Is The Guardian Backdoored? A Timeline
Tl;dr: in January, the Guardian wrote a series of false stories about WhatsApp that it will now neither stand behind nor retract. As a result of these stories (which remain up on the Guardian site), activists in vulnerable places have put themselves at risk by moving from secure WhatsApp messaging to very insecure SMS.
This is not just a failure of journalism (everybody makes mistakes), but a serious failure of accountability. Despite repeated calls for a retraction by experts in the field, the Guardian refuses to make any public comment.
Here’s what happened in detail:
January 13, 2017
- Moxie Marlinspike, co-creator of Signal (which the app the Guardian recommended WhatsApp users switch to), publishes a blog post titled "There is no WhatsApp 'backdoor'":
Given the size and scope of WhatsApp's user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user's communication, along with a simple user experience... Even if others disagree about the details of the UX, under no circumstances is it reasonable to call this a "backdoor," as key changes are immediately detected by the sender and can be verified.
- Guardian changes headline to read "vulnerability" instead of "backdoor", adds statement "This article was amended following a further statement from WhatsApp, which said that it did not give governments a “backdoor” into its systems."
- Zeynep Tufekci, associate professor at UNC, reacts on Twitter. "@SamuelGibbs The level of irresponsibility and ignorance in your piece was breathtaking. Was the real human cost worth your clicks?"
- EFF writes in a post that it’s “it's inaccurate to the point of irresponsibility to call this behavior a backdoor”
- In email to Tufekci, Guardian assistant editor Emily Wilson says story is "rock solid", asks Tufekci to explain concerns.
- Tufekci replies to Wilson, explains "Telling people to switch away from WhatsApp is going to get people killed or jailed." Calls for retraction, apology, and corrected story.
- Wilson asks Tufekci to publish an article in the Guardian giving her perspective, offers to raise issue with readers' editor.
- Wilson forwards Tufekci's comments to Sam Gibbs, assistant technology editor. Gibbs "disagrees on most points," according to Wilson. Wilson again offers to escalate comments to the Readers' Editor, who "has the power to take stories down and correct them, and it's also his duty to write publicly about why Guardian staff are wrong when he thinks they are wrong."
- Tufekci declines Wilson’s invitation to write an article for the Guardian, arguing that it won’t undo the damage and couch the issue as “on the one hand, on the other hand” further confusing the users, repeats demand for a retraction. Offers to speak on phone with Readers' Editor.
- Participants in the Women’s March receive email saying “WhatsApp is no longer considered by tech experts to be a safe app,” citing Guardian article.
- Tufekci publishes an open letter to the Guardian, signed by 40 prominent cryptographers and security practitioners. List of expert signatures eventually grows to 74.
- Open letter circulated internally at Guardian. Wilson promises to forward details to Readers’ Editor.
- Tufekci requests update, learns that Readers’ Editor is "abroad this week", and that his office will be in touch.
- Office of the Readers’ Editor contacts Tufekci to tell her "The readers' editor – the Guardian’s internal ombudsman – will look into this matter, but he is currently on leave and so will not be able to address it until next month."
- Tufekci responds, asking Wilson "Is this the totality of Guardian's response? To wait for the reader's editor to come back from being on leave sometime "next month" to look into a story that some of world's top security experts and cryptographers has said was alarmist to the point of threatening user safety and one that has already been widely circulated?"
- Wilson again requests that Tufekci write an article for the Guardian, strongly defends the original claim that there is a vulnerability. Tufekci again demands retraction.
- Wilson forwards exchange to Readers’ Editor and asks him to break his holiday "if he can". Tufekci asks whether vacationing ombudsman is the only route to correcting serious errors at the Guardian.
- The Guardian adds a paragraph to the original article, linking back to Tufekci’s post:
Some security experts say that the vulnerability is a known and acceptable “trade-off” that makes sense for the majority of WhatsApp’s users, since it makes the app easier to use on a day to day basis. They describe the risk to most users as “remote” since the vulnerability only allows the targeting of individuals or groups of individuals at specific times, rather than widespread mass surveillance of WhatsApp users, and urge users not to switch to less secure platforms.
- Guardian publishes an article about WhatsApp two-step verification that includes the line "The roll out of the improved security comes weeks after the revelation of a vulnerability in the implementation of WhatsApp’s encryption protocols."
- After being criticized on Twitter for putting readers at risk, Guardian removes Shearlaw’s email address from Turkey article, adds language about using SecureDrop.
- Teen Vogue publishes an excellent explainer on secure messaging, citing three prominent security experts, including Tufekci and the creator of the Signal protocol. It has this to say about the Guardian’s coverage:
Don’t panic over recent reports that WhatsApp isn’t secure. In January, The Guardian reported that the messaging app’s encryption had a “backdoor”, a hole placed in the code allowing messages to be read without anyone knowing. That’s been debunked by security and privacy experts — some 70 of the best in the business — who argue it’s actually a design decision that ensures your messages get through as reliably as possible, and would be difficult to abuse to snoop on your conversation.
- Still no response from the vacationing Guardian Readers’ Editor, who in the words of Douglas Adams is “missing and presumed fed”.
- Five months since initial Guardian story; still no public response.
Compiled by Maciej Ceglowski (firstname.lastname@example.org)