The Nigerian government committed $4.6 million (1.93 billion Naira) to the NIA (National Intelligence Agency) for a “WhatsApp Intercept Solution” barely a month after restricting access to Twitter.
An interception solution for WhatsApp would allow an outside entity (in this case, the government) to access, monitor, or stop communications (calls and chats) made by users through the service.
According to reports, the action is intended to protect Nigeria from cybercrime and terrorism carried out via such chat services. Media stakeholders and campaigners, on the other hand, see it as another attempt to stifle freedom of speech and civil freedoms.
However, there is still doubt regarding how Nigerian officials intend to intercept WhatsApp chats, especially when the platform uses end-to-end encryption. Let us look at the feasibility of such interception as well as the technical challenges that it entails.
What is end-to-end encryption and how does it work?
End-to-end encryption (E2EE) is a method of ensuring that chats can only be read by the sender and recipient, and not by a third party. When messages leave the sender’s device, they are scrambled and only the recipient’s device can decode them.
WhatsApp employs the well-known Signal encryption protocol, in which users exchange unique security keys that are validated between them in order to prevent third-party interception.
During transmission, everything communicated between WhatsApp users is kept private.
Intercepting this flow of messages while they travel across the internet, according to a cybersecurity expert who spoke on the condition of anonymity, is near-impossible.
“It is simply impossible”, according to him, “the government would have to force every WhatsApp user in Nigeria to use a certain security key. Even if it is somehow accomplished and some messages are retrieved, the encryption makes reading them much more difficult, if not impossible.”
However, if there is a flaw in the encryption system’s implementation, an interception is conceivable, and this is one of WhatsApp’s security issues.
Cracking WhatsApp’s encryption
When users log in to WhatsApp on a new device, new encryption keys are created, and messages sent to them while they were offline are automatically re-encrypted and resent.
The sender has no way of stopping the messages from being resent or confirming the recipient.
A security researcher discovered in 2017 that WhatsApp’s encryption could be bypassed by forcing users to change security keys without alerting them, and that a third party might spy on communications without the app’s knowledge.
This re-encryption of messages might allow a third party to intercept and read previously undelivered communications if a WhatsApp user’s sim card was stolen and used in another phone.
However, the security risks posed by the design, which is intended to make WhatsApp more user-friendly, are minor and unlikely to harm most users. In most circumstances, it would be useful for targeting individuals rather than for the mass surveillance the Nigerian government is likely to pursue.
To resolve the problem, a sender can use the WhatsApp app’s security notification settings to be notified whenever the recipient’s key changes.
Navigate to the Settings menu after opening the app. Select Account, then Security from the drop-down menus. When you enable “Show Security Notifications” on the page, the app will give you an alert whenever the security key changes.
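The sender-side behaviour described above, reduced to a small model and added here as an illustration (it is not WhatsApp’s code). The `SenderClient` class, the key bytes and the stricter `block` policy are hypothetical; the point is what the sender’s client releases, and whether the user learns of it, when a contact’s key changes while messages are still undelivered.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(identity_key: bytes) -> str:
    """Short digest of a public identity key, standing in for the security code."""
    return hashlib.sha256(identity_key).hexdigest()[:12]


@dataclass
class SenderClient:
    notify: bool = False   # models the "Show Security Notifications" setting
    block: bool = False    # hypothetical stricter policy: hold messages until verified
    trusted: dict = field(default_factory=dict)   # contact -> trusted fingerprint
    pending: dict = field(default_factory=dict)   # contact -> undelivered messages
    alerts: list = field(default_factory=list)

    def queue(self, contact: str, key: bytes, text: str) -> None:
        """Send while the recipient is offline: trust the key on first use, hold the text."""
        self.trusted.setdefault(contact, fingerprint(key))
        self.pending.setdefault(contact, []).append(text)

    def recipient_online(self, contact: str, presented_key: bytes) -> list:
        """Return (fingerprint, text) pairs released to the device that just registered."""
        fp = fingerprint(presented_key)
        known = self.trusted.setdefault(contact, fp)
        if fp != known:
            if self.notify:
                self.alerts.append(f"security code changed for {contact}")
            if self.block:
                return []                  # nothing leaves until verify() is called
            self.trusted[contact] = fp     # accept the new key and re-encrypt to it
        released = [(fp, text) for text in self.pending.get(contact, [])]
        self.pending[contact] = []
        return released

    def verify(self, contact: str, key: bytes) -> None:
        """The user confirmed the new security code with the contact out of band."""
        self.trusted[contact] = fingerprint(key)


def run_scenario(notify: bool, block: bool):
    """Constructed case: two messages queued for an offline contact, then a new key appears."""
    old_key, new_key = b"constructed-key-old-device", b"constructed-key-new-device"
    client = SenderClient(notify=notify, block=block)
    client.queue("contact", old_key, "msg 1")
    client.queue("contact", old_key, "msg 2")
    released = client.recipient_online("contact", new_key)
    return released, client.alerts, client
```

With both flags off, the two queued messages go to the new key and the sender sees nothing; with `notify` on they still go, but an alert is recorded, which is what the setting above changes.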
Loopholes in storage
Hackers may be able to take advantage of flaws in the way WhatsApp communications are stored.
WhatsApp conversations are saved in four places, from which data can be recovered at any time. They include the sender’s and receiver’s phone memories, WhatsApp’s server, and, depending on whether a user permitted it in the app’s settings, the cloud.
Spyware installed on either the sender’s or receiver’s phone might read the communications before or after encryption. Hackers and government organizations have been accused of using spyware to read texts on targeted phones on a few occasions.
In 2019, the Pegasus remote surveillance app, developed by Israel-based cyber tech firm NSO, was used to access multiple WhatsApp accounts. In 2018, ex-Amazon CEO Jeff Bezos’ phone was hacked after he received a WhatsApp message supposedly from Saudi Arabia’s Crown Prince.
Message backups in the cloud can potentially be hacked. Users of WhatsApp can back up their conversations to Google Drive or iCloud, but the copies are not protected by end-to-end encryption. As a result, if an attacker gains access to a cloud storage account, he may view old communications.
According to the expert, the Nigerian government may approach WhatsApp on national security grounds and request access to some information held on its servers, but not chats, because that would violate privacy rules.
Messages are rarely stored on the servers of chat sites. WhatsApp argues that it does so only when messages cannot be transmitted quickly – for example, when the recipient is offline – and that the sender’s communications are stored on the server for 30 days. WhatsApp removes messages from the server once they have been delivered.
WhatsApp has said numerous times that end-to-end encryption allows just the two people in the chat to decipher what is sent, with no one in between, including the firm itself, being able to decrypt it. As a result, in countries such as India, it has frequently told law enforcement officials seeking access to private messages that it is unable to provide it.
WhatsApp Messenger has a reputation for secrecy, yet even encryption is not without flaws.
In theory, every device or service can be hacked, but encryption technology protects users in the majority of cases, and WhatsApp is quick to release updates with security improvements.
Even after billions of Naira have been allocated to the alleged interception solution, it is unclear how the Nigerian government plans to monitor WhatsApp chats.
According to Statista, WhatsApp is the most popular social networking app in Nigeria, with over 90 million members. Any attempt to tamper with the application would therefore have a large-scale impact.
The government would rather spend a whopping $4.6 million just to monitor citizens’ messages on WhatsApp than put such a huge sum towards the lingering infrastructural deficit, the educational sector or, better still, paying the many medical personnel who are currently on strike nationwide over months of unpaid salaries. This goes to show the authoritarian nature of the Buhari administration and how far the Federal Government is willing to go to put every one of its citizens under lock and key. Simply put, the Presidency is clueless as to what to do to drive the economy forward – they are all about devising ways to stay in power forever to enrich themselves and their generations unborn.