Lawsuit Alleges That WhatsApp Has No End-to-End Encryption

Comments

• just_another_person@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

  DUH

  source

  • sexy_peach@feddit.org ⁨2⁩ ⁨weeks⁩ ago

    No if this is proven it would be a real scandal and would bring a lot of users to better alternatives.

    If it’s false that’s good too, since then WA has e2e encryption

    source

    • MrSoup@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

      would bring a lot of users to better alternatives.

      Most users of whatsapp don’t care about e2e. They hardly even know what it is.

      source

      • -> View More Comments
    • just_another_person@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      It’s already a known risk, because WA uses centralized key management and servers, and always has regardless what Meta says. If you believe their bullshit, then I feel sad for you.

      Also…you don’t think that LAWYERS willing to go up against Meta would have rock solid proof from these whistleblowers FIRST before filing a lawsuit?

      C’mon now, buddy.

      source

      • -> View More Comments
    • RIotingPacifist@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      What are the better alternatives, because it seems like the comment section is flooded with people (yourself includes) that don’t understand that most (probably all) e2e messaging apps are vulnerable to this attack as long as they trust a centralized server.

      The issue isn’t an encryption one, it’s a trust one that requires you to trust the makers of the messaging app and the servers the apps connect to (and the method by which the app is distributed to you).

      source

      • -> View More Comments
    • zeca@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

      People wouldnt move. They know its not secure and they dont care enough.

      source
    • Nioxic@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

      Mark zuckerberg eats scandals for breakfast

      source

      • -> View More Comments
    • sauerkrautsaul@lemmus.org ⁨2⁩ ⁨weeks⁩ ago

      we can’t lose!

      source
    • pressanykeynow@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      If it’s false

      How would we know?

      source
    • devfuuu@lemmy.world [bot] ⁨2⁩ ⁨weeks⁩ ago

      It would not. People don’t care. People don’t care that meta is an evil corp. Encryption is not even close to the top 10 reasons people use that app. It’s just a random word normal users throw around because marketing told them it’s good.

      source

      • -> View More Comments
  • Sunspear@piefed.social ⁨2⁩ ⁨weeks⁩ ago

    Shocked, I tell you

    source
  • justanotheruser4@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    That’s just another comment

    source
• BanMe@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

  Well if I can’t trust Meta with my information, who CAN I trust

  source

  • chemicalprophet@slrpnk.net ⁨2⁩ ⁨weeks⁩ ago

    Me

    source

    • usernameusername@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

      Oh okay. My location is 55.752121, 37.617664, my full name is Jeremy, and my password is hunter9. I trust you not to tell this to anybody

      source

      • -> View More Comments
    • Buffy@libretechni.ca ⁨2⁩ ⁨weeks⁩ ago

      Can confirm, chemicalprophet is the best password manager I’ve ever used.

      source

      • -> View More Comments
    • DasSkelett@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago

      ta

      source
  • cley_faye@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    The drunk dude that’s always sitting on the ground near the park entrance and sell weird tissue dolls with curly hairs is more trustworthy, I’d say.

    source
• bjoern_tantau@swg-empire.de ⁨2⁩ ⁨weeks⁩ ago

  The biggest news is that Slashdot is still alive.

  source

  • RIotingPacifist@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    +5 insightful

    source

    • gnutrino@programming.dev ⁨2⁩ ⁨weeks⁩ ago

      I used to find slashdot delightful,
      but my feelings of late are more spiteful;
      my comments sarcastic
      the iconoclastic
      keep modding to plus five (Insightful).

      source
• wuffah@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

  Assume the same for Telegram and pretty much any chat platform that controls your private keys.

  source

  • zeca@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

    Telegram doesnt even pretend to be end to end encrypted.

    source

    • wuffah@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      iOS lets you create secret chats, but as far as I know other platforms have eliminated that functionality at the request of governments.

      source

      • -> View More Comments
  • REDACTED@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

    The telegram was clear as a day they announced cooperation with the Russian government and they unblocked it. That was way before the whole France fiasco, I doubt they’re actually giving up the keys to France. I’m from East and many say that Telegram now is essentially a Russian weapon. Surveillance at home, total free reign (sell drugs, spread CP, etc.) in west.

    source
• Delilah@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

  Wait, you are telling me that the company whos entire business is collecting personal information, including people who don’t sign up for their services, to leverage for advertising, is keeping their platforms unsecured they can continually grab more information rather than secure it?

  I for one am shocked, absolutely shocked.

  source

  • FlyingCircus@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Yes, except they’re not leveraging your data for advertising, they’re leveraging it so they can manipulate your political views and keep you from finding solidarity with other working people.

    source

    • dogzilla@masto.deluma.biz ⁨2⁩ ⁨weeks⁩ ago

      @FlyingCircus @technology These two things are the same thing

      source
• socsa@piefed.social ⁨2⁩ ⁨weeks⁩ ago

  It is end to end encrypted but they can just pull the decrypted message from the app. This has been assumed for years, since they said they could parse messages for advertising purposes.

  source

  • Hotzilla@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago

    Hasn’t it always been that they can decrypt the backups that you personally setup in wa, this way they don’t legally lie to you when the app tells you “this chat is encrypted, even Whatsapp cannot read the messages”.

    source

    • socsa@piefed.social ⁨2⁩ ⁨weeks⁩ ago

      Yes, any time you can store and recover encrypted cloud archives across devices, without needing to transfer keys between devices, it implies that there is a key archive somewhere in the cloud. Even Signal struggles to get this both user friendly and properly secure without compromising forward secrecy. I believe they still actually make you explicitly do a local key transfer to populate a new device, even though they have cloud archives now. Whatsapp doesn’t do that. And the app also clearly leaks some amount of unencrypted data anyway, archives or not.

      source
  • FactualPerson@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Surely they have access otherwise how do they moderate and investigate account blocks, reports of spam etc. Accounts get suspended, then some automation reviews it, then it escalates to a human, who will have to make a judgement based on some policy. How can they do that if they see nothing? (I’m asking not condoning).

    source
• herseycokguzelolacak@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

  WhatsApp client is closed source. Any claims around E2EE is pointless, since it’s impossible to verify.

  source

  • cley_faye@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    It’s E2EE alright. Just, don’t ask what “ends” we’re talking about.

    source

    • Canigou@jlai.lu ⁨2⁩ ⁨weeks⁩ ago

      Their mouth and Zuckerberg’s ass

      source
  • Flipper@feddit.org ⁨2⁩ ⁨weeks⁩ ago

    For Facebook it doesn’t matter if its e2e. They control the client on both sides. They can just let the client sent the clear text data to them.

    source
  • escapeVelocity@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

    TMBE

    Trust me bro encryption

    source
  • CeeBee_Eh@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Any claims around E2EE is pointless, since it’s impossible to verify.

    This is objectively false. Reverse engineering is a thing, as is packet inspection.

    source

    • snowboardbumvt@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      Reverse engineering is theoretically possible, but often very difficult in practice.

      I’m not enough of an expert in cryptography to know for sure if packet inspection would allow you to tell if a ciphertext could be decrypted by a second “back door” key. My gut says it’s not possible, but I’d be happy to be proven wrong.

      source

      • -> View More Comments
    • escapeVelocity@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

      Outside of open-source. That shit is usually illegal

      source

      • -> View More Comments
    • Sinthesis@lemmy.today ⁨2⁩ ⁨weeks⁩ ago

      Now you just need Meta to allow you on their networks to inspect packets and reverse engineer their servers because as far as I know, WhatsApp messages are not P2P.

      source
    • herseycokguzelolacak@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

      No it is not. Whatsapp gets several updates a month. How do you keep up with that rate?

      source
• skisnow@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

  15 years ago I’d have called this a conspiracy theory given how the evidence seems to be anecdotal, but given literally every single other thing we’ve learned in recent times about cartoonishly evil and lying the tech bros truly are, it seems entirely likely.

  source

  • vacuumflower@lemmy.sdf.org ⁨2⁩ ⁨weeks⁩ ago

    s/the tech bros/humans/

    Despite “the tech bros” really being that, I’m learning over time about some people surprisingly cowardly and evil, while looking like better versions of me, and some other people looking pretty normal and usual, while being epic and tragic heroes, and some other people looking like a typical Nazi 80 years late to the party, yet more honorable than many, and some other people looking like weak and nice versions of me, while having real warrior spirit.

    You have no idea how big the world is in all dimensions. We are all looking at it via our daily interactions, via news and internet discussions, via games and via books, and we don’t see what’s deep inside. Well, I suppose, people who read classics can see something.

    And they, these people on top of big tech, being just human, have such powers. What can they do with them? Perhaps we should forgive them for not being wise in deciding to have those powers, and praise them for doing less evil with them than they could.

    So. Perhaps in 15 years you’ve just grown.

    source
• Rusty@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

  If I am not adding my own private key to the app, like in Tox, I don’t trust their encryption.

  source

  • wallabra@lemmy.eco.br ⁨2⁩ ⁨weeks⁩ ago

    Tox also isn’t that great security wise. It’s hard to beat Signal when it comes to security messengers. And Signal is open source so

    source

    • REDACTED@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

      Well, Whatsapp uses signal. Bad timing

      source

      • -> View More Comments
    • Tanoh@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      And Signal is open source so, if it did anything weird with private keys, everyone would know

      Well, no. At least not by default as you are running a compiled version of it. Someone could inject code you don’t know anything about before compilation that for example leaked your keys.

      One way to be more confident no one has, would be to have predictable builds that you can recreate and then compare the file fingerprints. But I do not think that is possible, at least on android, as google holds they signature keys to apps.

      source

      • -> View More Comments
  • derin@lemmy.beru.co ⁨2⁩ ⁨weeks⁩ ago

    What’s stopping the app from keeping your private key and still not encrypting anything?

    I’m not trying to be difficult here, I just don’t see how anything outside of an application whose source you can check yourself can be trusted.

    All applications hosted by other people require you to react positively to “just trust me bro”.

    source

    • GamingChairModel@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      Or, if the app has the private key for decryption for the user to be able to see the messages, what’s stopping the app from copying that decrypted text somewhere else?

      The thread model isn’t usually key management, it’s more about the insecure treatment of the decrypted message after decryption.

      source
  • Candice_the_elephant@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    What’s to stop an evil company uploading the keys after you enter them in the App? It certainly wouldn’t stop Meta.

    source
  • Pika@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

    Man, you just brought back memories. I forgot qtox was even a thing. I think I still have my profile saved in my dev folder somewhere for my account

    source
• PierceTheBubble@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

  E2EE isn’t really relevant, when the “ends” have the functionality, to share data with Meta directly: as “reports”, “customer support”, “assistance” (Meta AI); where a UI element is the separation.

  source

  • partofthevoice@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

    Yeah. E2EE isn’t a single open standard. It’s a general security concept / practice. There’s no way to argue that they don’t really have E2EE if in fact they do, but they keep a copy of the encryption key for themselves. Also, the workers client app can simply have the “decrypt step” done transparently. Or, a decrypted copy of the messages could be stored in a cache that the client app uses… who knows? E2EE being present or not isn’t really the main story here.

    source

    • Candice_the_elephant@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      I don’t think it can be called End to End Encryption if it is actually End to End and The guy in the Middle.

      End to End implies only the Sender and Recipient have keys to decrypt the message.

      source

      • -> View More Comments
    • PierceTheBubble@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

      Yeah, I guess if you want users to keep sharing “confessions, [] difficult debases, or silly inside jokes” through a platform you’ve acquired, E2EE might give the WhatsApp user the false sense of privacy required.

      source
• arcterus@piefed.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

  So, is it basically treating every message as a “group” message where it sends it to some system WhatsApp account and then also to your intended receiver? This is what I’m assuming based on them supposedly being able to see deleted messages. Also would let them say it’s technically still “E2EE” since it’s indeed E2EE to your receiver, but it’s also E2EE to them as well.

  source

  • axx@slrpnk.net ⁨2⁩ ⁨weeks⁩ ago

    Ah yes, good old E2E AWA3E.

    “End to end, and we are also an end”.

    source

    • lando55@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

      The E is for “Everyone”

      source
    • Rooster326@programming.dev ⁨2⁩ ⁨weeks⁩ ago

      The S is for Security.

      source
    • Mr_Dr_Oink@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      I guessed you meant “end to end, as well as 3rd end” before reading on.

      source
  • Pika@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

    If that is the case though, its not E2E it’s client server encryption and then server client encryption back. thats just deceptive marketing at that point.

    source

    • arcterus@piefed.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

      Obviously it’s deceptive. But if you individually encrypt the messages you’re sending, the one you send to the receiver still can’t be decrypted by Meta, only the copy sent directly to Meta can, so the copy sent to your intended receivers is still “E2EE.”

      source

      • -> View More Comments
• lavander@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

  Call me old fashioned but I really think that for real E2EE the vendor of the encryption and the vendor of the infrastructure should be two different entities.

  For example PGP/GPG on <any mail provider>… great! Proton? Not great

  Jabber/XMMP with e2ee encryption great! WhatsApp/Telegram/signal… less so (sure I take signal over the other two every day… but it’s enough to compromise a single entity for accessing the data)

  source

  • phtheven@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Okay Oldschool, but doesn’t open source encryption audited by a third party solve this problem? Signal protocol for example? Also proton, I’m guessing, but I’m too lazy to check

    source

    • BoJackHorseman@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      Cynical me would say they don’t have to use the code they put up in GitHub in production.

      source

      • -> View More Comments
    • lavander@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

      Unfortunately even the best intentioned and best audited project can be compromised. So that is not a guarantee (sure, much better than closed source but that is a given)

      You may be forced by a rubber hose attack (or legal one) to insert vulnerabilities in your code… and you have the traffic… a single point to attack… signal/proton/etc

      Is it possible with two different vendors? Sure it is but it is way more complicated

      source

      • -> View More Comments
  • TractorDuffy@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    why

    source
  • escapeVelocity@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

    Not much people use clients anymore.

    source
• Jyek@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

  A lot of victim blaming in this thread. Why can’t you just be mad for someone who was deceived?

  source

  • matlag@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

    Because it’s the gazillionth time the exactly totally absolutely same kind of shit happens with the very exactly same company that didn’t even try to hide who they were.
    And next week the very very same deceived people will be of Facebook, Instagram, etc. And maybe, just MAYBE they’ll migrate away from Whatsapp… to join another proprietary network of another billonaire’s controlled megacorp.

    Because I’m tired of being “that pain in the ass” when barely suggesting to use something else all to see at the end people crying over things they’ve be warned about.

    If a kid burns themself once on a kitchen’s hotplate, you assume they learnt his lesson in an unfortunate way despite all the warnings.
    If adults keep burning themselves over and over… and over and over and over, at which point are you entitlede to say they’re part of the f*cking problem??

    source
  • gustofwind@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    at what point is it someone’s responsibility to simply know better?

    this isn’t some complicated deceit it’s literally one of the most untrustworthy companies in the world lying to your face. A company we’ve known for now like two decades is untrustworthy and overtly harms people to make money

    do people have responsibility at all?

    source
• roserose56@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

  No surprised at all tbf.

  source
• matlag@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

  Proposed line of defense: “With all respect, M. Judge, with all the different times we fucked our users, lied to them, tricked them, experimented on them, ignored them, we already sold private discussions on Facebook in the past, our CEO and founder most famous quote is «They trust me, dumbfucks!», the list goes on and on: no one in their sane mind would genuinely believe we were not spying on Whatsapp! They try to play dumb, they could not possibly believe we were being fair and honest THIS time?!”

  source
• Lucidlethargy@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

  You gatta be real stupid to not realize that Facebook is harvesting your data.

  source
• darkmogool@feddit.org ⁨2⁩ ⁨weeks⁩ ago

  insert pikachushockedface

  source
• myfunnyaccountname@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

  What?!! No. The owner of WhatsApp would never lie to us.

  source
• BilboBargains@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

  It would not be surprising if found to be true. Difficult to see how the current business model operates at a profit. Their long term goal is the usual loss leader model until a monopoly is achieved and then slug us with ads, sell all the data, hike the price, etc. Sickening to watch them cosy up to fascists. They are probably supplying any and all the agencies with intelligence scraped from their user base. If Facebook were a person they would be a psychopath.

  source

  • Amroth@feddit.it ⁨2⁩ ⁨weeks⁩ ago

    If Facebook were a person they would be a psychopath.

    I mean, Mark Zuckerberg kind of is Facebook, and he’s a psycho.

    source
  • drmoose@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Obligatory Image

    source
• sefra1@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

  Only a tech illiterate can expect privacy from a closed source program, open source is a requirement for both privacy and security.

  source
• Treczoks@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

  Why am I not surprised? Whether there is no end-end encryption, they have a copy of every key, get the decrypted messages from the client, or can ask the client to surrender the key - it does not matter.

  The point is that they never intended to leave users a secure environment. That would make the three latter agencies angry, and would bar themselves from rather interesting data on users.

  source
• pinesolcario@lemy.lol ⁨2⁩ ⁨weeks⁩ ago

  Shocking.

  source
• in_my_honest_opinion@piefed.social ⁨2⁩ ⁨weeks⁩ ago

  https://piefed.social/post/1699663#comment_9829227

  Lol

  source
• PieMePlenty@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

  I never used WhatsApp, but what made people think they used e2e? I’m way passed blindly believing what any company says they do without proof. I’d expect some kind of key or certificate management in the app, is that present?

  source

  • Ozymandias88@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    People expect it what WhatsApp claims it’s E2E encrypted at the start of each chat:

    Screenshot from the start of a WhatsApp thread where WhatsApp prints “Messages and calls are end-to-end encrypted. Only people in this chat can read, listen to, or share them.”

    source
• FlashMobOfOne@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

  Just assume any digital platform you’re using isn’t safe at this point.

  source
• clav64@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

  I would argue that the vast majority of users don’t use WhatsApp for privacy. In the UK at least, it’s just the app everyone has and it works. I’ve actively tried to move friends over to signal, to limited success, but honestly it can be escaped how encryption is not it’s killer IP.

  source
• M1k3y@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago

  Im not a big fan of meta and WhatsApp, but these claims are a bit much. Any employee gets access to messages through a well documented internal process? “No separate decryption step is required” , so the WhatsApp CLIENT is not doing any actual e2e encryption and no attempt at reverse engineering or traffic analysis has ever seen that this is the case?

  Where can one see, what these whistleblowers have actually published? I would expect to see this “simple process” and how that interface actually works… And I would expect any journalist to request some proof (show me the last message i sent to Alice) before trusting an anonymous whistleblower making such an extraordinary claim.

  From what I heard so far, that anonymous whistleblower could be a troll or an ex-employee who just wants to cause some trouble for meta.

  We should not trust anything blindly, even if it fits with our view of the world. Meta is an evil company, but as long as there is no indication for these specific allegations to be true, we should treat them as unfounded allegations.

  source
• i078@europe.pub ⁨2⁩ ⁨weeks⁩ ago

  There is a distinct difference between not having end to end encryption, and bypassing it.

  source
• fodor@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

  It will be interesting to see if this goes anywhere. It looks like the claims are based on specific aspects of California law (put simply: wiretapping, privacy, and deceptive business practices). Do they have a strong case? I don’t know, not worth my personal time to research state law on these issues.

  Is there enough to go to court? Certainly the lawyers think so, and I agree. If Meta is claiming E2EE (which it is) and then immediately undercutting that by re-transmitting large numbers of messages to itself (which is alleged), that sure feels deceptive to me, and it’s easy to think that a jury might agree.

  source
• RIotingPacifist@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

  Is the same not true of any app depending on centralized servers, e.g including signal?

  And also Google & Apple can backdoor any app on any mobile device.

  source