this post was submitted on 23 Oct 2023
74 points (89.4% liked)

Privacy

31803 readers
345 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

And if so, why exactly? It says it's end-to-end encrypted. The metadata isn't. But what is metadata and is it bad that it's not? Are there any other problematic things?

I think I have a few answers for these questions, but I was wondering if anyone else has good answers/explanations/links to share where I can inform myself more.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 37 points 1 year ago* (last edited 1 year ago) (6 children)

Metadata is all the content of a message besides the actual text content of the message (i.e. what you type). Examples would be the date and time it is sent, what users these messages were sent to / from, and the IP addresses of both parties. (The availability of metadata varies from messenger to messenger).

I like this example: If you only text your Aunt Sally, who lives in Alaska, twice per year to wish her a happy birthday and Christmas, just by looking at the metadata someone could infer the meaning of your messages, as well as your relationship to the person you're messaging. To a point this is true about any messages you sent.

As for Whatsapp specifically, it being end-to-end doesn't really matter imo, as the application is not open source and is owned by an advertising / social media company. As long as the code is closed source, you cannot be sure:

  1. That your messages are encrypted at all
  2. That your encryption keys are kept on-device, and not plainly available to a centralized party
  3. That the encryption the application is using is securely implemented

At least for applications handling truly sensitive information (for the average person only their messenger and browser), you should be using open source software. The easiest recommendations I can make are:

  1. Browsers: Firefox, Thorium, Brave (disabled all cryptocrap)
  2. Messengers: Signal, SimpleX Chat, XMPP

Anyways, I hope this was a satisfactory answer.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (2 children)

That your messages are encrypted at all
That your encryption keys are kept on-device, and not plainly available to a centralized party
That the encryption the application is using is securely implemented

This is true, but something that should be noted is that, to my knowledge, no law enforcement agency has ever received the supposedly encrypted content of WhatsApp messages. Facebook Messenger messages are not E2E encrypted by default, and there have been several stories about Facebook being served a warrant for message content and providing it. This has, as I understand, not occurred for WhatsApp messages. It is possible, of course, that they do have some kind of access and only provide it to very high-level intelligence agencies, but there's no direct evidence of that.

I would personally say that it's more likely than not that WhatsApp message content is legitimately private, but I'd also agree that you should use something like Signal if you're genuinely concerned about this.

[–] [email protected] 1 points 1 year ago (1 children)

They would better hide those evidences as best as they can, or they would lose a useful source of informations.

That's the whole game of intelligence: to be a step ahead of the opponent, it must believe its safe so you can steal useful informations. As soon as the breach is discovered, it ceases to be useful.

[–] [email protected] 1 points 1 year ago (1 children)

Sure. My point is that, as far as I believe anyone is currently aware, there is no evidence that any law enforcement agency has ever accessed the content of encrypted WhatsApp messages. That does not mean that it has never happened either, but anyone positively claiming so is doing it without actual evidence, which is something we should probably avoid doing.

[–] [email protected] 1 points 1 year ago

We can assess the security of the app though. And we should. And we should also bring awareness to the problems of closed sources.

[–] [email protected] 1 points 1 year ago (1 children)

If you log into WhatsApp on another device, does your history show up?

If it does, that means they hold your encryption keys on their server. It's the only way this could work.

It's why with Signal you need to maintain your keys and keep backups. No one else has your keys, so logging in to other devices won't get history without that backup and the keys.

Works this way with encrypted XMPP too, of course.

[–] [email protected] 2 points 1 year ago (1 children)

You have to scan a QR code from the website with your phone, which I'm assuming then facilitates a transfer of the keys.

That's essentially what's been posited by this rando on StackExchange.

https://security.stackexchange.com/questions/119552/how-does-end-to-end-encryption-work-with-whatsapp-web

[–] [email protected] 1 points 1 year ago

Does it work if your other devices are offline? That would be telling.

[–] [email protected] 2 points 1 year ago (1 children)

How do I know other browsers/messengers actually include the code that is published when they arrive on my phone? Wouldn't it be possible to simply add tracking/malicious code outside of the open-source repository, build an APK from it and put that on the Play Store instead of the "clean" code on the repository?

[–] [email protected] 5 points 1 year ago

You could compile the software yourself, and the builds they do publish are reproducable, therefore any hidden malicious code would almost certainly be noticed in any popular application.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (2 children)

What use is this knowledge through metadata to them? Let's say I have no Facebook account and no other apps by Meta. There are no ads within WhatsApp. What do they gain by having this data about me?

[–] [email protected] 3 points 1 year ago

They know your relationships with other people, and could infer things about you which will be stored in their servers regardless of whether you have a Facebook account, I believe if you search for "shadow accounts" you can read more about that

[–] [email protected] 2 points 1 year ago

they can sell the information tied to your phone number or IP address to other companies, so they in turn now what ads to bombard you with.

load more comments (2 replies)