The popular WhatsApp instant messenger is now encrypted by default on Android, and encryption will be rolled out to the other platforms shortly. This was implemented in partnership with Open Whisper Systems, a company that develops open-source security software.
Encrypted instant messaging has been an option for many years via the use of messengers specially designed just for that (or plugins for existing messengers) such as Hemlis, Pidgin or Adium with an off-the-record (OTR) plugin, Tox, TextSecure, and more.
I don’t consider the encrypted version of WhatsApp to be a replacement for TextSecure, because TextSecure encrypts your SMS text messages. Encrypting WhatsApp has a much greater impact than TextSecure, though, because WhatsApp already has more than 600 million users.
‘I don’t think that we’re ever going to get an app like TextSecure to be as popular as WhatsApp and really I don’t know that’s where we need to focus our efforts,’ said Moxie Marlinspike, co-founder of Open Whisper Systems in a phone interview. ‘It makes more sense for us to integrate this stuff into existing apps than to try to compete with them.’
Why Did The Age-Old Concept Of Encryption Take So Long To Become Mainstream?
‘Age-old’ may be a bit exaggerated, but encryption is not new. It is already common for companies in general to encrypt sensitive information such as payment details being transmitted online. Encryption has been rarely used at best for anything that is not deemed absolutely necessary, even though it isn’t that difficult to implement existing encryption systems. So what causes the strong aversion to encryption?
Encryption increases system resource usage. In other words, it needs some of your computer or phone’s processing power, and that will slow it down.
Some Are Changing Their Minds About Encryption
Google and Apple have decided to enable encryption on Android and iOS devices by default. This may be partly due to recent revelations involving the NSA and Edward Snowden. If you haven’t already heard: The NSA has been conducting a surveillance program for years. Supporters of it said that it can provide security benefits such as the ability to catch criminals and stop terrorism plots in their tracks by going through their messages and following other suspicious tracks they leave behind on the Internet to find clues.
Opponents of surveillance say that it is a violation of privacy and that the government is just becoming tyrannical.
Is The Encryption Of WhatsApp A Big Deal?
For most of the people opposed to government surveillance, it is probably great news. For everyone else, it may just be a perk, but bear in mind that privacy and security go hand in hand. Regardless of government surveillance, criminals are out to steal sensitive information, steal your identity and rob you, and stalk you.
Potential, but overlooked security issues:
- Discussing sensitive company information (intellectual property, passcodes, among other things) over conventional unencrypted messaging systems instead of using company-provided encrypted communications or keeping the discussion at work. This is one way in which sensitive information can be leaked. Many people use WhatsApp, including people who handle and discuss confidential things.
- Messaging payment details is ridiculous, but it doesn’t mean people don’t do it. Not everyone is cautious. Remember: Some people still leave their doors unlocked in this day and age, so carelessness can be expected.
The Need For Encryption Is Growing
The need for encryption is growing. This isn’t only due to the rise of identity thefts. It is also fuelled by the rise of cloud computing and the use of wireless Internet connections.
Cloud computing entails transmitting a large fraction of your data over the Internet, for example when downloading documents from a cloud for viewing. In this day and age where wireless Internet connections are common, cloud computing entails transmitting most of your personal data over the airwaves where they can be intercepted by criminals and used to rob you.
Another reason for encryption is: Cloud servers are online, and therefore accessible to criminals via the Internet. To be fair, people’s personal computers and phones are often connected to the Internet as well, but they at least have the option to disconnect the computer that stores their personal data from the Internet.
Apart from that, cloud services rely on centralized server networks. So once a criminal breaks into a cloud datacentre, they have access to thousands of users’ data. This is why centralized systems are targeted more than individual PCs.
The breaches of the PlayStation Network and JP Morgan Chase bank help to explain it: millions of customers’ data is stored centrally, so all criminals have to do is access that one central location, and they can steal millions of credit card numbers.
Why Do Wireless Internet Connections Increase The Need For Encryption?
Devices with Wi-Fi Internet connections are capable of accepting connections from other devices. Therefore, they can be hacked by a nearby criminal with a laptop. A very common case is the unauthorized use of other people’s Internet connections via Wi-Fi. If that can take place from the street (it can), imagine the other potential threats. A person could literally sit on the street outside your property and steal your data without your knowledge. Please be careful how you store payment details! If you scan any sensitive bank documents, encrypt them.
It Helps To Understand Encryption
Encryption has been a saviour for the many corporations and people that need to transmit and receive sensitive information, including banks, online stores, any website that offers paid services, games with in-app purchasing, and more.
The Bad Side Of Encryption
- Compromised battery life/increased power consumption.
- Reduced OS and app performance.
Encryption can reduce battery life by making your phone’s CPU work harder. The harder your CPU has to work, the more power it consumes. This comes from CPU frequency scaling, also called CPU throttling: your CPU tries to keep power consumption at a minimum by throttling itself down as much as it can without affecting your activities. More activity causes it to throttle itself up, which can result in a sharp power consumption increase.
We can see this happening already: Android 5.0 (Lollipop) has encryption enabled by default. It decreases storage performance and overall device performance.
The Nexus 6 is one of the devices to come equipped with Android 5.0 Lollipop and Full Disk Encryption (FDE). AnandTech conducted a performance test with and without FDE. The results with FDE enabled:
- Random read performance declined by 62.9%.
- Random write performance declined by 50.5%.
- Sequential read performance declined by 80.7%.
AnandTech’s Brandon Chester and Joshua Ho’s comments included:
‘As you can see, there’s a very significant performance penalty that comes with enabling FDE, with a 62.9% drop in random read performance, a 50.5% drop in random write performance, and a staggering 80.7% drop in sequential read performance. This has serious negative implications for device performance in any situation where applications are reading or writing to disk. Google’s move to enable FDE by default also may not be very helpful with real world security without a change in user behaviour, as much of the security comes from the use of a passcode. This poses a problem, because the users that don’t use a passcode don’t really benefit from FDE, but they’re still subject to the penalties.’
They also said:
‘To me, the move to enable FDE by default in Lollipop seems like a reactionary move to combat the perception that Android is insecure or more prone to attack than iOS, even if that perception may not actually be accurate. While it’s always good to improve the security of your platform, the current solution results in an unacceptable hit to performance. I hope Google will either reconsider their decision to enable FDE by default, or implement it in a way that doesn’t have as significant of an impact on performance.’
PC World’s Ian Paul also commented:
‘The issue, says AnandTech, is that many components commonly used in Android devices just aren’t up to the task of incorporating FDE without a performance hit. That will probably change over time, but for now it appears to be a big issue.
For Android encryption to be useful, you also must have the lock screen enabled. Without it, FDE is enabled but it doesn’t kick in—yet the cost penalty remains. In other words, you could be experiencing lag on your device even if you’re not effectively using FDE.’
Every time you download a file, the encryption software has to run (this requires some of your CPU’s power and your memory capacity), encrypt the file (plenty of CPU usage), and then finally write it to your device’s memory.
One thing that would help is smaller encrypted files. If someone could develop an encryption system that creates smaller files, that could reduce transmission time, and data transfer times within devices, provided that the new system does not require even more power to carry out the encryption process.
Another solution is to improve the efficiency of the Android platform. Since Android can already shut down apps running in the background, maybe they should crack down harder on apps which run in the background unless absolutely necessary (e.g. instant messaging).
PC World’s conclusion was much more positive. They said that the Nexus 6’s 2.7 GHz quad-core processor and 3 GB of RAM compensate for the issue, so it is still a fast phone. That is a great deal of RAM and processing power, and the other phone manufacturers are implementing very powerful processors as well. Judging by the rate at which CPU performance and RAM increase, by the time Lollipop is rolled out, you shouldn’t have any performance issues.
For users of older phones and tablets that didn’t come with Lollipop pre-installed, encryption will not be enabled by default. As for budget smartphones under $100 which have single-core processors, they should stick with older versions of Android for now.
Is Google Being Unfair?
Operating systems (whether they are Windows or any other) have greater system requirements (higher CPU clock speed, more cores, more RAM) with every release, and this forces people to retire their old devices eventually. This applies to applications in general. Software is becoming more bloated as time goes by, and people aren’t squealing about that. Not only that, but those bloated apps are not protecting your identity.
They are just tracking your location, downloading updates you probably didn’t request, and constantly checking their servers for notifications to pester you throughout the day to get you to log back in. I think Google has a much better reason for slowing devices down than the third-party app developers do.
Apple also decided to enable it on iOS devices. They said that even they don’t have the encryption keys. This may have motivated Google to enable encryption as well. Apple, among other organizations including Microsoft, is not allowing the government to access user data, so Apple locked itself out of it. I have to admit that this sounds like an awfully odd reaction. I thought they would be better off if they had access to user data, as user data is a tremendously valuable thing which is used for market research to develop more effective advertisements, more enticing products, and better quality products.
Feel free to discuss your thoughts about this in the comment section.
I can only hope that the encryption doesn’t compromise national security, though. I mentioned the benefits of encryption already, but if the supporters of surveillance are correct, it could significantly affect the ability of law enforcement to catch criminals. Both physical and cyber crime have gotten out of control.
According to The Guardian, FBI director James Comey said:
‘Are we no longer a country that is passionate both about the rule of law and about there being no zones in this country beyond the reach of that rule of law? Have we become so mistrustful of government and law enforcement in particular that we are willing to let bad guys walk away, willing to leave victims in search of justice?’
How do you feel about the encryption debate? Let me know in the comment section!
If you would like to encrypt your phone calls, Open Whisper Systems also offers RedPhone for Android and Signal for iOS.