WhatsApp in healthcare: what’s up with end-to-end encryption?

On the 6th of April 2016, it finally happened! WhatsApp secured their messenger – an effort that was started in 2013 with the help of Moxie Marlinspike. Moxie is the founding father of Signal’s OpenWhisperSystems and his ideals must have resonated with WhatsApp’s founder, Jan Koum. He was raised in Ukraine during the Soviet-era when KGB eavesdropped on every word that was spoken. They have both done a wonderful job in protecting our privacy from mass internet surveillance. Thank you for this!

Gilles Lambert 8649

Can healthcare professionals use WhatsApp now that we have end-to-end encryption? *

We have received a lot of phone calls about this. And the short answer is… No.

But if you live and work in The Netherlands, we understand where the confusion comes from. Because a lot of the recent media attention was focused on 1 thing: the message with patient information moving from phone A to phone B, while being stored together with meta-data on Facebook’s servers, un-encrypted! So now that they have end-to-end encryption, the problem is solved, right? Well, WhatsApp did solve the Facebook server problem. Great. However, when you use WhatsApp in your clinical practice, you ought to consider what happens with the data when it is received. Is it just there, forever sitting on everybody’s phone? Or is it not only “just sitting there”?

Can we be absolutely, 100% sure that on the other side of the line, those pics are not accidentally accessed by another person or party?

There are still ways to easily eavesdrop information that was exchanged over WhatsApp now that it is encrypted.

  1. WhatsApp does not encrypt the data on the phone, protected with a pincode or TouchID. As the data is stored on your phone, and it is stored forever, you can be sure that this data will leak at some point.
  2. Did you allow WhatsApp to make automatic back-ups of your conversation? If you disabled this feature, did the receiving end also disable this feature? What does WhatsApp do for this cloud storage back-up? Is it also encrypted?
  3. What about the people you exchange messages with? Did they all opt-out of the automatic synchronization with the photos app on their phone? And are these images then uploaded onto their private cloud? And from that cloud, is that data accessible from all the devices in that household? And even worse: do these images automatically appear on screensavers at home?

These are all serious breaches that are NOT prevented by offering end-to-end encryption on the communication line. We are so used to the subconscious, automated back-ups of our data from our personal life, that a consumer messenger such as WhatsApp cannot be used in professional healthcare communication. Ever.

* end-to-end encryption means that the message you want to send, is encrypted on your device. And the only one to decrypt that message is the intended receiver. This means that the servers used for this communication cannot read the message