In an FAQ, messaging platform WhatsApp has given details of a deal that allows users to backup to Google Drive without worrying about storage costs. It will only apply to users that run the app on Android. Heavy users of the app will welcome this move. It will free up space on their device and allow them to restore to another device. To sweeten the announcement, backups won’t count towards Google Drive limits.
Like anything that sounds too good to be true, so it this. About halfway down the FAQ that gives details on how to backup WhatsApp adds the line:
Important: Media and messages you back up aren’t protected by WhatsApp end-to-end encryption while in Google Drive.
For anyone who relies on WhatsApp to communicate securely, this backup option is not for you. It is likely to have businesses, journalists and rights activists looking for an alternative. None of these groups will want their messages suddenly accessible by hackers or anyone who can get to a users Google Drive account.
This is yet another piece of bad news for WhatsApp after researchers said they could hack into the app earlier this month.
A bonus for law enforcement and governments
The only people who will be breaking open the champagne here are law enforcement and governments. They have often complained that WhatsApp is being used by criminals and terrorists and the encryption is hampering their work.
In India, the government has a long running battle with WhatsApp arguing that it is stopping them investigating rapes and murders. They also accuse it of spreading misinformation and provocative content. In July, WhatsApp said it was looking at ways to limit the number of times messages could be forwarded.
This move now allows authorities to issue a warrant to Google in order to access a users messaging backup. If successful, they would be able to see all the chats that a user has backed up. Intelligence services may not even wait for a warrant. They could choose to simply hack into a users Google Drive account and copy the data. The same could be done by other hackers looking for information that they could exploit.
What cannot be done is to backup a seized phone and then access the data. This is because the setup process requires access to WhatsApp on the local device. The user has to be logged in to create the backup process.
What could WhatsApp have done?
Transferring the message store “as is” from the device was one option. However, the key used to encrypt the data is stored on the device. Extracting and saving it is not the simplest of tasks. WhatsApp could have written a utility that would have helped the user do this but then it would need to store the key securely in Google Drive.
Another option would have been to provide the user with a way to encrypt the data themselves. This could be as simple as asking for a password before the data was transferred.
A third option would have been to create a proper backup app. This could help the users encrypt their data and even setup multi-factor authentication in order to access it later. They would also have the ability to backup wherever they wanted – Google, Microsoft, Box, Dropbox, company server, home computer, etc. Such a wider set of options seems like a missed opportunity.
What does this mean
WhatsApp has made its mark as a secure messaging application. Users like it because it keeps all their conversations secret. Only those involved in a conversation can see the messages. Despite pressure from many governments, most recently India, WhatsApp has made it clear it cannot decrypt messages.
There is a question over why Google Drive and why only Google Drive. It could be that it was the easiest option given that this only applies to Android devices running WhatsApp. However, there are suggestions in Internet chat groups that this could be a more sinister move.
Last year, Google was caught monitoring what people were storing in its apps. In what Google later blamed on a botched update, some users were locked out of their accounts for violating the company’s content policies. Like many Internet companies, Google is under pressure to scan for unacceptable content and block it. It comes as no surprise, therefore, that it would be doing some form of scanning.
The vast majority of content inside WhatsApp backups is likely to be mundane. However there will be messages that are not so innocent. Photos sent between two individuals, business users exchanging confidential data and journalists talking to sources. None of these would expect Google or anyone else to be mining their WhatsApp backup. But if it isn’t encrypted then it’s fair game.
There is still time for WhatsApp to fix this between now and November 12. Let’s hope it does so.