WhatsApp will let its more than 2 billion users fully encrypt their message backups.
The plans are detailed by WhatsApp before rolling out to users on iOS and Android in the coming weeks.
This is meant to secure backups that WhatsApp users have already sent to Google Drive or Apple’s iCloud, making them unreadable without the encryption key.
WhatsApp users who choose an encrypted backup will be asked to save a 64-digit encryption key or create a password associated with the key.
“WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backup, and achieving this is a very difficult technical challenge that requires an entirely new framework for key storage and cloud storage across operating systems,” writes. Facebook CEO Mark Zuckerberg in a statement.
If someone creates a password associated with their account’s encryption key, WhatsApp will store the associated key in a physical hardware security module or HSM.
This lock is managed by Facebook and is unlocked only when the correct password is entered in WhatsApp.
The HSM acts like a vault to encrypt and decrypt digital keys.
Once unlocked with the associated password in WhatsApp, the HSM provides the encryption key which in turn decrypts the account backup stored on Apple or Google servers.
A key stored in one of the WhatsApp HSM vaults cannot be permanently accessed if repeated password attempts are made.
The hardware itself is located in Facebook-owned data centers around the world to protect against internet outages.
The system is designed so that no one other than the account owner can gain access to the backup, WhatsApp head Will Cathcart told The Verge, Sunday (12/9/2021).
He said the goal of letting people create simpler passwords was to make encrypted backups more accessible.
WhatsApp will only know that there is a key on the HSM, not the key itself or the associated password to unlock it.
WhatsApp’s move comes as governments around the world such as India, WhatsApp’s biggest market, are threatening to undermine the way encryption works.
“We expect to be criticized by some for this. It’s nothing new to us … I firmly believe that the government should encourage us to have more security and not do otherwise,” Cathcart said.
WhatsApp’s announcement means the app goes a step further than Apple, which encrypts iMessages but still holds the key to encrypted backups.
This means that Apple can help with recovery, but it can also be forced to hand over the keys to law enforcement.
Cathcart said WhatsApp has been working to make encrypted backups a reality for the past few years.