E2E encryption means that no third party can read the text message that is exchanged between the sender and receiver, not even WhatsApp. But then how is NCB managing to do it? There could be possible ‘mistakes’ from the user’s end that are helping NCB. And due to these mistakes, NCB doesn’t even need to request WhatsApp officials for help.
The first mistake from the user’s end is backing up WhatsApp chats on Google Drive or iCloud. If you have WhatsApp chat backup turned on, then you are basically making E2E encryption useless. This is because all WhatsApp chats saved on Google Drive or iCloud are without encryption. So, if anyone manages to get hold of your WhatsApp backup chats via Google Drive or iCloud then you are helpless.
Another mistake is not having WhatsApp two-factor authentication (2FA) turned on. WhatsApp 2FA is simply a six-digit code that helps you to protect your account from third-party intervention. While a hacker or any agency can clone your mobile phone and SIM, they would need the 2FA code to get in your WhatsApp account.
Now, what happens if you already have 2FA pin activated on WhatsApp? WhatsApp allows its users to provide an email ID to retrieve this 2FA Pin in case they forget it. So, if the law enforcement agencies have got control of your email ID then even WhatsApp 2FA PIN becomes useless as “the email address will allow WhatsApp to send you a link via email to disable two-step verification in case you ever forget your six-digit PIN,” as per WhatsApp. Thankfully, there’s an option of not providing your email ID. In this case, if you forget your WhatsApp PIN, you will have to forget your WhatsApp account as well.
Apart from WhatsApp chats, the law enforcement agencies can legally request WhatsApp to provide data. For those unaware, WhatsApp collects some metadata of users which could be passed on to law enforcement agencies if a request is made through a proper government channel.
WhatsApp stores obvious metadata like mobile numbers, device type, mobile network, mobile numbers of contacted people on WhatsApp, data on web pages visited through the app, time of chats, duration of chats, IP addresses, location and contacts. These data can be legally revealed.
Coming to the question of WhatsApp’s E2E policy, for E2E to work the best, users may need to delete all chat backups and disable backup altogether. Also, have a strong six-digit WhatsApp PIN and not provide any backup email ID. You can also provide a wrong email ID, as WhatsApp doesn’t verify it.