Leave behind Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People
Get The
6 months for $Five – plus a FREE Portable
WIRED’s fattest stories, delivered to your inbox.
- 16 mins
A year after he set the world record for holding his breath, he broke it again: twenty four minutes and three seconds. Here’s how bit.ly/2wsVJxq
Go after Us
Don’t miss our latest news, features and movies.
We’re On
See what’s inspiring us.
Go after Us
Don’t miss out on WIRED’s latest movies.
Slide: one / of seven . Caption: Caption: WhatsApp founders Jan Koum (L) and Brian Acton (R). Michael Friberg for WIRED
Slide: two / of seven . Caption: Caption: Moxie Marlinspike. Michael Friberg for WIRED
Slide: three / of seven . Caption: Caption: Brian Acton. Michael Friberg for WIRED
Slide: four / of seven . Caption: WIRED
Slide: five / of seven . Caption: Caption: Jan Koum. Michael Friberg for WIRED
Slide: six / of seven . Caption: Caption: Moxie Marlinspike. Michael Friberg for WIRED
Slide: seven / of seven . Caption: WIRED
Leave behind Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People
For most of the past six weeks, the thickest story out of Silicon Valley was Apple’s battle with the FBI over a federal order to unlock the iPhone of a mass shooter. The company’s refusal touched off a searing debate over privacy and security in the digital age. But this morning, at a petite office in Mountain View, California, three guys made the scope of that enormous debate look kinda puny.
Mountain View is home to WhatsApp, an online messaging service now possessed by tech giant Facebook, that has grown into one of the world’s most significant applications. More than a billion people trade messages, make phone calls, send photos, and interchange movies using the service. This means that only Facebook itself runs a larger self-contained communications network. And today, the enigmatic founders of WhatsApp, Brian Acton and Jan Koum, together with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike, exposed that the company has added end-to-end encryption to every form of communication on its service.
This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and movies moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia spin phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of serving with a court order requesting access to the content of any message, phone call, photo, or movie traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans harshly a billion devices.
“Building secure products actually makes for a safer world, (tho’) many people in law enforcement may not agree with that,” says Acton, who was employee number forty-four at Internet giant Yahoo before co-founding WhatsApp in two thousand nine alongside Koum, one of his old Yahoo colleagues. With encryption, Acton explains, anyone can conduct business or talk to a doctor without worrying about eavesdroppers. With encryption, he says, you can even be a whistleblower—and not worry.
The FBI and the Justice Department declined to comment for this story. But many inwards the government and out are sure to take issue with the company’s stir. In late 2014, WhatsApp encrypted a portion of its network. In the months since, its service has evidently been used to facilitate criminal acts, including the terrorist attacks on Paris last year. According to The Fresh York Times, as recently as this month, the Justice Department was considering a court case against the company after a wiretap order (still under seal) ran into WhatsApp’s end-to-end encryption.
“The government doesn’t want to stop encryption,” says Joseph DeMarco, a former federal prosecutor who specializes in cybercrime and has represented various law enforcement agencies backing the Justice Department and the FBI in their battle with Apple. “But the question is: what do you do when a company creates an encryption system that makes it unlikely for court-authorized search warrants to be executed? What is the reasonable level of assistance you should ask from that company?”
WhatsApp declined to discuss any particular wiretap orders. But the prospect of a court case doesn’t budge Acton and Koum. Espousing an article of faith that’s commonly held among Silicon Valley engineers—sometimes devoutly, sometimes casually—they believe that online privacy must be protected against surveillance of all kinds. “We’re somewhat fortunate here in the United States, where we hope that the checks and balances hold out for many years to come and decades to come. But in a lot of countries you don’t have these checks and balances,” says Koum, dressed in his usual T-shirt and hoodie. Coming from Koum, this is not an academic point, as most of WhatsApp’s users are outside the US. “The argument can be made: Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future.”
Acton and Koum commenced adding encryption to WhatsApp back in two thousand thirteen and then redoubled their efforts in two thousand fourteen after they were contacted by Marlinspike. The dreadlocked coder runs an open source software project, Open Whisper Systems, that provides encryption for messaging services. In tech security and privacy circles, Marlinspike is a well-known idealist. But the stance he has taken alongside Acton and Koum—not to mention the other WhatsApp engineers who worked on the project and the braintrust at Facebook that’s backing the effort—is hardly extreme in the context of Silicon Valley’s broader clash with governments and law enforcement over privacy. In Silicon Valley, strong encryption isn’t indeed up for debate. Among tech’s most powerful leaders, it’s orthodoxy. And WhatsApp is encryption’s latest champ. It sees itself as fighting the same fight as Apple and so many others.
WhatsApp, more than any company before it, has taken encryption to the masses. What makes this budge even more striking is that the company did this with such a little group of people. The company employs only about fifty engineers. And it took a team of only fifteen of them to bring encryption to the company’s one billion users—a little, technologically empowered group of individuals engaging in a fresh form of asymmetrical resistance to authority, standing up not only to the US government, but all governments. “Technology is an amplifier,” Acton says. “With the right stewards in place, with the right guidance, we can indeed effect positive switch.”
But of course, positive switch is in the eye of the beholder. And these are technological stewards in the style of Silicon Valley: billionaires in cargo cut-offs and T-shirts who did something massive because they dreamed to. And because they could.
Connecting the World
Like so many tech startups, WhatsApp’s success seems a bit accidental. Acton and Koum originally conceived of their app as a way for people to broadcast their availability to friends, family, and colleagues: Could they talk or text at that very moment or not? But it soon morphed into a more general messaging app, a way to trade text messages via the Internet without using the SMS networks operated by cellular phone carriers like Verizon and AT&T. But the real genius of the app is that very early on, Acton and Koum targeted the international market.
In the startup’s very first year, they suggested the service in German, Spanish, French, and Italian, among other languages, and it rapidly took off overseas, where SMS text fees are much higher in than US. Today, the company offers the app in more than fifty languages, and it has grown into the primary social network in so many of the world’s countries, including Brazil, India, and large parts of Europe. In many places, local wireless carriers have signed deals with WhatsApp to suggest the service directly to their customers, undermining their own texting services but driving more people to use the broader Internet through their wireless networks—and thus driving more revenue.
By February of 2014, WhatsApp had reached about four hundred fifty million users, and Facebook shelled out $Nineteen billion to acquire the startup, with its staff of only fifty people. Since then, with only a slight expansion of staff, WhatsApp has come to serve more than a billion people across the globe.
But the app’s two founders, for all their success, have remained in the shadows. They almost never speak with the media. Koum, in particular, is largely uninterested in press or publicity or, for that matter, any human interaction he deems extraneous. “Clearly, you can’t believe everything you read in the press,” he tells me, a reporter. Albeit the company runs one of the world’s largest online services—and is possessed by the world’s thickest social network—it proceeds to operate almost entirely on its own in an unmarked building in Mountain View that’s fronted by unusually diligent security. And because the app is far more popular overseas than in the US, the typically fervent Silicon Valley tech press has largely left them alone. As a result, the American public hasn’t fairly grabbed the enormous scope of the company’s encryption project or the motivations behind it.
Koum and Acton share a long history in computer security. They very first met at Yahoo while doing a security audit for the company. During this time, Koum was also part of a seminal security collective and think tank called w00w00 (pronounced “whoo whoo”), a taut online community that used the old IRC talk service to trade ideas related to virtually any aspect of the field. Koum grew up in the Ukraine under Soviet rule before immigrating to the US as a teenager, so he has some intimate familiarity with the challenges of maintaining privacy in the face of an intrusive government. But Koum says that the fatter force behind encrypting WhatsApp was Acton, a comparatively outgoing individual who grew up in Florida. “Brian gets a lot of credit for wanting to do it earlier,” Koum says of WhatsApp encryption.
Indeed, it was Acton who very first launched an effort to add encryption to WhatsApp back in 2013. “I don’t truly want to be in the business of observing conversations,” he says, adding that people were permanently asking the company for utter encryption. “This is something our users wished. Maybe not your average mom in middle America, but people on a worldwide basis.” At the commence, however, the effort was little more than a prototype driven by a single WhatsApp intern. The project didn’t indeed take off until Moxie Marlinspike remembered a WhatsApp fellow—an engineer who worked on the version of WhatsApp for Windows phones—he had met at his gf’s family reunion.
Meeting Moxie
Moxie Marlinspike’s gf comes from a family of Russian physicists, and in 2013, she held a family reunion at the apartment she collective with Marlinspike. The guest list included about twenty three Russian physicists and one American stud who worked as an engineer at WhatsApp. (He had married into the family.) Marlinspike chatted shortly with the engineer at the reunion. Then, about a year later, Marlinspike determined it was time to add encryption to WhatsApp, one of the world’s largest messaging services. He sent the fellow an email, asking for an introduction to the company’s founders.
The debate over encryption has only grown more intense.
When I meet Marlinspike at WhatsApp headquarters, he is somewhat reticent to explain his motivations, which seems typical of the man—at least in interviews with the press. Online, however, he’s not bashful about his views. In the past, he has written that encryption is significant because it gives anyone the capability to break the law. But in Mountain View, he is more laconic. “WhatsApp is the most popular messaging app in the world,” says Marlinspike, who is not just a coder and cryptographer but a sailor and a shipwright. “I desired to get in touch.”
Given the reclusive proclivities of WhatsApp, knowing someone who knows someone is particularly significant when it comes to making connections there. After the engineer helped make an introduction, Acton met Marlinspike at the Dana Street Roasting Company—a popular meeting place for Silicon Valley types. Then, a few weeks later, Marlinspike met with Koum. The two dudes, it turned out, had slew in common. Marlinspike had come up in the same world of underground security gurus before joining Twitter in 2011—and promptly leaving the company to form Open Whisper Systems. “We talked about the IRC days,” Koum says of their meeting. “How things used to be.”
The bond seemed to stick. Soon, Marlinspike was helping to build end-to-end encryption across all of WhatsApp, alongside Acton and Koum and a petite team of WhatsApp engineers. Acton says that they got “fortunate” in meeting Marlinspike and that they most likely wouldn’t have flipped out total encryption if they hadn’t. It’s part of an intriguing casualness to the way Acton and Koum discuss their seemingly earthshaking undertaking—not to mention the way Marlinspike stays largely silent. They met. They had the means. And they built it. It would take about two years.
An Intensifying Debate
The encrypting of WhatsApp was supposed to be finished by the middle of January 2016. Koum and company dreamed to unveil a downright encrypted service at the DLD tech media conference in Munich, where he was set to give a proverbial fireside talk. Germany is a country that puts an unusually high value on privacy, both digital and otherwise, and Koum felt the time was ripe to make WhatsApp’s plans known to the world. Just recently, a Brazilian court had ordered a makeshift shutdown of WhatsApp in the country after the company failed to turn over messages to the government that had been sent across a part of the service that was already encrypted. In Germany, Koum could make his counterpoint.
But by the middle of December, it was clear the project wouldn’t be finished. The team was intent on encrypting everything on every kind of phone. “The last chunk was movie,” Koum says. “You need to build for a situation where somebody on Android can send a movie to an S40 user. Or somebody on a Blackberry can send to a Windows phone.” So the company postponed the announcement. In Germany, Koum talked about WhatsApp’s fresh business model instead.
As Koum sees it, slipping a backdoor into an encrypted service would defeat the purpose.
In the meantime, the debate over encryption has only grown more intense. On February 16, Apple CEO Tim Cook released an open letter refusing the court order to unlock a phone that belonged to one of the two shooters who killed fourteen people and gravely injured another twenty two during a December attack in San Bernardino, California. That day, Acton turned to Koum and said: “Tim Cook is my hero.” About two weeks later in Brazil, authorities arrested a Facebook vice president because WhatsApp wouldn’t turn over messages after a court order. Evidently, the authorities didn’t realize that the Facebook employee had nothing to do with WhatsApp—or that WhatsApp, thanks to end-to-end encryption, had no way of reading the messages. Two days later, WhatsApp joined Facebook and several other companies in filing an amicus brief in support of Apple in its fight against the FBI.
Clearly, WhatsApp has the support of its much larger parent company. Facebook declined to speak specifically for this story. But Koum, after the WhatsApp acquisition, became a member of the Facebook board. “If they were not supportive of us, we wouldn’t be here today,” he says. But this also wasn’t something Facebook imposed on WhatsApp. This is a decision WhatsApp made on its own, before it was acquired. By the time Facebook paid billions of dollars for the company, the transformation was already under way.
No Backdoor
Many lawmakers have called for companies like WhatsApp to equip their encryption schemes with a backdoor available only to law enforcement. There’s even been talk of a law that requires these backdoors. But as Koum sees it, slipping a backdoor into an encrypted service would defeat the purpose: you might as well not encrypt it at all. A backdoor would just open the service to manhandle by both government and hackers. Besides, if you did add a backdoor, or liquidate encryption from WhatsApp entirely, that wouldn’t stop bad actors. They’d just go elsewhere. In the age of open source software, encryption devices are loosely available to everyone. “The encryption genie is out of the bottle,” Koum says.
Indeed, even some of those exploring legislation to require backdoors to encrypted digital services acknowledge that the issues in play aren’t that elementary. “If we require our companies to build in a door, do we need to let China through the door? Or do we have to build doors for them when these services are used in their countries?” asks Adam Schiff, the ranking Democrat on the House Intelligence Committee. “And what does that mean in terms of stifling dissent in authoritarian countries that may use it for non-law enforcement purposes?”
When asked about reports that terrorists used WhatsApp to plan the attacks on Paris—reports that politicians have used to back calls for a backdoor—Koum doesn’t budge. “I think this is politicians, in some ways, using these terrible acts to advance their agendas,” he says. “If the White House thinks that Twitter can solve their ISIS problem, they’ve got (a lot of problems).”
Koum is right that encryption is widely available to anyone motivated to use it, but WhatsApp is pushing it much further into the mainstream than anyone else. Apple, for example, encrypts the data sitting on an iPhone, and it uses end-to-end encryption to hide the messages that travel over its own iMessage texting service. But iMessage is only available on iPhones. Over the years, Apple has sold about eight hundred million iPhones. But it’s hard to know how many are still in use, or how many people who have them are communicating via iMessage anyway. WhatsApp runs on just about every kind of phone. Plus, Apple’s mechanisms have some gaping fuckholes. Most notably, many users back up their iMessages to Apple’s iCloud service, which negates the end-to-end encryption. WhatsApp, meantime, has a billion users on its service right now.
Pundits have also made much of the encryption suggested by Telegram, a messaging service built by a Russian entrepreneur who travels the world in self-imposed exile. But Telegram doesn’t turn on end-to-end encryption by default. And it doesn’t do end-to-end encryption for group messaging. And it has only a fraction of the audience of WhatsApp.
The Fresh Status Quo
In pushing back against end-to-end encryption, the US government argues that it’s merely attempting to maintain the status quo—that it has long had the power to issue a warrant for communications data. “This is the same principle applied to a different set of facts,” says DeMarco, the former federal prospector that has helped law enforcement agencies back the Justice Department against Apple. “This is about what companies should do when the government had gone to court and gotten a court order, either a search warrant or a wiretap or a data tap.”
Leave behind Apple vs
Leave behind Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People
Get The
6 months for $Five – plus a FREE Portable
WIRED’s largest stories, delivered to your inbox.
- 16 mins
A year after he set the world record for holding his breath, he broke it again: twenty four minutes and three seconds. Here’s how bit.ly/2wsVJxq
Go after Us
Don’t miss our latest news, features and movies.
We’re On
See what’s inspiring us.
Go after Us
Don’t miss out on WIRED’s latest movies.
Slide: one / of seven . Caption: Caption: WhatsApp founders Jan Koum (L) and Brian Acton (R). Michael Friberg for WIRED
Slide: two / of seven . Caption: Caption: Moxie Marlinspike. Michael Friberg for WIRED
Slide: three / of seven . Caption: Caption: Brian Acton. Michael Friberg for WIRED
Slide: four / of seven . Caption: WIRED
Slide: five / of seven . Caption: Caption: Jan Koum. Michael Friberg for WIRED
Slide: six / of seven . Caption: Caption: Moxie Marlinspike. Michael Friberg for WIRED
Slide: seven / of seven . Caption: WIRED
Leave behind Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People
For most of the past six weeks, the thickest story out of Silicon Valley was Apple’s battle with the FBI over a federal order to unlock the iPhone of a mass shooter. The company’s refusal touched off a searing debate over privacy and security in the digital age. But this morning, at a puny office in Mountain View, California, three guys made the scope of that enormous debate look kinda petite.
Mountain View is home to WhatsApp, an online messaging service now possessed by tech giant Facebook, that has grown into one of the world’s most significant applications. More than a billion people trade messages, make phone calls, send photos, and interchange movies using the service. This means that only Facebook itself runs a larger self-contained communications network. And today, the enigmatic founders of WhatsApp, Brian Acton and Jan Koum, together with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike, exposed that the company has added end-to-end encryption to every form of communication on its service.
This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and movies moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia roll phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of obeying with a court order requesting access to the content of any message, phone call, photo, or movie traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans toughly a billion devices.
“Building secure products actually makes for a safer world, (however) many people in law enforcement may not agree with that,” says Acton, who was employee number forty-four at Internet giant Yahoo before co-founding WhatsApp in two thousand nine alongside Koum, one of his old Yahoo colleagues. With encryption, Acton explains, anyone can conduct business or talk to a doctor without worrying about eavesdroppers. With encryption, he says, you can even be a whistleblower—and not worry.
The FBI and the Justice Department declined to comment for this story. But many inwards the government and out are sure to take issue with the company’s budge. In late 2014, WhatsApp encrypted a portion of its network. In the months since, its service has evidently been used to facilitate criminal acts, including the terrorist attacks on Paris last year. According to The Fresh York Times, as recently as this month, the Justice Department was considering a court case against the company after a wiretap order (still under seal) ran into WhatsApp’s end-to-end encryption.
“The government doesn’t want to stop encryption,” says Joseph DeMarco, a former federal prosecutor who specializes in cybercrime and has represented various law enforcement agencies backing the Justice Department and the FBI in their battle with Apple. “But the question is: what do you do when a company creates an encryption system that makes it unlikely for court-authorized search warrants to be executed? What is the reasonable level of assistance you should ask from that company?”
WhatsApp declined to discuss any particular wiretap orders. But the prospect of a court case doesn’t stir Acton and Koum. Espousing an article of faith that’s commonly held among Silicon Valley engineers—sometimes devoutly, sometimes casually—they believe that online privacy must be protected against surveillance of all kinds. “We’re somewhat fortunate here in the United States, where we hope that the checks and balances hold out for many years to come and decades to come. But in a lot of countries you don’t have these checks and balances,” says Koum, dressed in his usual T-shirt and hoodie. Coming from Koum, this is not an academic point, as most of WhatsApp’s users are outside the US. “The argument can be made: Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future.”
Acton and Koum commenced adding encryption to WhatsApp back in two thousand thirteen and then redoubled their efforts in two thousand fourteen after they were contacted by Marlinspike. The dreadlocked coder runs an open source software project, Open Whisper Systems, that provides encryption for messaging services. In tech security and privacy circles, Marlinspike is a well-known idealist. But the stance he has taken alongside Acton and Koum—not to mention the other WhatsApp engineers who worked on the project and the braintrust at Facebook that’s backing the effort—is hardly extreme in the context of Silicon Valley’s broader clash with governments and law enforcement over privacy. In Silicon Valley, strong encryption isn’t truly up for debate. Among tech’s most powerful leaders, it’s orthodoxy. And WhatsApp is encryption’s latest champ. It sees itself as fighting the same fight as Apple and so many others.
WhatsApp, more than any company before it, has taken encryption to the masses. What makes this budge even more striking is that the company did this with such a little group of people. The company employs only about fifty engineers. And it took a team of only fifteen of them to bring encryption to the company’s one billion users—a lil’, technologically empowered group of individuals engaging in a fresh form of asymmetrical resistance to authority, standing up not only to the US government, but all governments. “Technology is an amplifier,” Acton says. “With the right stewards in place, with the right guidance, we can truly effect positive switch.”
But of course, positive switch is in the eye of the beholder. And these are technological stewards in the style of Silicon Valley: billionaires in cargo cut-offs and T-shirts who did something massive because they desired to. And because they could.
Connecting the World
Like so many tech startups, WhatsApp’s success seems a bit accidental. Acton and Koum originally conceived of their app as a way for people to broadcast their availability to friends, family, and colleagues: Could they talk or text at that very moment or not? But it soon morphed into a more general messaging app, a way to trade text messages via the Internet without using the SMS networks operated by cellular phone carriers like Verizon and AT&T. But the real genius of the app is that very early on, Acton and Koum targeted the international market.
In the startup’s very first year, they suggested the service in German, Spanish, French, and Italian, among other languages, and it rapidly took off overseas, where SMS text fees are much higher in than US. Today, the company offers the app in more than fifty languages, and it has grown into the primary social network in so many of the world’s countries, including Brazil, India, and large parts of Europe. In many places, local wireless carriers have signed deals with WhatsApp to suggest the service directly to their customers, undermining their own texting services but driving more people to use the broader Internet through their wireless networks—and thus driving more revenue.
By February of 2014, WhatsApp had reached about four hundred fifty million users, and Facebook shelled out $Nineteen billion to acquire the startup, with its staff of only fifty people. Since then, with only a slight expansion of staff, WhatsApp has come to serve more than a billion people across the globe.
But the app’s two founders, for all their success, have remained in the shadows. They almost never speak with the media. Koum, in particular, is largely uninterested in press or publicity or, for that matter, any human interaction he deems extraneous. “Clearly, you can’t believe everything you read in the press,” he tells me, a reporter. Albeit the company runs one of the world’s largest online services—and is wielded by the world’s fattest social network—it resumes to operate almost entirely on its own in an unmarked building in Mountain View that’s fronted by unusually diligent security. And because the app is far more popular overseas than in the US, the typically fervent Silicon Valley tech press has largely left them alone. As a result, the American public hasn’t fairly captured the enormous scope of the company’s encryption project or the motivations behind it.
Koum and Acton share a long history in computer security. They very first met at Yahoo while doing a security audit for the company. During this time, Koum was also part of a seminal security collective and think tank called w00w00 (pronounced “whoo whoo”), a taut online community that used the old IRC talk service to trade ideas related to virtually any aspect of the field. Koum grew up in the Ukraine under Soviet rule before immigrating to the US as a teenager, so he has some intimate familiarity with the challenges of maintaining privacy in the face of an intrusive government. But Koum says that the fatter force behind encrypting WhatsApp was Acton, a comparatively outgoing individual who grew up in Florida. “Brian gets a lot of credit for wanting to do it earlier,” Koum says of WhatsApp encryption.
Indeed, it was Acton who very first launched an effort to add encryption to WhatsApp back in 2013. “I don’t truly want to be in the business of observing conversations,” he says, adding that people were permanently asking the company for utter encryption. “This is something our users dreamed. Maybe not your average mom in middle America, but people on a worldwide basis.” At the begin, however, the effort was little more than a prototype driven by a single WhatsApp intern. The project didn’t indeed take off until Moxie Marlinspike remembered a WhatsApp fellow—an engineer who worked on the version of WhatsApp for Windows phones—he had met at his gf’s family reunion.
Meeting Moxie
Moxie Marlinspike’s gf comes from a family of Russian physicists, and in 2013, she held a family reunion at the apartment she collective with Marlinspike. The guest list included about twenty three Russian physicists and one American stud who worked as an engineer at WhatsApp. (He had married into the family.) Marlinspike chatted shortly with the engineer at the reunion. Then, about a year later, Marlinspike determined it was time to add encryption to WhatsApp, one of the world’s largest messaging services. He sent the fellow an email, asking for an introduction to the company’s founders.
The debate over encryption has only grown more intense.
When I meet Marlinspike at WhatsApp headquarters, he is somewhat reticent to explain his motivations, which seems typical of the man—at least in interviews with the press. Online, however, he’s not timid about his views. In the past, he has written that encryption is significant because it gives anyone the capability to break the law. But in Mountain View, he is more laconic. “WhatsApp is the most popular messaging app in the world,” says Marlinspike, who is not just a coder and cryptographer but a sailor and a shipwright. “I dreamed to get in touch.”
Given the reclusive proclivities of WhatsApp, knowing someone who knows someone is particularly significant when it comes to making connections there. After the engineer helped make an introduction, Acton met Marlinspike at the Dana Street Roasting Company—a popular meeting place for Silicon Valley types. Then, a few weeks later, Marlinspike met with Koum. The two dudes, it turned out, had slew in common. Marlinspike had come up in the same world of underground security gurus before joining Twitter in 2011—and promptly leaving the company to form Open Whisper Systems. “We talked about the IRC days,” Koum says of their meeting. “How things used to be.”
The bond seemed to stick. Soon, Marlinspike was helping to build end-to-end encryption across all of WhatsApp, alongside Acton and Koum and a puny team of WhatsApp engineers. Acton says that they got “fortunate” in meeting Marlinspike and that they very likely wouldn’t have flipped out utter encryption if they hadn’t. It’s part of an intriguing casualness to the way Acton and Koum discuss their seemingly earthshaking undertaking—not to mention the way Marlinspike stays largely silent. They met. They had the means. And they built it. It would take about two years.
An Intensifying Debate
The encrypting of WhatsApp was supposed to be finished by the middle of January 2016. Koum and company desired to unveil a totally encrypted service at the DLD tech media conference in Munich, where he was set to give a proverbial fireside talk. Germany is a country that puts an unusually high value on privacy, both digital and otherwise, and Koum felt the time was ripe to make WhatsApp’s plans known to the world. Just recently, a Brazilian court had ordered a makeshift shutdown of WhatsApp in the country after the company failed to turn over messages to the government that had been sent across a part of the service that was already encrypted. In Germany, Koum could make his counterpoint.
But by the middle of December, it was clear the project wouldn’t be finished. The team was intent on encrypting everything on every kind of phone. “The last lump was movie,” Koum says. “You need to build for a situation where somebody on Android can send a movie to an S40 user. Or somebody on a Blackberry can send to a Windows phone.” So the company postponed the announcement. In Germany, Koum talked about WhatsApp’s fresh business model instead.
As Koum sees it, slipping a backdoor into an encrypted service would defeat the purpose.
In the meantime, the debate over encryption has only grown more intense. On February 16, Apple CEO Tim Cook released an open letter refusing the court order to unlock a phone that belonged to one of the two shooters who killed fourteen people and gravely injured another twenty two during a December attack in San Bernardino, California. That day, Acton turned to Koum and said: “Tim Cook is my hero.” About two weeks later in Brazil, authorities arrested a Facebook vice president because WhatsApp wouldn’t turn over messages after a court order. Evidently, the authorities didn’t realize that the Facebook employee had nothing to do with WhatsApp—or that WhatsApp, thanks to end-to-end encryption, had no way of reading the messages. Two days later, WhatsApp joined Facebook and several other companies in filing an amicus brief in support of Apple in its fight against the FBI.
Clearly, WhatsApp has the support of its much larger parent company. Facebook declined to speak specifically for this story. But Koum, after the WhatsApp acquisition, became a member of the Facebook board. “If they were not supportive of us, we wouldn’t be here today,” he says. But this also wasn’t something Facebook imposed on WhatsApp. This is a decision WhatsApp made on its own, before it was acquired. By the time Facebook paid billions of dollars for the company, the transformation was already under way.
No Backdoor
Many lawmakers have called for companies like WhatsApp to equip their encryption schemes with a backdoor available only to law enforcement. There’s even been talk of a law that requires these backdoors. But as Koum sees it, slipping a backdoor into an encrypted service would defeat the purpose: you might as well not encrypt it at all. A backdoor would just open the service to manhandle by both government and hackers. Besides, if you did add a backdoor, or eliminate encryption from WhatsApp entirely, that wouldn’t stop bad actors. They’d just go elsewhere. In the age of open source software, encryption contraptions are loosely available to everyone. “The encryption genie is out of the bottle,” Koum says.
Indeed, even some of those exploring legislation to require backdoors to encrypted digital services acknowledge that the issues in play aren’t that elementary. “If we require our companies to build in a door, do we need to let China through the door? Or do we have to build doors for them when these services are used in their countries?” asks Adam Schiff, the ranking Democrat on the House Intelligence Committee. “And what does that mean in terms of stifling dissent in authoritarian countries that may use it for non-law enforcement purposes?”
When asked about reports that terrorists used WhatsApp to plan the attacks on Paris—reports that politicians have used to back calls for a backdoor—Koum doesn’t budge. “I think this is politicians, in some ways, using these terrible acts to advance their agendas,” he says. “If the White House thinks that Twitter can solve their ISIS problem, they’ve got (a lot of problems).”
Koum is right that encryption is widely available to anyone motivated to use it, but WhatsApp is pushing it much further into the mainstream than anyone else. Apple, for example, encrypts the data sitting on an iPhone, and it uses end-to-end encryption to hide the messages that travel over its own iMessage texting service. But iMessage is only available on iPhones. Over the years, Apple has sold about eight hundred million iPhones. But it’s hard to know how many are still in use, or how many people who have them are communicating via iMessage anyway. WhatsApp runs on just about every kind of phone. Plus, Apple’s technologies have some gaping slots. Most notably, many users back up their iMessages to Apple’s iCloud service, which negates the end-to-end encryption. WhatsApp, meantime, has a billion users on its service right now.
Pundits have also made much of the encryption suggested by Telegram, a messaging service built by a Russian entrepreneur who travels the world in self-imposed exile. But Telegram doesn’t turn on end-to-end encryption by default. And it doesn’t do end-to-end encryption for group messaging. And it has only a fraction of the audience of WhatsApp.
The Fresh Status Quo
In pushing back against end-to-end encryption, the US government argues that it’s merely attempting to maintain the status quo—that it has long had the power to issue a warrant for communications data. “This is the same principle applied to a different set of facts,” says DeMarco, the former federal prospector that has helped law enforcement agencies back the Justice Department against Apple. “This is about what companies should do when the government had gone to court and gotten a court order, either a search warrant or a wiretap or a data tap.”
Leave behind Apple vs
Leave behind Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People
Get The
6 months for $Five – plus a FREE Portable
WIRED’s fattest stories, delivered to your inbox.
- Two hours
A year after he set the world record for holding his breath, he broke it again: twenty four minutes and three seconds. Here’s how bit.ly/2wsVJxq
Go after Us
Don’t miss our latest news, features and movies.
We’re On
See what’s inspiring us.
Go after Us
Don’t miss out on WIRED’s latest movies.
Slide: one / of seven . Caption: Caption: WhatsApp founders Jan Koum (L) and Brian Acton (R). Michael Friberg for WIRED
Slide: two / of seven . Caption: Caption: Moxie Marlinspike. Michael Friberg for WIRED
Slide: three / of seven . Caption: Caption: Brian Acton. Michael Friberg for WIRED
Slide: four / of seven . Caption: WIRED
Slide: five / of seven . Caption: Caption: Jan Koum. Michael Friberg for WIRED
Slide: six / of seven . Caption: Caption: Moxie Marlinspike. Michael Friberg for WIRED
Slide: seven / of seven . Caption: WIRED
Leave behind Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People
For most of the past six weeks, the largest story out of Silicon Valley was Apple’s battle with the FBI over a federal order to unlock the iPhone of a mass shooter. The company’s refusal touched off a searing debate over privacy and security in the digital age. But this morning, at a puny office in Mountain View, California, three guys made the scope of that enormous debate look kinda petite.
Mountain View is home to WhatsApp, an online messaging service now wielded by tech giant Facebook, that has grown into one of the world’s most significant applications. More than a billion people trade messages, make phone calls, send photos, and exchange movies using the service. This means that only Facebook itself runs a larger self-contained communications network. And today, the enigmatic founders of WhatsApp, Brian Acton and Jan Koum, together with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike, exposed that the company has added end-to-end encryption to every form of communication on its service.
This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and movies moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia spin phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of obeying with a court order requesting access to the content of any message, phone call, photo, or movie traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans harshly a billion devices.
“Building secure products actually makes for a safer world, (however) many people in law enforcement may not agree with that,” says Acton, who was employee number forty-four at Internet giant Yahoo before co-founding WhatsApp in two thousand nine alongside Koum, one of his old Yahoo colleagues. With encryption, Acton explains, anyone can conduct business or talk to a doctor without worrying about eavesdroppers. With encryption, he says, you can even be a whistleblower—and not worry.
The FBI and the Justice Department declined to comment for this story. But many inwards the government and out are sure to take issue with the company’s budge. In late 2014, WhatsApp encrypted a portion of its network. In the months since, its service has evidently been used to facilitate criminal acts, including the terrorist attacks on Paris last year. According to The Fresh York Times, as recently as this month, the Justice Department was considering a court case against the company after a wiretap order (still under seal) ran into WhatsApp’s end-to-end encryption.
“The government doesn’t want to stop encryption,” says Joseph DeMarco, a former federal prosecutor who specializes in cybercrime and has represented various law enforcement agencies backing the Justice Department and the FBI in their battle with Apple. “But the question is: what do you do when a company creates an encryption system that makes it unlikely for court-authorized search warrants to be executed? What is the reasonable level of assistance you should ask from that company?”
WhatsApp declined to discuss any particular wiretap orders. But the prospect of a court case doesn’t stir Acton and Koum. Espousing an article of faith that’s commonly held among Silicon Valley engineers—sometimes devoutly, sometimes casually—they believe that online privacy must be protected against surveillance of all kinds. “We’re somewhat fortunate here in the United States, where we hope that the checks and balances hold out for many years to come and decades to come. But in a lot of countries you don’t have these checks and balances,” says Koum, dressed in his usual T-shirt and hoodie. Coming from Koum, this is not an academic point, as most of WhatsApp’s users are outside the US. “The argument can be made: Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future.”
Acton and Koum embarked adding encryption to WhatsApp back in two thousand thirteen and then redoubled their efforts in two thousand fourteen after they were contacted by Marlinspike. The dreadlocked coder runs an open source software project, Open Whisper Systems, that provides encryption for messaging services. In tech security and privacy circles, Marlinspike is a well-known idealist. But the stance he has taken alongside Acton and Koum—not to mention the other WhatsApp engineers who worked on the project and the braintrust at Facebook that’s backing the effort—is hardly extreme in the context of Silicon Valley’s broader clash with governments and law enforcement over privacy. In Silicon Valley, strong encryption isn’t indeed up for debate. Among tech’s most powerful leaders, it’s orthodoxy. And WhatsApp is encryption’s latest champ. It sees itself as fighting the same fight as Apple and so many others.
WhatsApp, more than any company before it, has taken encryption to the masses. What makes this stir even more striking is that the company did this with such a lil’ group of people. The company employs only about fifty engineers. And it took a team of only fifteen of them to bring encryption to the company’s one billion users—a lil’, technologically empowered group of individuals engaging in a fresh form of asymmetrical resistance to authority, standing up not only to the US government, but all governments. “Technology is an amplifier,” Acton says. “With the right stewards in place, with the right guidance, we can truly effect positive switch.”
But of course, positive switch is in the eye of the beholder. And these are technological stewards in the style of Silicon Valley: billionaires in cargo cut-offs and T-shirts who did something massive because they desired to. And because they could.
Connecting the World
Like so many tech startups, WhatsApp’s success seems a bit accidental. Acton and Koum originally conceived of their app as a way for people to broadcast their availability to friends, family, and colleagues: Could they talk or text at that very moment or not? But it soon morphed into a more general messaging app, a way to trade text messages via the Internet without using the SMS networks operated by cellular phone carriers like Verizon and AT&T. But the real genius of the app is that very early on, Acton and Koum targeted the international market.
In the startup’s very first year, they suggested the service in German, Spanish, French, and Italian, among other languages, and it rapidly took off overseas, where SMS text fees are much higher in than US. Today, the company offers the app in more than fifty languages, and it has grown into the primary social network in so many of the world’s countries, including Brazil, India, and large parts of Europe. In many places, local wireless carriers have signed deals with WhatsApp to suggest the service directly to their customers, undermining their own texting services but driving more people to use the broader Internet through their wireless networks—and thus driving more revenue.
By February of 2014, WhatsApp had reached about four hundred fifty million users, and Facebook shelled out $Nineteen billion to acquire the startup, with its staff of only fifty people. Since then, with only a slight expansion of staff, WhatsApp has come to serve more than a billion people across the globe.
But the app’s two founders, for all their success, have remained in the shadows. They almost never speak with the media. Koum, in particular, is largely uninterested in press or publicity or, for that matter, any human interaction he deems extraneous. “Clearly, you can’t believe everything you read in the press,” he tells me, a reporter. Albeit the company runs one of the world’s largest online services—and is possessed by the world’s fattest social network—it resumes to operate almost entirely on its own in an unmarked building in Mountain View that’s fronted by unusually diligent security. And because the app is far more popular overseas than in the US, the typically fervent Silicon Valley tech press has largely left them alone. As a result, the American public hasn’t fairly captured the enormous scope of the company’s encryption project or the motivations behind it.
Koum and Acton share a long history in computer security. They very first met at Yahoo while doing a security audit for the company. During this time, Koum was also part of a seminal security collective and think tank called w00w00 (pronounced “whoo whoo”), a taut online community that used the old IRC talk service to trade ideas related to virtually any aspect of the field. Koum grew up in the Ukraine under Soviet rule before immigrating to the US as a teenager, so he has some intimate familiarity with the challenges of maintaining privacy in the face of an intrusive government. But Koum says that the thicker force behind encrypting WhatsApp was Acton, a comparatively outgoing individual who grew up in Florida. “Brian gets a lot of credit for wanting to do it earlier,” Koum says of WhatsApp encryption.
Indeed, it was Acton who very first launched an effort to add encryption to WhatsApp back in 2013. “I don’t truly want to be in the business of observing conversations,” he says, adding that people were permanently asking the company for utter encryption. “This is something our users wished. Maybe not your average mom in middle America, but people on a worldwide basis.” At the embark, however, the effort was little more than a prototype driven by a single WhatsApp intern. The project didn’t truly take off until Moxie Marlinspike remembered a WhatsApp dude—an engineer who worked on the version of WhatsApp for Windows phones—he had met at his gf’s family reunion.
Meeting Moxie
Moxie Marlinspike’s gf comes from a family of Russian physicists, and in 2013, she held a family reunion at the apartment she collective with Marlinspike. The guest list included about twenty three Russian physicists and one American stud who worked as an engineer at WhatsApp. (He had married into the family.) Marlinspike chatted shortly with the engineer at the reunion. Then, about a year later, Marlinspike determined it was time to add encryption to WhatsApp, one of the world’s largest messaging services. He sent the boy an email, asking for an introduction to the company’s founders.
The debate over encryption has only grown more intense.
When I meet Marlinspike at WhatsApp headquarters, he is somewhat reticent to explain his motivations, which seems typical of the man—at least in interviews with the press. Online, however, he’s not bashful about his views. In the past, he has written that encryption is significant because it gives anyone the capability to break the law. But in Mountain View, he is more laconic. “WhatsApp is the most popular messaging app in the world,” says Marlinspike, who is not just a coder and cryptographer but a sailor and a shipwright. “I wished to get in touch.”
Given the reclusive proclivities of WhatsApp, knowing someone who knows someone is particularly significant when it comes to making connections there. After the engineer helped make an introduction, Acton met Marlinspike at the Dana Street Roasting Company—a popular meeting place for Silicon Valley types. Then, a few weeks later, Marlinspike met with Koum. The two guys, it turned out, had slew in common. Marlinspike had come up in the same world of underground security gurus before joining Twitter in 2011—and promptly leaving the company to form Open Whisper Systems. “We talked about the IRC days,” Koum says of their meeting. “How things used to be.”
The bond seemed to stick. Soon, Marlinspike was helping to build end-to-end encryption across all of WhatsApp, alongside Acton and Koum and a puny team of WhatsApp engineers. Acton says that they got “fortunate” in meeting Marlinspike and that they very likely wouldn’t have spinned out total encryption if they hadn’t. It’s part of an intriguing casualness to the way Acton and Koum discuss their seemingly earthshaking undertaking—not to mention the way Marlinspike stays largely silent. They met. They had the means. And they built it. It would take about two years.
An Intensifying Debate
The encrypting of WhatsApp was supposed to be finished by the middle of January 2016. Koum and company desired to unveil a fully encrypted service at the DLD tech media conference in Munich, where he was set to give a proverbial fireside talk. Germany is a country that puts an unusually high value on privacy, both digital and otherwise, and Koum felt the time was ripe to make WhatsApp’s plans known to the world. Just recently, a Brazilian court had ordered a makeshift shutdown of WhatsApp in the country after the company failed to turn over messages to the government that had been sent across a part of the service that was already encrypted. In Germany, Koum could make his counterpoint.
But by the middle of December, it was clear the project wouldn’t be finished. The team was intent on encrypting everything on every kind of phone. “The last lump was movie,” Koum says. “You need to build for a situation where somebody on Android can send a movie to an S40 user. Or somebody on a Blackberry can send to a Windows phone.” So the company postponed the announcement. In Germany, Koum talked about WhatsApp’s fresh business model instead.
As Koum sees it, slipping a backdoor into an encrypted service would defeat the purpose.
In the meantime, the debate over encryption has only grown more intense. On February 16, Apple CEO Tim Cook released an open letter refusing the court order to unlock a phone that belonged to one of the two shooters who killed fourteen people and earnestly injured another twenty two during a December attack in San Bernardino, California. That day, Acton turned to Koum and said: “Tim Cook is my hero.” About two weeks later in Brazil, authorities arrested a Facebook vice president because WhatsApp wouldn’t turn over messages after a court order. Evidently, the authorities didn’t realize that the Facebook employee had nothing to do with WhatsApp—or that WhatsApp, thanks to end-to-end encryption, had no way of reading the messages. Two days later, WhatsApp joined Facebook and several other companies in filing an amicus brief in support of Apple in its fight against the FBI.
Clearly, WhatsApp has the support of its much larger parent company. Facebook declined to speak specifically for this story. But Koum, after the WhatsApp acquisition, became a member of the Facebook board. “If they were not supportive of us, we wouldn’t be here today,” he says. But this also wasn’t something Facebook imposed on WhatsApp. This is a decision WhatsApp made on its own, before it was acquired. By the time Facebook paid billions of dollars for the company, the transformation was already under way.
No Backdoor
Many lawmakers have called for companies like WhatsApp to equip their encryption schemes with a backdoor available only to law enforcement. There’s even been talk of a law that requires these backdoors. But as Koum sees it, slipping a backdoor into an encrypted service would defeat the purpose: you might as well not encrypt it at all. A backdoor would just open the service to manhandle by both government and hackers. Besides, if you did add a backdoor, or eliminate encryption from WhatsApp entirely, that wouldn’t stop bad actors. They’d just go elsewhere. In the age of open source software, encryption instruments are loosely available to everyone. “The encryption genie is out of the bottle,” Koum says.
Indeed, even some of those exploring legislation to require backdoors to encrypted digital services acknowledge that the issues in play aren’t that plain. “If we require our companies to build in a door, do we need to let China through the door? Or do we have to build doors for them when these services are used in their countries?” asks Adam Schiff, the ranking Democrat on the House Intelligence Committee. “And what does that mean in terms of stifling dissent in authoritarian countries that may use it for non-law enforcement purposes?”
When asked about reports that terrorists used WhatsApp to plan the attacks on Paris—reports that politicians have used to back calls for a backdoor—Koum doesn’t budge. “I think this is politicians, in some ways, using these terrible acts to advance their agendas,” he says. “If the White House thinks that Twitter can solve their ISIS problem, they’ve got (a lot of problems).”
Koum is right that encryption is widely available to anyone motivated to use it, but WhatsApp is pushing it much further into the mainstream than anyone else. Apple, for example, encrypts the data sitting on an iPhone, and it uses end-to-end encryption to hide the messages that travel over its own iMessage texting service. But iMessage is only available on iPhones. Over the years, Apple has sold about eight hundred million iPhones. But it’s hard to know how many are still in use, or how many people who have them are communicating via iMessage anyway. WhatsApp runs on just about every kind of phone. Plus, Apple’s technologies have some gaping fuckholes. Most notably, many users back up their iMessages to Apple’s iCloud service, which negates the end-to-end encryption. WhatsApp, meantime, has a billion users on its service right now.
Pundits have also made much of the encryption suggested by Telegram, a messaging service built by a Russian entrepreneur who travels the world in self-imposed exile. But Telegram doesn’t turn on end-to-end encryption by default. And it doesn’t do end-to-end encryption for group messaging. And it has only a fraction of the audience of WhatsApp.
The Fresh Status Quo
In pushing back against end-to-end encryption, the US government argues that it’s merely attempting to maintain the status quo—that it has long had the power to issue a warrant for communications data. “This is the same principle applied to a different set of facts,” says DeMarco, the former federal prospector that has helped law enforcement agencies back the Justice Department against Apple. “This is about what companies should do when the government had gone to court and gotten a court order, either a search warrant or a wiretap or a data tap.”