What’s up with WhatsApp: legal implications of the potential security flaw

A security flaw found in the popular messaging app could allow others to intercept your encrypted messages.

Earlier this month there was widespread reporting in both the tech and mainstream media of the discovery of a potential security vulnerability in Facebook's WhatsApp messaging service. Coverage of the likely flaw, which was reportedly discovered by researchers at Berkeley University in California, was a blow to Facebook given that WhatsApp places privacy and security at the heart of its service by providing end-to-end encryption of users' messages and photos, preventing third parties including its own staff from accessing them.

In a nutshell, the potential security flaw would theoretically allow WhatsApp to intercept some users' messages, which would appear to them to be encrypted. This has resulted in considerable speculation that government agencies could exploit this vulnerability as a means of covert surveillance, by targeting specific individuals' messages or on a bulk extraction basis.

Whilst WhatsApp has publicly stated that it does not allow government any access to its customers' communications and would resist any request to do so, this has not stopped speculation from freedom of speech and privacy campaigners that the vulnerability could be exploited. So should WhatsApp users be concerned?

From a regulatory perspective, in order for any interception or extraction of communications to be done lawfully, it would need to be undertaken within the framework of the Investigatory Powers Act (the "Act") which came into force in November of last year. The Act goes some way to simplifying the surveillance and investigatory powers and rights that were previously spread across multiple pieces of legislation. This area of the law was ripe for reform in light of the Edward Snowden revelations and the European Court of Justice's finding that the Data Retention Directive was invalid in 2014, which led to the Data Retention and Investigatory Powers Act 2014 being rushed through Parliament in just three days.

The Act no longer contains the worst offending provisions requiring tech companies to build governmental back doors into their systems, which earned it the nickname of the 'snooper's charter'. Instead the Act has been amended to offer more protection against abuse of surveillance and interception powers, which are understandably the primary concerns of privacy campaigners given the potential chilling effect on freedom of speech that such access might have. There is also more judicial oversight of interception warrants, although these do not go as far as the measures proposed by the Independent Reviewer of Terrorism Legislation.   

During the course of the Act’s passage through Parliament, the government has had to wrestle with balancing its national security concerns with individual rights of privacy enshrined in Article 8 of the European Convention on Human Rights. Whether the government has managed to square this circle remains to be seen now the Act has come into force. The European Court of Human Rights accepts that targeted secret surveillance can be found to be in compliance with Article 8, but only where strictly necessary for the safeguarding of democratic institutions, assessed on a case-by-case basis. However, the Act, which legalises the bulk collection and storage of communications data, is anything but a targeted approach.

Subsequent comments from security experts following the revelation of the WhatsApp vulnerability suggest that the risk is limited to targeted communications and that bulk extraction would not be possible in any event. This ought to be some comfort to WhatsApp users and privacy campaigners alike. However, the wider issue is whether the safeguards built into the Act will be found to be in compliance with Article 8 if and when they come to be tested in the Courts.

The Act requires communications service providers to store records of their users' communications and related data, like websites visited, for 12 months for potential access by police, security services and other public bodies upon issue of a warrant. Whether access to private individuals’ communications is granted to the authorities will need both ministerial and judicial authorisation, the so-called "double lock". This new regulatory regime will be overseen by the newly created Investigatory Powers Commissioner (IPC), which combines a number of pre-existing oversight bodies to create a single unified enforcer. It will be the job of the IPC to oversee the use of the state's investigatory powers and hold the security services to account. Whilst greater resources have been promised in order to make this happen, this will nevertheless be a challenging but vital role.

Even if this new framework for state surveillance is found to be Article 8 compliant, it is possible that individual warrants could be challenged through the judicial review process – most likely by service providers like Facebook anxious to preserve their reputations for guarding their users' privacy and security. 

Patrick Arben, Partner at Gowling WLG 


ABOUT THE AUTHOR

Patrick Arben is a dispute resolution partner with Gowling WLG. He specialises in the technology sector and leads the firm’s IT & Outsourcing Dispute Resolution team.