[fareesh]

If I login to Facebook.com from any random device+browser, I seem to be able to read my "Facebook Messenger" history - maybe this is different if I use the Messenger app, but it seems like there's no E2EE here since I get the plaintext from anywhere.

On WhatsApp there seems to be E2EE enabled but I have no idea what the keys are. A layperson definitely has no idea what the keys are.

Could Facebook build an "NSA mode" where the old keys (K1) are quietly replaced with some known keys (K2) for a particular user at a particular timestamp T?

This means that all messages before T are to be parsed by using K1 and all messages after T are to be parsed by using K2.

As a WhatsApp user, would I even know if "NSA mode" has been enabled for my account? This would enable courts to allow surveillance for all future messages, but the old messages would still be E2EE.

What if you involve Apple+Google into the mix and have them silently deploy a rogue update to a particular user's WhatsApp program - couldn't you just ask a court to write some kind of surveillance warrant which orders the 3 companies to work together to give the alphabet agency a way to remotely take the keys?

[ehnto]

That's exactly what the Assistance and Access Act of 2018 in Australia was for. It allows law enforcement to compel third parties to subvert encryption. This doesn't necessarily mean break the encryption itself, but could mean deploying a malicious update to a target device that keylogs or screen captures, or otherwise allows eavesdropping. Keep an eye out for similar bills in your respective governments, it passed without struggle in Australia despite the seemingly negative opinion the public and media had on the issue.

https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...

[jaywalk]

Facebook Messenger conversations are not E2EE by default. When you start one, you have to choose "Secret" in order for E2EE to be applied. This is only available from the Messenger app on mobile devices.

[BelleOfTheBall]

Is this advertised anywhere, like in clear wording? On the site, in the app, etc. If it is, good on them. If not, kind of worrying.

Simply saying "We have E2EE so you can trust us now" and not actually clarifying where E2EE is applicable in your apps is some very typical PR talk.

[thatfunkymunki]

WhatsApp is default E2E and is quite visibly indicated in the application. You can probably make the call on how visible the E2E features in Messenger are yourself if you take a look.

[BelleOfTheBall]

That would require to join Facebook and I'm not coming back there. I'm aware of WhatsApp being E2E, yeah, everywhere except for backups. Another user replied that Facebook plans to go E2E completely, that's surprising but good.

[bryan_w]

They are planning on making messenger E2EE by default which is probably why they are being called to testify today

[shawnz]

> On WhatsApp there seems to be E2EE enabled but I have no idea what the keys are.

The keys are shown right in the contact's profile under "Encryption", same as Signal. It even has a feature to validate their key by taking a picture of their screen. How could it be any easier for laypeople than that?

[fareesh]

WhatsApp website:

> This code can be found in the contact info screen, both as a QR code and a 60-digit number. These codes are unique to each chat and can be compared between people in each chat to verify that the messages you send to the chat are end-to-end encrypted. Security codes are just visible versions of the special key shared between you - and don't worry, it's not the actual key itself, that's always kept secret

So basically it's just a random unique number and could have no relationship to the key whatsoever. We'll never know.

[shawnz]

It's easy to see it's calculated from the key since the validation will fail if the code is wrong.

What would it prove if they showed the private key in plain text?