As the debate between government and Big Tech rages on, social media platforms are deploying curbs to check for fake messages and videos. While expectations are that messaging companies will do the same, there are limitations on what a WhatsApp or a Telegram can do as far as screening of messages is concerned. Unlike Twitter, WhatsApp cannot screen all texts that go via its platform, as messages are encrypted at the user level. Another model, followed by the likes of WeChat, encrypts messages over servers and provides something called transport encryption.
What is message encryption?
An SMS works on an unencrypted level. So, anything that is typed can be read by the carrier, the government or a hacker trying to intercept such messages. Chatting apps, on the other hand, started deploying encryption in the name of security. What this ensures is that messages can't be read, as there are various levels of encryption deployed and, in some cases, only private keys can be used to access a message. Modern encryption uses algorithms to convert message text into random characters and symbols. These can be decoded only using a key.
What are the different types of encryption?
Before we try to understand encryption, it is important to bear in mind that one of the basic kinds of encryption often used is symmetric encryption. This is one of the oldest encryption mechanisms, where the message is encrypted using a common method. The Caesar cipher, for instance, meant moving each letter by three. These days systems use a combination of this method along with asymmetric encryption. As computers have made generation of keys simpler, even the symmetric methods are not easy to decode. The way this is done is easy. As symmetric keys can be deciphered over time, there is a concept of public keys, which are asymmetric. How the system functions is that each time you log on to a service, say WhatsApp, it generates a public key and a private key. The public key is visible to all, and is what the communication is sent over, but the private key is the real decoding or encoding value. So, a message sent over a public key lands up in another user's system, where it is decoded using her private key.
Consider a housing society: you have an access card for the society, and so do most people who enter its premises. In much the same way, anybody who enters WhatsApp has the access card for using WhatsApp. What makes it even more secure is that the house in the society also has a key, which only you have access to. So, your house is secure. This is called end-to-end encryption, and this is what is used by WhatsApp, Telegram, Signal and other messaging services. It uses a mechanism called RSA (Rivest-Shamir-Adleman) along with other systems.
The other system in use is server-based encryption, where messages, instead of being encrypted on the user end, are encrypted on the server using a key. This means the messages over the cloud system can easily be decrypted, but only when a government actor wants it or a hacker tries to breach server security. This model can also include a feature where the message is encrypted as it leaves your phone and reaches the server, and again as it leaves the server and reaches the recipient's phone.
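The difference between the two models comes down to where readable text exists, which this added example (not part of the original article) makes concrete. The key exchange and cipher are toy constructions and all function names are assumptions for illustration; they are not what any real messenger uses.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group and toy stream cipher, for illustration only.
# Assumption: real messengers use vetted curves and authenticated ciphers.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def xor_stream(key, data):
    # SHA-256 over key+counter as keystream; applying it twice decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

def transport_model(msg):
    """Each hop is encrypted, but the server decrypts and re-encrypts."""
    a_priv, a_pub = keypair()
    s_priv, s_pub = keypair()
    b_priv, b_pub = keypair()
    hop1 = xor_stream(shared_key(a_priv, s_pub), msg)        # sender -> server
    at_server = xor_stream(shared_key(s_priv, a_pub), hop1)  # plaintext here
    hop2 = xor_stream(shared_key(s_priv, b_pub), at_server)  # server -> recipient
    return at_server, xor_stream(shared_key(b_priv, s_pub), hop2)

def end_to_end_model(msg):
    """Only the two phones hold keys; the server relays ciphertext."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    wire = xor_stream(shared_key(a_priv, b_pub), msg)
    at_server = wire                                         # nothing to decrypt with
    return at_server, xor_stream(shared_key(b_priv, a_pub), wire)

if __name__ == "__main__":
    sample = b"constructed sample message"
    print("transport, server sees:", transport_model(sample)[0])
    print("end-to-end, server sees:", end_to_end_model(sample)[0].hex())
```

In the transport model the server holds a key for each hop, so screening, lawful access and a server breach all reach the same plaintext; in the end-to-end model none of them do.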
What does WhatsApp follow?
WhatsApp follows a similar structure of encryption. Although iMessage has been doing this for years now, its ecosystem of messages is limited to iOS or Apple devices. WhatsApp, on the other hand, deploys this for anyone using the app. While WhatsApp security is something that is appreciated by all security experts, Signal has a better standard than WhatsApp, and is considered the gold standard of messaging services. But this does not mean that WhatsApp does not generate metadata. Encryption only applies to messages, calls, files, photos and videos over the platform, not to the metadata that is generated, which can show who you were talking to.
What’s the difference between Telegram and WhatsApp?
While the entire ecosystem of WhatsApp is end-to-end encrypted, Telegram only offers this feature once the service is activated. Besides, not all aspects of Telegram are encrypted. For instance, if someone wishes to use the end-to-end encryption of Telegram, they would need to start a secret chat. But Telegram, in secret chat, offers an additional layer of encryption, where messages can get deleted after a specific time. In simple terms, Telegram is open unless you create a silo to talk to the other person. But Telegram has negatives too, as researchers claim that it leaks more metadata than WhatsApp does. And the veracity of its security infrastructure is not easy to identify. While WhatsApp uses publicly identifiable and tested security measures, Telegram has its own security codes, which it has not released to the general public. But researchers have been pointing out flaws in this architecture.
What is Signal, and how is it even safer?
Signal is a messaging app like WhatsApp. It uses your mobile phone number to create an account, which can then be used to chat with other users who have Signal. The app, like WhatsApp, generates a code that is the public key and can be verified by the other user. The app encrypts all communication and has an additional feature called disappearing messages. Whatever is on the server gets deleted within a few minutes, hours or days, and gets deleted for both users. Signal is so privacy-focused that it does not even allow screenshots of messages to be taken.
Are disappearing messages better?
Now, most people usually keep a backup of their chats on Google. WhatsApp may be as safe as it is, but a backup on Google means that the chats can be deciphered on the Google server. Disappearing messages ensure that nothing gets saved on any of the servers. Whatever stays will get deleted within a specified time period, with no possible way of recovering it. That is also the reason WhatsApp is trying to incorporate this feature for added privacy.
So, are WhatsApp and Signal completely safe?
Not really, they are as safe as your phone is. If you click on suspicious links that can infect your phone with malware, nothing is safe. Besides, a lot also depends on whether someone can mask your private key and your public id. In that case, the person or the entity would not change the nature of the messages, but would still be able to read them. So, safety means keeping a clean bill of health. Most companies provide a security key, which people ignore. This key needs to be verified with the other person to ensure there is no breach. The message on WhatsApp that the security message of X changed can be due either to a change in device or to a change in security key. Two, desktop apps for most manufacturers are not as safe as you would wish them to be. So, it would be better to keep updating them and make sure your computer is protected.
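How comparing a security code catches a changed or substituted key, as an added example that is not part of the original article. The code format, the Contact class and the function names are assumptions for illustration and are not WhatsApp's or Signal's actual algorithm.

```python
import hashlib

def security_code(pub_a: bytes, pub_b: bytes) -> str:
    """Digits both users can read out; the same whoever computes it."""
    lo, hi = sorted((pub_a, pub_b))          # order-independent
    digest = hashlib.sha256(b"demo-security-code" + lo + hi).digest()
    groups = (int.from_bytes(digest[i:i + 4], "big") % 100000
              for i in range(0, 24, 4))
    return " ".join(f"{g:05d}" for g in groups)

class Contact:
    def __init__(self, name: str, pub: bytes):
        self.name, self.pinned_pub, self.verified = name, pub, False

def mark_verified(contact, my_pub, code_read_by_peer) -> bool:
    """Call after comparing codes in person or over another channel."""
    expected = security_code(my_pub, contact.pinned_pub)
    contact.verified = expected == code_read_by_peer
    return contact.verified

def on_key_presented(contact, presented_pub) -> str:
    """Returns 'ok' or 'changed'; a change always drops verified status."""
    if presented_pub == contact.pinned_pub:
        return "ok"
    # A new phone or reinstall and an interposed key look identical here,
    # so the only safe response is to require the codes to be compared again.
    contact.pinned_pub, contact.verified = presented_pub, False
    return "changed"

# Constructed stand-ins for 32-byte public keys (not real key material).
ALICE, BOB, OTHER = (hashlib.sha256(n).digest()
                     for n in (b"alice", b"bob", b"other"))
```

Ignoring the "changed" notice amounts to accepting whichever key was presented last, which is the gap the verification step exists to close.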
Techsplained @FE features weekly on Mondays. If you wish to send in queries that you want explained, mail us at ishaan.gera@expressindia.com