During the week commencing April 4, 2016, WhatsApp rolled out an update that ensures users now have full end-to-end encryption on their chats. The move is quite striking because it comes at a time when public authorities are demanding easier access to communications data for the purpose of tackling crime. The tension between privacy and security is stronger than ever, and is likely to remain an unsolved matter for quite some time as legislators and companies figure out how to work together.
The tension between privacy and the need to tackle crime remains strong
During the week commencing April 4, 2016, WhatsApp users were shown a disclaimer in their chats, announcing that messages "are now secured with end-to-end encryption" (provided that all the participants in each chat had also updated their own app).
Such a move by the popular messaging service owned by Facebook looks particularly striking at a time when tech companies are facing pressure from governments and state authorities on the subject of privacy. Weeks earlier, Apple had denied the FBI's request to bypass encryption and retrieve data from the phone of a person who had committed a terrorist attack; the resulting legal dispute was interrupted once the FBI announced it had found another way to break into that phone, without Apple's help.
With this new feature, Facebook's messaging service makes a clear statement that it is not prepared to satisfy policymakers' pushes for a weakening of encryption, which have come from governments in countries such as the UK and the US recently. It also shows that WhatsApp is conscious that some competing services, such as Telegram, have become more appealing to users because of their enhanced security standards, which appear to matter more and more to end users.
The tension between the need for privacy and the necessity to access communications data to tackle crime remains strong. Companies, judicial powers, and investigators will have to figure out a way to work together to ensure neither of these two aspects are renounced. It remains a sensitive and highly divisive issue, as shown by the US President's recent refusal to back draft legislation that would empower judges to require technology companies to help law enforcement crack encrypted data. Similarly, European institutions have not yet filled the regulatory vacuum left by the demise of the Data Retention Directive, which was struck down by the European Court of Justice in 2014 and has never been replaced. Since then, organizations and individuals have had an easy job legally challenging national legislation on the same matter because most of the national laws were a national transposition of the European Directive.
Data Protection Tracker: 4Q15, TE0007-000955 (December 2015)
Luca Schiavoni, Senior Analyst, Regulation