|
| ▲ | const_cast 3 days ago | parent | next [-] |
| > Messages are e2e and WA doesn't have access to them. We're talking about the metadata here. You're still just blindly trusting this is the case. You can't verify the encryption or any of the code. It would be trivial to actually encrypt the message and send it out and then store an unecrypted version locally and quietly exfiltrate it later. They have to already be storing an unecrypted version locally, because you can see the messages. So unless your analyzing packets on the scale of months or years, you cannot possibly know that it isn't being exfiltrate at some point. Take it a step further: put the extiltration behind a flag, and then when the NSA asks, turn on the flag for that person. Security researchers will never find it. |
|
| ▲ | roelschroeven 3 days ago | parent | prev | next [-] |
| We don't really know that messages really are end-to-end encrypted though, do we? Is there a way to actually check that the messages in transit are encrypted in a way that only the other end can decrypt them? If not, we have to take Meta's word for it, which frankly doesn't carry much weight. |
| |
| ▲ | varenc 3 days ago | parent | next [-] | | Not trivially. But with painstaking reverse engineering you could prove this. And people have, so you're not exclusively just taking Meta's word. The fact that Pegasus malware relied on remote code execution vuln to run malware on your phone to extract WhatsApp messages, really suggests that the E2EE works. If it wasn't E2EE, then the makers of Pegasus could have just intercepted traffic to get your messages. Academics have also reverse engineered it as well, and though there are some weakness it's not a lie that WhatsApp is E2EE. Here's some I just found: - https://eprint.iacr.org/2025/794.pdf - https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-Reverse... | | |
| ▲ | wordofx 2 days ago | parent [-] | | This does not prove that Meta does not have the ability to decrypt the messages. | | |
| ▲ | varenc 2 days ago | parent [-] | | Eh, well painstaking reverse engineering is like having the source code, just 10000x more work. With that I feel like it should be possible to ensure this, or at least with some high level of confidence. |
|
| |
| ▲ | lioeters 3 days ago | parent | prev [-] | | How can we call it "E2E encryption" in any meaningful sense of the term when the ends run proprietary code, and at least one of the ends has proven themselves unworthy of trust time and again. |
|
|
| ▲ | wordofx 3 days ago | parent | prev [-] |
| Meta/WA. Same thing. Might have worked at WhatsApp but FB still advertises based on conversation content. |
| |
| ▲ | jonoc 3 days ago | parent [-] | | Not sure this is correct - alaq said the messages are e2e, so not visible at all by anyone other that the participants of the conversation. The meta->data<- however IS visible by them and can and is likely to be used for advertising. | | |
| ▲ | another_twist 3 days ago | parent [-] | | Of course the meta data is visible. Its probably more useful than the actual content of the conversation too. I mean from an ML perspective how would you even make features out of conversation that help with CTR ? That too without creeping the users out. I'd imagine its the same reason why meta doesnt (likely) listen in on mobile mics. Why go through the whole shebang of running always on transcription when simple features like who talked to who and at what times are more useful at establishing user similarities. | | |
| ▲ | jonoc 3 days ago | parent [-] | | I'm not making a stance on things, just clarifying the previous comment |
|
|
|
