In January, the Guardian published an alarming report from Manisha Ganguly alleging a serious encryption vulnerability in WhatsApp:
A design feature that could potentially allow some encrypted messages to reach unintended recipients is present within the WhatsApp messaging service.
Facebook-owned WhatsApp, which has about one billion users, has not made it widely known that there is an aspect of WhatsApp that results in some messages being re-encrypted and resent automatically, without first giving the sender an opportunity to verify the recipient.
Campaigners have expressed concern about how this aspect of WhatsApp could potentially be exploited to conduct surveillance.
In the first version of this article, the headline said that this was a WhatsApp “backdoor”, but Zeynep Tufekci quickly pointed out how misleading that description was in an open letter to the Guardian signed by dozens of computer security professionals:
WhatsApp’s behavior increases reliability for the user. This is a real concern, as ordinary people consistently switch away from unreliable but secure apps to more reliable and insecure apps. The imagined attack on WhatsApp, on which your reporting is based, is a remote scenario requiring an adversary capable of many difficult feats. Even then, the threat would involve only those few undelivered messages, if they exist at all, between the time the recipient changes their phone and the user receives a warning.
In the full scheme of things, this is a small and unlikely threat. The preconditions of the attack (which is not a backdoor) would in practice mean that the attacker had many other ways of getting at their target.
Despite this cogent explanation, Tufekci and the co-signers of this letter barely heard from the Guardian. They amended the problematic piece with a link to the letter and removed the word “backdoor” from their reporting, but did not retract the story. The Guardian’s ombudsman was ostensibly on a very long vacation because, try as the letter signers might, the newspaper simply wouldn’t acknowledge how deeply flawed their reporting was.
Today, however, the paper's reader's editor Paul Chadwick published an update in its opinion section:
In a detailed review I found that misinterpretations, mistakes and misunderstandings happened at several stages of the reporting and editing process. Cumulatively they produced an article that overstated its case.
The Guardian ought to have responded more effectively to the strong criticism the article generated from well-credentialled experts in the arcane field of developing and adapting end-to-end encryption for a large-scale messaging service.
This is about the most honest and straightforward admission that the piece from January — six months ago! — should never have been published. However:
This made a relatively small, expert, vocal and persistent audience very angry.
This sentence deeply undermines the credentials and the rationale of the responsible professionals who brought this issue forward. By framing them as “small” and “vocal”, it makes them sound unreasonably concerned. Nothing could be further from the truth, as Chadwick states in the very next sentence:
Guardian editors did not react to an open letter co-signed by 72 experts in a way commensurate with the combined stature of the critics and the huge number of people potentially affected by the story.
Chadwick also refuses to suggest a retraction of the story, despite effectively stating that none of the concerns presented in the original article are valid — and acknowledging the damage that the article caused in Turkey, in particular. I agree with him stating that the article should not be deleted entirely, but I think that the message added to the top of the original article is far too soft. It should be in a big-ass yellow box, and it should explicitly state that the Guardian found the concerns that they raised to be misleading and damaging. Anything less is a tacit admission that they still stand by their story, even after implying today that they don’t.