- cross-posted to:
- privacy@lemmy.ml
- cross-posted to:
- privacy@lemmy.ml
As evidence, the lawsuit cites unnamed “courageous whistleblowers” who allege that WhatsApp and Meta employees can request to view a user’s messages through a simple process, thus bypassing the app’s end-to-end encryption. “A worker need only send a ‘task’ (i.e., request via Meta’s internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job,” the lawsuit claims. “The Meta engineering team will then grant access – often without any scrutiny at all – and the worker’s workstation will then have a new window or widget available that can pull up any WhatsApp user’s messages based on the user’s User ID number, which is unique to a user but identical across all Meta products.”
“Once the Meta worker has this access, they can read users’ messages by opening the widget; no separate decryption step is required,” the 51-page complaint adds. “The WhatsApp messages appear in widgets commingled with widgets containing messages from unencrypted sources. Messages appear almost as soon as they are communicated – essentially, in real-time. Moreover, access is unlimited in temporal scope, with Meta workers able to access messages from the time users first activated their accounts, including those messages users believe they have deleted.” The lawsuit does not provide any technical details to back up the rather sensational claims.
You must log in or register to comment.
No surprised at all tbf.
I never used WhatsApp, but what made people think they used e2e? I’m way passed blindly believing what any company says they do without proof. I’d expect some kind of key or certificate management in the app, is that present?
Heck… my default is still to think every website does plaintext password storage. I can’t prove it, but neither can they. Stop storing my passwords in plaintext lemmy! /s
People expect it what WhatsApp claims it’s E2E encrypted at the start of each chat:
I mean yeah, I get that… but why would I believe that? Its trivial to add a label in an app and make it say that. I’m questioning trust here. My question should have rather been: why do people trust Meta will do exactly what they say? Its Meta, that immediately sends alarms to my brain saying to stay cautious. Like I said, there’s no way to verify what that piece of text says and the people who would be interested in e2e encryption are also that kind of people who should know what a trusted authority is.
but why would I believe that?
No inherent reason to believe that, but seems like lying about this should be illegal. The belief is in Meta’s compliance with the law rather than in its ethics, which, according to these claims, is unfortunately an unfounded belief.
Why would the law matter? We clearly saw him bribe the president. It was public and in our faces.
And also because at some point they hired Signal people to design E2EE for them, I think.
Around a year ago WhatsApp had large ads that just said “no one else can read your messages.” I don’t think most people thought that some one could, which makes me wonder why they were paying so much to say it.
Because after N scandals, they needed to make sure people would trust them. Meta had never considered itself bound to any promise or commitment they ever made to anyone (users, ads customers, etc.). But you want a monopole, you need to make sure people see no issue with using your services.
And they’re doing it again with Threads. And it works AGAIN, because they promised not to do anything evil. Pending the next inevitable scandal with users flabbergasted that Meta could have done it AGAIN.
Is anyone actually still using threads? I thought all the Twitter refugees ended up on Bluesky.
Any time they get asked questions like “Are my messages visible only to me?”, they answer with a very canned response like “Your messages are encrypted from end-to-end and can’t be read by anyone while in transit” … or words to that effect. I have never seen them state that no analytics or telemetry is happening on the unencrypted side by the client. Which has always bothered me.
Back at the start WhatsApp wasn’t free, although it was pretty cheap. Then Meta bought it and made it free. Some time after that, the founders left and started Signal.
The E2E encrypted protocol WhatsApp used to use was the Signal protocol. When the OG founders left and created Signal they revamped it, calling it the Signal V2 protocol. Whether WhatsApp still uses that original Signal protocol or not is probably not known to many people outside of Meta, but WhatsApp definitely used to be E2E encrypted prior to Meta’s purchase.
I deleted my WhatsApp account around the time Meta announced they were merging all of their messaging stuff together, e.g. Facebook Messenger, Instagram etc.
Call me old fashioned but I really think that for real E2EE the vendor of the encryption and the vendor of the infrastructure should be two different entities.
For example PGP/GPG on <any mail provider>… great! Proton? Not great
Jabber/XMMP with e2ee encryption great! WhatsApp/Telegram/signal… less so (sure I take signal over the other two every day… but it’s enough to compromise a single entity for accessing the data)
Not much people use clients anymore.
Yeah and I think it’s a pity. It’s the byproduct of “app culture” everything has to be easy. One button, plug and play…
Unfortunately like many things in life “saving” (time and effort n this case) has a cost
why
Okay Old Fashioned, but doesn’t open source encryption audited by a third party solve this problem? Signal protocol for example? Also proton, I’m guessing, but I’m too lazy to check
Unfortunately even the best intentioned and best audited project can be compromised. So that is not a guarantee (sure, much better than closed source but that is a given)
You may be forced by a rubber hose attack (or legal one) to insert vulnerabilities in your code… and you have the traffic… a single point to attack… signal/proton/etc
Is it possible with two different vendors? Sure it is but it is way more complicated
That’s a really good point. All we’d need is for signal devs to be compromised in some way and the next update ends security for signal.
Removed by mod
By this logic, can we trust any open source software, even if they claim to use some third party encryption? They could say they’re using a super secure encryption, even show it implemented in their open source code base, then just put the other, secret evil backdoor code base in production? Is there a way for any open source project to prove that the code in their open source repo is the code in production?
Removed by mod
But only if you self-host right? Otherwise who ever hosts the matrix instance can tinker with it.
Removed by mod
In the end i have to choose between some shady company or some guy with a homelab. I guess I’ll choose the one who isn’t financially incentivized to screw me over.
This is called reproducible builds. With this all builds of a version will be binary-identical. So you can build from the repo and the compare it with the appstore binary and see if the owner was honest.
Neat! And can this been done with signal or proton?
I found this:
https://github.com/signalapp/Signal-Desktop/blob/main/reproducible-builds/README.md
Looks like they’re working on reproducibility, at least in the desktop app. That’s a little disappointing but i guess I’m happy they’re working on it.
insert pikachushockedface
I would argue that the vast majority of users don’t use WhatsApp for privacy. In the UK at least, it’s just the app everyone has and it works. I’ve actively tried to move friends over to signal, to limited success, but honestly it can be escaped how encryption is not it’s killer IP.
Yup. I use Whatsapp to text my girlfriend and my work uses it as a group chat for road conditions or just shit talking.
If you’re using it for secure purposes, you’re part of the problem.
It would not be surprising if found to be true. Difficult to see how the current business model operates at a profit. Their long term goal is the usual loss leader model until a monopoly is achieved and then slug us with ads, sell all the data, hike the price, etc. Sickening to watch them cosy up to fascists. They are probably supplying any and all the agencies with intelligence scraped from their user base. If Facebook were a person they would be a psychopath.
Obligatory
If Facebook were a person they would be a psychopath.
I mean, Mark Zuckerberg kind of is Facebook, and he’s a psycho.
WhatsApp client is closed source. Any claims around E2EE is pointless, since it’s impossible to verify.
For Facebook it doesn’t matter if its e2e. They control the client on both sides. They can just let the client sent the clear text data to them.
It’s E2EE alright. Just, don’t ask what “ends” we’re talking about.
Their mouth and Zuckerberg’s ass
TMBE
Trust me bro encryption
Any claims around E2EE is pointless, since it’s impossible to verify.
This is objectively false. Reverse engineering is a thing, as is packet inspection.
Now you just need Meta to allow you on their networks to inspect packets and reverse engineer their servers because as far as I know, WhatsApp messages are not P2P.
/edit I betcha $5 that the connection from client to server is TLS(https), good luck decrypting that to see what its payload is.
Outside of open-source. That shit is usually illegal
It isn’t. Otherwise security research would never happen for proprietary software and services.
SureSure no white hat never been sued before
Reverse engineering is theoretically possible, but often very difficult in practice.
I’m not enough of an expert in cryptography to know for sure if packet inspection would allow you to tell if a ciphertext could be decrypted by a second “back door” key. My gut says it’s not possible, but I’d be happy to be proven wrong.
Hell, as far as I know, E2EE would be indistinguishable from client to server encryption, where the server can read everything without the need for a secret “backdoor key”. You can see that the channel is encrypted, but you can’t know who has the other key.
No it is not. Whatsapp gets several updates a month. How do you keep up with that rate?
I’ve always considered iTunes to be one of the worst pieces of software ever written, but WhatsApp is a very close second.
Ending encryption is Meta’s end so they can spy on everyone and help governments do so as well, so they therefore have an end to end encryption. Oh, y’all thought the app had true E2EE such that even Meta with their surveillance capitalist business model couldn’t access your data? 🤣
Even if that’s all true, it’s not evidence that the end to end encryption is broken.
That sort of debug access could simply be included in the clients.
I’m not sure if it’s the encryption part you don’t understand, the end to end, or both.
I understand perfectly well, it’s you who doesn’t.
If the illegitimate access happens on the client which is the endpoint of the e2e-encryption then it doesn’t say anything about the e2e-encryption working or not working. On the endpoint the content is always available decrypted, for user consumption
Ah, so you don’t understand what the word user means. Got it.
an end to end encryption implementation is broken when secret keys leak, whether its intentional or not.
Nowhere in the given scenario do secret keys leak.
The “encryption for two different receiving sides” part is the one that you, in turn, might have missed. WhatsApp client might just send messages to some additional technical party, which is not your buddy.
You gatta be real stupid to not realize that Facebook is harvesting your data.
Im not a big fan of meta and WhatsApp, but these claims are a bit much. Any employee gets access to messages through a well documented internal process? “No separate decryption step is required” , so the WhatsApp CLIENT is not doing any actual e2e encryption and no attempt at reverse engineering or traffic analysis has ever seen that this is the case?
Where can one see, what these whistleblowers have actually published? I would expect to see this “simple process” and how that interface actually works… And I would expect any journalist to request some proof (show me the last message i sent to Alice) before trusting an anonymous whistleblower making such an extraordinary claim.
From what I heard so far, that anonymous whistleblower could be a troll or an ex-employee who just wants to cause some trouble for meta.
We should not trust anything blindly, even if it fits with our view of the world. Meta is an evil company, but as long as there is no indication for these specific allegations to be true, we should treat them as unfounded allegations.
Of course we shouldn’t trust anything blindly, but we also need to use common sense. Have we seen proof that what’s claimed to be true is in fact true? No. But it might be true, and it’s consistent with what Meta would do. So if your cautious minded, you should assume it’s true for now while you go through the next few years of your life waiting for discovery.
In principle the messages themselves could be E2E encrypted, but the closed-source WhatsApp client could transmit decryption keys to Meta HQ without anyone finding out. As long as the client or the client device is unsafe and not trusted, E2EE is not really effective. Which is why one should always demand a FOSS client for E2EE.
What?!! No. The owner of WhatsApp would never lie to us.
A lot of victim blaming in this thread. Why can’t you just be mad for someone who was deceived?
Because it’s the gazillionth time the exactly totally absolutely same kind of shit happens with the very exactly same company that didn’t even try to hide who they were.
And next week the very very same deceived people will be of Facebook, Instagram, etc. And maybe, just MAYBE they’ll migrate away from Whatsapp… to join another proprietary network of another billonaire’s controlled megacorp.Because I’m tired of being “that pain in the ass” when barely suggesting to use something else all to see at the end people crying over things they’ve be warned about.
If a kid burns themself once on a kitchen’s hotplate, you assume they learnt his lesson in an unfortunate way despite all the warnings.
If adults keep burning themselves over and over… and over and over and over, at which point are you entitlede to say they’re part of the f*cking problem??I’m sick of Mark fucking zuckerberg.
If i was the mad king of the usa all of those tech bros would be in a jail in el salvador.
OH JUST USE SOMETHING ELSE!
I do but that doesn’t stop that ugly weak fuck from stealing from my business every chance he fucking gets.
It’s like buying a hot dog from a gas station and not feeling awesome tomorrow.
If you keep buying the hot dog every week, you see other people buying it and are fine, but you’re the only one getting sick week after week, at some point maybe you should just stop buying the hot dog.
No one else is getting sick. They know what they’re getting. But you keep buying it expecting this time it’ll be different. And when it isn’t it’s the gas stations fault.
at what point is it someone’s responsibility to simply know better?
this isn’t some complicated deceit it’s literally one of the most untrustworthy companies in the world lying to your face. A company we’ve known for now like two decades is untrustworthy and overtly harms people to make money
do people have responsibility at all?
Do you think an attractive woman who has been raped multiple times should simply know better? Is she asking for it if she wears slightly more revealing clothing? How many times does she need to be sexually abused before it’s her fault? How much responsibility does she have for her own abuse?
Somehow you’ve managed to connect basic consumer responsibility to being raped
There is literally something wrong with your brain if these are somehow remotely appropriate to compare
People can’t take increase responsibility for every single aspect of life. It seems straightforward to you because you’re likely tech literate. Do you know every process around how the mechanic services your vehicle, how medicines are made that you consume, how food is curated that you consume, how energy is generated that you consume? People can’t have intimate knowledge of every aspect of life, therefore if a company says “this is E2EE” you should be able to believe that at face value and rely on consumer protection agencies to follow up if it’s inaccurate.
No that’s not correct at all. If a company says something you do not in fact just get to believe it at face value and do 0 research, this applies in every field you mentioned. What planet are you from where you are supposed to just believe what companies say at face value???
People often get second options from different mechanics, doctors, contractors, and all sorts of specialists when told something because you need to do your own research to know about stuff.
You literally do in fact need to try and learn and make informed decisions about everything in life.
What you’re positing here is a view of life that Margaret Thatcher loved. The idea is, “There is no society. There are no laws. There is no oversight. Everything, all responsibility, all of it is 1000% individual.”
Of course in reality that’s nonsense. We live in a world with laws that are sometimes enforced, where governments sometimes protect us, because we want them to, because that’s good for us all.
But even if you believe in Thatcher’s view, then you have the problem of corporations. You can’t seriously argue that we should be responsible for everything ourselves, as individuals, and also that corporations should exist, because they are anti-individual.
No im telling you how it is and until we don’t live in such a world we have to take responsibility or it literally is your own fault
We all know this is the world and corporations do not follow laws and the state is weak and subservient to international capital
Until it’s not you can’t just close your eyes and trust the goddam corpos lmao
Chief, if you needed to make an informed decision about every decision in life, there’d be no time for life. That’s why other people specialize in jobs so that within reason, confidence can be placed to their decision. I’m not saying you blindly agree and follow everything, but people can’t be responsible for every decision. For example, who made the seatbelt in your car? What research did you personally do to verify the safety of your seatbelt. What maintenance have you done to it to ensure that it works as intended? Pretty important life saving bit of equipment.
Edit: my presumption is that you(or the vast majority of the population) haven’t done any research into your seatbelt because you trust in the car company and the safety rating requirements of your nation to ensure adequate protection.
You don’t need to worry about who made your seatbelt the same way you don’t need to worry about which specific programmers work for meta
You do need to worry about the repairability and safety rating of your car the same way you need to worry about the core descriptions of Meta’s products
Do you see?
Repairability in what way? Outside of changing the tires, a modern car is so complex with all the electronic systems in it that you can’t really repair it yourself and you can’t even reset the error codes because you don’t have that special tablet to even hook into it.
For safety ratings, do you even know what they test and how without looking it up? I’d venture a guess that no, but I’ve been surprised before.
People maybe buy a Toyota because they once read that they just work or people may buy a Mercedes one day because their Dad used to always drive one, but they probably didn’t sift through the damn safety and repairability ratings for it, they probably just bought it after a test drive. Its the same thing with anything really, how many times have you ever seen anyone question an app or a device that they are using when it just works and they don’t even have to think about it? Its either 0 or close to it.
You can simply go look up how repairable various makes and models are considered by reputable sources it’s very simple research that a mere google will tell anyone. You’re actually making it out to be much more complicated than it is. They tell you exactly what the safety ratings are for and how they’re tested you just have to spend more than 0 minutes reading the first few google results.
People can voice ask Google simple questions they’re just not wanting to care about any of this and then are shocked when anything happens.
You admit it yourself they’re just lazy consumers lol
You don’t need to be tech literate to follow the news. Meta has been caught in lie after lie for YEARS and it has all been widely reported on. Meta needs to face actual repercussions for their crimes against humanity, but anybody still buying into their bullshit is being willfully ignorant.
You are correct and incorrect at the same time. Yes, nobody should trust Meta. But Meta should also be dragged into every court available for their lies.
You just agreed with my points while telling me I’m incorrect. How am I incorrect?
If companies are lying in their advertising to the general public, then that is something the companies are responsible for. You can blame the victims, but that’s kind of stupid because there are so many people in the world who are not technically savvy. They don’t have the resources, background, knowledge, and skills to evaluate whether what the company is telling them is true. That’s why there are laws designed to protect consumers from lying companies.
Would it be great if everyone was an expert in everything? Yes. Are they? No. They never will be. That’s why we have laws.
