Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Facebook Encryption Government Privacy The Media

Did WhatsApp Backdoor Rumor Come From 'Unanswered Questions ' and 'Leap of Faith' For Closed-Source Encryption Products? (forbes.com) 105

On Friday technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, who Facebook hired last December from the EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."

Schneier has also added the words "This story is wrong" to his original blog post. "The only source for that post was a Forbes essay by Kalev Leetaru, which links to a previous Forbes essay by him, which links to a video presentation from a Facebook developers conference." But that Forbes contributor has also responded, saying that he'd first asked Facebook three times about when they'd deploy the backdoor in WhatsApp -- and never received a response.

Asked again on July 25th the company's plans for "moderating end to end encrypted conversations such as WhatsApp by using on device algorithms," a company spokesperson did not dispute the statement, instead pointing to Zuckerberg's blog post calling for precisely such filtering in its end-to-end encrypted products including WhatsApp [apparently this blog post], but declined to comment when asked for more detail about precisely when such an integration might happen... [T]here are myriad unanswered questions, with the company declining to answer any of the questions posed to it regarding why it is investing in building a technology that appears to serve little purpose outside filtering end-to-end encrypted communications and which so precisely matches Zuckerberg's call. Moreover, beyond its F8 presentation, given Zuckerberg's call for filtering of its end-to-end encrypted products, how does the company plan on accomplishing this apparent contradiction with the very meaning of end-to-end encryption?

The company's lack of transparency and unwillingness to answer even the most basic questions about how it plans to balance the protections of end-to-end encryption in its products including WhatsApp with the need to eliminate illegal content reminds us the giant leap of faith we take when we use closed encryption products whose source we cannot review... Governments are increasingly demanding some kind of compromise regarding end-to-end encryption that would permit them to prevent such tools from being used to conduct illegal activity. What would happen if WhatsApp were to receive a lawful court order from a government instructing it to insert such content moderation within the WhatsApp client and provide real-time notification to the government of posts that match the filter, along with a copy of the offending content?

Asked about this scenario, Carl Woog, Director of Communications for WhatsApp, stated that he was not aware of any such cases to date and noted that "we've repeatedly defended end-to-end encryption before the courts, most notably in Brazil." When it was noted that the Brazilian case involved the encryption itself, rather than a court order to install a real-time filter and bypass directly within the client before and after the encryption process at national scale, which would preserve the encryption, Woog initially said he would look into providing a response, but ultimately did not respond.

Given Zuckerberg's call for moderation of the company's end-to-end encryption products and given that Facebook's on-device content moderation appears to answer directly to this call, Woog was asked whether its on-device moderation might be applied in future to its other end-to-end encrypted products rather than WhatsApp. After initially saying he would look into providing a response, Woog ultimately did not respond.

Here's the exact words from Zuckerberg's March blog post. It said Facebook is "working to improve our ability to identify and stop bad actors across our apps by detecting patterns of activity or through other means, even when we can't see the content of the messages, and we will continue to invest in this work. "
This discussion has been archived. No new comments can be posted.

Did WhatsApp Backdoor Rumor Come From 'Unanswered Questions ' and 'Leap of Faith' For Closed-Source Encryption Products?

Comments Filter:
  • your fears are unfounded, citizen, just carry as you have been, you have nothing to be afraid of. we, your benevolent protectors, only have your best interests at heart. no need to worry. everything is as it should be.
    • You can always trust spokesmen from the Ministry of Truth. Because Big Brother loves us all.

    • Trust the Computer. The Computer is your friend!
  • Just name some alternatives for us to use that can't be pried open by the courts.

    • by Teun ( 17872 )
      Signal.org
      • Signal uses your phone number for login. No one outside the gestapo likes or wants that anti-feature. It exists for one and only one reason: to enable real-ID for all users. The whole point of real-ID being to snoop the users and expose them to persecution should the gestapo so desire.

        Ergo I do not trust Signal nor believe their claims of superior privacy.

        A somewhat shady character I know tells me that "all real criminals use Line", the Korean-owned messenger app. According to him Line uses old school usern

        • by Teun ( 17872 )
          Which I find a minor issue.
          Because I have a reasonable expectancy of this platform not 'sharing' the connections made with Big Brother.
          The encryption used to keep content private is among the best available.
          • It's not "a minor issue" for subscribers to voice-only phone service. Many services that use a phone number for user identification or wannabe 2-factor authentication require specifically an SMS number, not a voice number. This shuts out users of land lines and the "wireless home phone" service offered by AT&T and Verizon, which are voice-only.

            • by Teun ( 17872 )
              Who are not the typical people using or even needing this type of security.
        • So, 2FA = "gestapo" "real-ID"?
          • by tepples ( 727027 )

            Two-factor authentication using a TOTP application and printed backup codes is not "secret police real ID." Nor is two-factor authentication using a FIDO U2F dongle and printed backup codes. In addition, for users on basic phone plans with limited number of SMS messages per month, TOTP and U2F don't contribute to exhaustion of the cellular subscription's monthly SMS quota.

            However, particularly parano^W careful users may want to enable black-and-white output so that the printer doesn't spray identifying yell [wikipedia.org]

        • According to him Line uses old school username/password for authentication, which is a good sign.
          On the desktop, yes.To create an account you need a phone or tablet: with a phone number.

          • It seems you are correct - I just downloaded the app and checked. So Line is snooped, too.

            It may well be the case that distributing a non-snooped messenger app is illegal. Most likely illegal under a secret law, or under a secret implementing regulation of a nominally public law.

            • Well, you simply ask s friend to install it for you on his device. Then with his help you install it on a tablet and computer. Of course, after he has deleted his app, he could reinstall it ... so get a throw away sim and do it yourself.

    • by gweihir ( 88907 )

      PGP/GnuPG encrypted email. If you manage to invest a few hours into the documentation.

  • by fluffernutter ( 1411889 ) on Sunday August 04, 2019 @12:45AM (#59036868)
    Downmod me to oblivion if you want.. can someone please explain this to me? Does WhatsApp do anything different than Skype does?
    • Re:bad juju (Score:5, Informative)

      by pegdhcp ( 1158827 ) on Sunday August 04, 2019 @01:07AM (#59036900)
      Yes, they do. WhatsApp had three root design parameters those were different than Skype and all other messaging platforms:
      • It was bound to a Phone Number
      • It was encrypted site to site
      • It was paid, so no advertisements

      Facebook after their share purchase, is in the process of removing all these features from WhatsApp. So you do not need to be downvoted to oblivion but need to learn to research and remember, preferably some thinking would also be useful.

      Skype had no such features/promises so not providing those would not be a problem. However with WhatsApp the promise was basically a paid, hassle free, secure and reliable alternative to SMS, and VoIP later on, services. These days I would very much like to use Skype, and waiting for a very big scandal with WhatsApp in order to see an increase in Skype penetration again. MS' reputation is far more better than Facebook's, and that is something you do not see or hear very often here in /. about MS.

      • You know what, I did research. I asked a 15 year old girl that I trust if she used WhatsApp and she said NO, so NAH!

        But seriously, you said that in kind of a dickish way. I'm not going to apologize for not knowing about an app used by children. Let's move on.

        If Facebook is, in fact, removing the aspects of WhatsApp that made it a distinct service, than that is the worst move ever. Especially considering their already shitty reputation and the growing momentum of people realizing how important priva
        • Re:bad juju (Score:5, Informative)

          by pegdhcp ( 1158827 ) on Sunday August 04, 2019 @02:18AM (#59036968)
          You do not seem to be neither new, nor dormant, so forgetting the "dickishness" standards of /. on your part is inexplicable on my part, but frankly I do not care so much, it is a problem between you and any professional support specialist you are using services of.

          If you can bother to check following URLs in your research in order to reduce your ignorance, your would see that WhatsApp has a serious user base, especially in countries with oppressive governments or countries with populations valuing their privacy (https://www.messengerpeople.com/global-messenger-usage-statistics/) (https://www.statista.com/statistics/291540/mobile-internet-user-whatsapp/)

          Claiming WhatsApp being used by children however is more harmful, than being just idiotic, because you are normalising the degeneration of a tool used by people with actual concerns about privacy. I do not know which country you are from but WhatsApp is being used by more people than actual phone users in your country.

        • In Europe WA is very popular. And childs don't use it because they use the Instagram or Twitter related apps.

        • I'm not going to apologize for not knowing about an app used by children.

          You're an idiot. Not for not knowing what apps children use, but for your assumption that the app is used by children as an excuse for your ignorance.

          WhatsApp is the *only* messaging platform in many parts of the world. Large parts of Europe and South America use SMS for 2FA codes, and alerts from governments only. WhatsApp has some 30 billion messages sent every day.

          While you're "thinking about children" (you disgust me) I use my banking app's integrated whatsapp features to split bills and track who has p

          • Ok whatever. I'm supposed to install every app under the sun out of pure curiosity. No wonder so many people get viruses. I will have nothing to do with Facebook.
          • One more thing. I certainly can't respect a person who trusts Facebook with access to their banking.
      • by Teun ( 17872 )
        The pre-MS Skype used a peer to peer and client server system with much less chance of big brother type spying.
        • I think you are right, Skype was not "bad" to begin with, it is not bad per se even now. My problem with WhatsApp is that, they (FB) are destroying their main premise about ability to reliably identify your correspondent by using their phone number and communicate with them securely.

          For the Skype, I have three problems (client performance, network performance and recently market penetration), none of which are directly related to privacy. I am/was not very concerned about privacy related to communications

          • by DrYak ( 748999 ) on Sunday August 04, 2019 @06:21AM (#59037384) Homepage

            Again, back before Microsoft acquisition, back when it was designed by former Kazaa devs, Skype was designed to be peer-to-peer.

            The devs were thinking basically: we have a cool peer-to-peer NAT traversal tech that does not require any central server (in the case of Kazaa's filesharing: for obvious reasons), what else can we apply it to?
            And VoIP/chat came as an obvious idea. Standards at the time (and some still used today) such as H323 and SIP relied on computer being directly accessible and connectable on the network, thus couldn't be reliably used by home users in their desktops, only in corporate settings.
            The Fastrack protocol developed for Kazaa already solves this problem.

            So Skype was exclusively peer to peer, with some coordination provided by a few nodes autopromoted to super-peer status. No need for any server owned by Skype. Thus also no way for Skype to even know who is calling whom as they don't ever see this information (only some random peer on the network who serves as super peer could see it occasionally ).

            Skype had some form of privacy, mostly of the metadata type, simply due to its architecure that the FastTrack protocol inherited from its Kazaa filesharing origins.

            (regarding encryption: it wasn't as good, due to bad RC4).

            When Microsoft arrived, they threw all this through the window and evolved it into a classical server/client topology.

            All the initial promises of a decentralized topology were lost in the Microsoft acquisition, just like eventually one day Facebook is going to kill the end-to-end encryption in WhatsApp.

            • Thanks, this is an interesting take. I seem to remember excuse MS used was the inefficiencies and security issues with Kazaa, which I assume would be easier to improve without a complete re-write. I am not sure, but wasn't it the time they were trying to market Azure and its (non existent back then) ecosystem as the next big thing?

              As mentioned in my other post below somewhere, I am not claiming MS's history is as clean as a milk white sheet and it is safer to assume if they saw any profit potential it is/

            • When Microsoft arrived, they threw all this through the window and evolved it into a classical server/client topology.

              Actually no. Well yes, but not quite. Your timeline is wrong. The client/server topology came *before* the Microsoft acquisition and was the natural result of NAT breaking the peer to peer concept.

              Before Microsoft came along and actually put some proper bandwidth behind the client/server topology you could actually tell whether you were peer-to-peer connected or client/server connected based poorly on the massive downgrade of video quality the latter incurred.

              • Nope.

                The whole raison d'etre for the Fasttrack protocol was to handle NAT.
                initially for Kazaa and then for Skype.

                NAT users were accounted for from the beginning (and explains the rise of popularity of Kazaa and Skype among home users).

                It does *NOT* rely on servers (which would be central and owned by the company), but on "super-peers" nodes on the network which get the status because they fulfil a bunch of criteria (mostly, their are net-accessible (= public IP), have plenty of bandwidth, and are up for lon

      • MS' reputation is far more better than Facebook's, and that is something you do not see or hear very often here in /. about MS.

        You mean the same Microsoft who - after they acquired Skype - ripped appart the peer-to-peer topology it was built upon (inherited from the FastTrack protocol that was initially designed for Kazaa filesharing - obviously designed on purpose without a central point of failure), and rebuilt it as a client-server topology ?

        Yeah, sure, totally trust worthy...

        • I guess it is difficult to READ on Sundays. I wrote and you quoted

          MS' reputation is far more better than Facebook's

          Does that expression contain anything like "totally trust worthy" or even "trust". If in your inner grading "trust worthy" is just above whatever the level you see Facebook at, that is the problem. I know pimps and government officers who are above Facebook's level, which does not mean they are trust worthy.

        • False. The client-server topology for Skype was built *before* Microsoft acquired Skype. It was the natural result of NAT constantly causing Skype connections to fail.

          Microsoft simply threw more bandwidth at the client-server topology and once it stopped incurring the massive quality hit that it did (before the acquisition) they phased out peer to peer communications.

      • Skype was only any good when it still was owned by skype.
        The first buydr ruined it, and now under the control of MS it is barely useable.
        At least phone and video calls still work.

    • WhatsApp encrypts it at the client, and decrypts it at the other client. I have no idea what Skype does.
      • by DrYak ( 748999 )

        Eons ago, Skype was peer-to-peer, (it was purposefully built on the FastTrack protocol that was used on the Kazaa filesharing network).

        Back then it wouldn't be anything other than end-to-end, because there was no other machines involved than the two end nodes (with occasional exception of super-nodes, but those only help NAT traversal and traffic redirect, they don't take part in the channel encryption).

        The problems that Skype faced wasn't due to the non "end-to-end"-ness of the encryption, but because the

        • but it wouldn't surprise me if they changed the encryption to a server-to-client model too...

          (My logic being that Microsoft has made a WebApp version - web.skype.com (Note: change your User-Agent to Chrome during log-in if you're on FireFox) - and in my experience at least on Android and Linux the official client is the web site repackaged as an App. Using electron if memory serves right. Client-server encryption would make sense in this context)

    • Bear in mind that WhatsApp was, quite literally, nothing more than a basic XMPP/Jabber client like a hundred others (they have since moved to a more proprietary protocol). But they were one of the firsts to use the genius (from the ease of use perspective) idea of using the phone number as the username, and not using a password. This allowed them to also check your address book to see which of your contacts also has WhatsApp installed.
      All of this lead to an incredibly simple set up experience, which led to
  • With Facebook's history of deceit, lies, and doublespeak ("we don't sell user data" - they instead "shared" it with paying advertisers) and overall sleaziness (Zuckerberg brazingly lying to Congress, according to former insiders), it will take many years, and probably third party audits, to convince us that they've matured and grown to be honest. Only time will tell, no matter what people there say today.
    • by gweihir ( 88907 )

      You think they can be redeemed? I doubt that very much. What will probably happen that over time people will get used to being spied on (only "criminals" need to fear that, right?) and things will get progressively worse. At some time, after the end-state of full-blown fascism this inevitable devolves to, has completely ruined the economy (as it always does), things will eventually collapse, and after that individual freedoms may have worth for a century or so. Then the same stupidity starts again if curren

  • by h33t l4x0r ( 4107715 ) on Sunday August 04, 2019 @01:02AM (#59036890)
    Your historical reputation becomes worth exactly diddly squat.
    • by AmiMoJo ( 196126 )

      Who are you talking about? Bruce Schneier does not work for Facebook.

      • His pal does though.
        I want to give him the benefit of the doubt, but if he takes a job with them in the not-so-distant future, let's just say I won't be surprised.
        • by AmiMoJo ( 196126 )

          Guilt by association?

          • I'm just saying that FB seems to be interested in acquiring "historical reputation" so maybe let's be extra vigilant.
            • by AmiMoJo ( 196126 )

              Fair enough, although usually Facebook hires people with shit reputations like Nick Clegg, because people with integrity won't push their BS.

              • But when they hire the face of their "Gee whiz, mister, we would never do anything like that!" team, they might need to write a dirtier playbook than usual.
              • by Anonymous Coward

                I met Bruce back at MIT. And I've met hime a few times since, when he presented details of how Kerberos works to a Harvard sys-admin group, and some old fraternity brothers of mine involved in creating Kerberos have worked directly directly with him at MIT's Project Athena. I think he does his due diligence on security claims. I take his opinions pretty seriously.

  • by Anonymous Coward

    Bruce's comments remain spot on, but the AG Mr Barr has lower standards.
    First off compliance with the law IS compulsory if secret letters served. Some other highly respected message services closed down altogether - read into that what you may.
    Secondly you can record encrypted conversations and decode later - perhaps you have a list of IP addresses or TOR nodes, and mine the routing information with the aim of installing law enforcement malware. Then you might recover the likely keys - because keyloggers a

  • by lkcl ( 517947 ) <lkcl@lkcl.net> on Sunday August 04, 2019 @01:33AM (#59036924) Homepage

    "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."

    .... yet.

    (1) we've seen this before, countless times, with "freeware" that "promised" never to put spyware or adware into their "free" products. they get bought out... next upgrade... crapware / spyware / adware.

    (2) only last week there was some idiot politician demanding that "the days of encryption are over" and that products must start bypassing strong encryption by sending the data to the U.S Government... *in exactly the way described by schneier*

    (3) all facebook has to do is fire the guy from the EFF (actually, he would probably quit) and do an "upgrade".

    the only way this is going to work - if facebook is to be involved at all - is for facebook to provide a "transport API" mechanism for 3rd party applications, where it would transparently carry ENCRYPTED end-to-end data, and to let its infrastructure be utilised by FREE SOFTWARE where the source code can be audited by users.

  • Despite prevalent marketing speak, logic is still a thing. Some requirements are simply inconsistent, and therefore will never be fulfilled, whateever the salesman says:

    You cannot have private conversations and third party control over it (to prosecute illegal conversations). Either the third party has access to the conversation and it is no longer private, or none has access and then it is uncontrolled (beyond what each party in the conversation can control). The puppeter is trying to fool us by changing

  • by 93 Escort Wagon ( 326346 ) on Sunday August 04, 2019 @02:20AM (#59036970)

    I respect Schneier. I appreciate that he talked to WhatsApp’s Privacy Policy Manager (Cardozo) and asked questions. But I’m bothered that the Director of Communications (Woog) has not responded to some pointed questions about the specific, fundamental issues people have found concerning.

    Sometimes non-answers are the most telling.

  • Think like a spy. Why not be behind a wonderful encryption tool that is super hard to penetrate with a hitch. The government created the encryption program and can read every tiny thing that you submit to the net or that is stored on your PC? Does anyone actually believe that large tech companies such as Microsoft do not have government agents hiding among their employees? Companies like Cisco, IBM, and AMD surely have both known and secret government workers observing everything they can with their h
  • People with computer skills still trust big brand "crypto"?
    What did big bands do?
    Help the NSA/GCHQ?
    Did not understand the NSA skills set and never noticed?
    Let the NSA in? Let the NSA stay in?
    It was all legal at the time?
    Now the gov/police/mil wants back in?
  • The only way to really ensure end-to-end encryption not be backdoored and allow governments to pry in on people they are interested in is to have a way of disabling the end-to-end encryption. To do this ad hoc there would need to be something that would trigger this. It could be triggered using list of words/phrases or be as simple as a remote computer sending a signal to trigger this unencrypted mode.

    Then again, maybe they just agreed to leave in a mistake in the encryption scheme thereby making the encr

  • If it's not open source, and you're not in control of the code, you can't trust it.

    It doesn't matter even slightly what Bruce thinks of this, especially if what he thinks of it is based entirely on what someone else told him, but frankly that makes no practical difference. If you cannot audit the source, and you can't build and run the code yourself, then you cannot trust it. Period. End of story. PLS STAHP

    By virtue of its business model, WhatsApp is not trustworthy, and if you trust them then you are a buf

  • What do yiu think how many FB accounts my GF has?
    I hate web sites where the Sign ON Screen (aka: enter your email and get an account) is the first screen and "log into existing account" is some where hidden.

FORTUNE'S FUN FACTS TO KNOW AND TELL: A black panther is really a leopard that has a solid black coat rather then a spotted one.

Working...