this post was submitted on 29 Sep 2023
349 points (97.5% liked)
Privacy
32130 readers
1118 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This has always been my biggest pet peeve with WhatsApp. Yes, they might encrypt it all and the encryption might be practically unbreakable, but what worries me is what Meta might do with the private encryption keys. Lem me elaborate further.
I'll start by trying to explain how key-based encryption, the type of encryption WhatsApp uses, work at their core, for those who don't know (THIS IS GOING TO BE AN OVERSIMPLIFICATION). Imagine you want a friend to send you a message with super sensitive contents. Here's what you do to guarantee that no one else can read it but you:
This means that, if someone else manages to get the encrypted message, they will need the private key to read what it says, but they don't have it, only you have it. The only thing they can do keep guessing what that key is until they find what it was and read the message, but that can take up to millions of years, even using supercomputers.
As you can see, this works really well for sending messages without anyone but the sender and the reciever knowing what is being said, and that's why it's so used in encrypted message apps...
...but what if Meta has access to the private keys? I mean, what if, after WhatsApp creating the public and private keys for messaging, the private key is retrieved and stored in Meta's servers, making them able to read all the messages you receive?
Can someone with more experience in the subject say if my concerns are valid?
I have never believed Facebook when they’ve said they don’t have the ability to see your messages. There’s no proof of that whatsoever. And it’s fucking FACEBOOK.
I would be SHOCKED if they didn’t have access to private keys.
I think that would just be illegal, although I am not certain... maybe it's not
What I'd be more worried about personally is metadata. Sure, they might not know what you sent, but they know who you sent it to and when. The data is generally just gonna be "Oh, this person texts their mum every morning", but Meta already provided message contents in an abortion case, so what if someone is accused of having an abortion (the fact that you can be "accused" of that now in the US is still fucked up imo, but that's besides the point) and then Meta provides info that this teenager sent WhatsApp messages to a medical professional who can perform abortions. That would obviously not work as well as the contents themselves, but it does have value to the legal case.
In the end none of us have anything to hide... until we suddenly do
I know this wasn't argued here, but I'd like to make it clear anyways: You don't have to deal drugs or be a hired killer to want privacy. There are a bunch of reasons you could get in trouble with the government which fall into morally ambiguous areas. And sometimes we just don't want our entire life being analyzed to have an algorithm decide what advertisement is the most effective in getting us to click on it.
I share that concern and would not rely on my messaging being secure. Anyways as far as they state it themself, your private key for decrypting should stay on your device (in fact it uses the signal protocol and does a few more steps, e.g. to implement shared sessions over multiple devices. You can have a look at their FAQ, they've linked a white paper within it describing the technical details). But the main question is in my opinion: do you trust the guarantees they give you? It's the same struggle as with any proprietary software. You can trust them or you don't, but you will never know without access to the source code.
What do you mean, might? The keys will be stolen and sold to the highest bidder on the black market, probably to state surveillance organizations.