[meiraleal]

Easy to say, very difficult to implement it right (and implementing it not right is diffcult AND useless). Also, let's be clear here, whatsapp E2EE is a joke.

[ylk]

> whatsapp E2EE is a joke

Could you please elaborate why (in detail)?

[jusepal]

My guess is since its closed source, no one beside them can verify that the supposedly e2e is even true, or exist in current latest binary. Sort of telling everyone that I've got a mountain of gold inside my house but the door is locked, no one beside me could verify my claim. Security and/or privacy via obscurity is moot.

[ylk]

You can always go ahead and decompile the apps and then show everyone that they’re in fact lying, that story would be huge. That alone doesn’t make it true, but there have so far not been hints of them pulling weird stuff with their e2ee, unlike telegram, for example. They’re even working on improving the default mode 99% of users use e2ee chat apps with - trust on first use (TOFU): https://engineering.fb.com/2023/04/13/security/whatsapp-key-...

They probably do all kinds of horrible stuff with the metadata. I’m honestly too lazy to read the privacy policy. But I have yet to see critique of their e2ee that’s actually backed up by substance instead of people’s imaginations.

[jusepal]

If debunking security and/or privacy claims, and indirectly, to prove security and/or privacy claims is as simple as reverse engineering binaries then the very concept of open source for better privacy and/or security itself would be moot. Its outrageous to even suggest that.

[ylk]

It’s certainly not outrageous. It’s how people regularly find vulnerabilities in all kinds of closed-source software.

[jusepal]

It certainly is for proving privacy claims. Even finding vulnerability by reverse engineering is to debunk security claims, not to strengthening it.

[meiraleal]

They also handle and store users backup unencrypted by default so they have access to all messages in plaintext in multiple opportunities.

[ylk]

Meta has access to the backups that are stored on each individual’s Google Drive/iCloud? How does that work exactly? Please elaborate.

[meiraleal]

> Meta has access to the backups that are stored on each individual’s Google Drive/iCloud?

Why the surprise?

Meta has access to the folder it manages in the user's Google Drive. That's obvious, otherwise they wouldn't be able to write to it.

[ylk]

The app uses the (i)phone OS’s cloud storage APIs to write to the backup folder, meta’s servers don’t have access to any credentials. For Android I currently can’t check, but it’s obvious from their FAQs that they have the app upload to Google‘s servers even if they don’t use the OS APIs there: https://faq.whatsapp.com/481135090640375/?cms_platform=andro...

They have indirect control over the user’s backup folder via the app, but meta would need to distribute a malicious update to everyone that causes the user’s apps to download the backup and send it to meta, at which point they could just skip trying to access the backup and directly upload the chats from the app.

It’s impressive how much misinfo you’re spreading.

Edit: Meta’s actions over the years clearly show that they don’t want to know the contents of your messages. Not knowing their contents means, for example, that they don’t have to run scanners to detect illegal content (but users can report messages). They benefit from making WhatsApp a secure platform, as it allows them to collect everyone’s metadata, which apparently has lots of value to them.

[grvdrm]

Yes - I would love that too. Please back that up?