And if so, why exactly? It says it’s end-to-end encrypted. The metadata isn’t. But what is metadata and is it bad that it’s not? Are there any other problematic things?

I think I have a few answers for these questions, but I was wondering if anyone else has good answers/explanations/links to share where I can inform myself more.

  • ɐɥO · 99 points · 9 months ago

    It says it’s end-to-end encrypted.

    Whatsapp is closed source and made by an advertising company. Wouldn't really count on that.

    Edit: Formatting

    • @folkrav · 27 points · 9 months ago

      deleted by creator

      • @BitSound · 26 points · 9 months ago

        They would just say that they have a different definition of E2EE, or quietly opt you out of it and bury something in their terms of service that says you agree to that. You might even win in court, but that will be a wrist slap years later if at all.

        • SokathHisEyesOpen · 9 points · 9 months ago

          No single individual will beat a corporation as large as Facebook in a court battle. You could have all the evidence in the world and they’ll still beat you in court and destroy your life in the process. It took a massive class action lawsuit to hold them accountable for the Cambridge Analytica case, and the punishment was still pennies to them.

          Look at the DuPont case. There was abundant evidence that they were knowingly poisoning the planet, and giving people cancer, and they still managed to drag that case on for 30 years before a judgement. In the end they were fined less than 3% of their profit from a single year. That was their punishment for poisoning 99% of all life on planet earth, knowingly killing factory workers, bribing government agencies, lying, cheating, and just all around being evil fucks. 3% of their profit from a single year.

    • meseek #2982 · 19 points · 9 months ago

      “We just capture what you wrote and to whom before it gets encrypted and sent; we see nothing wrong with that” —Mark Zuckerberg, probably

    • @[email protected] · 15 points · 9 months ago

      They don’t really need the actual contents of your messages if they have the associated metadata, since it is not encrypted, and provides them with plenty of information.

      So idk, I honestly don’t see why I shouldn’t believe them. Don’t get me wrong though, I fully support the scepticism.

      • @bouh · 5 points · 9 months ago

        All they need is the encryption key for the message, and it’s not the message itself.

        • @[email protected] · 6 points · 9 months ago

          If the keys are held by them, they have access.

          When you log into another device, if all your chat history shows up, then their servers have your encryption key.

  • @[email protected] · 37 points · 9 months ago

    Metadata is all the content of a message besides the actual text content of the message (i.e. what you type). Examples would be the date and time it is sent, what users these messages were sent to / from, and the IP addresses of both parties. (The availability of metadata varies from messenger to messenger).

    I like this example: If you only text your Aunt Sally, who lives in Alaska, twice per year to wish her a happy birthday and Christmas, just by looking at the metadata someone could infer the meaning of your messages, as well as your relationship to the person you’re messaging. To a point this is true about any messages you sent.

    As for Whatsapp specifically, it being end-to-end doesn’t really matter imo, as the application is not open source and is owned by an advertising / social media company. As long as the code is closed source, you cannot be sure:

    1. That your messages are encrypted at all
    2. That your encryption keys are kept on-device, and not plainly available to a centralized party
    3. That the encryption the application is using is securely implemented

    At least for applications handling truly sensitive information (for the average person only their messenger and browser), you should be using open source software. The easiest recommendations I can make are:

    1. Browsers: Firefox, Thorium, Brave (disabled all cryptocrap)
    2. Messengers: Signal, SimpleX Chat, XMPP

    Anyways, I hope this was a satisfactory answer.
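As an added illustration of the Aunt Sally point above (my own example, not part of the original comment), the following Python runs over a constructed metadata log that contains no message text at all and still recovers recurring contact dates and late-night traffic patterns. All phone numbers and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed metadata-only log: timestamp, sender, recipient. There is no
# message content in it at all; every number below is made up for this example.
LOG = """\
2021-03-14T08:05 +1-555-0100 +1-907-0155
2021-12-25T09:02 +1-555-0100 +1-907-0155
2022-03-14T08:11 +1-555-0100 +1-907-0155
2022-12-25T09:30 +1-555-0100 +1-907-0155
2022-12-25T10:14 +1-907-0155 +1-555-0100
2022-11-03T23:41 +1-555-0100 +1-555-0142
2022-11-03T23:45 +1-555-0142 +1-555-0100
2022-11-04T00:12 +1-555-0100 +1-555-0142
2022-11-04T08:00 +1-555-0100 +1-555-0142
"""

def parse(log):
    records = []
    for line in log.splitlines():
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records

def profile_contacts(records, me):
    """For each counterpart of `me`: message count, active years, calendar
    dates that recur every year, and the share of late-night traffic."""
    by_contact = defaultdict(list)
    for ts, src, dst in records:
        if src == me:
            by_contact[dst].append(ts)
        elif dst == me:
            by_contact[src].append(ts)
    profiles = {}
    for contact, stamps in by_contact.items():
        dates_by_year = defaultdict(set)
        for ts in stamps:
            dates_by_year[ts.year].add((ts.month, ts.day))
        # A date present in every active year looks like a birthday or holiday.
        recurring = (set.intersection(*dates_by_year.values())
                     if len(dates_by_year) > 1 else set())
        late = sum(1 for ts in stamps if ts.hour >= 22 or ts.hour < 6)
        late_fraction = round(late / len(stamps), 2)
        if recurring:
            hint = "sparse, fixed-date contact (relative or annual greeting)"
        elif late_fraction > 0.5:
            hint = "bursty late-night contact (close personal relationship)"
        else:
            hint = "no strong pattern"
        profiles[contact] = {"messages": len(stamps),
                             "years_active": sorted(dates_by_year),
                             "recurring_dates": sorted(recurring),
                             "late_night_fraction": late_fraction,
                             "hint": hint}
    return profiles
```

Running `profile_contacts(parse(LOG), "+1-555-0100")` labels the Alaska-style number as a fixed-date contact and the other as a late-night one, without reading a single message.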

    • BraveSirZaphod · 3 points · 9 months ago

      That your messages are encrypted at all
      That your encryption keys are kept on-device, and not plainly available to a centralized party
      That the encryption the application is using is securely implemented

      This is true, but something that should be noted is that, to my knowledge, no law enforcement agency has ever received the supposedly encrypted content of WhatsApp messages. Facebook Messenger messages are not E2E encrypted by default, and there have been several stories about Facebook being served a warrant for message content and providing it. This has, as I understand, not occurred for WhatsApp messages. It is possible, of course, that they do have some kind of access and only provide it to very high-level intelligence agencies, but there’s no direct evidence of that.

      I would personally say that it’s more likely than not that WhatsApp message content is legitimately private, but I’d also agree that you should use something like Signal if you’re genuinely concerned about this.

      • @[email protected] · 1 point · 9 months ago

        If you log into WhatsApp on another device, does your history show up?

        If it does, that means they hold your encryption keys on their server. It’s the only way this could work.

        It’s why with Signal you need to maintain your keys and keep backups. No one else has your keys, so logging in to other devices won’t get history without that backup and the keys.

        Works this way with encrypted XMPP too, of course.

      • @bouh · 1 point · 9 months ago

        They had better hide that evidence as best they can, or they would lose a useful source of information.

        That’s the whole game of intelligence: to be a step ahead of the opponent, it must believe it’s safe so you can steal useful information. As soon as the breach is discovered, it ceases to be useful.

        • BraveSirZaphod · 1 point · 9 months ago

          Sure. My point is that, as far as I believe anyone is currently aware, there is no evidence that any law enforcement agency has ever accessed the content of encrypted WhatsApp messages. That does not mean that it has never happened either, but anyone positively claiming so is doing it without actual evidence, which is something we should probably avoid doing.

          • @bouh · 1 point · 9 months ago

            We can assess the security of the app though. And we should. And we should also bring awareness to the problems of closed sources.

      • @[email protected] · 1 point · 9 months ago

        Fascinating.

        I have no facebook account, but family members who insist on Whatsapp instead of something more secure. I use it to contact them. How is it associated with a facebook id? Did they generate one? Or am I piggybacked on them?

    • @[email protected]OP · 2 points · 9 months ago

      How do I know other browsers/messengers actually include the code that is published when they arrive on my phone? Wouldn’t it be possible to simply add tracking/malicious code outside of the open-source repository, build an APK from it and put that on the Play Store instead of the “clean” code on the repository?

      • @[email protected] · 5 points · 9 months ago

        You could compile the software yourself, and the builds they do publish are reproducible, therefore any hidden malicious code would almost certainly be noticed in any popular application.

    • @[email protected]OP · 1 point · 9 months ago

      What use is this knowledge through metadata to them? Let’s say I have no Facebook account and no other apps by Meta. There are no ads within WhatsApp. What do they gain by having this data about me?

      • @[email protected] · 3 points · 9 months ago

        They know your relationships with other people, and could infer things about you which will be stored in their servers regardless of whether you have a Facebook account, I believe if you search for “shadow accounts” you can read more about that

      • @[email protected] · 2 points · 9 months ago

        They can sell the information tied to your phone number or IP address to other companies, so they in turn know what ads to bombard you with.

    • @[email protected]OP · 3 points · 9 months ago

      Thank you, but I’m looking for actual arguments that would sway someone that is trying to come to a rational conclusion. “The reputation of the company is bad” is of course valid evidence, but it would be much more interesting to know what Facebook actually gains from having users on WhatsApp.

        • @[email protected]OP · 1 point · 9 months ago

          I understand they have access to all this information you listed, but what do they gain from that if I don’t use any (other) Facebook services? Normally, I understand that it allows for better ad targeting, but WhatsApp does not have ads, and if I don’t use any other Meta services that actually serve ads, how could this info being out be a problem for me?

  • @[email protected] · 21 points · 9 months ago

    The biggest problem is that it uploads your entire contact list and thus social network to Facebook. That alone tells them a lot about who you are, and crucially, also leaks this information about your friends (whether they use it or not).

    With contacts disabled it’s a pain to use (last time I tried you couldn’t add people or see names, but you could still write to people after they contacted you if you didn’t mind them just showing up as a phone number).

    It still collects metadata - who you text, when, from which WiFi - which reveals a lot. But if both you and your contact use it properly (backups disabled or e2e encrypted), your messaging content doesn’t get leaked by default. They could ship a malicious version and if someone reports your content it gets leaked, of course, but overall, still much better than e.g. telegram which collects all of the above data AND doesn’t have useful E2EE (you can enable it but few do, and the crypto is questionable).

  • @[email protected] · 20 points · 9 months ago

    Is Facebook bad for privacy?

    Whatsapp is Facebook. Literally. Whatsapp sold themselves to Facebook.

    So yes: it’s bad for privacy.

  • @bouh · 19 points · 9 months ago

    It might be E2EE but it’s not encrypted on your phone and it’s closed source. How do you know they don’t send the conversation data to their company? How do you know they don’t get the encryption keys to decipher the messages for them?

    • SokathHisEyesOpen · 5 points · 9 months ago

      How do you know they don’t get the encryption keys to decipher the messages for them?

      My guess is that they just capture keywords before you send it. They don’t need to read the contents of the sent conversation when both parties to the conversation are using an app they own. They can detect keywords before sending, log and report them, then send the message encrypted. No need to retain encryption keys since they already extracted what they want.

    • @[email protected]OP · 1 point · 9 months ago

      Other apps may have code published in a repository, but the path from repository into the Play Store onto my phone is not clear. How do I know that they don’t add extra tracking code on top during the build and release to the Play Store? With for example a popular alternate app, Signal?

  • @[email protected] · 15 points · 9 months ago

    While the messages themselves are encrypted, the WhatsApp app itself can still collect data from the device you’re using it on:

    • Phone number
    • Operating system
    • Associated contacts, etc.

    And given this is a Meta owned company, we can probably assume they profile you from that.

  • chi-chan~ · 15 points · 9 months ago

    That’s what they say. Meta Facebook already lied before countless times, so who knows.

    • chi-chan~ · 6 points · 9 months ago

      (You can google Facebook lawsuits. The number of the results is scary.)

  • @[email protected] · 10 points · 9 months ago

    If you’re on Android, the E2E is meaningless as WhatsApp can read what you type, just as the Facebook app can, since they have keyboard access.

    I don’t know that they do this, just saying it’s a leak point, and since it’s Meta/Facebook/Zuckerberg, well, let’s just say I’m a bit cynical.

  • @[email protected] · 10 points · 9 months ago

    Your address book is uploaded to Facebook servers when you use Whatsapp. And each time you interact, they know with whom, and link this information with other profiles and users of the Meta products.

      • @[email protected] · 2 points · 9 months ago

        That means if they want to see your messages they can do it anytime, not only when someone reports it.

        If a government wants access to the messages, it can get access.

        • @[email protected] · 1 point · 9 months ago

          Unlike other messaging apps, they have access to encryption keys: when you change devices you only need to fill in the phone number and all of your messages are available.

          On other apps like Signal or Matrix, you need to back up or export your keys to other devices, otherwise you can’t access previous messages.

          It’s like you own an apartment and the doorman has keys to all apartments: if you lose the key the doorman can give you a copy, but he also has access to your apartment whenever he pleases.

          • @[email protected] · 1 point · 9 months ago

            Don’t you need to have backed up your messages in Google Drive to be able to restore them when changing devices? And up until the multi-device update, when someone changed their phone you’d get a text saying your encryption keys with them have changed.

            And I remember talks in matrix about the need for a single password solution to appeal to masses.

  • @just_another_person · 4 points · 9 months ago

    E2E is not equal to Symmetric Encryption, which is the most private “one way” encryption meaning the user controls the data at the origin, and the messages can’t be decrypted by anyone else.

    WhatsApp is not the latter, so it is not private. Signal is symmetric, for example.

    • @[email protected] · 3 points · 9 months ago

      Care to elaborate? You can’t just imply asymmetric encryption can be decrypted by 3rd parties and not explain how.

      Also I don’t know how exactly signal works but I know that you don’t need to share secrets externally to message someone, so how are they exchanging the symmetric keys without using asymmetric encryption to boot?

      • @just_another_person · 1 point · 9 months ago

        This is more of a “how encryption” works question, so I’ll just defer to some article response I got from Google which explains it simpler than I would:

        “When someone sends a message to a contact over an app using the Signal protocol, the app combines the temporary and permanent pairs of public and private keys for both users to create a shared secret key that’s used to encrypt and decrypt that message. Since generating this secret key requires access to the users’ private keys, it exists only on their two devices. And the Signal protocol’s system of temporary keys—which it constantly replenishes for each user—allows it to generate a new shared key after every message.”
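To make the quoted paragraph concrete, here is an added toy version of that key agreement (my own illustration, not Signal's code and not part of the original comment): each side combines a long-term identity key pair with a fresh ephemeral key pair into one session key, and the relaying server only ever handles public values. It uses a small finite-field group instead of Curve25519 purely for readability.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example. The real Signal
# protocol uses Curve25519; any prime makes DH *correct*, but only a strong
# group makes it *secure*, so do not reuse these parameters anywhere.
P = 2**127 - 1   # a Mersenne prime, small enough to read
G = 2

def keypair():
    """Private scalar and the public value G^priv mod P that gets uploaded."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    """Classic DH: pub^priv mod P equals G^(priv_a * priv_b) for both sides."""
    return pow(pub, priv, P)

def derive_shared_key(my_ik, my_ek, peer_ik_pub, peer_ek_pub, initiator):
    """Combine the long-term identity key (ik) and the short-lived ephemeral
    key (ek) of both sides, X3DH-style, into one 32-byte session key.
    The three DH results are ordered so both sides hash identical bytes."""
    if initiator:
        parts = (dh(my_ik, peer_ek_pub), dh(my_ek, peer_ik_pub), dh(my_ek, peer_ek_pub))
    else:
        parts = (dh(my_ek, peer_ik_pub), dh(my_ik, peer_ek_pub), dh(my_ek, peer_ek_pub))
    material = b"".join(x.to_bytes(16, "big") for x in parts)
    return hashlib.sha256(b"toy-x3dh" + material).digest()

def simulate_exchange():
    """Alice (initiator) and Bob each derive the session key from their own
    private keys plus the other side's public keys. Returns both keys and the
    only things a relaying server ever sees: the public values."""
    alice_ik, alice_ek = keypair(), keypair()
    bob_ik, bob_ek = keypair(), keypair()
    relay_sees = {"alice_ik": alice_ik[1], "alice_ek": alice_ek[1],
                  "bob_ik": bob_ik[1], "bob_ek": bob_ek[1]}
    k_alice = derive_shared_key(alice_ik[0], alice_ek[0], bob_ik[1], bob_ek[1], True)
    k_bob = derive_shared_key(bob_ik[0], bob_ek[0], alice_ik[1], alice_ek[1], False)
    return k_alice, k_bob, relay_sees
```

Because every ephemeral key is fresh, a second call to `simulate_exchange()` yields a different session key even with the same identity keys, which is the per-message rekeying the quote describes.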

        • @[email protected] · 3 points · 9 months ago

          That doesn’t explain why asymmetric encryption is insecure? In fact signal seems to be using two pairs of asymmetric keys to generate its symmetric secret, so it would also be prone to attack if asymmetric encryption was a flawed system.

          • @just_another_person · 1 point · 9 months ago

            I guess I missed your initial conversations question, but this is easy to search, and not for me to defend WhatsApp. I’m not the harbinger of bad news here, I’m just telling you what everyone else has said on the internet. WhatsApp is not private. They cooperate with governments to make messages known even.

            I feel like you’re trying to drive a point home that has already lost in the security community as a whole. OP asked if WhatsApp is bad for privacy, and it is.

            Edit: just to shut you up - https://propertyofthepeople.org/document-detail/?doc-id=21114562