A 10-month Commerce Department probe concluded Meta could view all WhatsApp messages in unencrypted form

    • a4ng3l@lemmy.world
      2 days ago

      Any reported message? Back when I was doing anti-spam at my ISP, we could read reported spam from our customers. Obviously not all mails from/to the customers. That would be way disproportionate.

      • NaibofTabr@infosec.pub
        2 days ago

        If this is true:

        If you report the message then the full text gets sent to WhatsApp.

        That means there’s a software switch that dumps a plaintext copy of a supposedly encrypted message when flipped.

        Therefore, all you need to read any WhatsApp message is the ability to flag the message as “reported”, and access to wherever the plaintext copies get sent.

        Considering how often security is an afterthought for corporations, the access part is probably easy.

        • Rivalarrival@lemmy.today
          2 days ago

          That means there’s a software switch that dumps a plaintext copy of a supposedly encrypted message when flipped.

          Kinda, sorta, but no, not really. What’s happening is that the recipient is decrypting the message. When you report the message, you include a cleartext copy with your report.

          The “switch” you are talking about is in the same app that is doing the decryption. For the bad actor to toggle that “switch”, they would have to control the app.

          • Flagstaff@programming.dev
            2 days ago

            For the bad actor to toggle that “switch”, they would have to control the app.

            Are you talking about physical control? Regardless, it’s closed-source… There is nothing that says they can’t also generate the keys on the other end that they had your devices generate. Outside of open source code that’s buildable from source, they can claim whatever they want about lack of access to switches.

            • Rivalarrival@lemmy.today
              1 day ago

              Technically true.

              However, doing so would be perpetrating a fraud. If they denied the capability you’re talking about in response to a warrant or subpoena, someone would be in contempt.

              I don’t know if any corpo actually cares about such things, but I know that if you or I were to do this, we’d quickly find ourselves broke and possibly in prison.

              • Flagstaff@programming.dev
                1 day ago

                But my point is that Meta is committing fraud against the public for advertising WhatsApp as E2EE when it’s not, as per this entire post…

                • Rivalarrival@lemmy.today
                  1 day ago

                  There is no indication that they can actually acquire the clear text of an E2EE communication without one of the ends being complicit in the process. There is no evidence of the fraud you refer to.

                  That doesn’t mean they are telling the truth, merely that they haven’t been proven to have lied. They could release their source code tomorrow. That code could prove you are correct and they are liars. That code could prove that they are correct, and you were wrong.

                  We don’t have to resort to unfounded claims to justify criticism here. Proving their claims to be unverifiable is more damning than failing to prove they are committing fraud.