How do you solve a problem like Navika? For starters, protect your chats

It’s a tradeoff between convenience and privacy, but it might keep you safe from the prying eyes of the media and law enforcement agencies.

WrittenBy:Vinay Aravind
Date:
Article image

In the absurdist spy comedy Patriot, the protagonists, on their top secret spy mission, use an unusual messaging solution to communicate with each other. They message each other within a Scrabble game, in a Scrabble app on their phones. It’s satirical of course, but it’s an illustration that one way to avoid being spied on is to just use a messaging platform that no one would think to spy on.

Since the rest of us might find a method like that cumbersome, we unfortunately have to seek out other ways to keep our communications safe from the prying eyes of hackers, law enforcement agencies, and Navika Kumar (not necessarily in that order).

Navika’s recent antics on television where she read out WhatsApp chats involving Bollywood celebrities and their alleged drug dealers have renewed the public’s concerns about the privacy of their communications. That what you’re saying on WhatsApp to your friends, or on a group chat, could fall into the hands of an unscrupulous journalist is a galling thought for all of us.

So, here are a few ways that you can ensure that your communications are a little bit more secure.

First, let’s take a step back. Governments have always wanted the ability to intercept communications. For a while now, techniques like phone tapping have been the stock in trade of law enforcement the world over. Journalists, with varying degrees of ethical rigour, have also employed phone hacking to obtain information, most famously illustrated in the UK scandal that led to the closure of the notorious tabloid the News of The World.

Text messaging makes this kind of interception both easier, and more difficult, in different ways. It’s easier in that unlike phone conversations, that require live interception and specific monitoring of a particular line, messaging allows someone to retrospectively intercept communications going back months (or even years). This is because the record of the communications accumulates on the senders’ and recipients’ devices over time, unless deleted. You don’t need to have had any foresight in “tapping” the medium; you just need to decide one fine day that you want to read someone’s chats. And as long as you get access to the device, through means legal or illegal, you can access all the communications.

The difficulty, of course, is that you have to get access to the device.

Now, when you ask anyone the question “how can I secure my communications”, the most common answer is “use Signal!” — and with good reason. The founder of Signal, Moxie Marlinspike, came up with what is known as the “Signal Protocol”, an open-source encryption protocol that encrypts messaging communications end-to-end, which means that the messaging platform itself has no access to the contents of your messages.

WhatsApp also uses the Signal Protocol to encrypt all your messages. This means that law enforcement cannot send a court order to WhatsApp or Signal and get a record of all your conversations, because they themselves have no way of accessing them. Neither can Mark Zuckerberg read your chats on a whim because he’s bored on a Sunday afternoon.

The other way they can get access to these chats, even without access to your device, is if you back them up to Google Drive or Apple’s iCloud. These backups are not encrypted and Google or Apple can quite easily be subpoenaed to hand over these chat records, as Paul Manafort discovered, much to his chagrin. This also means that Sundar Pichai or Tim Cook could, in theory, read your chats on a whim because they’re bored on a Sunday afternoon.

As I mentioned before, the gold standard for keeping your chats secure is to use Signal. Signal not only encrypts the contents of your chats end-to-end, it also encrypts all the metadata, which is information about who you communicate with, at what time, and so on. The latter is something that WhatsApp does not encrypt and is known to hand over to law enforcement.

Essentially, Signal cannot hand over any information to law enforcement agencies other than the time at which you downloaded their app. Signal also offers a facility known as disappearing messages, where you can select a particular time period after which those messages are deleted automatically on all devices.

The major downside to Signal is that most of the people you know are probably not on it. Compared to Signal, WhatsApp has more users worldwide by several orders of magnitude. I don’t have comparative data for their user base in India but as a quick experiment, I downloaded Signal and checked the 20 people I contact most frequently on WhatsApp. Only eight of them are on Signal, of which three are journalists. This isn’t surprising: Signal is very popular among journalists and media organisations because of its reputation for privacy and security. None of my most actively used WhatsApp groups could port to Signal because at least some, if not most, of the members are not on Signal. Therefore, practically speaking, Signal can only be, at best, your secondary messaging app.

There are also options like Telegram, but its encryption protocol is not open-source, and therefore has not been verified by security researchers and the like. Needless to say, other apps like Facebook Messenger and Twitter DMs are completely insecure and should never be used for any sensitive communications.

This brings us to the most important question: How can we use WhatsApp (the primary messaging app for most of us) in the most secure way possible?

As with anything else, this involves a trade off between convenience/utility and privacy.

First, you can stop backups. Backups are stored unencrypted in the cloud, and your cloud service provider can be compelled to hand these over. Yes, this means that you will lose your chats if you switch devices or do a factory reset, but that’s the tradeoff for privacy and you’ll need to take a call on which you prioritise.

Second, you can lock the WhatsApp app itself within your phone, using your fingerprint or your FaceID. These are not foolproof (the iOS one has a documented bypass), but it’s still an additional layer of security in case someone gets access to (or manages to clone) your device.

Third, you can periodically delete your chats manually. Either all of your chats, or chats with specific contacts that you consider sensitive. Remember that unlike Signal’s disappearing messages, this won’t delete the chats from both ends of the conversation but at least on your device, the messages will no longer be easily accessible.

Fourth, you can enable two factor authentication for WhatsApp. This will require you to enter a PIN periodically to verify that you’re the authorised user of that WhatsApp account. Of course, when I tried doing this, I discovered that on the beta version of WhatsApp that I use, it regularly flushes my recently used emojis and I therefore turned it off. A sad indictment of where my priorities lie.

There are also options like checking encryption for specific contacts and turning on security notifications that you can do to further secure your sensitive WhatsApp conversations.

Most of us tend to assume that our conversations are fairly innocuous and many of these precautions may appear over the top. But it’s worth remembering a couple of things. Both law enforcement agencies and the media in India are capable of making out innocuous acts as being evidence of criminality. Many writers and activists are in jail under the Unlawful Activities (Prevention) Act for innocuous acts like owning certain books. And media organisations in India are capable of deftly combining their lack of ethics with a lack of intelligence and declaring a message like “imma bounce” as evidence of banking fraud.

These are extraordinary times in an extraordinary country, and it’s a difficult choice for us to make between privacy and convenience in our communications. None of the suggestions set out above will guarantee the privacy of your communications against a determined intruder. But knowing the risks associated with them, and the options we have to mitigate these risks, is at least a start.

Update: This piece has been updated to reflect that the News of the World scandal involved phone hacking.

***
The media must be free and fair, uninfluenced by corporate or state interests. That's why you, the public, need to pay to keep news free. Support independent media by subscribing to Newslaundry today.

Also see
article imageDeepika, drugs, duplicity: Coming to you from the Republic of Slander Now

Comments

We take comments from subscribers only!  Subscribe now to post comments! 
Already a subscriber?  Login


You may also like