Is encryption to blame for WhatsApp snooping?
Blaming WhatsApp's end-to-end encryption?
WhatsApp provides end-to-end encryption by default, which means only the sender and recipient can view the messages. But the piece of NSO Group software exploited WhatsApp's video calling system by installing the spyware via missed calls to snoop on the selected users.
This raised questions about the utility of encryption, which also prohibits security agencies from tracing the origin of messages. Traceability of WhatsApp messages is a key demand that India has put forward.
Right kind of spyware
"But once anyone can get to your handset, whether a human or a piece of software, the encryption doesn't matter any more. Because on your handset, it's all decrypted," he explained. "There's plain text on your screen, and plain audio or video in your camera. The right kind of spyware in your handset can read those messages or even listen in on your phone's mic to what someone is saying in the room, or see what's happening around, with the camera.
"If that happens then all apps are affected, not just WhatsApp. The spyware doesn't care about the app -- it just reads the screen. So, the recent incident has not changed the fact that E2EE apps/platforms are secure. Or the fact that spyware on your handset (which has many vectors: this time it was WhatsApp, but it is usually SMS or email) can compromise your entire handset and all its apps," Roy said.
"The encryption is solid and the algorithms behave as expected, however risks are still there, especially ones that originate from the surrounding operating system, which cannot be controlled or expected by any of the instant messaging software providers," he said.