WhatsApp Moderators Can Read Your Messages (gizmodo.com)
Gizmodo highlights the findings of a new ProPublica report on WhatsApp's content moderation system. What they found was that there are at least 1,000 WhatsApp content moderators employed by Facebook's moderator contract firm Accenture to review user-reported content that's been flagged by its machine learning system. "They monitor for, among other things, spam, disinformation, hate speech, potential terrorist threats, child sexual abuse material (CSAM), blackmail, and 'sexually oriented businesses,'" reports Gizmodo. "Based on the content, moderators can ban the account, put the user 'on watch,' or leave it alone." From the report: Most can agree that violent imagery and CSAM should be monitored and reported; Facebook and Pornhub regularly generate media scandals for not moderating enough. But WhatsApp moderators told ProPublica that the app's artificial intelligence program sends moderators an inordinate number of harmless posts, like children in bathtubs. Once the flagged content reaches them, ProPublica reports that moderators can see the last five messages in a thread.
WhatsApp discloses, in its terms of service, that when an account is reported, it "receives the most recent messages" from the reported group or user as well as "information on your recent interactions with the reported user." This does not specify that such information, viewable by moderators, could include phone numbers, profile photos, linked Facebook and Instagram accounts, their IP address, and mobile phone ID. And, the report notes, WhatsApp does not disclose the fact that it amasses all users' metadata no matter their privacy settings.
WhatsApp didn't offer much clarity on what mechanism it uses to receive decrypted messages, only that the person tapping the "report" button is automatically generating a new message between themselves and WhatsApp. That seems to indicate that WhatsApp is deploying a sort of copy-paste function, but the details are still unclear. Facebook told Gizmodo that WhatsApp can read messages because they're considered a version of direct messaging between the company and the reporter. They added that users who report content make the conscious choice to share information with Facebook; by their logic, Facebook's collection of that material doesn't conflict with end-to-end encryption. So, yes, WhatsApp can see your messages without your consent.
Have you actually read the "terms of service"? (Score:5, Informative)
Re: (Score:2)
Re:Have you actually read the "terms of service"? (Score:5, Funny)
If I want privacy I just post to Slashdot. Nobody reads my comments here, especially mods.
Re: (Score:3)
Re: (Score:3)
Try writing an article or even a summary - they get even less attention ;-)
Re: (Score:3)
Of course you didn't, no one does, but if you did you'd know that it basically says "you are nothing to us and we can do anything we want with anything you do on our platform."
If you like having a job, thank your lucky stars that people don't read them, for if they did, the US economy would tank overnight, a heretofore unseen wave of bankruptcies would ensue, massive layoffs would occur, and the unemployment rate would skyrocket.
Most adhesion-contracts link to other adhesion contracts which link to still ot
Re: (Score:3)
> If you like having a job, thank your lucky stars that people don't read them, for if they did, the US economy would tank overnight, a heretofore unseen wave of bankruptcies would ensue, massive layoffs would occur, and the unemployment rate would skyrocket.
Fire and brimstone coming down from the skies! Rivers and seas boiling! Forty years of darkness! Earthquakes, volcanoes... The dead rising from the grave! Human sacrifice! Dogs and cats living together! Mass hysteria!
Re: (Score:3)
More than that, what did people think happens when there's a "report" button? That they just blindly accept someone did $BAD_THING?
Just the nature of having a report button tells you there is functionality for a 3rd party to inspect the messages. How is this not obvious?
Re: (Score:2)
> That they just blindly accept someone did $BAD_THING?
If they modelled it after the DMCA strike... then yes. :)
Re: (Score:2)
I don't get the 'surprise' tone either à la 'my mailman reads my postcards!'
Consent (Score:5, Informative)
It seems that the party you are messaging intentionally forwards the content, rather than facebook abusing the backend to grab the content directly.
Anyone you send messages to is free to forward those messages to anywhere else they choose, it is the person you are messaging who is violating your privacy in this instance by forwarding the message without your consent.
Re: (Score:3)
Except that the moderators aren't getting just the message being reported, they're getting the 5 most recent messages from the reported account. That means that somewhere in there the WhatsApp system can decrypt any arbitrary message at any time. Which frankly is what I'd assume from any free-to-use system irrespective of any claims they make to the contrary. The only system I'd even consider trusting not to be able to decrypt messages is one where both sender and recipient are paying for the service, and t
Re:Consent (Score:5, Insightful)
You say:
> they're getting the 5 most recent messages from the reported account
but the story says:
> moderators can see the last five messages in a thread.
I'm not a WhatsApp user, but isn't there an important difference between "thread" and "account"? Can't recipients see multiple thread messages, meaning that there's not necessarily any unexplained decrypting going on?
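The thread-versus-account distinction raised above, as an added sketch that is not part of the original discussion and is not WhatsApp's code: a model of the flow the summary describes, where a report is a new message built from plaintext already on the reporter's device. `Relay`, `Client` and `run_demo` are hypothetical names, the Diffie-Hellman group and the HMAC-based cipher are constructed toy stand-ins, and the relay is assumed to hand out genuine public keys.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (constructed for illustration; far too small for real use).
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, their_pub):
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (not a real AEAD).
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(12)
    body = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + body + hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return _xor_stream(_sub(key, b"enc"), nonce, body)

class Relay:
    """The service: publishes public keys, carries ciphertext, receives reports."""
    def __init__(self):
        self.directory, self.carried, self.reports = {}, [], []

class Client:
    def __init__(self, name, relay):
        self.name, self.relay = name, relay
        self.priv, pub = keypair()
        relay.directory[name] = pub          # only the public half leaves the device
        self.threads = {}                    # peer -> [(sender, plaintext)], device-local

    def _key(self, peer_name):
        return session_key(self.priv, self.relay.directory[peer_name])

    def send(self, peer, text):
        blob = seal(self._key(peer.name), text.encode())
        self.relay.carried.append(blob)      # the relay sees ciphertext only
        self.threads.setdefault(peer.name, []).append((self.name, text))
        peer.receive(self.name, blob)

    def receive(self, sender, blob):
        text = unseal(self._key(sender), blob).decode()
        self.threads.setdefault(sender, []).append((sender, text))

    def report(self, peer_name, last_n=5):
        # A new message from the reporter to the service, built from plaintext the
        # reporter's own device already holds. No key of the reported user is needed.
        excerpt = self.threads.get(peer_name, [])[-last_n:]
        self.relay.reports.append({"reporter": self.name, "reported": peer_name,
                                   "messages": excerpt})

def run_demo():
    relay = Relay()
    alice, bob, carol = (Client(n, relay) for n in ("alice", "bob", "carol"))
    for i in range(1, 8):                    # constructed sample conversation
        bob.send(alice, f"bob-to-alice #{i}")
    bob.send(carol, "bob-to-carol private")
    alice.report("bob")
    return relay
```

In this model the report holds the last five messages of the thread the reporter took part in, and the reported user's other conversations are out of reach because the reporter's device never decrypted them.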
Re:Consent (Score:4, Insightful)
You wonder,
The summary actually says something unrelated,
Are you suggesting that users regularly host threads with AI bots for judgement?
Or in fact is Faceplant able to examine messages that are supposedly end-to-end encrypted? (or are these only non-end-to-end encrypted messages?)
Re: (Score:2)
> Are you suggesting that users regularly host threads with AI bots for judgement?
Not quite. The "AI" is nothing more than a crude filter in the app and it forwards messages to Zuck-n-co on sending *before* encrypting them. This was discussed at length in 2019 when this feature was announced at their developer conference.
The paradox here is that it's a word matching filter. Facebook maintains a list of filter rules that it silently pushes out to phones which then silently forward matched messages back to Facebook. The "AI" is that this filter is dynamically updated, allegedly based on cu
Re: Consent (Score:2)
You know the old joke about not saying the word "bomb" on a plane, or "assassinate the president" over the phone? Well it's no joke on WhatsApp if you want your messages to stay private.
I think those were never jokes. The joke is always they do something like that in a TV show, and then they get into trouble, because haha, just their luck, someone overheard them and took it serious. The part where there is a slim chance you might possibly get into trouble or answer some questions for doing it wasn't the joke, it was more like it'd be funny if the FBI were taping my phones right now right.
Re: (Score:2)
They are end-to-end encrypted, but Facebook controls the client and it will quietly send anything it doesn't like the look of off for moderation.
Re: (Score:2)
Big shock, if you have correspondence with someone and they bundle up all of your letters and hand them to a 3rd party, they can read them!!! No shit, Sherlock!
Re:Consent (Score:5, Insightful)
If you don't trust the person you're sending encrypted message to, then the Klingon proverb applies: "If you do not want something heard, do not say it".
Re: (Score:2)
Can "most" agree? (Score:5, Insightful)
Not any more than via telephone or mail — and only by the actual law-enforcement officers, and only with a judge-issued warrant.
Unless one of the parties to the communication is voluntarily forwarding the suspicious content to the enforcers.
How does the AI access the communications, that are, supposedly, end-to-end encrypted [whatsapp.com]?
Re: (Score:2)
> supposedly, end-to-end encrypted?
I believe *the cake is a lie*.
Always safest to assume the worst, everything you say can and will be used against you
Re: (Score:1)
The end of the summary perfectly explains what's going on, this has nothing to do with their end-to-end encryption. It works as advertised, but this doesn't stop the recipient on the other end, who obviously decrypted your message, from forwarding it on to Whatsapp themselves -- i.e. "reporting" it.
Re: (Score:2)
> The end of the summary perfectly explains what's going on, this has nothing to do with their end-to-end encryption. It works as advertised, but this doesn't stop the recipient on the other end, who obviously decrypted your message, from forwarding it on to Whatsapp themselves -- i.e. "reporting" it.
That's correct, but the question was how does the AI do this? There's no official statement, but the article suggests the app is scanning your messages and images for suspicious content before you send them and, if triggered, it sends them to Facebook for moderation. If not triggered then it's true that Facebook will not be able to view your conversation (unless reported in the future).
In essence you are also in conversation with an AI moderator that auto-reports you. That's a mockery of the 'we don't read
Re: (Score:2)
The worst is that even the things you did not say can and will be used against you.
The truth is that using Faceboot is a shortcut to hell.
Don't go there.
Only for right wing? (Score:2, Troll)
How is this relevant to the argument? I'm not defending child molesters here — I'm defending privacy. The vast majority of people will not be "put in jail" over any of the comments, but still don't want strangers to read their private messages — and look at their babies in bathtubs.
Given WhatsApp's promise of "end-to-end" encryption, we have a right to expect such privacy — and may prosecute the company for fa
Apps don't build gulags, commit genocides (Score:3)
> But all the reasons for which we have this law — the Fourth Amendment — apply equally to governmental and non-governmental
With respect, I have a different viewpoint. It's only bad governments who throw people into gulags, especially for what they think and say. Bad governments do things like genocide. Bad messaging apps could cancel your account so you have to either make a new account or switch to a different messaging service.
Governments have hundreds of thousands of heavily armed troops,
Re: (Score:2)
A bad government will throw you into GULAG for protesting a corrupt election regardless of your private messages. Most of the hundreds of folks jailed (without bail) over the January 6th events, for example — the big "crime" so important to Sommervillain — are facing decades in prison for things like "parading on Capitol grounds" [usatoday.com]. No one denies their having been there — their IMs aren't needed to prove it. It is simply a sign of bad (te
Then ask for your money back. (Score:2)
> Given WhatsApp's promise of "end-to-end" encryption, we have a right to expect such privacy — and may prosecute the company for false advertising, if the promise is broken.
I fully support you getting a refund for every dollar you spent in WhatsApp if you can prove that their actual service is counter to what they documented in the terms and conditions. However, the free market principle still applies. Many communication services ARE doing the right thing. Support them.
I think Dunkin coffee suuucks. I don't whine, I don't bitch, I just don't buy from them. I support the businesses who make coffee I like. Do the same. Get off WhatsApp, get on a service that treats you
Re: (Score:2)
Wow! Look, who's gone full-throttle laissez-faire free markets! Congratulations!
Because the only people, who care for privacy, are those with something to hide...
Let me explain this again to you... The Fourth Amendment is not there to make it harder for police to prosecute actual criminals — be they your fellow Communists, o
Re: (Score:2)
The actual messages are end to end encrypted. It's just that a copy is made and that copy is decrypted.
PR 101.
Honestly, I'd think that slashdot nerds of all people would understand that since every messaging event with a new person requires distribution of keys, and since it's whatsapp that's handling said distribution, facebook has keys for decrypting every message that is sent over whatsapp. And of course they're tracking as much as they legally can, because that's how they earn their profits. By building
Re: (Score:2)
> Since it's whatsapp that's handling said distribution, facebook has keys for decrypting every message that is sent over whatsapp
Maybe you should assume the worst about Facebook when it comes to matters of data privacy, but there's no technical reason to assume that Facebook has the keys just because WhatsApp is facilitating the exchange. Diffie-Hellman [wikipedia.org]. Alice and Bob can securely exchange a key even with Eve listening in on their communications. It's how you established a TLS connection with Slashdot to read this post.
Re: (Score:2)
Eve isn't "listening to their communications". Eve is "distributing the keys for them so that Alice and Bob can talk".
You may return your nerd card at the door as you exit this discussion. Have a nice day.
Re: (Score:2)
My nerd card is under threat? I don't think you understand Eve's canonical role in these examples.
Which is beside the point, because this isn't symmetric encryption. The entity you describe as "distributing the keys" doesn't exist in the Signal protocol.
Re: (Score:2)
Yes, your canonical example does not match the reality. Bingo. Eve is the party distributing the keys. She's also the party creating the keys. She's also the party delivering the messages encrypted and decrypted by said keys, regardless of what keys they are. So Eve is indeed the courier. But she's also much more than that, something that your canonical example simply doesn't take into account, which makes it obvious that you don't understand how the system works.
That's why when you attempt to message a new
Re: (Score:2)
The assertion I'm challenging here is "$messagingApp is handling the protocol for exchanging keys, therefore $messagingAppCreator has access to your keys." As I said in my first reply, given Facebook's reputation and the fact WhatsApp is closed-source we should probably assume the worst. But, there's no technical reason why the assertion must be true.
And I have even less understanding why you suddenly decided to drag Signal into this. Other than as a pointless red herring.
WhatsApp's E2E encryption is based on the Signal protocol.
Re: (Score:2)
I challenge your assertion that being an autist is the same thing as being a nerd.
Re: (Score:2)
I'm honestly not sure if you're calling me an autist for knowing that "Eve" = "eavesdropper" or for knowing that WhatsApp uses the Signal protocol. Or something else? Sorry if I offended you by assuming that a self-proclaimed nerd had some basic understanding of the topic that he/she was arguing about.
Re: (Score:2)
I'm talking about the fact that you managed to ignore entirety of both the subject and the context of this discussion, and instead zero in on "canonical role" in what is essentially a "canonical scenario", which you managed to somehow replace both of the aforementioned things with in your head. And then got really confused when I insisted on staying on topic.
That's something that autistic people do. It's a part of the problem they have, where they have problems grasping entirety of a complex concept, and in
Re: (Score:2)
If WhatsApp is using the Signal protocol, then Facebook is Eve. In that scenario, are you claiming that Eve can decrypt Alice and Bob's message?
If WhatsApp is not using such a secure protocol, then, no shit, all bets are off. My point is exclusively that there are secure protocols for exchanging keys without the middleman having access to them, and that WhatsApp claims to use one.
I do appreciate you taking the time to write out a response. It's been an interesting discussion. I've tried to reply in goo
Re: (Score:2)
I think his point was that WhatsApp is not only the middleman, but the end point too. The client app is Eve and also the paper Bob uses to write the unencrypted message on, plus the pen he uses to write it.
Re: (Score:2)
Bingo. Reality doesn't conform to the canonical principle.
Re: (Score:2)
I'm really not sure what you're referring to...
But anyways, been nice chatting with you.
Re: (Score:2)
The fact that Facebook controls the closed-source client definitely means that they can make it do all sorts of things, like forward messages to their support staff as described in the article. Key exchange really isn't the point of weakness, and that's where this whole conversation started.
Re: (Score:2)
Likewise.
Re: (Score:2)
> And of course they're tracking as much as they legally can, because that's how they earn their profits. By building an extremely accurate and detailed profile on everyone, and then selling specifically targeted advertisements that are targeted based on those detailed profiles. The more accurate the profile, the more profitable the advertisement.
Since "as much as they legally can" changes by the minute these days with corporations essentially becoming extensions of law enforcement, I really do hope you see the dangerous and slippery slope here, because the problems with social media and tracking in general have fuck all to do with marketing and advertising.
A perceived bad social media profile or even a post can prevent you from getting a job and sustaining a successful and rewarding life. How long before those "detailed profiles" will be used to
Re: (Score:2)
I'm not talking about any of the downstream effects. I'm talking about the technical side of things. Whatsapp can't freely share message contents to facebook for targeting purposes in EU region for example, because of the way Facebook structured the merger deal to get the relevant competition bureaucracy to sign off on the facebook-whatsapp merger back in the day.
Re: (Score:2)
> I'm not talking about any of the downstream effects. I'm talking about the technical side of things. Whatsapp can't freely share message contents to facebook for targeting purposes in EU region for example, because of the way Facebook structured the merger deal to get the relevant competition bureaucracy to sign off on the facebook-whatsapp merger back in the day.
Most (all?) of my examples were clearly centered around American Rights and issues with social media. From GDPR to the fact we're talking about a Union of countries, I can't really see how Facebook's US legal dealings really bear resemblance to EU legal dealings.
And my point about how that can change by the minute, stands. For example, since the merger, have you validated that "structured" deal is still intact today as you perceive it, or has it been changed, possibly behind the scenes, buried in clause 73
Re: (Score:2)
I'm merely pointing out that I am not talking about downstream social issues, but upstream technical ones. There are plenty of social issues. I'm just choosing not to go into them in a discussion about technical aspects. See: original post in this thread.
Re: (Score:3)
> How does the AI access the communications, that are, supposedly, end-to-end encrypted [whatsapp.com]?
You don't write encrypted messages. You write normal messages which then get encrypted before they get sent. The "AI" does nothing more than create some matching rules. Those rules are part of the WhatsApp client and regularly updated from Facebook. The client forwards matched messages to Facebook for review *before* encrypting them to send. This was discussed in detail in the 2019 F8 developer conference when it was first introduced.
Encryption is useless when you run code from an untrusted party on your d
The hell I don't! (Score:2)
Re: (Score:2)
Obviously you are one end and their servers are the other end of the end to end encryption.
Someday people will wake up to the fact that the Internet is a public place.
Shut up shut up shut up (Score:5, Insightful)
Confused (Score:2)
You mean to say they lied to us? (Score:3, Funny)
I'm shocked and dismayed. If you can't trust Facebook to respect users' privacy and make good on its promises, who can you trust?
Re: (Score:2)
Re: (Score:2)
No they told you the whole truth. You just didn't listen (or in this case read the Terms of Service).
Documented (Score:3, Insightful)
Facebook has a variant of the Axolotl ratchet that includes cryptographic reporting functionality.
Use Signal if that's a problem but it's not mysterious - they published a whitepaper a few years back.
Re: (Score:2)
> that includes cryptographic reporting functionality
Citation required. Because what is *actually* documented is that all Facebook has access to is messages outside of the encrypted chain. In this case the receiver reporting a message sends the decrypted version to Facebook. In the case of their "AI matching", all it is is "AI" coming up with a crude word filter which is sent to the WhatsApp client, and if a match occurs a copy of the message is sent to Facebook *before* encryption.
No fancy crypto needed when you run an untrusted party's code on your devic
Yes, same with physical mails, emails, packages (Score:3)
If you send something to me, and I want it to be reported, of course I will share the content.
How do you think moderators will perform their duties? If I were to receive a bomb threat, and ask the police for help, will they say "please do not show us the letter, it will infringe on the privacy of the accused"?
If you don't want something to be shared, don't put it on the Internet, especially don't share with strangers.
"Most can agree that violent imagery and CSAM..." (Score:4, Insightful)
"...should be reported."
Oh, maybe, but I hope not. You're just demanding that people inspect all of your mail for anything that's remotely not in line with the Official Belief Package, as maliciously interpreted by your friendly (very grumpy) low-wage worker with a possible axe to grind.
"CSAM"? Really? When you get to four-word mumbles that have to be replaced by bizarre acronyms, you've discovered rabid twisted roots in the system.
George Carlin had his usual acid-dripping comedy take on the abuse of jargon. When the phrase goes from shell-shocked to "Post-Traumatic Stress Disorder" (PTSD), you've seen ugly bureaucracy in action, throwing a few smoke bombs and shouting, "IGNORE THE MAN BEHIND THE CURTAIN!"
Unsurprising. (Score:2)
Even if WA encrypts end to end, if one reports a message, it has to be decrypted on your device so that a human can review it.
Lies (Score:3)
Re: (Score:3)
Not lies in the slightest. The messages are end to end encrypted and WhatsApp can't read them. Now go read your ToS and you'll find a few more bits of information:
1) When I receive a message it is decrypted (of course by necessity). If I hit the report button the decrypted messages are sent to Facebook.
2) When you send a message WhatsApp will use a crude filter to look for abusive content. If it finds a match it will forward a copy before encryption to moderators for review.
You not listening (or reading the
Re: (Score:2)
> Not lies in the slightest. The messages are end to end encrypted and WhatsApp can't read them. Now go read your ToS and you'll find a few more bits of information: 1) When I receive a message it is decrypted (of course by necessity). If I hit the report button the decrypted messages are sent to Facebook.
When the product is designed around E2E encryption, mind explaining how (or more importantly WHY) reported messages are sent decrypted to the one holding all the encryption keys anyway? Seems it would be easier to maintain a product that actually provides E2E encryption 100% of the time, rather than specifically design it to not encrypt when certain conditions are met.
Re: Lies (Score:2)
Re: (Score:3)
Re: (Score:2)
> reported messages are sent decrypted to the one holding all the encryption keys anyway?
I honestly cannot imagine how you think what you write makes sense or why you think that's how it works. I'm going to give you the opportunity to rethink and re-post your question.
Otherwise I'll just say: They aren't.
> Seems it would be easier to maintain a product that actually provides E2E encryption 100% of the time, rather than specifically design it to not encrypt when certain conditions are met.
Encryption is provided 100% of the time. Even messages which are sent for review to the Zuck are still encrypted before being sent as part of the conversation to the recipient. I feel like you fundamentally misunderstood what I wrote or didn't think your comment through.
Re: (Score:2)
No, I actually DID think your comment through, which is the entire reason I questioned the encryption claim.
Users of this product don't understand that the "end to end" security provided by the liars in marketing, is complete and utter bullshit. The fact that the average EULA layman is not armed with a legal degree, is completely irrelevant.
Think about this from a safety and security perspective. This would be akin to advertising that airbags and seat belts save lives, and then watching those products fa
Re: (Score:2)
*sigh* The fact that people run client software from an untrusted source that intercepts something before encryption or after decryption doesn't make end to end encryption a lie or bullshit. Equally so in this case since it's the difference between everything being visible, and the last 5 messages (in the case of a report) or a single message (in the case of a filter hit).
Security is not a binary thing.
Disclaimer: This post was made using HTTPS, end-to-end encrypted securely as it comes, from a PC running c
Not all chats are encrypted (Score:2)
I thought only person to person chats were encrypted, and group chats were not.
Which implies one of the two people in an encrypted chat needs to report the message, which is pointless, as they both probably know each other and know what content they're sharing with each other.
And group chats are all monitored by "AI"
Sharing without consent (Score:2)
Re: (Score:2)
Why pick American telephone rules? What about postal rules - somebody sends you a letter that you then choose to share with law enforcement? Should postal rules also follow telephone rules? Yes, there are privacy laws at play with mail, as we see with the recent lawsuit about Meghan Markle's father sharing one of her letters with the media, but I don't think you get any protection when it comes to sharing with the courts.
Re: (Score:2)
Re: (Score:2)
ML Agent Runs On All Messages Or Reported Content? (Score:1)
Re: (Score:2)
The article explicitly mentions two sets of queues for content the moderators review. The "reactive" ones for content flagged by users (i.e. sent to the queue after being decrypted at the receiving end), and the "proactive" queues for content flagged by the AI (i.e. sent to the queue before being encrypted by the sending end):
Why is Facebook Outsourcing this work? (Score:1)
Re: (Score:2)
relevant (Score:1)
Sane people already left Fakebook.
Glad to hear (Score:2)
Must check where those bunch of empty EBAY SIM-cards are, to set up a few WhatsApp accounts sending spam and hate-mail to each other, so that these people keep their jobs.
Workaround (Score:2)
Maybe WhatsApp has thought of this and is storing the deleted messages anyway, but that would be a big breach of trust.
BTW hasn't anyone wondered why none of the Big Tech (Facebook, Google, Microsoft, DropBox) firms implement end-to-end encrypted file storage? I believe this cannot be a coincidence and that the government is essentiall