For open source messengers, you can check whether they actually encrypt your messages and whether the server has access to your encryption keys but what about WhatsApp? Since it’s not open source, you can’t be sure that the encryption keys aren’t sent to the server, right? Has there been a case where a government was able to access WhatsApp chats without reading them from the phone itself?

  • megopie@lemmy.blahaj.zone
    468·
    2 years ago

    Facebook owns what’s app and they can read any message on the service, they’ve also been known to give logs and messages to law enforcement agencies at request without warrants.

    • Frogodendron@beehaw.org
      8·
      2 years ago

      Why is it legal for them to advertise it as end-to-end encrypted then? I thought the main danger lies in WhatsApp insistence on backing up non-encrypted history to Google Drive/iCloud.

      Of course, the existence of backdoors is usually not disclosed (duh), but can they actually read any message?

      • megopie@lemmy.blahaj.zone
        71·
        2 years ago

        It’s not illegal because it is end to end encrypted when you send messages, but it’s not encrypted on your phone and they have access to that, not to mention, I imagine they have access to the keys used to encrypt the messages, so even if they backed it up encrypted they can still read the messages.

        The point of implementing it is not to protect people from surveillance, but rather to make people think they’re protected so they’ll keep using the platform rather than moving to another service. Their actual claims about it amount to “If your on public Wi-Fi or something, people skimming that won’t be able to see your messages” which is absurd because they already couldn’t.

        Admittedly, no law enforcement that they refuse to cooperate with will have access to the messages, but like, “law enforcement groups Facebook doesn’t cooperate with” is a very small list.

  • Lung@lemmy.world
    265·
    2 years ago

    You bet your ass they can. Since when has Facebook taken anybody’s privacy seriously? And you remember all the Snowden leaks? Like how AT&T has been a government apparatus for spying for decades? Or how about the way that the USA taps under sea cables to monitor data, causing China to build totally parallel backbone infrastructure

    The better question is whether Signal, despite being open source, is actually secure. It’s very plausible that the govt has backdoors somewhere, for either encryption, the OS, the programming language, the app store, or some random dependency lib

    The answer is yes, the US government spies on everything, and has a complete profile of everyone

      • Lung@lemmy.world
        31·
        2 years ago

        Well you gotta be careful if it’s your only donkey but I’m still confident you’ll end up winning a second ass

  • Zak@lemmy.world
    201·
    2 years ago

    Probably not, but it’s impossible to verify. There’s a strong argument for open source when security really matters.

  • kyle@lemm.ee
    131·
    2 years ago

    Everything I’ve ever heard about government cryptography from people close to me is that the government (FBI, military) is wildly far ahead of what’s available publicly. I wouldn’t count on anything you do on the Internet to be truly private.

    • trailing9@lemmy.ml
      6·
      2 years ago

      That was at times of DES. Cryptography that is used today is proven to be complicated enough that it’s unbreakable unless the government got quantum computing working at sufficient skale.

      Like others wrote, attacks will happen when the messages are received and decrypted.

  • TheAnonymouseJoker@lemmy.mlBanned
    101·
    2 years ago

    No. One-to-one chats are E2EE. However, group chats, if forced by government, can be subpoenaed and monitored by WhatsApp admin team temporarily.

    However, the best way to break encryption is usually a $5 wrench on someone’s head, which is how governments and authorities really do it.

    • cmeerw@programming.devEnglish
      2·
      2 years ago

      Group chats are also end-to-end encrypted in WhatsApp (so any monitoring would need to be done in cooperation with one of the participants’ devices before encryption or after decryption)

      • TheAnonymouseJoker@lemmy.mlBanned
        53·
        2 years ago

        In a subpoena case in India, that turned out to be not true. WhatsApp admins hold keys to being able to do that under law pressure. They only guarantee it for 1-1 messages and statuses, and against “generic” actors for group chats…

        • cmeerw@programming.devEnglish
          31·
          2 years ago

          In a subpoena case in India, that turned out to be not true.

          Source please.

          WhatsApp admins hold keys to being able to do that under law pressure.

          How do they get the keys?

          They only guarantee it for 1-1 messages and statuses, and against “generic” actors for group chats…

          Who is “they”?

      • InfiniteFlow@lemmy.world
        5·
        2 years ago

        Its a book of proceedings of a scientific conference, usually peer-reviewed. Springer publishes the proceedings but has nothing to do with the selection of the papers or their scientific quality… its just a service they provide, for a fee.

  • Cyclohexane@lemmy.ml
    71·
    2 years ago

    The code is not open source, so it’s hard to verify how good the encryption is or if it has backdoors.

    I’m not an expert in cryptography, but from my limited knowledge, the cryptographic keys used are very important. If Meta or the government can somehow know the decryption key to your messages or predict it, then they can see your messages.

    But they most likely don’t need to decrypt it in transit. One of the vulnerabilities in this system is Google firebase, which delivers notifications to your phone when WhatsApp messages arrive. Ever noticed how those notifications include the message content and the sender? Google has access to this information, despite the encryption.

    That’s just an example. Google has access to a lot on your phone.

    Another thing to consider is message metadata. The content of your message is encrypted, but what about information like the destination of your message, its recipients, time sent and received, and frequency? I’d even argue this is more important than content in many situations. Sometimes, linking person A to person B tells me a lot about person A.

    • loutr@sh.itjust.works
      7·
      2 years ago

      Ever noticed how those notifications include the message content and the sender? Google has access to this information, despite the encryption.

      Not necessarily. I work on a messaging app, and we only use firebase to “wake up” the app. Initially the notification doesn’t display anything meaningful, but the app very quickly connects to the server (tells the app who it should connect with) and then the peer (to finally get the actual content). The notification is updated once we have the content. But it typically goes so fast that you only ever see the final version of the notification.

  • cmeerw@programming.devEnglish
    5·
    2 years ago

    yowsup is an Open Source implementation of the WhatsApp protocol. So there is proper end-to-end encryption on the protocol level - that would only leave the possibility of having a backdoor in the “official” WhatsApp client, but none has been found so far. BTW, people do actually (try to) decompile the WhatsApp client (or the WhatsApp Web client which implements the same protocol and functionality) and look what it is doing.

    For anyone really curious, it’s not too difficult to hook into the WhatsApp Web client with your web browsers Javascript debugger and see what messages are sent.

    • asudox@lemmy.world
      1·
      2 years ago

      That repo was updated two years ago, everything could have happened within that time.

    • FooBarrington@lemmy.world
      1·
      2 years ago

      The E2E keys are exchanged over Meta servers, right? Couldn’t they just store the keys and decrypt on the server?

      • cmeerw@programming.devEnglish
        2·
        2 years ago

        Only public keys get exchanged via Meta’s servers, those keys don’t help you with trying to decrypt any messages (you need the corresponding private key to decrypt - and that private key stays on the device).

        Sure, they could just do a man in the middle, but that can be detected by verifying the keys (once, via another channel).

        • FooBarrington@lemmy.world
          1·
          2 years ago

          Makes sense. It does leave the MitM option open as you said, but if they did something nefarious here, it would have long been seen in at least a couple of cases due to OOB verification.

    • Fisch@lemmy.mlOP
      1·
      2 years ago

      I know that WhatsApp backups aren’t safe and I never turned them on

  • Astroturfed@lemmy.world
    52·
    2 years ago

    The better question is, do you trust meta at all? I’m sure they have a way to read everyone’s chats and would gladly hand over yours to the government if they want it.

  • nao@sh.itjust.works
    31·
    2 years ago

    It does not matter how good the encryption is. The app on your device has to be able to decrypt the content to be able to show it to you. If it has access to the decrypted data, it could just send it somewhere. If it has access to your private key, it can leak it. Even if the app is open source, you do not know if the binary on your phone matches that source, unless it uses reproducible builds and you actually verify the binary on your particular device, after each update.