28

I was wiping and restoring a family member's Android phone today, as it was running slowly with loads of apps on it.

I decided to back up their WhatsApp messages to Google Drive in order to recreate their chat history easily after the wipe.

On the phone, I noticed this message from WhatsApp:

Important: Media and messages you back up are not protected by WhatsApp end-to-end encryption while in Google Drive.

The same message is also available here, at the end of the section for Creating a Google Drive Backup:

https://faq.whatsapp.com/en/android/28000019

Does this mean that if I have been chatting to anyone in the past, and that person has periodic Google Drive backups enabled, then my conversation is compromised to Google and/or WhatsApp?

If this is the case then it actually makes end-to-end encryption on WhatsApp useless unless the person you're chatting to swears that they don't have Google Drive backup enabled on their end. We might as well just use server-side encryption.

Or is the message given by WhatsApp badly expressed and ambiguous?

6
  • 3
    Erm, obviously?
    – Awn
    Commented Jun 30, 2017 at 20:06
  • 6
    Obviously there's a compromise at play, or obviously the description given by WhatsApp is badly expressed and ambiguous? Your answer is far from obvious.
    – bitofagoob
    Commented Jun 30, 2017 at 21:23
  • If someone voluntarily exports their data from Whatsapp to anywhere else, Whatsapp would lose control over it. So it won't be protected by Whatsapp end to end encryption (which is used to encrypt data in transit between Whatsapp clients)
    – Limit
    Commented Jul 1, 2017 at 0:26
  • So what you're saying is that WhatsApp is putting out a disclaimer on the data to say that they no longer have control over it, but that data in itself is still sent to Google Drive in an encrypted form? I don't mean that it's sent over TLS, I mean that when Google get it, the data is encrypted?
    – bitofagoob
    Commented Jul 1, 2017 at 7:58
  • @bitofagoob No. Whatsapp doesn't encrypt the data. If it did, it would have to provide a decryption key along with it. I don't think Whatsapp does that
    – Limit
    Commented Jul 1, 2017 at 20:27

3 Answers

33
+50

You're confusing message integrity and security with secrecy. WhatsApp provides end to end encryption, meaning the message you send can only be read by the recipient and vice versa. This protects you from third parties trying to eavesdrop on your conversation, and even prevents WhatsApp themselves from reading the messages. You can't demand WhatsApp to allow you to wiretap a conversation if WhatsApp themselves have no idea what's being sent.

However, once the message is in the hands of the recipient, it's a different story. In order for it to appear in their chat history, it has to be saved on the phone. If a person's device is compromised, so is your chat history with that person. The person could also screenshot your conversation, or even use another phone to take a picture of your conversation. Backup to Google Drive is simply a way of backing up your chat history so if you change devices or reset your phone all your messages aren't gone.

Once the conversation is in Google Drive, however, if a valid law enforcement request is made for your files, your conversation is now compromised, as Google only provides server side encryption, which allows them to decrypt your files. This even opens you up to further compromise if the recipient's Google account was ever hacked, as the hackers would have access to your message history with that person.

In short, no, the warning is accurate. It's not ambiguous; it tells you exactly what it means: if you save the messages to Google Drive, anyone with access to that account can retrieve the messages. This all boils down to the level of trust you have in your recipient. If you're not 100% sure that the person you're talking to isn't going to rat you out, best not to voice your dissent of your government to them.

3
  • Thanks zzarzurr. I think this answer is detailed enough for anyone reading it to get a technical overview of what happens to the Google Drive backup, without it going into excessive detail. It's a great answer for someone reading who may be more interested in the privacy aspect, rather than digging deeply. When I asked the question I was more interested in privacy than security and this answer suits my question perfectly. I award my bounty to you and mark the question answered.
    – bitofagoob
    Commented Aug 3, 2017 at 21:11
  • Where the heck did you read that Google only provides server side encryption - it's the opposite. Only transfer encryption. Don't spread misinformation. Just google "Google whatsapp storage encryption". Please prove me wrong, one of the few times I would love being wrong.
    – killjoy
    Commented Jul 25, 2019 at 22:24
  • 1
    @killjoy I assume you’re referring to the quote “Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive”. That quote doesn’t say messages aren’t encrypted, just that it’s not protected by WhatsApp Encryption. Google Drive uses 128-bit AES to store your data at rest, however the key is managed by them, making it server side encryption.
    – zzarzzur
    Commented Jul 27, 2019 at 8:38
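
Added example (not part of the original answer, and not WhatsApp's or Google's code): a small Python model of the key-custody point the accepted answer makes, comparing a backup that the storage provider encrypts with its own key against one the client encrypts before upload. The party names, the `simulate` function and the toy cipher are assumptions made for illustration, and the sample message is constructed.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher from the standard library (SHA-256 keystream plus
# HMAC). It stands in for a real AEAD such as AES-GCM; illustration only.
def _sub(key, label):
    return hashlib.sha256(label + key).digest()

def _xor(key, nonce, data):
    blocks = (hashlib.sha256(_sub(key, b"enc") + nonce + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Return the plaintext, or None if this key does not open the blob."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return _xor(key, nonce, ct) if hmac.compare_digest(tag, good) else None

def peel(keys, blob):
    """Strip every encryption layer that the holder of `keys` can decrypt."""
    stripped = True
    while stripped:
        stripped = False
        for key in keys:
            inner = open_(key, blob)
            if inner is not None:
                blob, stripped = inner, True
    return blob

def simulate(backup_mode):
    # e2e: sender and recipient only; provider: storage provider; device: recipient only
    e2e, provider, device = (secrets.token_bytes(32) for _ in range(3))
    msg = b"constructed sample chat message"
    in_transit = seal(e2e, msg)                 # what the relay server sees
    history = peel([e2e], in_transit)           # plaintext on the recipient's phone
    upload = history if backup_mode == "server_side" else seal(device, history)
    at_rest = seal(provider, upload)            # provider's own at-rest layer
    released = peel([provider], at_rest)        # what the provider itself can produce
    return {"relay_reads_transit": peel([], in_transit) == msg,
            "provider_reads_backup": released == msg,
            "recipient_restores": peel([e2e, device], released) == msg}
```

In the `server_side` case the provider's at-rest encryption does not stop the provider, or anyone it releases the file to, from reading the history; only the `client_side` case keeps the key out of the provider's hands.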
2

No, it doesn't. Whatsapp sends you a key and your client uses that for encrypting the backup.

(The remaining problem for me is that it is a closed-source timer bomb. And open-source alternatives do not provide cloud backup even as an option, which flee ordinary users, so activists hesitate to become only users, besides being impractical)

Source: https://blog.elcomsoft.com/2018/01/extract-and-decrypt-whatsapp-backups-from-google/

6
  • 1
    If Whatsapp knows the key for an encrypted backup, it's not end-to-end encrypted. You should also cite a source for the claim that it's encrypted in the first place, as the comments on the question disagree.
    Commented Jul 3, 2018 at 13:09
  • @AndrolGenhald Source added. If Whatsapp is doing this backup without including the phone number and if the client doesn't secretly send your Google username to Whatsapp, even with Google's cooperation they could not find your backup.
    – Mahdi-Act
    Commented Jul 4, 2018 at 19:20
  • That source just says it's encrypted, it doesn't say who has the key. It looks to me like Google has the key, and that's what I'd assume unless there's a source that says otherwise. I'm also pretty sure a large number of Google accounts have phone numbers associated, likely the same phone numbers used for Whatsapp.
    Commented Jul 4, 2018 at 19:24
  • @AndrolGenhald The source below confirms my claim, at least for iCloud: forbes.com/sites/thomasbrewster/2017/05/08/…
    – Mahdi-Act
    Commented Jul 4, 2018 at 20:44
  • @AndrolGenhald Better source added to main post. Read the "WhatsApp Encryption" section.
    – Mahdi-Act
    Commented Jul 4, 2018 at 20:53
-4

End to End encryption is useful only when your messages are travelling in the network and through Whatsapp servers. Hackers can't snoop on your messages when you use a cafe wifi point, let's say. Or governments can't request Whatsapp for your data, because it's encrypted. Like people already mentioned in previous answers, once the message is delivered to the client (the person you sent the message to), it doesn't matter that they have Google Drive backup enabled. The messages can be compromised from the recipient's phone itself.

1
  • 6
    I'm not sure what this adds to the accepted answer ... you literally repeat what was said.
    – schroeder
    Commented Sep 25, 2020 at 11:14
