Will Google And Facebook Copy WhatsApp’s Encryption Tech?
End-to-end encryption poses a huge threat to the business model of Internet giants.
Now that it encrypts its messages, social media giant WhatsApp has thrown up a major roadblock for the world’s intelligence agencies. But the National Security Agency can take comfort in this, at least: Internet heavyweights such as Facebook and Google are unlikely to embrace similar encryption systems, which would prevent harvesting user information for advertising purposes.
In an era when cybercriminals are hacking into the computers of governments, corporations, and individuals, end-to-end encryption of the type now used by WhatsApp’s more than 1 billion users represents the cutting edge of security know-how. Yet it also radically challenges the business models of some of America’s biggest tech companies that rely on huge troves of data about their users to deliver hyperspecific advertising.
End-to-end encryption generally “would conflict with the advertising model and presumably curtail revenues,” Harvard’s Berkman Center for Internet & Society noted in a February report. It concluded that profit-driven tech firms “have little incentive to veer from this model, making it unlikely that end-to-end encryption will become ubiquitous across applications and services.”
Google’s Gmail, for example, unapologetically scans users’ email messages to serve up ads. “We automatically process your messages to help you sort through the unimportant messages that get in your way,” Google explains on a Gmail help page. “We use a similar approach with ads. For example, if you’ve recently received a lot of messages about photography or cameras, a deal from a local camera store might be interesting.”
Users can disable Gmail from serving ads based on emails, but the default set-up allows the company to scan and harvest that data. It’s deeply in Google’s economic interests to do so: The more information it has, the better it can target users with ads relevant to their interests.
Neither Google nor Facebook responded to questions for this report.
Privacy advocates are deeply suspicious of the business model described as surveillance in the interest of advertising. That makes Facebook’s $22 billion acquisition of WhatsApp all the more fascinating.
WhatsApp doesn’t collect demographic information on its users, and its new encryption technology has erected a mathematical wall between the company and its clients. A 2012 blog post on the company’s website, titled “Why we don’t sell ads,” begins with a quote from the movie Fight Club: “Advertising has us chasing cars and clothes, working jobs we hate so we can buy shit we don’t need.”
“These days companies know literally everything about you, your friends, your interests, and they use it all to sell ads,” WhatsApp founder Jan Koum wrote in that blog post. “Remember, when advertising is involved, you the user are the product.”
The WhatsApp encryption system, developed by the hacker who goes by the name Moxie Marlinspike, blinds the company to its customers’ communications. Users hold the keys to their encrypted data, meaning WhatsApp is powerless to provide the government with the contents of a user’s conversations — even when under court order to do so.
That’s in sharp contrast with the giants of the tech and social media world, as noted in the Harvard report. In the absence of end-to-end encryption, “many Internet companies will continue to have the ability to respond to government orders to provide access to communications of use,” it concluded.
Still, WhatsApp’s system isn’t surveillance-proof.
Chris Soghoian, principal technologist at the American Civil Liberties Union, said WhatsApp allows users to back up their conversations to cloud-based servers. The government may be able to access user content stored there, Soghoian said. User metadata — information about who a person contacted and when, and for how long they communicated — may also be vulnerable to court order.
For a company like Apple, business interests affect how widely it can deploy its encryption. Currently, when presented with a court order, Apple is able to provide the government with iPhone data that has been backed up to the cloud. Apple encrypts that information but holds a key to unscramble it. In the case of the iPhone used by one of the San Bernardino shooters, Apple turned over data stored on the cloud but said it could not access his encrypted phone. The company’s iMessage system is encrypted, but Apple can turn over messages backed up to the cloud.
Apple could in theory deploy end-to-end encryption in the cloud, but at a potentially huge cost to user convenience. If a customer loses his iPhone and has forgotten his password, his data on the cloud would be unavailable to him, Soghoian said. Such a security regime would potentially leave Apple with a large number of angry users. It’s one example of Apple’s ongoing struggle between enhanced security features and user convenience.
Given Facebook’s use of targeted ads, it’s unclear how WhatsApp will balance its own hard-line commitment to user privacy. In an interview last month, Marlinspike told Foreign Policy that WhatsApp is “fiercely independent from Facebook,” but noted that “over time that might not always be true.”
“They are within the Facebook universe, so it remains to be seen what will happen to them,” he said.
Photo credit: JUSTIN SULLIVAN/Getty Images