- cross-posted to:
- privacy@lemmy.ml
- cross-posted to:
- privacy@lemmy.ml
As evidence, the lawsuit cites unnamed “courageous whistleblowers” who allege that WhatsApp and Meta employees can request to view a user’s messages through a simple process, thus bypassing the app’s end-to-end encryption. “A worker need only send a ‘task’ (i.e., request via Meta’s internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job,” the lawsuit claims. “The Meta engineering team will then grant access – often without any scrutiny at all – and the worker’s workstation will then have a new window or widget available that can pull up any WhatsApp user’s messages based on the user’s User ID number, which is unique to a user but identical across all Meta products.”
“Once the Meta worker has this access, they can read users’ messages by opening the widget; no separate decryption step is required,” the 51-page complaint adds. “The WhatsApp messages appear in widgets commingled with widgets containing messages from unencrypted sources. Messages appear almost as soon as they are communicated – essentially, in real-time. Moreover, access is unlimited in temporal scope, with Meta workers able to access messages from the time users first activated their accounts, including those messages users believe they have deleted.” The lawsuit does not provide any technical details to back up the rather sensational claims.
You must log in or # to comment.
DUH
That’s just another comment
Well if I can’t trust Meta with my information, who CAN I trust
Me
Oh okay. My location is 55.752121, 37.617664, my full name is Jeremy, and my password is hunter9. I trust you not to tell this to anybody
Your secret is safe with us and our 36,893 affiliates.
Legitimate interest, though 🤞
Hi Vova
ta
The drunk dude that’s always sitting on the ground near the park entrance and sell weird tissue dolls with curly hairs is more trustworthy, I’d say.
Assume the same for Telegram and pretty much any chat platform that controls your private keys.
Telegram doesnt even pretend to be end to end encrypted.
Telegram for iOS lets you create “secret chats” but as far as I know other platforms have eliminated that functionality at the request of governments. And I would assume Apple technically controls the keys on device.
iOS lets you create “secret chats”
How? Not natively unless I’m mistaken
Not natively that I know of, but Telegram for iOS has the option when looking at someone’s profile. However, the Windows client does not.
Ah I see your edit now, thanks (and see how it was assumed implied :) )
Wait, you are telling me that the company whos entire business is collecting personal information, including people who don’t sign up for their services, to leverage for advertising, is keeping their platforms unsecured they can continually grab more information rather than secure it?
I for one am shocked, absolutely shocked.
Yes, except they’re not leveraging your data for advertising, they’re leveraging it so they can manipulate your political views and keep you from finding solidarity with other working people.
15 years ago I’d have called this a conspiracy theory given how the evidence seems to be anecdotal, but given literally every single other thing we’ve learned in recent times about how cartoonishly evil and lying the tech bros truly are, it seems entirely likely.
If I am not adding my own private key to the app, like in Tox, I don’t trust their encryption.
Tox also isn’t that great security wise. It’s hard to beat Signal when it comes to security messengers. And Signal is open source so, if it did anything weird with private keys, everyone would know
And Signal is open source so, if it did anything weird with private keys, everyone would know
Well, no. At least not by default as you are running a compiled version of it. Someone could inject code you don’t know anything about before compilation that for example leaked your keys.
One way to be more confident no one has, would be to have predictable builds that you can recreate and then compare the file fingerprints. But I do not think that is possible, at least on android, as google holds they signature keys to apps.
Signal has reproducible builds and here’s the instruction how to check it on Android https://github.com/signalapp/Signal-Android/blob/main/reproducible-builds/README.md
If they have, then good. Wasn’t sure it was doable with current google’s signing process. Highly unlikely someone hasn’t tampered with them then (far easier to target the site displaying the “correct” fingerprint).
However, my original point still stands. Just because it is open source doesn’t in itself mean that a bad actor can’t tamper with it.
Being prebuilt isn’t the same as open source! By that metric Linux is closed source because 99.9% of Linux users don’t build their own kernels (and those that do ought to shower anyway).
What’s to stop an evil company uploading the keys as soon as you enter them in the App? It certainly wouldn’t stop Meta.
Man, you just brought back memories. I forgot qtox was even a thing. I think I still have my profile saved in my dev folder somewhere for my account
WhatsApp client is closed source. Any claims around E2EE is pointless, since it’s impossible to verify.
It’s E2EE alright. Just, don’t ask what “ends” we’re talking about.
TMBE
Trust me bro encryption
Any claims around E2EE is pointless, since it’s impossible to verify.
This is objectively false. Reverse engineering is a thing, as is packet inspection.
Reverse engineering is theoretically possible, but often very difficult in practice.
I’m not enough of an expert in cryptography to know for sure if packet inspection would allow you to tell if a ciphertext could be decrypted by a second “back door” key. My gut says it’s not possible, but I’d be happy to be proven wrong.
No it is not. Whatsapp gets several updates a month. How do you keep up with that rate?
Outside of open-source. That shit is usually illegal
It isn’t. Otherwise security research would never happen for proprietary software and services.
SureSure no white hat never been sued before
In the US, CFAA is so draconian that in certain aspects it can be very illegal to reverse engineer code behind explicit ToS which whatsapp make you agree through click-wrap agreement (meaning explicit I agree button press) upon installing the app. So Meta could easily sue you with very good chance of winning. I work in security and reverse engineer a lot of stuff but just because my company has lawyers that will protect me (also I’m not an american) but generally americans are super fucked here and there are many stories of people being sued and even imprisoned for breaking ToS.
E2EE isn’t really relevant, when the “ends” have the functionality, to share data with Meta directly: as “reports”, “customer support”, “assistance” (Meta AI); where a UI element is the separation.
Edit: it turns out cloud backups aren’t E2E encrypted by default… meaning: any backup data, which passes through Meta’s servers, to the cloud providers (like iCloud or Google Account), is unobscured to Meta; unless E2EE is explicitly enabled. And even then, WhatsApp’s privacy policy states: “if you use a data backup service integrated with our Services (like iCloud or Google Account), they will receive information you share with them, such as your WhatsApp messages.” So the encryption happens on the server side, meaning: Apple and Google still have full access to the content. It doesn’t matter if you, personally, refuse to use the “feature”: if the other end does, your interactions will be included in their backups.
Call me old fashioned but I really think that for real E2EE the vendor of the encryption and the vendor of the infrastructure should be two different entities.
For example PGP/GPG on <any mail provider>… great! Proton? Not great
Jabber/XMMP with e2ee encryption great! WhatsApp/Telegram/signal… less so (sure I take signal over the other two every day… but it’s enough to compromise a single entity for accessing the data)
Okay Old Fashioned, but doesn’t open source encryption audited by a third party solve this problem? Signal protocol for example? Also proton, I’m guessing, but I’m too lazy to check
Removed by mod
Yep
By this logic, can we trust any open source software, even if they claim to use some third party encryption? They could say they’re using a super secure encryption, even show it implemented in their open source code base, then just put the other, secret evil backdoor code base in production? Is there a way for any open source project to prove that the code in their open source repo is the code in production?
Removed by mod
Unfortunately even the best intentioned and best audited project can be compromised. So that is not a guarantee (sure, much better than closed source but that is a given)
You may be forced by a rubber hose attack (or legal one) to insert vulnerabilities in your code… and you have the traffic… a single point to attack… signal/proton/etc
Is it possible with two different vendors? Sure it is but it is way more complicated
why
Not much people use clients anymore.
Yeah and I think it’s a pity. It’s the byproduct of “app culture” everything has to be easy. One button, plug and play…
Unfortunately like many things in life “saving” (time and effort n this case) has a cost
Proposed line of defense: “With all respect, M. Judge, with all the different times we fucked our users, lied to them, tricked them, experimented on them, ignored them, we already sold private discussions on Facebook in the past, our CEO and founder most famous quote is «They trust me, dumbfucks!», the list goes on and on: no one in their sane mind would genuinely believe we were not spying on Whatsapp! They try to play dumb, they could not possibly believe we were being fair and honest THIS time?!”
A lot of victim blaming in this thread. Why can’t you just be mad for someone who was deceived?
Because it’s the gazillionth time the exactly totally absolutely same kind of shit happens with the very exactly same company that didn’t even try to hide who they were.
And next week the very very same deceived people will be of Facebook, Instagram, etc. And maybe, just MAYBE they’ll migrate away from Whatsapp… to join another proprietary network of another billonaire’s controlled megacorp.Because I’m tired of being “that pain in the ass” when barely suggesting to use something else all to see at the end people crying over things they’ve be warned about.
If a kid burns themself once on a kitchen’s hotplate, you assume they learnt their lesson in an unfortunate way despite all the warnings.
If adults keep burning themselves over and over… and over and over and over, at which point are you entitled to say they’re part of the f*cking problem??I’m sick of Mark fucking zuckerberg.
If i was the mad king of the usa all of those tech bros would be in a jail in el salvador.
OH JUST USE SOMETHING ELSE!
I do but that doesn’t stop that ugly weak fuck from stealing from my business every chance he fucking gets.
It’s like buying a hot dog from a gas station and not feeling awesome tomorrow.
If you keep buying the hot dog every week, you see other people buying it and are fine, but you’re the only one getting sick week after week, at some point maybe you should just stop buying the hot dog.
No one else is getting sick. They know what they’re getting. But you keep buying it expecting this time it’ll be different. And when it isn’t it’s the gas stations fault.
at what point is it someone’s responsibility to simply know better?
this isn’t some complicated deceit it’s literally one of the most untrustworthy companies in the world lying to your face. A company we’ve known for now like two decades is untrustworthy and overtly harms people to make money
do people have responsibility at all?
People can’t take increase responsibility for every single aspect of life. It seems straightforward to you because you’re likely tech literate. Do you know every process around how the mechanic services your vehicle, how medicines are made that you consume, how food is curated that you consume, how energy is generated that you consume? People can’t have intimate knowledge of every aspect of life, therefore if a company says “this is E2EE” you should be able to believe that at face value and rely on consumer protection agencies to follow up if it’s inaccurate.
No that’s not correct at all. If a company says something you do not in fact just get to believe it at face value and do 0 research, this applies in every field you mentioned. What planet are you from where you are supposed to just believe what companies say at face value???
People often get second options from different mechanics, doctors, contractors, and all sorts of specialists when told something because you need to do your own research to know about stuff.
You literally do in fact need to try and learn and make informed decisions about everything in life.
Chief, if you needed to make an informed decision about every decision in life, there’d be no time for life. That’s why other people specialize in jobs so that within reason, confidence can be placed to their decision. I’m not saying you blindly agree and follow everything, but people can’t be responsible for every decision. For example, who made the seatbelt in your car? What research did you personally do to verify the safety of your seatbelt. What maintenance have you done to it to ensure that it works as intended? Pretty important life saving bit of equipment.
Edit: my presumption is that you(or the vast majority of the population) haven’t done any research into your seatbelt because you trust in the car company and the safety rating requirements of your nation to ensure adequate protection.
You don’t need to worry about who made your seatbelt the same way you don’t need to worry about which specific programmers work for meta
You do need to worry about the repairability and safety rating of your car the same way you need to worry about the core descriptions of Meta’s products
Do you see?
Repairability in what way? Outside of changing the tires, a modern car is so complex with all the electronic systems in it that you can’t really repair it yourself and you can’t even reset the error codes because you don’t have that special tablet to even hook into it.
For safety ratings, do you even know what they test and how without looking it up? I’d venture a guess that no, but I’ve been surprised before.
People maybe buy a Toyota because they once read that they just work or people may buy a Mercedes one day because their Dad used to always drive one, but they probably didn’t sift through the damn safety and repairability ratings for it, they probably just bought it after a test drive. Its the same thing with anything really, how many times have you ever seen anyone question an app or a device that they are using when it just works and they don’t even have to think about it? Its either 0 or close to it.
You can simply go look up how repairable various makes and models are considered by reputable sources it’s very simple research that a mere google will tell anyone. You’re actually making it out to be much more complicated than it is. They tell you exactly what the safety ratings are for and how they’re tested you just have to spend more than 0 minutes reading the first few google results.
People can voice ask Google simple questions they’re just not wanting to care about any of this and then are shocked when anything happens.
You admit it yourself they’re just lazy consumers lol
You don’t need to be tech literate to follow the news. Meta has been caught in lie after lie for YEARS and it has all been widely reported on. Meta needs to face actual repercussions for their crimes against humanity, but anybody still buying into their bullshit is being willfully ignorant.
Do you think an attractive woman who has been raped multiple times should simply know better? Is she asking for it if she wears slightly more revealing clothing? How many times does she need to be sexually abused before it’s her fault? How much responsibility does she have for her own abuse?
Somehow you’ve managed to connect basic consumer responsibility to being raped
There is literally something wrong with your brain if these are somehow remotely appropriate to compare
You gatta be real stupid to not realize that Facebook is harvesting your data.
It would not be surprising if found to be true. Difficult to see how the current business model operates at a profit. Their long term goal is the usual loss leader model until a monopoly is achieved and then slug us with ads, sell all the data, hike the price, etc. Sickening to watch them cosy up to fascists. They are probably supplying any and all the agencies with intelligence scraped from their user base. If Facebook were a person they would be a psychopath.
If Facebook were a person they would be a psychopath.
I mean, Mark Zuckerberg kind of is Facebook, and he’s a psycho.
Obligatory
Why am I not surprised? Whether there is no end-end encryption, they have a copy of every key, get the decrypted messages from the client, or can ask the client to surrender the key - it does not matter.
The point is that they never intended to leave users a secure environment. That would make the three latter agencies angry, and would bar themselves from rather interesting data on users.
I would argue that the vast majority of users don’t use WhatsApp for privacy. In the UK at least, it’s just the app everyone has and it works. I’ve actively tried to move friends over to signal, to limited success, but honestly it can be escaped how encryption is not it’s killer IP.
Yup. I use Whatsapp to text my girlfriend and my work uses it as a group chat for road conditions or just shit talking.
If you’re using it for secure purposes, you’re part of the problem.
