Barely a month after blocking access to Twitter, the Nigerian government allocated ₦1.93 billion ($4.6 million) to the National Intelligence Agency (NIA) for a “WhatsApp Intercept Solution”.

An interception solution for WhatsApp would allow an external party (the government, in this case) to access, monitor, or block communications (calls and chats) carried out by users via the app.

The move is reportedly aimed at protecting Nigeria from cybercrime and terrorism perpetrated through such messaging platforms. However, it is seen by media stakeholders and activists as yet another attempt to restrict civil liberties.

Some uncertainty hangs over how Nigerian authorities plan to go about intercepting WhatsApp, however, particularly because the platform uses end-to-end encryption for its messages. TechCabal examines the possibility of such interception and the technical intricacies involved.

What is end-to-end encryption?

End-to-end encryption (E2EE) is a technology that ensures chats can only be read by the sender and recipient and not intercepted by a middleman. Messages are scrambled when they leave the sender’s device and can be decoded only by the recipient’s device.

WhatsApp uses the popular Signal encryption protocol, in which users exchange unique security keys that are verified between them, to prevent interception by a middle person.

Whatever is said between users with WhatsApp is guaranteed to be private during transmission. 

According to a cybersecurity expert who spoke on the condition of anonymity, intercepting this flow of messages during transit across the internet is near-impossible. 

“It’s just impossible. The government would have to force every WhatsApp user in Nigeria to use a particular security key,” he said. “Even if somehow it’s pulled off and some messages are accessed, the encryption makes it much harder, if not impossible, to read them.”

However, interception is possible if there’s a vulnerability in the implementation of the encryption system, and that’s one problem with WhatsApp’s security.

Breaking down the WhatsApp encryption

On WhatsApp, new encryption keys are generated for users who log in with a new device, and messages that were in transit to them while offline get re-encrypted and resent automatically.

The sender does not get an opportunity to stop the messages from being resent nor to verify the recipient.

By forcing users to change security keys without informing them, WhatsApp’s encryption can be circumvented and a third party could spy on messages without the app knowing, a security researcher found in 2017.


In a situation where a WhatsApp user’s SIM card was stolen and put in another phone, this re-encryption of messages could allow a third party to intercept and read previously undelivered chats.

But the security threats from this design, which is meant to make WhatsApp more convenient to use, are small and unlikely to affect most users. In most cases, it would work for targeting individuals, not for mass surveillance of the kind the Nigerian government probably intends.

To fix the issue, a sender can activate security notification settings in the WhatsApp app and would be informed whenever the recipient’s key changes.

Open the app and go to the Settings menu. In there, click Account and then Security. The page has just one option: “Show Security Notifications” – turn on that option and the app will send an alert every time the security key changes.
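The key-change behaviour and the notification setting described above, modelled as an added example (not WhatsApp's code and not part of the original article). The class, the `hold_until_verified` policy and the sample keys are assumptions made for illustration; no real encryption is performed, the model only tracks which key each queued message would be re-encrypted to.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short digest of a public key: the value a sender compares after a key change."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    notify: bool                        # models "Show Security Notifications"
    hold_until_verified: bool = False   # hypothetical stricter policy, not a WhatsApp setting
    known: dict = field(default_factory=dict)    # contact -> trusted fingerprint
    pending: dict = field(default_factory=dict)  # contact -> undelivered messages
    alerts: list = field(default_factory=list)
    resent: list = field(default_factory=list)   # (contact, key fingerprint, text)

    def queue(self, contact, key, text):
        """Record a message sent while the contact is offline."""
        self.known.setdefault(contact, fingerprint(key))
        self.pending.setdefault(contact, []).append(text)

    def on_key_announced(self, contact, new_key):
        """The server reports the key now registered for the contact's device."""
        new_fp = fingerprint(new_key)
        changed = self.known.get(contact) not in (None, new_fp)
        if changed and self.notify:
            self.alerts.append(f"security code changed for {contact}")
        if changed and self.hold_until_verified:
            return  # keep messages queued until the user confirms the new key
        self.known[contact] = new_fp
        for text in self.pending.pop(contact, []):
            self.resent.append((contact, new_fp, text))  # would be re-encrypted to new key

    def verify(self, contact, new_key):
        """The user compared the security code out of band and accepts the new key."""
        self.known[contact] = fingerprint(new_key)
        self.on_key_announced(contact, new_key)

def run(notify, hold=False):
    """Constructed scenario: one queued message, then a key change for the contact."""
    s = Sender(notify=notify, hold_until_verified=hold)
    old_key, new_key = b"constructed-key-A", b"constructed-key-B"  # sample values
    s.queue("ada", old_key, "meet at 6")
    s.on_key_announced("ada", new_key)
    return len(s.alerts), len(s.resent), len(s.pending.get("ada", []))
```

`run(False)` resends silently, `run(True)` resends and records an alert, and `run(True, hold=True)` keeps the message queued until `verify` is called.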

Storage loopholes

There are also vulnerabilities with how WhatsApp messages are stored, which could be exploited by hackers.

WhatsApp chats are saved in four locations, from where data can be retrieved later. These include the phone memories of both the sender and receiver, WhatsApp’s server, and the cloud, depending on whether a user allowed it in the app’s settings.

Spyware dropped on the phone of either the sender or receiver could read the messages before they are encrypted or after they are decrypted. On a few occasions, hackers and government agencies have been alleged to have used spyware to read decrypted messages on targeted phones.

An instance is the hacking of several WhatsApp accounts in 2019 by the Pegasus remote surveillance software made by Israel-based cyber tech firm, NSO. Ex-Amazon CEO, Jeff Bezos, saw his phone hacked in 2018 after receiving a WhatsApp message purportedly sent by the crown prince of Saudi Arabia.

The cloud backup of messages can also be hacked. In the case of WhatsApp, users get the option to back up chats to Google Drive or iCloud but the copies aren’t protected by the end-to-end encryption. Hence, an attacker could access old chats if they hack into a cloud storage account.

On national security grounds, the Nigerian government could approach WhatsApp to request access to certain information stored on its servers but not chats because that violates privacy laws, the expert said.

Chat platforms often don’t store messages on their servers. WhatsApp claims it only does so if chats cannot be delivered immediately – for example, in instances where the receiver is offline, the sender’s messages are kept on the server for 30 days. Once they’re delivered, WhatsApp deletes the messages from the server.

WhatsApp has repeatedly said that with end-to-end encryption, only both parties in the conversation and nobody in between, not even the company itself, can decode what’s sent. Thus, it has often expressed helplessness to law enforcement agencies pressing for access to private messages, in countries like India.

Bottom line

WhatsApp Messenger enjoys a reputation of confidentiality but even encryption has its vulnerabilities. 

In theory, any device or service is susceptible to hackers, but encryption technology offers protection in most cases and WhatsApp is often quick to issue updates including security fixes.

It’s unclear how the Nigerian government intends to go about tracking WhatsApp messages after earmarking billions of naira for the said interception solution.

With over 90 million Nigerian users per data from Statista, WhatsApp is the most popular social media platform used in the country. Any attempt to tamper with the application would thus affect a massive number of people.


Michael Ajifowoke Author
