her the chance to write a response for the Guardian. This offer remains open and we continue to welcome debate.”

Tufekci’s letter, posted last night, also calls out the The Guardian for failing to reach out to independent security researchers to help corroborate their case. It also urges the media outlet to ensure its reporters don’t report on sensitive issues like this again without seeking the opinion of experts.

“What’s the harm? Why doesn’t WhatsApp just use better settings? Why don’t people just switch to Signal? If your reporters had taken the time to do the research, these questions could be answered… Considering the stakes, security reporting must be measured and well-researched. My unfortunate prediction is that the harm from your story will be real, widespread, and corrections and rebuttals likely minimally reported on,” Tufekci writes.

A number of well-respected researchers have gone on record over the past several days contending claims that the issue is a backdoor.

The Electronic Frontier Foundation’s Joseph Bonneau and Erica Portnoy called The Guardian story sensational, adding that it was “inaccurate to the point of irresponsibility to call this behavior a backdoor.” Researchers such as Moxie Marlinspike, who founded Open Whisper Systems and helped write the Signal protocol – which WhatsApp’s encryption is based on, weighed in on Friday calling the story false, something that any public key cryptography system has to deal with, and called the app a “great choice for users concerned with the privacy of their message content.”

In her letter, Tufekci equates The Guardian running the article to running an article with a headline warning users: “VACCINES KILL PEOPLE.” It’s something she admits may be true in a few scattered instances, but nonetheless diminishes the actual good vaccines do.

“You would have no problem understanding why ‘Vaccines Kill People’ would be a problem headline for a story, especially given the context of anti-vaccination movements,” Tufekci writes, “But your series of stories on WhatsApp does the same disservice and perpetrates a similar public health threat against secure communications.”

A long – and growing – list of respected cryptographers, including Matthew D. Green, a professor at Johns Hopkins University, Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard University, and Matt Blaze, a professor at the University of Pennsylvania, have signed off on Tufekci’s letter. A slew of additional researchers, including Jonathan Zdziarski, Kenneth White, Steven Bellovin, and Katie Moussouris, to name a few, have also signed the letter pledging their support for better security reporting.

Discord over the legitimacy of The Guardian’s reporting comes at a troubling time.

Following the inauguration of Donald Trump as the 45th President of the United States on Friday, more than 200,000 protesters are expected to descend on Washington D.C. Saturday for the Women’s March. A warning, purportedly circulated by a supporting anti-Trump group, DisruptJ20, warned protesters Thursday night against users WhatsApp, citing “a privacy hole.” Instead of WhatsApp, the group encouraged protesters to use Signal, like the The Guardian’s article suggested, to ensure their privacy isn’t compromised.

While Tufekci calls Signal a well-designed app in the letter, she warns that discrediting WhatsApp could cause profound harm and be detrimental to security.

“Telling people to switch away from WhatsApp is very concretely endangering people,” Tufekci wrote, “Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what’s actually been happening since the publication of this story and years of experience in these areas.”

Suggested articles