Yep, this is an analysis by a trusted individual in the security field. His ultimate summary:
> [WhatsApp's representative is] technically correct. This is not a backdoor. This really isn't even a flaw. It's a design decision that put usability ahead of security in this particular instance.
> How serious this is depends on your threat model. If you are worried about the US government -- or any other government that can pressure Facebook -- snooping on your messages, then this is a small vulnerability. If not, then it's nothing to worry about.
Security isn't either a scale or a binary; from one point of view it's a large number of binary values.
Either your security will or won't be compromised by a given threat model. This is binary, but there's lots of different threat models one could have.
E.g., if you care about the Russian government impersonating you, it's a different threat model than if you care about the US government reading your communication, which is a different threat model than if you care about a private actor encrypting all your data and holding it ransom.
This is then complicated by the fact that we can't see into the future (sufficiently complicated code is likely to have bugs, we need to predict if those bugs will be exploited before they are fixed; large government attackers may or may not know about math that the public crypto community doesn't; which governments will successfully compel a third party to do various things or reveal various secrets &c.) so each binary value for the security becomes probabilistic.
Come on, a collection of binary values for all of the threat models on a product used by millions of people is a scale by any other name. How good is the product at covering each of the threat models?