WhatsApp has announced a major privacy update: it will now also add end-to-end encryption to chat backups. All messages and calls on the platform are already end-to-end encrypted, which means that no third party, including WhatsApp, can access them. But users rely on backups to preserve their chats and restore them, especially when switching devices. Until now, chat backups were not encrypted and were therefore vulnerable to access by others.
WhatsApp says it will add support for this feature in the coming weeks as an extra layer of security for those who want it. “If someone chooses to save their chat history with end-to-end encryption, it will only be accessible to them, and no one will be able to unlock their backup, not even WhatsApp,” the company explains.
But the backup service provider, be it Apple or Google, will need to access either the end-to-end encryption key or their end-to-end encrypted backup. For iOS users, the only option for chat backup is iCloud, while on Android users usually rely on Google Drive.
According to Facebook, this is “a very big step forward in terms of privacy” given their scale of 2 billion users, who send more than 100 billion messages per day. WhatsApp says it believes “this will give our users a significant breakthrough in the security of their personal messages.”
End-to-end encrypted backup will be available as an option for iOS and Android users in the coming weeks. It will therefore not be activated by default. WhatsApp users will need to create a password or use a 64-digit encryption key to access their encrypted chats. Also, as the picture above shows, if the user forgets the password, WhatsApp cannot help them recover the account.
WhatsApp has also released a white paper explaining how this feature will work. The backup is encrypted with a user-supplied password, which is unknown to WhatsApp, the user’s mobile device cloud partners, or any third party.
In addition, an encryption key is stored in the Hardware Security Module (HSM) backup key vault, which will allow the user to recover the key in the event of loss or theft of the device and thus to regain access to their account and their discussions. HSM in most phones is “responsible for enforcing password verification attempts and making the key permanently inaccessible after a certain number of failed attempts to access it”.
Facebook says that “these security measures offer protection against brute force attempts to retrieve the key.” If users choose the 64-digit encryption key instead of a password, they will have to make sure that they can remember this encryption key themselves or manually store it somewhere. In this case, the key is not sent to the HSM Backup Key Vault.
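The attempt-limiting behaviour described above can be shown with a small model. This is an added example, not WhatsApp's code or protocol: the class name, the limit of 5 attempts, the PBKDF2 password verifier, the counter reset on success and the hex encoding of the 64-digit key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumed limit; the article only says "a certain number"


def new_64_digit_key():
    """64-digit key kept by the user; hex encoding is an assumption here."""
    return secrets.token_hex(32)  # never registered with the vault


class BackupKeyVault:
    """Toy model of the vault: releases the key for the right password and
    destroys it after MAX_ATTEMPTS consecutive wrong guesses."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _verifier(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, backup_key):
        salt = secrets.token_bytes(16)
        self._records[user] = {
            "salt": salt,
            "verifier": self._verifier(password, salt),
            "key": backup_key,
            "failures": 0,
        }

    def recover(self, user, password):
        rec = self._records[user]
        if rec["key"] is None:
            raise PermissionError("backup key permanently inaccessible")
        guess = self._verifier(password, rec["salt"])
        if hmac.compare_digest(guess, rec["verifier"]):
            rec["failures"] = 0  # a correct password resets the counter
            return rec["key"]
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["key"] = None  # wipe the key: no further guesses possible
        return None
```

Because the key is wiped rather than merely locked, even the correct password fails after the limit is reached, which is what bounds a brute-force attempt against a weak password.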