[dman]

As a user I find this section very intriguing.

*************************

"Can WhatsApp work with law enforcement without traceability?

WhatsApp respects the important work law enforcement does to keep people safe. Our dedicated team reviews and responds to valid law enforcement requests. We respond to valid requests by providing the limited categories of information available to us, consistent with applicable law and policy. We also have a team devoted to assisting law enforcement 24/7 with emergencies involving imminent harm or risk of death or serious physical injury. We consistently receive feedback from law enforcement that our responses to requests help solve crimes and bring people to justice.

It’s also important to understand that depending upon the nature of their investigations, law enforcement officials have multiple investigative tools, and may obtain information from many sources, including different companies, other governments, or from users’ devices. More information about how we work with law enforcement can be found here."

*************************

Can Facebook clarify what these limited categories of information are? While reading this article I had the following reaction - Facebook would like to prevent traceability to preserve user privacy. That makes complete sense. Oh wait - they say they do have means of helping law enforcement and governments, wait a minute, in a fully encrypted system end to end how are they able to help governments in emergencies at all?

So my question here is that in a hypothetical scenario where terrorists are using whatsapp to coordinate an evil plot, which to most people would fit a scenario where Facebook can and should help the government - what is it that Facebook can do to help a government?

The only way I can see them being able to help the government is if they have the ability to selectively turn off end to end encryption for specific numbers (probably based on a warrant from a court). Will Facebook confirm if this is the case?

[Ellipse0934]

> So my question here is that in a hypothetical scenario where terrorists are using whatsapp to coordinate an evil plot, which to most people would fit a scenario where Facebook can and should help the government - what is it that Facebook can do to help a government?

This logic has been used to justify mass-surveillance and degrade encryption for national security and "protecting the children" narrative. The problem is that governments also use this as a way to suppress civil liberties.

What if the government declares a journalist uncovering a multi-billion arms deal scam or some human-rights violations as a terrorist ? In the eyes of the law this qualifies the government to acquire private messages. Why should the government have this power ? The hardcore terrorists and journalists know about encryption and will setup their public keys for encrypted communication. It's the common man who is affected by such stupid legislation.

[jdlshore]

I think you've misunderstood the rhetorical device @dman is using. They're not saying Facebook should have the tools to help a government; they're asking what tools they have when they do want to help.

[vinay_ys]

Their argument is tracing persons vs tracing content.

If law enforcement comes with a warrant against a specific person of interest, then WhatsApp presumably has ways and means to pull all metadata associated with that person's account (which presumably includes all contacts, metadata about all messages sent/received - timestamp & other-party contact details, along with app metrics – IP addresses, mobile device/network information etc).

It would be same as a telephone network except for the actual content itself.

If they also have a way to eavesdrop on content by breaking end to end encryption (and users don't care when WhatsApp on their device says the other parties signature changed), there's that possibility that they could be under gag order to not acknowledge that.

[jorblumesea]

In intelligence, the metadata around the messages are sometimes more important than the contents itself. Parallel reconstruction is absolutely a tool and often law enforcement can get what they need through other means. It's just another puzzle piece in an investigation.

For example:

who talks to whom

when a user comes online, is most active, and general traffic analysis patterns

what groups a user might be present in and how active they are

what are the type of contents of a specific message (image, text, video)

As other users have noted as well, it's unclear as to the data sharing agreements these large companies have with various government agencies. For example if an agency has data access to messages DB, what does end to end matter? End to end encryption usually means un-snoopable data in transit, not data at rest.

[bidirectional]

Metadata I imagine? e.g. who is person X communicating with, when are they active, etc.

Could be extremely useful if you discover someone unreachable abroad is coordinating with people within your jurisdiction.

[542458]

I’d add account details (including profile pic), platforms being used, IP addresses, and linked accounts (including phone #) to that list. E2E protects your messages from interception, but literally everything else is fair game.

[Sleepytime]

"we kill people based on metadata"

https://www.youtube.com/watch?v=PxwEwwlDM8Q

[dman]

I wish Facebook was a lot more clear about what it shares and when. People need to be aware of what information exposure they have to digital platforms.

[ljm]

It sounds like fancy talk for "we don't share the content, we just share the metadata." Or in this case, "we encrypt the content, but we don't encrypt the metadata"

Of course, the metadata has always been more valuable than the exact content of your message, but it's always presented as a negligible detail.

[PoignardAzur]

> Of course, the metadata has always been more valuable than the exact content of your message

If you're doing something sensitive, like smuggling drugs or talking to NSA whistleblowers, the difference between metadata vs data is the difference between "the government is looking for an excuse to put you in jail" vs "the government gets a conviction".

[choeger]

I don't trust Facebook when it comes to messaging. But even if I did they could easily rollout a backdoor to a specific client. In the worst case, they need some help from google and apple.

[Cantinflas]

No need to break end to end encryption, they already control both ends. And the unencrypted backups

[swiley]

This is something people are just not talking about for some reason.

WhatsApp/signal style apps cannot be secure to this sort of attack. You would think now that a public mass attack has been successfully carried out (encrochat) people would get it. I don't know if it's submarine marketing or what but people think the current situation is just fine.

[kryogen1c]

> WhatsApp/signal style apps cannot be secure to this sort of attack.

isnt this not true?

e2e keys are not known to signal server like they are on whatsapp. also there are no serverside signal backups.

[joshuaissac]

> e2e keys are not known to signal server like they are on whatsapp. also there are no serverside signal backups.

E2E keys are not known to WhatsApp's servers, and there are no server-side WhatsApp backups, either.

[swiley]

Your contacts weren't known to the WhatsApp server, now they are. There's no reason the next automatic update for signal can't contain code to send your keys to the server, and it wouldn't be the first centralized E2EE app to do that.

[dman]

The backups are an interesting thing that you bring up. The cynic in me cant help thinking that even as companies posture about being pro privacy, they do design features in a way where they can subvert privacy with plausible deniability.

For instance the move away from screen passwords to biometric things like fingerprints had me thinking about the fact that from a police pov - if they have a suspect in custody, forcing the suspect to put their thumb on the phone is probably a lot easier than getting them to reveal their password.

Phrased another way, I find it hard to imagine that big companies are able to tell the state to take a hike and get away with it.

[tg180]

If you are thinking about a scenario like xkcd-538, it’s even worse.

Pass-codes and pass-phrases are protected under the 5th amendment, while biometrics are not.

The investigator will get a warrant for the biometric in question, refusing to comply is an offense.

[dman]

Which is why I have been very wary on why almost the entire industry has moved to biometrics. In a way its a cheap way of throwing the privacy gauntlet back to the user rather than standing up to governments.

[upofadown]

If they are claiming E2EE then they can't admit anything like this if they are to avoid having to produce message content to law enforcement. So for this debate it doesn't much matter if the E2EE is actually bogus.

[stormdennis]

Are you sure? You seem to be suggesting the Facebook could instruct whatsapp on my phone to snoop on my messages. Also my backups of Whatsapp are only on google drive as far as I know.

[smoldesu]

iMessage operates much on the same principals.

[Y_Y]

Is this a pun about "principal" referring to the person suspected of commuting a crime, or merely a Freudian typo?

[reaperducer]

Never ascribe to malice what is probably just stupid autocorrect.

[smoldesu]

I agree that this is pretty sketchy, but the US government has harassed Facebook time and memoriam. It doesn't come as any surprise to me that they're able to to use their leverage here to get user data the same way they get it from Google, Apple, and every other Top 500 company that incorporates in the United States.

[foolinaround]

there have been atleast 2 instances in the past few months where Indian govt agencies were able to release whatsapp messages of their opponents.

It is safe to say that if you are doing anything remotely of interest to the govt, you should not be using this tool.

[jace]

That happens by confiscating the phone. The US fifth amendment doesn't apply in India. Anything on a device isn't safe from a police search.

[foolinaround]

that is possible, but not what happened here.

the entities affected were powerful in their own right, just happened to be in the opposition to the central govt in one case, and in another, a top media personality in opposition to Mumbai's state govt/police machinery.