- cross-posted to:
- privacy@lemmy.ml
- cross-posted to:
- privacy@lemmy.ml
As evidence, the lawsuit cites unnamed “courageous whistleblowers” who allege that WhatsApp and Meta employees can request to view a user’s messages through a simple process, thus bypassing the app’s end-to-end encryption. “A worker need only send a ‘task’ (i.e., request via Meta’s internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job,” the lawsuit claims. “The Meta engineering team will then grant access – often without any scrutiny at all – and the worker’s workstation will then have a new window or widget available that can pull up any WhatsApp user’s messages based on the user’s User ID number, which is unique to a user but identical across all Meta products.”
“Once the Meta worker has this access, they can read users’ messages by opening the widget; no separate decryption step is required,” the 51-page complaint adds. “The WhatsApp messages appear in widgets commingled with widgets containing messages from unencrypted sources. Messages appear almost as soon as they are communicated – essentially, in real-time. Moreover, access is unlimited in temporal scope, with Meta workers able to access messages from the time users first activated their accounts, including those messages users believe they have deleted.” The lawsuit does not provide any technical details to back up the rather sensational claims.
You must log in or register to comment.
Call me old fashioned but I really think that for real E2EE the vendor of the encryption and the vendor of the infrastructure should be two different entities.
For example PGP/GPG on <any mail provider>… great! Proton? Not great
Jabber/XMMP with e2ee encryption great! WhatsApp/Telegram/signal… less so (sure I take signal over the other two every day… but it’s enough to compromise a single entity for accessing the data)
Okay Old Fashioned, but doesn’t open source encryption audited by a third party solve this problem? Signal protocol for example? Also proton, I’m guessing, but I’m too lazy to check
Unfortunately even the best intentioned and best audited project can be compromised. So that is not a guarantee (sure, much better than closed source but that is a given)
You may be forced by a rubber hose attack (or legal one) to insert vulnerabilities in your code… and you have the traffic… a single point to attack… signal/proton/etc
Is it possible with two different vendors? Sure it is but it is way more complicated
Cynical me would say they don’t have to use the code they put up on GitHub in production.
By this logic, can we trust any open source software, even if they claim to use some third party encryption? They could say they’re using a super secure encryption, even show it implemented in their open source code base, then just put the other, secret evil backdoor code base in production? Is there a way for any open source project to prove that the code in their open source repo is the code in production?
If you can self host it, yes. Like matrix
But only if you self-host right? Otherwise who ever hosts the matrix instance can tinker with it.
Correct.
Yep
why
Not much people use clients anymore.
Yeah and I think it’s a pity. It’s the byproduct of “app culture” everything has to be easy. One button, plug and play…
Unfortunately like many things in life “saving” (time and effort n this case) has a cost
insert pikachushockedface
WhatsApp client is closed source. Any claims around E2EE is pointless, since it’s impossible to verify.
For Facebook it doesn’t matter if its e2e. They control the client on both sides. They can just let the client sent the clear text data to them.
TMBE
Trust me bro encryption
It’s E2EE alright. Just, don’t ask what “ends” we’re talking about.
Their mouth and Zuckerberg’s ass
Any claims around E2EE is pointless, since it’s impossible to verify.
This is objectively false. Reverse engineering is a thing, as is packet inspection.
No it is not. Whatsapp gets several updates a month. How do you keep up with that rate?
Reverse engineering is theoretically possible, but often very difficult in practice.
I’m not enough of an expert in cryptography to know for sure if packet inspection would allow you to tell if a ciphertext could be decrypted by a second “back door” key. My gut says it’s not possible, but I’d be happy to be proven wrong.
Hell, as far as I know, E2EE would be indistinguishable from client to server encryption, where the server can read everything without the need for a secret “backdoor key”. You can see that the channel is encrypted, but you can’t know who has the other key.
The easiest way to break E2EE is to copy your private key to Meta’s servers. It’s very easy to implement, and close to impossible to detect.
Now you just need Meta to allow you on their networks to inspect packets and reverse engineer their servers because as far as I know, WhatsApp messages are not P2P.
/edit I betcha $5 that the connection from client to server is TLS(https), good luck decrypting that to see what its payload is.
Outside of open-source. That shit is usually illegal
It isn’t. Otherwise security research would never happen for proprietary software and services.
SureSure no white hat never been sued before
It would not be surprising if found to be true. Difficult to see how the current business model operates at a profit. Their long term goal is the usual loss leader model until a monopoly is achieved and then slug us with ads, sell all the data, hike the price, etc. Sickening to watch them cosy up to fascists. They are probably supplying any and all the agencies with intelligence scraped from their user base. If Facebook were a person they would be a psychopath.
If Facebook were a person they would be a psychopath.
I mean, Mark Zuckerberg kind of is Facebook, and he’s a psycho.
A lot of victim blaming in this thread. Why can’t you just be mad for someone who was deceived?
at what point is it someone’s responsibility to simply know better?
this isn’t some complicated deceit it’s literally one of the most untrustworthy companies in the world lying to your face. A company we’ve known for now like two decades is untrustworthy and overtly harms people to make money
do people have responsibility at all?
Do you think an attractive woman who has been raped multiple times should simply know better? Is she asking for it if she wears slightly more revealing clothing? How many times does she need to be sexually abused before it’s her fault? How much responsibility does she have for her own abuse?
People can’t take increase responsibility for every single aspect of life. It seems straightforward to you because you’re likely tech literate. Do you know every process around how the mechanic services your vehicle, how medicines are made that you consume, how food is curated that you consume, how energy is generated that you consume? People can’t have intimate knowledge of every aspect of life, therefore if a company says “this is E2EE” you should be able to believe that at face value and rely on consumer protection agencies to follow up if it’s inaccurate.
You don’t need to be tech literate to follow the news. Meta has been caught in lie after lie for YEARS and it has all been widely reported on. Meta needs to face actual repercussions for their crimes against humanity, but anybody still buying into their bullshit is being willfully ignorant.
You are correct and incorrect at the same time. Yes, nobody should trust Meta. But Meta should also be dragged into every court available for their lies.
No that’s not correct at all. If a company says something you do not in fact just get to believe it at face value and do 0 research, this applies in every field you mentioned. What planet are you from where you are supposed to just believe what companies say at face value???
People often get second options from different mechanics, doctors, contractors, and all sorts of specialists when told something because you need to do your own research to know about stuff.
You literally do in fact need to try and learn and make informed decisions about everything in life.
What you’re positing here is a view of life that Margaret Thatcher loved. The idea is, “There is no society. There are no laws. There is no oversight. Everything, all responsibility, all of it is 1000% individual.”
Of course in reality that’s nonsense. We live in a world with laws that are sometimes enforced, where governments sometimes protect us, because we want them to, because that’s good for us all.
But even if you believe in Thatcher’s view, then you have the problem of corporations. You can’t seriously argue that we should be responsible for everything ourselves, as individuals, and also that corporations should exist, because they are anti-individual.
Chief, if you needed to make an informed decision about every decision in life, there’d be no time for life. That’s why other people specialize in jobs so that within reason, confidence can be placed to their decision. I’m not saying you blindly agree and follow everything, but people can’t be responsible for every decision. For example, who made the seatbelt in your car? What research did you personally do to verify the safety of your seatbelt. What maintenance have you done to it to ensure that it works as intended? Pretty important life saving bit of equipment.
Edit: my presumption is that you(or the vast majority of the population) haven’t done any research into your seatbelt because you trust in the car company and the safety rating requirements of your nation to ensure adequate protection.
You don’t need to worry about who made your seatbelt the same way you don’t need to worry about which specific programmers work for meta
You do need to worry about the repairability and safety rating of your car the same way you need to worry about the core descriptions of Meta’s products
Do you see?
Repairability in what way? Outside of changing the tires, a modern car is so complex with all the electronic systems in it that you can’t really repair it yourself and you can’t even reset the error codes because you don’t have that special tablet to even hook into it.
For safety ratings, do you even know what they test and how without looking it up? I’d venture a guess that no, but I’ve been surprised before.
People maybe buy a Toyota because they once read that they just work or people may buy a Mercedes one day because their Dad used to always drive one, but they probably didn’t sift through the damn safety and repairability ratings for it, they probably just bought it after a test drive. Its the same thing with anything really, how many times have you ever seen anyone question an app or a device that they are using when it just works and they don’t even have to think about it? Its either 0 or close to it.
You can simply go look up how repairable various makes and models are considered by reputable sources it’s very simple research that a mere google will tell anyone. You’re actually making it out to be much more complicated than it is. They tell you exactly what the safety ratings are for and how they’re tested you just have to spend more than 0 minutes reading the first few google results.
People can voice ask Google simple questions they’re just not wanting to care about any of this and then are shocked when anything happens.
You admit it yourself they’re just lazy consumers lol
If companies are lying in their advertising to the general public, then that is something the companies are responsible for. You can blame the victims, but that’s kind of stupid because there are so many people in the world who are not technically savvy. They don’t have the resources, background, knowledge, and skills to evaluate whether what the company is telling them is true. That’s why there are laws designed to protect consumers from lying companies.
Would it be great if everyone was an expert in everything? Yes. Are they? No. They never will be. That’s why we have laws.
Because it’s the gazillionth time the exactly totally absolutely same kind of shit happens with the very exactly same company that didn’t even try to hide who they were.
And next week the very very same deceived people will be of Facebook, Instagram, etc. And maybe, just MAYBE they’ll migrate away from Whatsapp… to join another proprietary network of another billonaire’s controlled megacorp.Because I’m tired of being “that pain in the ass” when barely suggesting to use something else all to see at the end people crying over things they’ve be warned about.
If a kid burns themself once on a kitchen’s hotplate, you assume they learnt their lesson in an unfortunate way despite all the warnings.
If adults keep burning themselves over and over… and over and over and over, at which point are you entitled to say they’re part of the f*cking problem??I’m sick of Mark fucking zuckerberg.
If i was the mad king of the usa all of those tech bros would be in a jail in el salvador.
OH JUST USE SOMETHING ELSE!
I do but that doesn’t stop that ugly weak fuck from stealing from my business every chance he fucking gets.
It’s like buying a hot dog from a gas station and not feeling awesome tomorrow.
If you keep buying the hot dog every week, you see other people buying it and are fine, but you’re the only one getting sick week after week, at some point maybe you should just stop buying the hot dog.
No one else is getting sick. They know what they’re getting. But you keep buying it expecting this time it’ll be different. And when it isn’t it’s the gas stations fault.
I would argue that the vast majority of users don’t use WhatsApp for privacy. In the UK at least, it’s just the app everyone has and it works. I’ve actively tried to move friends over to signal, to limited success, but honestly it can be escaped how encryption is not it’s killer IP.
Yup. I use Whatsapp to text my girlfriend and my work uses it as a group chat for road conditions or just shit talking.
If you’re using it for secure purposes, you’re part of the problem.
What?!! No. The owner of WhatsApp would never lie to us.
Im not a big fan of meta and WhatsApp, but these claims are a bit much. Any employee gets access to messages through a well documented internal process? “No separate decryption step is required” , so the WhatsApp CLIENT is not doing any actual e2e encryption and no attempt at reverse engineering or traffic analysis has ever seen that this is the case?
Where can one see, what these whistleblowers have actually published? I would expect to see this “simple process” and how that interface actually works… And I would expect any journalist to request some proof (show me the last message i sent to Alice) before trusting an anonymous whistleblower making such an extraordinary claim.
From what I heard so far, that anonymous whistleblower could be a troll or an ex-employee who just wants to cause some trouble for meta.
We should not trust anything blindly, even if it fits with our view of the world. Meta is an evil company, but as long as there is no indication for these specific allegations to be true, we should treat them as unfounded allegations.
In principle the messages themselves could be E2E encrypted, but the closed-source WhatsApp client could transmit decryption keys to Meta HQ without anyone finding out. As long as the client or the client device is unsafe and not trusted, E2EE is not really effective. Which is why one should always demand a FOSS client for E2EE.
Of course we shouldn’t trust anything blindly, but we also need to use common sense. Have we seen proof that what’s claimed to be true is in fact true? No. But it might be true, and it’s consistent with what Meta would do. So if your cautious minded, you should assume it’s true for now while you go through the next few years of your life waiting for discovery.
Only a tech illiterate can expect privacy from a closed source program, open source is a requirement for both privacy and security.
You gatta be real stupid to not realize that Facebook is harvesting your data.
No surprised at all tbf.
15 years ago I’d have called this a conspiracy theory given how the evidence seems to be anecdotal, but given literally every single other thing we’ve learned in recent times about how cartoonishly evil and lying the tech bros truly are, it seems entirely likely.
s/the tech bros/humans/
Despite “the tech bros” really being that, I’m learning over time about some people surprisingly cowardly and evil, while looking like better versions of me, and some other people looking pretty normal and usual, while being epic and tragic heroes, and some other people looking like a typical Nazi 80 years late to the party, yet more honorable than many, and some other people looking like weak and nice versions of me, while having real warrior spirit.
You have no idea how big the world is in all dimensions. We are all looking at it via our daily interactions, via news and internet discussions, via games and via books, and we don’t see what’s deep inside. Well, I suppose, people who read classics can see something.
And they, these people on top of big tech, being just human, have such powers. What can they do with them? Perhaps we should forgive them for not being wise in deciding to have those powers, and praise them for doing less evil with them than they could.
So. Perhaps in 15 years you’ve just grown.
Well if I can’t trust Meta with my information, who CAN I trust
Me
Oh okay. My location is 55.752121, 37.617664, my full name is Jeremy, and my password is hunter9. I trust you not to tell this to anybody
Your full name is “Jeremy”?
Oh god damnit chemicalprofet why did you tell this guy i thougjt i could trust you :((
All I see is ‘••••••’
I see ‘******’ though.
Maybe it’s just a different interface.
Jeremy “Iks” Hunter IX
Edit: IX. Iks. I think we got it right now.
The Ninth
Pronounced “iks”
Just like Cher (which is short for Cheremy).
Your secret is safe with us and our 36,893 affiliates.
Legitimate interest, though 🤞
Nice to see the ancient lore alive.
Can confirm, chemicalprophet is the best password manager I’ve ever used.
Ah! You did your own research!
ta
The drunk dude that’s always sitting on the ground near the park entrance and sell weird tissue dolls with curly hairs is more trustworthy, I’d say.
Ending encryption is Meta’s end so they can spy on everyone and help governments do so as well, so they therefore have an end to end encryption. Oh, y’all thought the app had true E2EE such that even Meta with their surveillance capitalist business model couldn’t access your data? 🤣
Wait, you are telling me that the company whos entire business is collecting personal information, including people who don’t sign up for their services, to leverage for advertising, is keeping their platforms unsecured they can continually grab more information rather than secure it?
I for one am shocked, absolutely shocked.
Yes, except they’re not leveraging your data for advertising, they’re leveraging it so they can manipulate your political views and keep you from finding solidarity with other working people.
@FlyingCircus @technology These two things are the same thing
