WhatsApp End-to-End Encryption Allegations Questioned By Some Security Experts, Lawyers (msn.com)
Several security experts have "questioned the lack of technical detail" in that lawsuit alleging WhatsApp has no end-to-end encryption, reports the Washington Post:
"It's pretty long on accusations and thin on any sort of evidence," Matthew Green, a cryptography professor at Johns Hopkins University, said over Signal. "WhatsApp has been very consistent about using end-to-end encryption. This lawsuit seems to be a nothingburger." Nicholas Weaver, a security researcher at the International Computer Science Institute, criticized the lawsuit in a post on Bluesky for lacking detail needed to back up its claims. "They don't even do a citation to the actual whistleblowers," he wrote, calling the suit "ludicrous."
And Meta has done more than just deny the allegations: On Wednesday, WhatsApp sent a letter to [law firm] Quinn Emanuel threatening to seek sanctions against the firm's lawyers in court if they do not withdraw the suit, according to a copy reviewed by The Washington Post. "We're pursuing sanctions against Quinn Emanuel for filing a meritless lawsuit that was designed purely to grab headlines," Woog said by WhatsApp message. Woog also suggested the suit against WhatsApp was related to Quinn Emanuel's work on a separate case, between the social network giant and the spyware company NSO Group. The surveillance vendor is appealing a $167 million judgment entered against it in federal court last May, after a jury found that NSO's Pegasus tool exploited a weakness in the WhatsApp app to take over control of the phones of more than 1,000 users. An attorney from Quinn Emanuel joined NSO's legal team on that case on Jan. 22, according to legal filings, and different attorneys from that firm filed the case against WhatsApp on Jan. 23. "We believe a lawsuit like this is an attempt to launder false claims and divert attention from their dangerous spyware," Woog said.
"It's very suspicious timing that this is happening as that appeal is happening," Maria Villegas Bravo, counsel at the Electronic Privacy Information Center, told the site Decrypt, "as NSO Group is trying to lobby to get delisted from sanctions in the U.S. government."
EPIC's counsel also told the site that the complaint appears light on factual detail about WhatsApp's software: "I'm not seeing any factual allegations or any information about the actual software itself," Villegas Bravo said. "I have a lot of questions that I would want answered before I would want this lawsuit to proceed.... I don't think there's any merit in this lawsuit," Villegas Bravo said.
Meta has forcefully rejected the allegations. In a statement shared with Decrypt, a company spokesperson called the claims "categorically false and absurd... WhatsApp has been end-to-end encrypted using the Signal protocol for a decade," the spokesperson said. "This lawsuit is a frivolous work of fiction, and we will pursue sanctions against plaintiffs' counsel."
I'm sure the encryption IS end to end, bu (Score:5, Insightful)
But Meta owns both the ends. They don't need to break the encryption to spy on you.
Re: (Score:3)
The Signal client is open source and the binary is reproducibly built, making it impossible for the signal company to embed nefarious behaviour without being detected.
Re: (Score:2)
The Signal client is open source and the binary is reproducibly built, making it impossible for the signal company to embed nefarious behaviour without being detected.
Except that's not how the average user will use it. The average user will search for Signal in some poorly curated store well known for hosting malware embedded in apps, install it because they heard "signal good" and give it implicit trust for that reason. There's no reproducibility between the current open source code and the whatever you download from the App store.
Sure you can sideload a verified build.
Sure you can even build it yourself.
And sure if you want to go all out you can go validate the code to
Re: (Score:2)
Meta is an advertising company that is investing heavily in AI. To develop their AI ad bot, they need staggering amounts of data about the eyeballs they want to sell, and that data needs to be kept up to date.
They have literally hundreds of billions of dollars of incentive to put in those backdoors.
And a long history of putting those dollars above all other concerns, like user privacy, or the law.
"doesn't necessarily mean they put in backdoors" is another way of saying "but they certainly could if they want
Re: (Score:2)
I'd hope that someone inside of Meta would whistle blow on such allegations if they were true, but who knows in today's economy.
I still trust Signal above all else. And if I need something more secure than Signal, I'm dump
Re: I'm sure the encryption IS end to end, (Score:2)
It's theoretically possible to have both.
Let's suppose Meta honestly builds WhatsApp on the OpenWhisper protocol, honestly encrypting the chat from end to end.
And then let's suppose Meta _also_ transfers the contents of the input fields back home via a separate encrypted tunnel, whether via a "feature" of the WhatsApp app, or some other infrastructure it's placed on the phone.
In such a case, It _is_ end-to-end encrypted, just pointlessly so.
Sure, phone OSes are designed not to let one app's infrastructure s
Re: (Score:2)
Same can be said for the Signal
Signal, the company, cannot decrypt anything. What are you on about?
The usual `boilerplate verbiage` (Score:2)
Meta has forcefully rejected the allegations. In a statement shared with Decrypt, a company spokesperson called the claims "categorically false and absurd...
I won't be surprised if the parties somehow settle out-of-court.
State of the art encryption for 1st century BC (Score:2)
Meta has forcefully rejected the allegations. In a statement shared with Decrypt, a company spokesperson called the claims "categorically false and absurd...
They didn't claim state of the art or even competent encryption. Just encryption. ROT13 would count. :-)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:3)
They claimed using Axolotl (Signal) encryption. That's more or less sota.
The bug will probably not be in the encryption library, but in key management. How do you control for which key(s) WhatsApp encrypts the message? Do you know if it encrypted the last message with the same key as yesterday? There are a lot of ways to sneak in a MITM without being caught. They would be stupid to have an obvious backdoor in the client everyone can examine. Either it is a clever bug or it can be pushed to clients when need
Closed Source (Score:2)
The protocol is good.
The client? Who knows. The Facebook version of the Double Ratchet includes "Abuse Reporting" [fb.com] to complain to the manager about a message you got.
Could a closed client accept some secret message to cause the recipient to narc on the sender? It could, but that doesn't mean it does.
Which version of which algorithm, precisely, is used in each version of their chat apps? Who knows.
Why is anybody who needs secure comms using a closed source client? Who knows.
It ain't a published paper, folks (Score:4, Insightful)
"It's pretty long on accusations and thin on any sort of evidence," Matthew Green, a cryptography professor at Johns Hopkins University, said over Signal.
Yeah, buddy, you might be good at reading scientific papers and research, but you're not so good at reading lawsuits. The suit itself is just a bunch of claims. Evidence is the stuff you present in court. So if you're thinking, "But I'm not a party to this suit, so I don't have access to all the evidence attorneys are planning to present" ... now yer thinkin'.
Re: (Score:3)
Errr no. You may be good at posting on Slashdot, but you're not so good at reading lawsuits. Claims themselves usually contain enough information to identify if a suit is frivolous or not. When you pull unsubstantiated bullshit out of your arse and put it in a claim, then expect the label given. Good lawsuits provide enough information in the claim to demonstrate the suit has value and merit. In some cases if you don't do this you won't even manage to get to a stage where evidence is presented (ever heard t
Re: (Score:2)
Yes, it comes after a lawsuit proceeds. Don't just parrot my last line back at me thinking it's some gotchya comment, it'll make you look stupid if you don't look up the order in which a lawsuit proceeds. Summary rulings come before discovery.
What's App not E2EE in the practical sens (Score:2, Interesting)
https://engineering.fb.com/202... [fb.com]
Their device link feature doesn't alert the user when a new device is added, and it doesn't require any action from them. The server can request the private encryption key from the primary device and provide it to the new device.
What's stopping Meta from adding one of their devices to your account?
Signal app on the other hand requires user action on the primary device, and it modifies the device signature, alerting all chat partners of the security
Re: (Score:3)
Errr no. 1. The user is absolutely notified when a device is linked. Even if the "linked devices" page is open in the app you still get a notification that a device has been linked (which seems redundant, but blocks precisely the issue you postulate). And yes I checked this just now before typing it by linking a new device.
2. The server is not involved at any point. A client action from your phone is required to initiate a key exchange with the added device, just like from Signal. Given the architecture the
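The check the two threads above turn on (does my client still encrypt to the same key for this contact as it did yesterday, and does it tell me when that key changes?) as an added example that is not code from WhatsApp, Signal or any commenter. The contact ids and keys are constructed, and the fingerprint derivation is a simplified stand-in modelled on a safety number, not Signal's exact algorithm.

```python
"""Trust-on-first-use pinning of contacts' identity keys (added example).

A client that remembers which identity key it last encrypted to for each
contact and refuses to silently switch when that key changes. A key swap
is exactly what a server-side MITM or an unexpectedly linked device would
look like from the sender's side, so the change is surfaced to the user
instead of being accepted automatically.
"""
import hashlib
from dataclasses import dataclass, field


def fingerprint(identity_key: bytes, stable_id: str) -> str:
    """30-digit human-comparable fingerprint for one party's identity key.

    Simplified safety-number construction (not Signal's exact algorithm):
    iterated SHA-512 makes it costly to find a substitute key whose
    fingerprint looks similar to the genuine one.
    """
    digest = hashlib.sha512(b"\x00\x00" + identity_key + stable_id.encode()).digest()
    for _ in range(5200):
        digest = hashlib.sha512(digest + identity_key).digest()
    chunks = [digest[i:i + 5] for i in range(0, 30, 5)]          # 6 x 5 bytes
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


def safety_number(a_key: bytes, a_id: str, b_key: bytes, b_id: str) -> str:
    """Both parties compute the same 60 digits regardless of argument order,
    so they can read them aloud to each other and compare."""
    return "".join(sorted([fingerprint(a_key, a_id), fingerprint(b_key, b_id)]))


@dataclass
class ContactStore:
    """Per-contact pinned identity keys; this is state the app must persist."""
    pinned: dict = field(default_factory=dict)      # contact_id -> identity key

    def check_key(self, contact_id: str, presented_key: bytes) -> str:
        """Return 'first-use', 'match' or 'CHANGED'. Never auto-accepts a swap."""
        known = self.pinned.get(contact_id)
        if known is None:
            self.pinned[contact_id] = presented_key   # trust on first use
            return "first-use"
        if known == presented_key:
            return "match"
        return "CHANGED"        # warn the user and hold the message; do not encrypt yet

    def accept_new_key(self, contact_id: str, new_key: bytes) -> None:
        """Only an explicit user re-verification replaces the pinned key."""
        self.pinned[contact_id] = new_key
```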
What about the meta data that Meta is collecting? (Score:2)
But I'm sure the collecting of meta data by Meta is a big privacy problem.
Re: (Score:2)
This is a sleight of hand. Look over here (encryption) while we pickpocket you from all your pockets (metadata).
What is being said is not nearly as valuable as who is saying what to whom.
I don't have the chart in front of me, but, it shows how Signal collects like 3 metadata points, and Whatsapp collects... a lot more... like 30 data points.
Re: (Score:2)
And does he understand the consequences, is he informed about them?
Re: (Score:2)
I've been screwing your wife for some time now.
But it's all good, now that you know.
Can Meta do that? (Score:2)
Sue the law firm providing counsel and legal services to the plaintiffs? Don't they actually have to go after the parties initiating the suit?
Re: (Score:2)
Lawyers are obligated to act in certain ways, and when they don't, they can be held liable. It's a high bar, but it can, and does, happen.
(More likely would be them giving their clients bad advice, and the client suing them.)
WhatsApp spokesman Carl Woog (Score:2)
In case you were wondering and didn't read TFA, "Woog" refers to WhatsApp spokesman Carl Woog.
Smart people, tell me that I'm wrong (Score:2)
So... with Signal protocol is the data in RAM still encrypted? Or is it like Wireguard, where point to point means device to server?
If scenario 1 is correct for Signal/Whatsapp, then a custom kernel module could duplicate/read unencry
Shocker (Score:1)