Slide: 1 / of 7 .
Caption: WhatsApp founders Jan Koum (L) and Brian Acton (R).Michael Friberg for WIRED
Slide: 2 / of 7 .
Caption: Moxie Marlinspike. Michael Friberg for WIRED
Slide: 3 / of 7 .
Caption: Brian Acton. Michael Friberg for WIRED
Slide: 4 / of 7 .
Caption: WIRED
Slide: 5 / of 7 .
Caption: Jan Koum. Michael Friberg for WIRED
Slide: 6 / of 7 .
Caption: Moxie Marlinspike. Michael Friberg for WIRED
Slide: 7 / of 7 .
Caption: WIRED
For most of the past six weeks, the biggest story out of Silicon Valley was Apples battle with the FBI over a federal order to unlock the iPhone of a mass shooter. The companys refusal touched off a searing debate over privacy and security in the digital age. But this morning, at a small office in Mountain View, California, three guys made the scope of that enormous debate look kinda small.
Mountain View is home to WhatsApp, an online messaging service now owned by tech giant Facebook, that has grown into one of the worlds most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. This means that only Facebook itself runs a larger self-contained communications network. And today, the enigmatic founders of WhatsApp, Brian Acton and Jan Koum, together with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike, revealed that the company has added end-to-end encryption to every form of communication on its service.
This means that if any group of people uses the latest version of WhatsAppwhether that group spans two people or tenthe service will encrypt all messages, phone calls, photos, and videos moving among them. And thats true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApps employees can read the data thats sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but its doing so on a larger frontone that spans roughly a billion devices.
Building secure products actually makes for a safer world, (though) many people in law enforcement may not agree with that, says Acton, who was employee number forty-four at Internet giant Yahoo before co-founding WhatsApp in 2009 alongside Koum, one of his old Yahoo colleagues. With encryption, Acton explains, anyone can conduct business or talk to a doctor without worrying about eavesdroppers. With encryption, he says, you can even be a whistleblowerand not worry.
The FBI and the Justice Department declined to comment for this story. But many inside the government and out are sure to take issue with the companys move. In late 2014, WhatsApp encrypted a portion of its network. In the months since, its service has apparently been used to facilitate criminal acts, including the terrorist attacks on Paris last year. According to The New York Times, as recently as this month, the Justice Department was considering a court case against the company after a wiretap order (still under seal) ran into WhatsApps end-to-end encryption.
The government doesnt want to stop encryption, says Joseph DeMarco, a former federal prosecutor who specializes in cybercrime and has represented various law enforcement agencies backing the Justice Department and the FBI in their battle with Apple. But the question is: what do you do when a company creates an encryption system that makes it impossible for court-authorized search warrants to be executed? What is the reasonable level of assistance you should ask from that company?
WhatsApp declined to discuss any particular wiretap orders. But the prospect of a court case doesnt move Acton and Koum. Espousing an article of faith thats commonly held among Silicon Valley engineerssometimes devoutly, sometimes casuallythey believe that online privacy must be protected against surveillance of all kinds. Were somewhat lucky here in the United States, where we hope that the checks and balances hold out for many years to come and decades to come. But in a lot of countries you dont have these checks and balances, says Koum, dressed in his usual T-shirt and hoodie. Coming from Koum, this is not an academic point, as most of WhatsApps users are outside the US. The argument can be made: Maybe you want to trust the government, but you shouldnt because you dont know where things are going to go in the future.
Acton and Koum started adding encryption to WhatsApp back in 2013 and then redoubled their efforts in 2014 after they were contacted by Marlinspike. The dreadlocked coder runs an open source software project, Open Whisper Systems, that provides encryption for messaging services. In tech security and privacy circles, Marlinspike is a well-known idealist. But the stance he has taken alongside Acton and Koumnot to mention the other WhatsApp engineers who worked on the project and the braintrust at Facebook thats backing the effortis hardly extreme in the context of Silicon Valleys wider clash with governments and law enforcement over privacy. In Silicon Valley, strong encryption isnt really up for debate. Among techs most powerful leaders, its orthodoxy. And WhatsApp is encryptions latest champion. It sees itself as fighting the same fight as Apple and so many others.
WhatsApp, more than any company before it, has taken encryption to the masses. What makes this move even more striking is that the company did this with such a tiny group of people. The company employs only about 50 engineers. And it took a team of only 15 of them to bring encryption to the companys one billion usersa tiny, technologically empowered group of individuals engaging in a new form of asymmetrical resistance to authority, standing up not only to the US government, but all governments. Technology is an amplifier, Acton says. With the right stewards in place, with the right guidance, we can really effect positive change.
But of course, positive change is in the eye of the beholder. And these are technological stewards in the style of Silicon Valley: billionaires in cargo shorts and T-shirts who did something massive because they wanted to. And because they could.
Like so many tech startups, WhatsApps success seems a bit accidental. Acton and Koum originally conceived of their app as a way for people to broadcast their availability to friends, family, and colleagues: Could they talk or text at that very moment or not? But it soon morphed into a more general messaging app, a way to trade text messages via the Internet without using the SMS networks operated by cellular phone carriers like Verizon and AT&T. But the real genius of the app is that very early on, Acton and Koum targeted the international market.
In the startups first year, they offered the service in German, Spanish, French, and Italian, among other languages, and it rapidly took off overseas, where SMS text fees are much higher in than US. Today, the company offers the app in more than 50 languages, and it has grown into the primary social network in so many of the worlds countries, including Brazil, India, and large parts of Europe. In many places, local wireless carriers have signed deals with WhatsApp to offer the service directly to their customers, undermining their own texting services but driving more people to use the wider Internet through their wireless networksand thus driving more revenue.
By February of 2014, WhatsApp had reached about 450 million users, and Facebook shelled out $19 billion to acquire the startup, with its staff of only 50 people. Since then, with only a slight expansion of staff, WhatsApp has come to serve more than a billion people across the globe.
But the apps two founders, for all their success, have remained in the shadows. They almost never speak with the media. Koum, in particular, is largely uninterested in press or publicity or, for that matter, any human interaction he deems extraneous. Clearly, you cant believe everything you read in the press, he tells me, a reporter. Although the company runs one of the worlds largest online servicesand is owned by the worlds biggest social networkit continues to operate almost entirely on its own in an unmarked building in Mountain View thats fronted by unusually diligent security. And because the app is far more popular overseas than in the US, the typically fervent Silicon Valley tech press has largely left them alone. As a result, the American public hasnt quite grasped the enormous scope of the companys encryption project or the motivations behind it.
Koum and Acton share a long history in computer security. They first met at Yahoo while doing a security audit for the company. During this time, Koum was also part of a seminal security collective and think tank called w00w00 (pronounced whoo whoo), a tight online community that used the old IRC chat service to trade ideas related to virtually any aspect of the field. Koum grew up in the Ukraine under Soviet rule before immigrating to the US as a teenager, so he has some intimate familiarity with the challenges of maintaining privacy in the face of an intrusive government. But Koum says that the bigger force behind encrypting WhatsApp was Acton, a comparatively outgoing individual who grew up in Florida. Brian gets a lot of credit for wanting to do it earlier, Koum says of WhatsApp encryption.
Indeed, it was Acton who first launched an effort to add encryption to WhatsApp back in 2013. I dont really want to be in the business of observing conversations, he says, adding that people were constantly asking the company for full encryption. This is something our users wanted. Maybe not your average mom in middle America, but people on a worldwide basis. At the start, however, the effort was little more than a prototype driven by a single WhatsApp intern. The project didnt really take off until Moxie Marlinspike remembered a WhatsApp guyan engineer who worked on the version of WhatsApp for Windows phoneshe had met at his girlfriends family reunion.
Moxie Marlinspikes girlfriend comes from a family of Russian physicists, and in 2013, she held a family reunion at the apartment she shared with Marlinspike. The guest list included about 23 Russian physicists and one American guy who worked as an engineer at WhatsApp. (He had married into the family.) Marlinspike chatted briefly with the engineer at the reunion. Then, about a year later, Marlinspike decided it was time to add encryption to WhatsApp, one of the worlds largest messaging services. He sent the guy an email, asking for an introduction to the companys founders.
The debate over encryption has only grown more intense.
When I meet Marlinspike at WhatsApp headquarters, he is somewhat reticent to explain his motivations, which seems typical of the manat least in interviews with the press. Online, however, hes not shy about his views. In the past, he has written that encryption is important because it gives anyone the ability to break the law. But in Mountain View, he is more laconic. WhatsApp is the most popular messaging app in the world, says Marlinspike, who is not just a coder and cryptographer but a sailor and a shipwright. I wanted to get in touch.
Given the reclusive proclivities of WhatsApp, knowing someone who knows someone is particularly important when it comes to making connections there. After the engineer helped make an introduction, Acton met Marlinspike at the Dana Street Roasting Companya popular meeting place for Silicon Valley types. Then, a few weeks later, Marlinspike met with Koum. The two men, it turned out, had plenty in common. Marlinspike had come up in the same world of underground security gurus before joining Twitter in 2011and promptly leaving the company to form Open Whisper Systems. We talked about the IRC days, Koum says of their meeting. How things used to be.
The bond seemed to stick. Soon, Marlinspike was helping to build end-to-end encryption across all of WhatsApp, alongside Acton and Koum and a small team of WhatsApp engineers. Acton says that they got lucky in meeting Marlinspike and that they probably wouldnt have rolled out full encryption if they hadnt. Its part of an intriguing casualness to the way Acton and Koum discuss their seemingly earthshaking undertakingnot to mention the way Marlinspike stays largely silent. They met. They had the means. And they built it. It would take about two years.
The encrypting of WhatsApp was supposed to be finished by the middle of January 2016. Koum and company wanted to unveil a completely encrypted service at the DLD tech media conference in Munich, where he was set to give a proverbial fireside chat. Germany is a country that puts an unusually high value on privacy, both digital and otherwise, and Koum felt the time was ripe to make WhatsApps plans known to the world. Just recently, a Brazilian court had ordered a temporary shutdown of WhatsApp in the country after the company failed to turn over messages to the government that had been sent across a part of the service that was already encrypted. In Germany, Koum could make his counterpoint.
But by the middle of December, it was clear the project wouldnt be finished. The team was intent on encrypting everything on every kind of phone. The last piece was video, Koum says. You need to build for a situation where somebody on Android can send a video to an S40 user. Or somebody on a Blackberry can send to a Windows phone. So the company postponed the announcement. In Germany, Koum talked about WhatsApps new business model instead.
As Koum sees it, slipping a backdoor into an encrypted service would defeat the purpose.
In the meantime, the debate over encryption has only grown more intense. On February 16, Apple CEO Tim Cook released an open letter refusing the court order to unlock a phone that belonged to one of the two shooters who killed 14 people and seriously injured another 22 during a December attack in San Bernardino, California. That day, Acton turned to Koum and said: Tim Cook is my hero. About two weeks later in Brazil, authorities arrested a Facebook vice president because WhatsApp wouldnt turn over messages after a court order. Apparently, the authorities didnt realize that the Facebook employee had nothing to do with WhatsAppor that WhatsApp, thanks to end-to-end encryption, had no way of reading the messages. Two days later, WhatsApp joined Facebook and several other companies in filing an amicus brief in support of Apple in its fight against the FBI.
Clearly, WhatsApp has the support of its much larger parent company. Facebook declined to speak specifically for this story. But Koum, after the WhatsApp acquisition, became a member of the Facebook board. If they were not supportive of us, we wouldnt be here today, he says. But this also wasnt something Facebook imposed on WhatsApp. This is a decision WhatsApp made on its own, before it was acquired. By the time Facebook paid billions of dollars for the company, the transformation was already under way.
Many lawmakers have called for companies like WhatsApp to equip their encryption schemes with a backdoor available only to law enforcement. Theres even been talk of a law that requires these backdoors. But as Koum sees it, slipping a backdoor into an encrypted service would defeat the purpose: you might as well not encrypt it at all. A backdoor would just open the service to abuse by both government and hackers. Besides, if you did add a backdoor, or remove encryption from WhatsApp entirely, that wouldnt stop bad actors. Theyd just go elsewhere. In the age of open source software, encryption tools are freely available to everyone. The encryption genie is out of the bottle, Koum says.
Indeed, even some of those exploring legislation to require backdoors to encrypted digital services acknowledge that the issues in play arent that simple. If we require our companies to build in a door, do we need to let China through the door? Or do we have to build doors for them when these services are used in their countries? asks Adam Schiff, the ranking Democrat on the House Intelligence Committee. And what does that mean in terms of stifling dissent in authoritarian countries that may use it for non-law enforcement purposes?
When asked about reports that terrorists used WhatsApp to plan the attacks on Parisreports that politicians have used to back calls for a backdoorKoum doesnt budge. I think this is politicians, in some ways, using these terrible acts to advance their agendas, he says. If the White House thinks that Twitter can solve their ISIS problem, theyve got (a lot of problems).
Koum is right that encryption is widely available to anyone motivated to use it, but WhatsApp is pushing it much farther into the mainstream than anyone else. Apple, for instance, encrypts the data sitting on an iPhone, and it uses end-to-end encryption to hide the messages that travel over its own iMessage texting service. But iMessage is only available on iPhones. Over the years, Apple has sold about 800 million iPhones. But its hard to know how many are still in use, or how many people who have them are communicating via iMessage anyway. WhatsApp runs on just about every kind of phone. Plus, Apples techniques have some gaping holes. Most notably, many users back up their iMessages to Apples iCloud service, which negates the end-to-end encryption. WhatsApp, meanwhile, has a billion users on its service right now.
Pundits have also made much of the encryption offered by Telegram, a messaging service built by a Russian entrepreneur who travels the world in self-imposed exile. But Telegram doesnt turn on end-to-end encryption by default. And it doesnt do end-to-end encryption for group messaging. And it has only a fraction of the audience of WhatsApp.
In pushing back against end-to-end encryption, the US government argues that its merely trying to maintain the status quothat it has long had the power to issue a warrant for communications data. This is the same principle applied to a different set of facts, says DeMarco, the former federal prospector that has helped law enforcement agencies back the Justice Department against Apple. This is about what companies should do when the government had gone to court and gotten a court order, either a search warrant or a wiretap or a data tap.
When I float this argument to Koum and Acton, they defer to Marlinspikeat first. Though the cryptographer is somewhat reticent to speak, when he does, he speaks with an idealists conviction. In some ways, you can think of end-to-end encryption as honoring what the past looked like, he says. Now, more and more of our communication is done over communication networks rather than face-to-face or other traditionally private means of communicating. Even written correspondence wasnt subject to mass surveillance the way that electronic communication is today.
Dressed in his standard uniform of T-shirt and cargo shorts, Acton agrees. The phone is one hundred, one hundred and ten years old, he says. There was a middle period where the government had a broad ability to surveil, but if you look at human history in total, people evolved and civilizations evolved with private conversations and private speech. If anything, were bringing that back to individuals.
Acton and Koum and Marlinspike believe all this no matter what the government might do or say. Theyre just doing what they want to do, and theyre doing it because they can. Though The New York Times indicates that WhatsApp has received a wiretap order over encrypted data, Acton and Koum say they have had no real interaction with the government. But they probably will soon enough. Acton and Koum have almost complete control of one of the largest communication networks on Earth. Theyve met Moxie Marlinspike. The three of them share Silicon Valleys standard belief in online privacy. And now the government has to contend with something much bigger than a locked iPhone: secrecy for a billion people.
Update: This story has been updated to clarify that Telegram does not do end-to-end encryption by default. It does use other encryption by default, but this does not provide the same level of security as end-to-end.
See original here:
Forget Apple vs. the FBI: WhatsApp Just Switched on ...
