[avallach]

Isn't this actually improving safety by openly admitting how things always were in practice?

Any e2e encryption provided by the same entity who fully controls both the blackbox clients, and the server in between, is just a security theatre that they can selectively bypass anytime with very little risk of detection. Not really much better than simple client to server encryption.

Truly safe e2e requires open source client provided by a trusted entity who is as much as possible independent from the one who provides the untrusted transport layer. Eg how pgp email works.

[john_strinlai]

one thing to consider is how just the optics of major players using e2e was an overall benefit.

people who otherwise would have gone their entire lives without ever hearing about encryption were exposed to the term and the marketing convinced them that encryption and privacy was a valuable thing, even if they didnt fully understand the mechanisms or why e2e might not necessarily be very effective in specific circumstances.

later, when presented between option a and option b, where one has encryption and the other doesnt, they are more likely to choose the one with it ("well, if instagram and facebook use it and say it is good...")

[GoblinSlayer]

And Big Brother realized this optics was a mistake.

[gzread]

If someone's given the choice between say Instagram and IRC, and chooses Instagram because they heard it has E2EE, that's a loss.

[john_strinlai]

perfect is the enemy of good, etc etc.

between signal and plain text, it is easier to convince friends to use signal if they see positive marketing about encryption on other popular apps they use. it is easier to convince them to encrypt their backups before uploading them to their google drive. hell, its just a good conversation starter to introduce encryption/online privacy to people that never really think about it. that type of thing.

those same friends are not going to use irc regardless. not really a loss if it was never even on the table.

[iamthejuan]

This happened to my girlfriend and me twice on Messenger. On two consecutive nights, we heard a male voice with an American accent speaking as if he were talking to someone else, almost like they were conducting some kind of operation. It seemed as though he suddenly realized that we could hear him, after which the voice abruptly disappeared. The following night, it happened again, but this time the voice sounded like that of an African American woman. The situation was similar to the previous night. From that night, we have not used it to communicate and used Signal instead.

[browsingonly]

I work on products that feature live monitoring capabilities. There's no connection to the monitoring side's microphone (or camera) — why would there be? I'm not sure why there would be for their products.

Whatever the cause, it sure sounds like it was a strange and unnerving experience.

[exe34]

did you check your carbon monoxide alarm batteries?

[RobRivera]

I understand this reference.

[prox]

You mean like a voicecall on Messenger? That is creepy.

[XorNot]

One time when I was in Hawaii I could swear there was a club playing dance music quite loudly somewhere a few blocks over: there was that muffled quality to it where I kept trying to pick out the song from inside my Airbnb.

Walking outside (after asking my wife if she could hear it): silence. Trees rustling, normal noises.

It was background noise. But inside the apartment that combination of different sounds was just right that it sounded like muffled music to me - but hence why I couldn't identify it, whatever was there was just me thinking I was hearing things.

Draw ones own conclusions about the relative technical plausibility of the events described by the OP (how would digital packet based audio experience a glitch which is structured as though you'd tuned into another analog radio station? It wouldn't: that doesn't happen and it isn't even a failure mode).

[root_axis]

What do you imagine was going on here?

[mnahkies]

I don't disagree, but I think there is a distinction between "everything is e2ee, but specific conversations may be MiTM without detection" and "nothing is e2ee and can be retrospectively inspected at will" that goes a little beyond security theatre - makes it more analogous to old fashioned wiretaps in my mind.

Obviously it involves trust that it isn't actually "we say it's e2ee but actually we also MiTM every conversation"

[londons_explore]

Even with closed source clients, MitMing every conversation would likely be detected by some academic soon enough - various people take memory dumps of clients etc and someone would flag it up soon enough.

[chis]

E2E encryption lets Meta turn down government subpoenas because they can say they truly don't have access to the unencrypted data.

I can't say I really mind this change by Meta that much overall though. Anyone who's serious about privacy probably knew better than to pick "Instagram chat" as their secure channel. And on the other hand having the chats available helps protect minors.

[dgrin91]

One of the scary things is that not even this really works. Ignoring supply chain attacks, most people treat any client as effectively black box. When was the last time you read through the code of a messaging app? How do you know its safe? Maybe _you_ read through it, but 99% of people don't.

[londons_explore]

And even if you did read through every line of code, it is super easy to hide a deliberate bug which entirely breaks encryption.

Eg. The Debian random number generator bug.

[dhblumenfeld1]

wouldn't signal fall under this category (same entity control the client and server in between) but they have no way of peaking inside any envelopes?

[hsbauauvhabzb]

Every e2e solution relies on trusting the application/tooling/crypto used. Open source is better than nothing, but is not a silver bullet for trust.

[Synaesthesia]

It's all about trust at the end of the day. And given that it was exposed that Apple, Microsoft, Meta, Google etc all collaborated with the US government to provide surveillance (PRISM) by Edward Snowden, how we can trust them ever again?

[fragmede]

Did they collaborate? Google freaked out when Snowden revealed what the NSA was doing.

[Synaesthesia]

They definitely did collaborate with the NSA.

[JasonADrury]

>Any e2e encryption provided by the same entity who fully controls both the blackbox clients, and the server in between, is just a security theatre that they can selectively bypass anytime with very little risk of detection. Not really much better than simple client to server encryption.

You are no more capable of spotting a deliberately concealed backdoor in a binary than in source code, there's simply no meaningful difference.

[slim]

the purpose of this move is to feed your private conversations to ai