Private chats between two people are largely safe, but group chats are fraught with security risks, cyber experts say.
The leaking of WhatsApp chats between Bollywood actors has led to concerns over the end-to-end encryption promised on chat applications.
A-lister Deepika Padukone and manager Karishma were questioned by the Narcotics Control Bureau on the basis of messages they reportedly exchanged on WhatsApp.
A phrase from Deepika’s 2017 chat allegedly refers to ‘maal’ (stuff). Investigators suspect she was talking about narcotics, and are grilling her.
Chat apps, used for a variety of purposes including intimate conversations and sharing of pictures, often promise end-to-end encryption, but are they really safe from prying eyes?
Metrolife spoke to cyber experts to find out.
Snooping allowed
Gurshabad Grover, research manager, Centre for Internet and Society, says encryption on WhatsApp is safe. “This means that only the two parties involved in the chat will be able to view the message,” he says.
However, interception, monitoring and decryption of electronic information are allowed under ‘specific circumstances’ under Section 69 of the Information Technology Act, 2000.
“In December 2018, 10 agencies were allowed electronic snooping, and this includes the Intelligence Bureau and Narcotics Control Bureau,” he says.
The police can also ask to look at your messages, under provisions of the Criminal Procedure Code.
“The police have their own rights and there are different ways to use them. Whatever we do, we have to submit our work to a court and are answerable to it. How things are investigated is at the discretion of the investigating officer,” says Kamal Pant, Bengaluru police commissioner.
Every service provider has its own protocol and the time taken to procure information varies, he says. “If a person’s message has any connection or is relevant to an offence or crime, it can be looked into,” he told Metrolife.
“WhatsApp uses the Signal protocol which is open to public scrutiny by security experts,” Grover adds.
This means the company is willing to submit to public audit.
“End-to-end encryption is used all the time without us even knowing it. Websites with https are examples. Apart from WhatsApp, Signal and Riot are the safest apps,” says Grover, who also recommends online research to understand the security merits of various apps.
Kiran Jonnalagadda, CTO of HasGeek, says privacy on WhatsApp is strong.
“The only way to get such data is if someone has access to your phone or to the backup of those chats,” he says.
He believes the safest chat app at the moment is Signal. “Apps like WhatsApp and Facebook Messenger which follow the Signal protocol also ensure privacy,” he says.
‘Group chats risky’
Tarunima Prabhakar, project lead, Tattle, a civic tech project which works against misinformation on chat apps, vouches for the end-to-end encryption promised by WhatsApp.
“If one is using the original app and not a knockoff like a WhatsApp GB, private conversations are protected,” she says.
She points out that privacy on group conversations can get dicey, as members have the option to post group invite links on other social media platforms.
“If you randomly search for chat.whatsapp.com on Twitter you will find many links. One cannot be 100 per cent sure about privacy, as there could be strangers on the groups sharing details externally,” she says.
Tarunima notes that apps obtained from the Play Store and Apple’s App Store assure some security, while knockoffs of chat apps can lead to privacy breaches.
“Once you have malware on the phone, then everything is hackable. Apps which can remotely access your computers can also be risky,” she says.
Even WhatsApp can’t read your messages
Metrolife contacted WhatsApp to understand more about its privacy.
Here is what a spokesperson said: “WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what’s sent, and nobody in between, not even WhatsApp. Messages sent are secured with locks, and only the recipient and sender have the special keys needed to unlock and read your messages. All of this happens automatically and there is no need to turn on settings or set up special secret chats to secure your end-to-end encrypted messages.”
Before a message leaves the sender’s device it is secured with a cryptographic lock, and only the recipient has the keys. “In addition, the keys change with every single message that’s sent.”
The chat platform says it does not store private messages on its servers once they’re delivered and “end-to-end encryption means that WhatsApp and third parties can’t read them anyway.”
“For additional security we encourage users to take advantage of the two-step verification to protect against any unauthorised account access,” the spokesperson adds.
Safe apps
Signal
Messenger
Riot
(Recommended by cyber security experts)