It was reported in Brazil last week that the Federal Police was able to access previously displayed WhatsApp “view once” messages during an “extraction carried out by specific software that jointly displays the messages and files sent, reversing, in practice, the single view of the message”.
Here follows the original report, in Portuguese, and a quick translation to English.
Emphases and text within square brackets on the translation are my own.
Original Report
Mensagens trocadas entre Vorcaro e Moraes foram extraídas e periciadas pela PF, diz jornal
Reportagem publicada pelo blog da jornalista Malu Gaspar, do jornal “O Globo”, trouxe prints de mensagens atribuídas ao banqueiro Daniel Vorcaro enviadas ao ministro Alexandre de Moraes horas antes de Vorcaro ser preso pela primeira vez.
O jornal o Globo publicou, na noite desta sexta-feira (6), uma reportagem informando que os dados das mensagens trocadas no dia 17 de novembro entre Daniel Vorcaro e o ministro Alexandre de Moraes, do Supremo Tribunal Federal (STF), foram retirados do celular do dono do Master por meio de análise técnica da Polícia Federal (PF), e que essa análise permite visualizar, ao mesmo tempo, a tela de whatsapp com as mensagens e as imagens de visualização única nela contida.
O jornal informa também que, diferentemente do material enviado à CPMI do INSS, o conteúdo a que o Globo teve acesso não é fruto de comparação entre os horários dos textos que constam em blocos de nota de Vorcaro e as mensagens enviadas por ele, embora coincidam, e sim resultado da extração realizada por um software específico que exibe conjuntamente as mensagens e os arquivos enviados, revertendo, na prática, a visualização única da mensagem.
English Translation
Messages exchanged between Vorcaro and Moraes were extracted and examined by the Federal Police, says newspaper
A report published by journalist Malu Gaspar’s blog, from the newspaper “O Globo”, brought prints of messages attributed to banker Daniel Vorcaro sent to minister Alexandre de Moraes hours before Vorcaro was arrested for the first time.
The newspaper “O Globo” published, on the night of this Friday (6), a report informing that the data of the messages exchanged on November 17th between Daniel Vorcaro and Minister Alexandre de Moraes, of the Federal Supreme Court (STF), were removed from the [banker’s] cell phone through technical analysis by the Federal Police (PF), and that this analysis allows viewing, at the same time, the WhatsApp screen with the messages and the single-view images contained therein.
The newspaper also informs that, unlike the material sent to [a National Congress investigation], the content that “O Globo” had access to is not the result of a comparison between the times of the texts contained in Vorcaro’s notebooks and the messages sent by him, although they coincide, but rather the result of extraction carried out by specific software that jointly displays the messages and files sent, reversing, in practice, the single view of the message.
This isn’t surprising.
Even if WhatsApp is really E2EE and doesn’t include backdoors (which is a big if), it almost certainly isn’t overwriting the deleted data in a secure way (does android/iOS even have a way to do this?)
(does android/iOS even have a way to do this?)
I’m a bit out of the loop but my last understanding (dated ca. 2021-ish) is that it shouldn’t matter at that level. If WhatsApp is anything like Signal when it comes to storing the history of conversations, this is done in a live database file (SQLite or similar), at which point you only need to modify or delete the record within the file’s data tables. I’d be going over the way the extraction is described:
rather the result of extraction carried out by specific software that jointly displays the messages and files sent
Note that this is about the device that sent the messages, not about the device that could in theory only see them once. I’ve never used view-once messages so I don’t know the details of how they work on the sender side, but I would expect that from the sender side they cannot be reliably deleted or redacted before the sender can verify the receiver viewed them once (remote deletion notwithstanding).
The only exfiltration points “from disk” that I can see from that perspective would be:
- the automatic weekly(?) backup which generates copies of the database in designated files, at which point the only backups that might contain the message as-is (without any sort of redaction) would be the ones dated before the receiver sent a “read receipt” notification;
- the exports generated by the sending user via copy-paste, etc, by which point it’s not a WA security model failure (the entire point of being able to export the data is being able to export the data);
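The comments above turn on whether deleting a record from an app's SQLite message store also removes its bytes from the database file. The following Python example is added here and is not part of the thread, nor WhatsApp's or Signal's code or schema; it compares a plain `DELETE` with `PRAGMA secure_delete=ON` by scanning the raw file afterwards. The table layout, file name and marker string are constructed for illustration.

```python
import os
import sqlite3
import tempfile

# Constructed marker standing in for a message body; not real data.
MARKER = "VIEW-ONCE-PAYLOAD-7f3a-constructed"


def residue_after_delete(secure_delete: bool) -> bool:
    """Insert a row, DELETE it, and report whether its bytes remain in the file."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "msgstore-example.db")  # hypothetical name
        # isolation_level=None: autocommit, every statement is committed at once.
        con = sqlite3.connect(path, isolation_level=None)
        try:
            # Rollback-journal mode, so no -wal file keeps an extra copy around.
            con.execute("PRAGMA journal_mode=DELETE")
            # Set explicitly: the compiled-in default differs between builds.
            con.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
            con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
            con.executemany(
                "INSERT INTO messages (body) VALUES (?)",
                [("hello",), (MARKER,), ("see you tomorrow",)],
            )
            con.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
            # Application-level view: the record is gone.
            visible = con.execute(
                "SELECT COUNT(*) FROM messages WHERE body = ?", (MARKER,)
            ).fetchone()[0]
            assert visible == 0
        finally:
            con.close()
        # Examiner-level view: the raw bytes of the database file.
        with open(path, "rb") as fh:
            raw = fh.read()
    return MARKER.encode() in raw


if __name__ == "__main__":
    for mode in (False, True):
        found = residue_after_delete(mode)
        print(f"secure_delete={'ON' if mode else 'OFF'}: "
              f"deleted body still in file = {found}")
```

The check covers only the main database file; a journal or `-wal` file, or a backup copy made before the delete, can hold the same bytes independently.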



