A 10-month Commerce Department probe concluded Meta could view all WhatsApp messages in unencrypted form
I’m just here to satisfy my confirmation bias, but my question all along has been this: how does Meta simultaneously satisfy their claims of both E2EE and content moderation on WhatsApp? I can’t say that I’ve done anything even close to a deep dive on the topic, but those two things seem mutually exclusive.
You can actually report a message to WhatsApp within the app. If you report the message, then the full text gets sent to WhatsApp.
I don’t particularly know much about this specific topic, but it would be trivial for them to read what’s seen in the app. The encrypted part is only during transfer of a message, your app is still decrypting it to plain text, and Meta can just read the message at that point.
What I don’t understand yet is why there haven’t been any independent cybersecurity experts capable of finding a backdoor in WhatsApp. How hard would it be for an expert without access to the source code to find one? Are any independent entities monitoring WhatsApp’s security at all??
It’s not about being vulnerable. It’s probably a very tight software.
It’s just that Meta stores the private keys of the e2e encryption. So they can decrypt any and all chats if they want to.
The clients are one question, but the servers are another. If the backdoor is on the server end, which it sure looks like, then your experts won’t find anything by examining the client.
If the client was open source, it could be verified by inspecting this source alone. To my understanding, the clients do real end to end encryption. This is the good part. They also have some functionality to re-encrypt the data or export the secret key to let new peers take part, or so I guess. This is how your web browser can also read them after you peer it up. Now there might or might not be a function in the client, where Meta can request the private key or re-encryption. This is really hard to figure out without having the source code.
Hey I work in cyber security. Just because an app has a backdoor doesn’t mean that the backdoor can be accessed by anyone. Accessing this backdoor would likely mean compromising Meta themselves, not just the app or its communications.
I never assumed that this presumed “end to end encryption” was secure in any way. The key exchange either runs over Meta servers, and they just log them, or the client software simply surrenders the key (maybe always, maybe on demand) together with the data stream that still runs over Meta servers.
They can log anything they want and have nothing useful, if the encryption protocol is sound.
Have a look at how TLS is designed, if you want to know more.
You can have the soundest encryption in the world but if they have access to the keys it doesn’t matter, they can see everything.
But the key exchange is not the issue then.
Access to private keys is.
If the host system, on which the key exchange runs, is compromised, you’re toast.
Where’s the private key? I can get a new phone, log in with WhatsApp and download all the historical messages without introducing any additional password or key.
I assume they have all the required data too.
@Railcar8095 @zergtoshi actually that is not my experience with WhatsApp, since I have the backups disabled, every time I change phones I lose all my conversations. But since WhatsApp is closed source, the app can indeed use encryption to communicate p2p, but I will always assume that the key is logged by Meta, “just in case”
Sounds like a compromised phone in the sense that it doesn’t protect (and instead transmits) the private key.
So that ad campaign that they ran saying no one but you can see your messages. That was a bit strange that they were pushing it, since no one appeared to be saying otherwise, might be a lie? I never would have guessed.
“The claim that WhatsApp can access people’s encrypted communications is patently false,” Meta spokesperson Andy Stone said. He added that the bureau had already “disavowed this purported investigation, calling its own employee’s allegations unsubstantiated.”
I can’t help but notice that in response to people’s concern that Meta may be able to read people’s messages, the Meta spokesperson responds that WhatsApp can’t read them. A little bit of administrative juggling on Meta’s end so that the team with access to the messages doesn’t fall within the WhatsApp department, and both claims could be true.
But Facebook/“Meta” would never lie.
Oopsie! Hang on, they even lie to lawmakers in case buying them off fails? Bummer!
Seriously: this company needs to be scoured from the face of the earth.
Yeah, there are lots of ways for this to be true but misleading:
The communications are not encrypted if they have the keys.
The encrypted communications are not the people’s. By the TOS everything is the property of WhatsApp and they can access their own ‘Business Records’ perfectly legally.
A third party, like a federal agency, isn’t WhatsApp. (WhatsApp can also voluntarily give their ‘Business Records’ to said agencies without warrant or subpoena.)
Meta isn’t WhatsApp.
An internal project with an undisclosed codename isn’t WhatsApp.
Nitpicking; even if they have the keys, the messages can be encrypted. It’s just worthless as they can now decrypt them.
C’mon. It’s not that hard. You’re making the assumption that Andy Stone is telling the truth, with a gotchya astrict.
What if…the big business just…LIES???
The best lies have some kind of truth in them. Half truths are way more effective than complete falsehoods.
a gotchya astrict
Asterisk? This little fella? *
Nah, probably meant the other little fella - Asterix the Gaul.
Then they might get in trouble for false advertising.
In what world do you live where billionaires face actual consequences?
Worst case scenario, Meta pays a small fine, and doesn’t even blink. The day just goes on.
I mean yeah, but they’d usually not pay even a small fine (or pay for legal proceedings), so it’s a lot more efficient to use conveniently placed loopholes.
GDPR has entered the chat
…assuming the EU representatives have some balls
And here I thought the E2EE of Whatsapp was based on the one developed by Signal or at least so they say.
But I guess it’s hard to inspect anything, if it’s not open source software.
I’m so glad there’s Signal and a lot of my contacts use it.
Back when it was called Textsecure it was a different story.
If you can’t see the code (closed source) then treat it as they’re lying and it isn’t end to end encrypted
Settle down. There’s nothing to see here. Move along quietly and please remain calm… /s
bold of you to assume Meta respects data privacy, they have been all in on datamining for a while already
The most important question to ask when evaluating end-to-end encryption: who manages the keys?
If Facebook manages all of the keys and is responsible for telling which public key belongs to who, then of course Facebook can read every message.
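An added example, not part of the thread and not WhatsApp's or Signal's code: it models the point above about who tells you which public key belongs to whom, and shows that comparing key fingerprints out of band is what exposes a directory that hands out its own key. The `Directory` class, the names and the toy Diffie-Hellman group are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (assumption: not a vetted group).
P = 2**521 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(66, "big")).digest()

def fingerprint(own_pub, peer_pub):
    # Order-independent digest that two users compare out of band.
    lo, hi = sorted((own_pub, peer_pub))
    return hashlib.sha256(lo.to_bytes(66, "big") + hi.to_bytes(66, "big")).hexdigest()[:16]

class Directory:
    """Hypothetical server that tells clients which public key belongs to whom."""
    def __init__(self, substitute=False):
        self.keys = {}
        self.substitute = substitute
        self.own_priv, self.own_pub = keypair()

    def publish(self, name, pub):
        self.keys[name] = pub

    def lookup(self, name):
        # A substituting directory answers every lookup with its own key.
        return self.own_pub if self.substitute else self.keys[name]

def run_session(directory):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    directory.publish("alice", a_pub)
    directory.publish("bob", b_pub)
    a_sees, b_sees = directory.lookup("bob"), directory.lookup("alice")
    k_alice, k_bob = shared_key(a_priv, a_sees), shared_key(b_priv, b_sees)
    k_operator = shared_key(directory.own_priv, a_pub)
    return {
        "ends_share_key": k_alice == k_bob,
        "operator_has_alice_key": k_operator == k_alice,
        "fingerprints_match": fingerprint(a_pub, a_sees) == fingerprint(b_pub, b_sees),
    }

if __name__ == "__main__":
    print("honest:", run_session(Directory()))
    print("substituting:", run_session(Directory(substitute=True)))
```

With the honest directory both ends derive the same key and their fingerprints agree; with substitution the operator holds each user's session key and the only visible symptom is that the two fingerprints differ.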
oh lol. the trust chain is harder and harder to verify these days. i miss the good old days where I would write emails in vi and encrypt with gpg.
I still write emails with vi. but I lost touch with the one other friend I had who knew how to use gpg 😂😂😂
There are dozens of us! Dozens!
Cory Doctorow still uses pgp if you email him, I think his key is on his website, IIRC
even better - as far as I am aware the client isn’t open (and even if it were, is your installed build from the same source?).
so, even if the keys are local only, who says there isn’t a hidden API that simply sends locally decrypted content back to a remotely calling endpoint?
Or steganographically leaks back the keys …
thought it was proper e2e
https://signal.org/blog/whatsapp-complete/
but if whatsapp owns both ends, what is stopping them from just reading the decrypted text? i duno crypto good enough
That, and if WhatsApp has the keys, then no amount of encryption is going to help.
If I remember, the allegation was that they did keep all the keys and many employees could request them to decrypt specific sessions.
If you still use faecesbook products, you’re an idiot.
I’m gonna borrow FaecesBook from you - that’s hilarious!
my brain automatically makes it faecesbook now. I’ve been saying it for a decade or more.











