Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People

 

For most of the past six weeks, the biggest story out of Silicon Valley was Apple’s battle with the FBI over a federal order to unlock the iPhone of a mass shooter. The company’s refusal touched off a searing debate over privacy and security in the digital age. But this morning, at a small office in Mountain View, California, three guys made the scope of that enormous debate look kinda small.
Mountain View is home to WhatsApp, an online messaging service now owned by tech giant Facebook, that has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. This means that only Facebook itself runs a larger self-contained communications network. And today, the enigmatic founders of WhatsApp, Brian Acton and Jan Koum, together with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike, revealed that the company has added end-to-end encryption to every form of communication on its service.
This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices.
“Building secure products actually makes for a safer world, (though) many people in law enforcement may not agree with that,” says Acton, who was employee number forty-four at Internet giant Yahoo before co-founding WhatsApp in 2009 alongside Koum, one of his old Yahoo colleagues. With encryption, Acton explains, anyone can conduct business or talk to a doctor without worrying about eavesdroppers. With encryption, he says, you can even be a whistleblower—and not worry.

The FBI and the Justice Department declined to comment for this story. But many inside the government and out are sure to take issue with the company’s move. In late 2014, WhatsApp encrypted a portion of its network. In the months since, its service has apparently been used to facilitate criminal acts, including the terrorist attacks on Paris last year. According to The New York Times, as recently as this month, the Justice Department was considering a court case against the company after a wiretap order (still under seal) ran into WhatsApp’s end-to-end encryption.
“The government doesn’t want to stop encryption,” says Joseph DeMarco, a former federal prosecutor who specializes in cybercrime and has represented various law enforcement agencies backing the Justice Department and the FBI in their battle with Apple. “But the question is: what do you do when a company creates an encryption system that makes it impossible for court-authorized search warrants to be executed? What is the reasonable level of assistance you should ask from that company?”
WhatsApp declined to discuss any particular wiretap orders. But the prospect of a court case doesn’t move Acton and Koum. Espousing an article of faith that’s commonly held among Silicon Valley engineers—sometimes devoutly, sometimes casually—they believe that online privacy must be protected against surveillance of all kinds. “We’re somewhat lucky here in the United States, where we hope that the checks and balances hold out for many years to come and decades to come. But in a lot of countries you don’t have these checks and balances,” says Koum, dressed in his usual T-shirt and hoodie. Coming from Koum, this is not an academic point, as most of WhatsApp’s users are outside the US. “The argument can be made: Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future.”


Acton and Koum started adding encryption to WhatsApp back in 2013 and then redoubled their efforts in 2014 after they were contacted by Marlinspike. The dreadlocked coder runs an open source software project, Open Whisper Systems, that provides encryption for messaging services. In tech security and privacy circles, Marlinspike is a well-known idealist. But the stance he has taken alongside Acton and Koum—not to mention the other WhatsApp engineers who worked on the project and the braintrust at Facebook that’s backing the effort—is hardly extreme in the context of Silicon Valley’s wider clash with governments and law enforcement over privacy. In Silicon Valley, strong encryption isn’t really up for debate. Among tech’s most powerful leaders, it’s orthodoxy. And WhatsApp is encryption’s latest champion. It sees itself as fighting the same fight as Apple and so many others.
WhatsApp, more than any company before it, has taken encryption to the masses. What makes this move even more striking is that the company did this with such a tiny group of people. The company employs only about 50 engineers. And it took a team of only 15 of them to bring encryption to the company’s one billion users—a tiny, technologically empowered group of individuals engaging in a new form of asymmetrical resistance to authority, standing up not only to the US government, but all governments. “Technology is an amplifier,” Acton says. “With the right stewards in place, with the right guidance, we can really effect positive change.”
But of course, positive change is in the eye of the beholder. And these are technological stewards in the style of Silicon Valley: billionaires in cargo shorts and T-shirts who did something massive because they wanted to. And because they could.

Connecting the World

Like so many tech startups, WhatsApp’s success seems a bit accidental. Acton and Koum originally conceived of their app as a way for people to broadcast their availability to friends, family, and colleagues: Could they talk or text at that very moment or not? But it soon morphed into a more general messaging app, a way to trade text messages via the Internet without using the SMS networks operated by cellular phone carriers like Verizon and AT&T. But the real genius of the app is that very early on, Acton and Koum targeted the international market.
In the startup’s first year, they offered the service in German, Spanish, French, and Italian, among other languages, and it rapidly took off overseas, where SMS text fees are much higher in than US. Today, the company offers the app in more than 50 languages, and it has grown into the primary social network in so many of the world’s countries, including Brazil, India, and large parts of Europe. In many places, local wireless carriers have signed deals with WhatsApp to offer the service directly to their customers, undermining their own texting services but driving more people to use the wider Internet through their wireless networks—and thus driving more revenue.
By February of 2014, WhatsApp had reached about 450 million users, and Facebook shelled out $19 billion to acquire the startup, with its staff of only 50 people. Since then, with only a slight expansion of staff, WhatsApp has come to serve more than a billion people across the globe.

 

But the app’s two founders, for all their success, have remained in the shadows. They almost never speak with the media. Koum, in particular, is largely uninterested in press or publicity or, for that matter, any human interaction he deems extraneous. “Clearly, you can’t believe everything you read in the press,” he tells me, a reporter. Although the company runs one of the world’s largest online services—and is owned by the world’s biggest social network—it continues to operate almost entirely on its own in an unmarked building in Mountain View that’s fronted by unusually diligent security. And because the app is far more popular overseas than in the US, the typically fervent Silicon Valley tech press has largely left them alone. As a result, the American public hasn’t quite grasped the enormous scope of the company’s encryption project or the motivations behind it.
Koum and Acton share a long history in computer security. They first met at Yahoo while doing a security audit for the company. During this time, Koum was also part of a seminal security collective and think tank called w00w00 (produced “whoo whoo”), a tight online community that used the old IRC chat service to trade ideas related to virtually any aspect of the field. Koum grew up in the Ukraine under Soviet rule before immigrating to the US as a teenager, so he has some intimate familiarity with the challenges of maintaining privacy in the face of an intrusive government. But Koum says that the bigger force behind encrypting WhatsApp was Acton, a comparatively outgoing individual who grew up in Florida. “Brian gets a lot of credit for wanting to do it earlier,” Koum says of WhatsApp encryption.