The encryption debate has reared its head once more lately, with the FBI pushing for Apple to unlock iPhones linked to a terrorist murderer and Republican Senator Lindsey Graham seeking to render end-to-end encryption meaningless with his controversial EARN IT Bill.
Such attacks are nothing new and tech companies have got used to coming under attack from politicians and law enforcement agencies over the technology.
What is less common is to see tech companies attacking each other over their use of end-to-end encryption. Less common, but not totally unheard of. And when it does happen, it tends to involve Telegram boss Pavel Durov.
He has been at it again this week with a long blog post provocatively titled ‘Why using WhatsApp is dangerous’.
Durov’s critique of WhatsApp
Durov’s blog post begins by claiming that previous accusations he has levelled against the Facebook-owned messaging service had been proved correct.
A few months back he highlighted a flaw in WhatsApp that allowed hackers to access all data on any phone running the app. Facebook denied this flaw had ever been used but a subsequent leak of private messages and photos from Amazon CEO Jeff Bezos was, according to Durov, evidence to the contrary.
He went even further in this blog post, claiming that as the Bezos leak apparently came from a foreign government, it was highly likely that many other people would have fallen victim too.
Facebook has also claimed the issue stemmed from an iOS flaw rather than a problem with WhatsApp. Durov shows this isn’t the case as the problem didn’t affect other messaging apps on iOS devices but did affect WhatsApp on Android and Windows devices.
His conclusion that Bezos wouldn’t have been hacked if he had used Telegram instead of WhatsApp is predictable but difficult to argue with.
Durov also states that both the UN and people in US President Donald Trump’s inner circle have now been advised to remove WhatsApp from their devices or even change smartphone altogether.
End-to-end encryption not a silver bullet
With WhatsApp suitably chastised, Durov then goes on to make some extremely salient points about end-to-end encryption more generally.
He starts by saying, quite rightly, that end-to-end encryption “is not a silver bullet that can guarantee you absolute privacy by itself.”
While it is a crucial component, it can be rendered completely meaningless if other aspects of the messaging app using it are not up to scratch. Durov offers three examples to illustrate this point.
The first is backups. Users often store chat backups in the cloud where they are completely unencrypted and therefore accessible. We reported recently on how the FBI successfully lobbied Apple not to encrypt their iCloud backups.
Durov notes that Telegram doesn’t let its backups be stored on third-party cloud backup sites and secret chats on the app are never backed up anywhere.
The second issue is backdoors. Durov claims Telegram has been approached by enforcement agencies about installing backdoors and always refused to cooperate. This is why Telegram is banned in places like Russia and Iran.
He notes that WhatsApp is not banned in these places and suggests this could be because they have been more compliant.
It is a big claim but he backs it up by suggesting WhatsApp is disguising backdoors as accidental security flaws. In the past year, twelve such flaws have been found in WhatsApp, seven of which were critical. Telegram, in contrast, has had no critical security flaws discovered in the past six years.
Lastly, there is how end-to-end encryption is implemented. Durov attacks WhatsApp for hiding its source code and suggests this could be because they don’t use the same level of end-to-end encryption as they claim. By contrast, Telegram is fully open source.
WhatsApp the circus magician
Durov has constructed a compelling argument and it will be interesting to see if anyone at WhatsApp is able to counter his claims.
An obvious retort is that Durov is attacking WhatsApp to promote his own encrypted messenger service. There is no doubt he is highlighting the benefits of Telegram at the expense of WhatsApp but that doesn’t take anything away from the legitimacy of the points he makes.
His conclusion is savage. He describes WhatsApp as “the tech equivalent of circus magicians who’d like to focus your attention on one isolated aspect all while performing their tricks elsewhere”.
What he is implying is that they are using end-to-end encryption as a ruse to get away with other glaring issues in their software that users are unaware of.
“When it comes to security, nobody should take anybody’s word for granted,” he concludes and he is absolutely right about that. WhatsApp certainly has questions to answer as a result of both this blog post and the third-party evidence he cites.
So, if you are a WhatsApp user, what should you do? If security and privacy are your main reason for using WhatsApp, there is no doubt that Telegram is much more secure and therefore a better bet for you.
But the ubiquity of WhatsApp makes it infinitely more useful for many people. Just be aware that while their end-to-end encryption undoubtedly makes your communications more secure, it is not a panacea on its own.