by clawoo 856 days ago
One needs to ask themselves, what is more likely?

1. The /feds/ broke Snapchat's end to end encryption and they're monitoring for all traffic with designated stopwords, or...

2. One of his friends reported him, one way or another, or...

3. Snapchat's end to end encryption is... not. I can't find any definitive statement that the chat messages themselves are E2EE, only that photos and videos are encrypted and the key is exchanged between users[1]. This means that Snapchat can monitor for text messages or decrypt uploaded attachments when necessary, since they have access to the message that contains the key for the attachment.

Most likely Snapchat's E2EE is just a facade, they probably have a dictionary of "funny" words on the device (and/or the server) and automatically flag the message in the internal systems when certain stopwords are being used.

[1] https://nordvpn.com/blog/is-snapchat-safe/


https://values.snap.com/privacy/privacy-by-product

Snap doesn't mention encryption in regards to chat, only in "my memories"

I think there's arguably several things going on in reality.

I don't think anyone has "broken" proper encryption that any major service is using, but I believe there is proof that the encryption is being bypassed in one of multiple ways.

One way could be through things like Pegasus, the Israeli spyware that can be silently installed on mobile phones. How this gets onto the device in the first place is not disclosed, but with the major app stores already having the capability to remotely install apps without your permission, this is obviously a very easy way to do it.

There have also been leaked US government documents stating that they have systems in place to monitor unencrypted messages from major proprietary apps like Facebook, WhatsApp, Instagram etc. I think any time you don't have the source code to at least the client program, there's no guarantee it's properly encrypting things in the first place.

Also it's possible that WhatsApp and similar programs are simply compromised by design, to where even though messages DO use E2EE, the client program itself could still be intercepting the messages secretly BEFORE they're encrypted and then doing who knows what with them. Without the source it's hard to know.

And with UK being part of Five Eyes I don't doubt at least some of this tech is shared with them.

> Most likely Snapchat's E2EE is just a facade, they probably have a dictionary of "funny" words on the device (and/or the server) and automatically flag the message in the internal systems when certain stopwords are being used.

On device content scanning notifies Snapchat of a certain type of threat, that + metadata goes to a real-time law-enforcement system which combines it with other sources to decide whether a lawful intercept is warranted - if so, Snapchat pulls the cached messages off the device and forwards them on.

It’s arguable that would be reasonable and legal, depending on the watchlist.

On device scanning would be reasonable? What happened when everybody was up in arms about Apple wanting to do on device scanning for child porn?

Well - it’s reasonable for a government to seek to stop absolute privacy subverting the prevention and detection of crime … I think, so a state has to find some way to be able to construct reasonable suspicion and then lawful search on routine internet activity. (Opinions vary, obviously)

The almost real-time response is what makes it really hard to believe it was in response to some list of codewords that probably get mentioned in messages many thousands of times per day. (and which, as far as we know, has never triggered a response like this previously.) Someone shoulder surfing or a friend freaking out and calling see something/say something seems much more likely IMO.

Group chats generally don’t have E2EE. Most apps provide that only for one-to-one conversations. Group E2E encryption is a difficult problem.

I think signal/OTR has e2ee support for pretty large groups.

The kid was using airport wifi for this right? I'd guess public airport wifi installs some backdoored SSL cert and is generally monitored (and you probably agree to this ToS when you use it) - you may even agree to not make jokes about planes - I wouldn't be surprised.

WhatsApp and Signal have had end-to-end encryption for group chats for a very long time.

You're not wrong.

I've implemented E2EE in group chats using Olm/Megolm and it's not easy to scale and comes with a ton of limitations.

If I was running Snapchat, I wouldn't see the point in dedicating that many resources and infrastructure to it.

> Group E2E encryption is a difficult problem.

Not if it was architected properly from the beginning.

Nah the best you could do for a long while was just to have n^2 bilateral encryption sessions that behave like a group channel. Only fairly recently was a workable construction for doing many-party encryption sessions actually developed, called TreeKEM, and is now standardized in the IETF MLS standard. This is literally bleeding edge cryptography.

It's an extremely flexible design and has relatively few constraints in how it can be used in a larger system, but it's just extremely new.

The ART construction existed a few years earlier than TreeKEM but that's a weaker design with more restrictions so it wasn't adopted very widely afaik.

When talking about recent, you're talking about 6 years ago right?

Has it been 6 years already? I must be getting old.

> Nah the best you could do for a long while was just to have n^2 bilateral encryption sessions that behave like a group channel.

What? We could do better than that before we had group chats. PGP will let you send encrypted email to multiple recipients, and multiple simultaneous bilateral encryption sessions are not involved.

The system is:

1. You encrypt the message using a symmetric encryption key.

2. You encrypt the key, which is short, once for every recipient.

3. You prepend the whole bundle of encrypted keys to the message.

4. You send that out. Everyone receives the same encrypted data. This is what would appear in a group channel.

5. When you receive a message, you try to decrypt it. If decrypting the header doesn't produce a key for you, then you're not one of the recipients.

Even if you want to analyze this as a set of bilateral sessions, the storage and computation requirements are linear, not quadratic: when I send a shared message to Alice and Bob, I need to know how I send messages to Alice, and I need to know how I send messages to Bob, but I don't care how Alice sends messages to Bob.
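
The five steps in the comment above, sketched as an added example that is not part of the thread or of any PGP implementation: one random session key encrypts the message, and that key is wrapped once per recipient, so the header grows linearly with the group. To run on the standard library alone it substitutes stand-ins, all assumptions of this example: a toy Diffie-Hellman group (`P`, `G`) for the public-key step and a SHA-256 keystream with HMAC for the symmetric step; real deployments use a vetted OpenPGP or AEAD library.

```python
import hashlib, hmac, secrets

# Assumed demo parameters: a toy Diffie-Hellman group, not a vetted one.
P, G = 2**521 - 1, 3

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def kdf(shared):
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def stream_xor(key, data):
    # Stand-in stream cipher: SHA-256 in counter mode, XORed with the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(b"enc" + key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def tag(key, data):
    return hmac.new(key, b"mac" + data, hashlib.sha256).digest()

def encrypt(message, recipient_pubs):
    session_key = secrets.token_bytes(32)           # step 1: symmetric key
    eph_priv, eph_pub = keygen()
    header = []
    for pub in recipient_pubs:                      # step 2: one wrap per recipient
        kek = kdf(pow(pub, eph_priv, P))
        wrapped = stream_xor(kek, session_key)
        header.append((wrapped, tag(kek, wrapped)))
    body = stream_xor(session_key, message)
    # Steps 3-4: header and body travel together; every member gets the same bundle.
    return {"eph_pub": eph_pub, "header": header,
            "body": body, "mac": tag(session_key, body)}

def decrypt(bundle, priv):
    kek = kdf(pow(bundle["eph_pub"], priv, P))
    for wrapped, t in bundle["header"]:             # step 5: try each header entry
        if hmac.compare_digest(t, tag(kek, wrapped)):
            session_key = stream_xor(kek, wrapped)
            if not hmac.compare_digest(bundle["mac"], tag(session_key, bundle["body"])):
                raise ValueError("body failed authentication")
            return stream_xor(session_key, bundle["body"])
    return None                                     # no entry opens: not a recipient
```

Nothing here rotates keys between messages, so a leaked long-term private key opens every past bundle addressed to it.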

PGP is poorly suited for live conversations with rotating members like this since it doesn't support post-compromise security or perfect forward secrecy (not in-protocol, at least), which most people would expect from an E2EE chat protocol. I was speaking of protocols that did have these properties.

TreeKEM also manages sublinear communication, constant per message (since there's a shared secret already used for the ratchet) and log n for key updates or group membership changes.

The concept of encryption is poorly suited for live conversations with rotating members. If you don't know who you're talking to, there's no point in encrypting your message.

> I was speaking of protocols that did have these properties.

The method PGP uses to encrypt messages to multiple recipients will still work for whatever protocol you have in mind. Why is your dislike for PGP relevant?

> Most likely Snapchat's E2EE is just a facade, they probably have a dictionary of "funny" words on the device (and/or the server) and automatically flag the message in the internal systems when certain stopwords are being used.

Reminds me of whenever I used to phone a friend during my teenage years I would always start with "BOMB QUEEN, BOMB QUEEN."

2. ... friends of friends, or somebody posted his "joke" to a platform which GCHQ does real-time monitoring of, or ...

4. Compromised endpoint(s).

(I also somewhat favor your #3.)

Yes, such as keyboard apps.