Liberty News

Encrypted chat apps like Signal and WhatsApp are one of the best ways to keep your digital conversations as private as possible. But if you're not careful with how those conversations are backed up, you can accidentally undermine your privacy.

When a conversation is properly encrypted end-to-end, it means that the contents of those messages are only viewable by the sender and the recipient. The organization that runs the messaging platform--such as Meta or Signal--does not have access to the contents of the messages. But it does have access to some metadata , like the who, where, and when of a message. Companies have different retention policies around whether they hold onto that information after the message is sent.

What happens after the messages are sent and received is entirely up to the sender and receiver. If youre having a conversation with someone, you may choose to screenshot that conversation and save that screenshot to your computers desktop or phones camera roll. You might choose to back up your chat history, either to your personal computer or maybe even to cloud storage (services like Google Drive or iCloud, or to servers run by the application developer).

Those backups do not necessarily have the same type of encryption protections as the chats themselves, and may make those conversations--which were sent with strong, privacy-protecting end-to-end encryption--available to read by whoever runs the cloud storage platform youre backing up to, which also means they could hand them at the request of law enforcement.

With that in mind, lets take a look at how several of the most popular chat apps handle backups, and what options you may have to strengthen the security of those backups.

How Signal Handles Backups

The official Signal app doesnt offer any way to back up your messages to a cloud server (some alternate versions of the app may provide this, but we recommend you avoid those, as there dont exist any alternatives with the same level of security as the official app). Even if you use a device backup, like Apples iCloud backup, the contents of Signal messages are not included in those .

Instead, Signal supports a manual backup and restore option. Basically, messages are not backed up to any cloud storage, and Signal cannot access them, so the only way to transfer messages from one device to another is manually through a process that Signal details here . If you lose your phone or it breaks, you will likely not be able to transfer your messages.

How WhatsApp Handles Backups

WhatsApp can optionally back up the contents of chats to either a Google Account on Android, or iCloud on iPhone, and you have a choice to back up with or without end-to-end encryption. Here are directions for enabling end-to-end encryption in those backups. When you do so, youll need to create a password or save a 64-digit key.

How Apples iMessages Handles Backups

Communication between people with Apple devices using Apples iMessage (blue bubbles in the Messages app), are end-to-end encrypted, but the backups of those conversations are not end-to-end encrypted by default. This is a loophole we've routinely demanded Apple close.

The good news is that with the release of the Advanced Data Protection feature , you can optionally turn on end-to-end encryption for almost everything stored in iCloud, including those backups (unless youre in the U.K., where Apple is currently arguing with the government over demands to access data in the cloud, and has pulled the feature for U.K. users).

How Google Messages Handles Backups

Similar to Apple iMessages, Google Messages conversations are end-to-end encrypted only with other Google Messages users (youll know its enabled when theres a small lock icon next to the send button in a chat).

You can optionally back up Google Messages to a Google Account, and as long as you have a passcode or lock screen password, the backup of the text of those conversations is end-to-end encrypted. A feature to turn on end-to-end encrypted backups directly in the Google Messages app, similar to how WhatsApp handles it, was spotted in beta last year but hasnt been officially announced or released.

Everyone in the Group Chat Needs to Get Encrypted

Note that even if you take the extra step to turn on end-to-end encryption, everyone else you converse with would have to do the same to protect their own backups. If you have particularly sensitive conversations on apps like WhatsApp or Apple Messages, where those encrypted backups are an option but not the default, you may want to ask those participants to either not back up their chats at all, or turn on end-to-end encrypted backups. Ask Yourself: Do I Need Backups Of These Conversations?

Of course, theres a reason people want to back up their conversations. Maybe you want to keep a record of the first time you messaged your partner, or want to be able to look back on chats with friends and family. There should not be a privacy trade-off for those who want to save those conversations, but unfortunately you do need to weigh whether or not its worth saving your chats with the potential of them being exposed in your security plan .

But also its worth considering that we dont typically need every conversation we have stored forever. Many chat apps, including WhatsApp and Signal , offer some form of disappearing messages, which is a way to delete messages after a certain amount of time. This gets a little tricky with backups in WhatsApp. If you create a backup before a message disappears, itll be included in the backup, but deleted when you restore later. Those messages will remain there until you back up again, which may be the next day, or may not be many days, if you dont connect to Wi-Fi.

You can change these disappearing messaging settings on a per-conversation basis. That means you can choose to set the meme-friendly group chat with your friends to delete after a week, but retain the messages with your kids forever. Google Messages and Apple Messages dont offer any such feature--but they should, because its a simple way to protect our conversations that gives more control over to the people using the app.

End-to-end encrypted chat apps are a wonderful tool for communicating safely and privately, but backups are always going to be a contentious part of how they work. Signals approach of not offering cloud storage for backups at all is useful for those who need that level of privacy, but is not going to work for everyones needs. Better defaults and end-to-end encrypted backups as the only option when cloud storage is offered would be a step forward, and a much easier solution than going through and asking every one of your contacts how or if they back up their chats.

Apple has stopped offering its end-to-end encrypted iCloud storage, Advanced Data Protection (ADP), to new users in the UK, and will require existing users to disable the feature at some point in the future. The move comes following reports earlier this month that UK security services requested Apple grant them backdoor access to worldwide users' encrypted backups. An Apple spokesperson Julien Trosdorf said in a statement to The Verge:

Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users and current UK users will eventually need to disable this security feature. We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.

ADP works by protecting iCloud data with end-to-end encryption, meaning it can only be decrypted by the person who owns the iCloud account on their own devices. Removing ADP means that British users' files will be accessible to Apple, and shareable with law enforcement, though that would still require a warrant.

Some types of iCloud data are end-to-end encrypted by default, and will remain so even in the UK. This includes passwords, health data, payment information, and iMessage logs. iCloud file backups, photos, notes, and voice memos are among the data types that will no longer be encrypted.

Trosdorf tells The Verge that UK users will be given an amount of time to disable ADP to keep using their iCloud account, though the company has not said when the deadline will be.

Earlier this month The Washington Post reported that the UK Home Office, led by Home Secretary Yvette Cooper, had demanded backdoor access to encrypted files uploaded not only by Brits, but by users worldwide. The company was reportedly served a document called a technical capability notice under the UK's Investigatory Powers Act of 2016. It was reported then that Apple was likely to disable its UK encryption instead of granting security services a backdoor, but that this might not placate the Labour government, which would still not be able to access encrypted files uploaded elsewhere in the world.

Apple is not the only tech company to offer end-to-end encrypted backups. Google has offered encrypted backups to Android users since 2018, and Meta also offers the option to encrypt WhatsApp backups. Both are currently still available in the UK. So does this mean that Google ansd Meta have opted to break the end to end encryption?

The Washington Post reports:

Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud.

The British government's undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies. Its application would mark a significant defeat for tech companies in their decades-long battle to avoid being wielded as government tools against their users.

Rather than break the security promises it made to its users everywhere, Apple is likely to stop offering encrypted storage in the U.K., the people said. Yet that concession would not fulfill the U.K. demand for backdoor access to the service in other countries, including the United States.

The Home Office has served Apple with a document called a technical capability notice, ordering it to provide access under the sweeping U.K. Investigatory Powers Act of 2016, which authorizes law enforcement to compel assistance from companies when needed to collect evidence'

Apple can appeal the U.K. capability notice to a secret technical panel, which would consider arguments about the expense of the requirement, and to a judge who would weigh whether the request was in proportion to the government's needs. But the law does not permit Apple to delay complying during an appeal. Apple would also be barred from warning its users that its most advanced encryption no longer provided full security.

Meredith Whittaker, president of the nonprofit encrypted messenger Signal, said:

Using Technical Capability Notices to weaken encryption around the globe is a shocking move that will position the UK as a tech pariah, rather than a tech leader. If implemented, the directive will create a dangerous cybersecurity vulnerability in the nervous system of our global economy.

An article from computerweekly.com provides some interesting details about the secret technical panel which hears appeals about unviable technical capability notices. It is called the Technical Advisory Board (TAB) and is charged with reviewing secret legal orders given to internet communications companies to arrange surveillance of their users, and to copy their emails and files, or to monitor their calls and videos.

Enquiries by Computer Weekly this week revealed, astonishingly, that the Home Office had failed to renew the contracts for TAB members so maybe there is a little disarray there.