[snowmobile]

Sorry to be "that guy", because I don't know the details of how WhatsApp does E2EE, but in any proper (as in secure and private) implementation the only thing that should matter is whether the client follows the spec? You might as well ask, how does $browser work with HTTPS?

[palata]

The only thing that matter is whether you trust the app or not.

- If it is proprietary, you just have to blindly trust it (as is the case with WhatsApp currently: they say it is end-to-end encrypted, but you can't verify).

- If it is open source, then some people will want to understand how it works before they trust it. Other will either blindly trust (like for proprietary software) or trust that persons they trust understood how it works and were convinced.

> You might as well ask, how does $browser work with HTTPS?

Well, exactly. I am interested in how the WhatsApp interop works just as I am interested in how HTTPS works.

[skippyboxedhero]

I think the suspicion is based on this app being offered in a region whose government is hostile to privacy and this implementation being connected with the strong nativist bent in Europe.

The "spec" is not relevant in any way because we have no idea what else is going on. Why was it relevant that these operators must specifically be in the EU? Everyone is just complying with the global spec...but the app provider must be in Europe...okay.

[jeroenhd]

> Why was it relevant that these operators must specifically be in the EU

The integration is only possible because the EU forced Meta's hand. The law only applies to massive digital empires with gatekeeper levels of control.

I don't think the EU would mind at all if Meta would permit American companies to interoperate with them. Meta won't just permit it, they have to protect their WhatsApp Business money machine of course.

That's also why the feature is only available to EU numbers. Not because BirdyChat hates Australians, but because WhatsApp won't permit them to send messages to numbers from those countries.

[oblio]

> region whose government is hostile to privacy

Which government?

[skippyboxedhero]

EU. I don't think it is any better at the national level however.

[oblio]

The EU is not a government. It's a loose economic confederation. And national European governments vary wildly in their positions on this.

[skippyboxedhero]

It isn't an "economic confederation". It has a parliament, an executive, a judiciary, and a civil service. I would read the wiki page on the European Union.

[oblio]

The EU parliament can't propose laws, unlike any parliament in the world.

The executive is formed out of national government heads of state, which can veto everything.

Its judiciary and actually all 3 branches are strictly limited in their powers to powers delegated to them (which are weaker than the US Articles of Confederation).

The civil service is covered by the comments above.

In technical terms it is a government, in real life is is strictly limited, albeit growing. No country could operate with the "government" the EU has. France has several million government employees for about 70 million people while the EU has at most 50 000 workers for 450 million citizens).

This is a very complicated topic and I don't really apreciate the condescension inherent in sending me to Wikipedia.

[snowmobile]

Call it what you want but the fact remains that they can write a lot of laws the member countries must follow, for better or worse. GDPR, Chat Control, etc.

[TZubiri]

I can confirm that you don't know.

I can count 3 mistakes here:

1- The client isn't the only thing that matters (There's servers)

2- The client doesn't follow a spec in WhatsApp, there is no spec as it's a private non-interoperable system.

3- Browsers and HTTPS work with an entirely different encryption model, TLS is asymmetric, certificate based and domain based. TLS may be used in Whatsapp to some extent, but it's not the main encryption tool.

[snowmobile]

Wrong, wrong and wrong. If an app does real E2EE (not "marketing E2EE"), then the servers should have no control over the encryption. Otherwise it's not end-to-end, by definition. Regarding the "private non-interoperable system", the whole point of TFA is that EU made them open it up. See https://engineering.fb.com/2024/03/06/security/whatsapp-mess... Your last "point" is irrelevant because I never claimed anything about the similarity between encryption models. Have you ever heard of a "simile"?

[odo1242]

Well, yes. But one could think of a world in which WhatsApp has its own internal protocol and to bolt on third-party support they just decide to represent third party clients as “virtual clients” on the server side, which would be the easiest way to make it work while not having E2EE support. Especially since the feature only exists for legal compliance purposes.

(This is not the case, apparently.)

[Trufa]

That's not what OP is asking, he's asking how do you have two separate e2e encrypted apps that can interact.

[snowmobile]

By following the same protocol... This has been done for ages. PGP and GPG for example.

[odo1242]

Yep. And apparently the answer is they both use the Signal Protocol.