
US Government Also Received a Whistleblower Complaint That WhatsApp Chats Aren't Private (yahoo.com)

Remember that lawsuit questioning WhatsApp's end-to-end encryption? Thursday Bloomberg reported those allegations had been investigated by special agents with America's Commerce Department, "according to the law enforcement records, as well as a person familiar with the matter and one of the contractors." Similar claims were also the subject of a 2024 whistleblower complaint to the US Securities and Exchange Commission, according to the records and the person, who spoke on the condition that they not be identified out of concern for potential retaliation. The investigation and whistleblower complaint haven't been previously reported...

Last year, two people who did content moderation work for WhatsApp told an investigator with Commerce's Bureau of Industry and Security that some staff at Meta have been able to see the content of WhatsApp messages, according to the agent's report summarizing the interviews. [A spokesperson for the Bureau later told Bloomberg that investigator's assertions were "unsubstantiated and outside the scope of his authority as an export enforcement agent."] Those content moderators, who worked for Meta through a contract with the management and technology consulting firm Accenture Plc, also alleged that they and some of their colleagues had broad access to the substance of WhatsApp messages that were supposed to be encrypted and inaccessible, according to the report. "Both sources confirmed that they had employees within their physical work locations who had unfettered access to WhatsApp," wrote the agent... One of the content moderators who told the investigator she had access said she also "spoke with a Facebook team employee and confirmed that they could go back aways into WhatsApp (encrypted) messages, stating that they worked cases that involved criminal actions," according to the document...

The investigator's report, dated July 2025, described the investigation as "ongoing," includes a case number and dubs the inquiry "Operation Sourced Encryption..." The inquiry was active as recently as January, according to a person familiar with the matter. The inquiry's current status and who may be the defined target are both unclear. Many investigations end without any formal accusations of wrongdoing...

WhatsApp on its website says it does, in some instances, allow information about messages to be seen by the company. If someone reports a user or group for problematic messages, "WhatsApp receives up to five of the last messages they've sent to you" and "the user or group won't be notified," the company says. In those cases, WhatsApp says it receives the "group or user ID, information on when the message was sent, and the type of message sent (image, video, text, etc.)." Former contractors outlined much broader access. Larkin Fordyce was an Accenture contractor who the report says an agent interviewed about content moderation work for Meta. Fordyce told the investigator he spent years doing this work out of an Austin, Texas office starting as early as the end of 2018. He said moderators eventually were granted their own access to WhatsApp, but even before that they could request access to communications and "the Facebook team was able to 'pull whatever they wanted and then send it,'" the report states...

The agent also gathered records that were filed in the whistleblower complaint to the SEC, according to his report, which doesn't describe the materials... The status of the whistleblower complaint is unclear.

Some key points from the article:
  • "The investigative report seen by Bloomberg doesn't include a technical explanation of the contractors' claims."
  • "A spokesperson for Meta, which acquired WhatsApp in 2014, said the contractors' claims are impossible."
  • One contractor "said that there was little vetting" of foreign nationals hired to do content moderation for Meta, saying this granted them "full access to the same portal to review" content moderation cases

  • by gweihir ( 88907 ) on Saturday January 31, 2026 @11:29PM (#65961934)

    For chats to be private, quite a few additional requirements have to be fulfilled. For example, user private keys only on user devices and inaccessible to WhatsApp.

    • Look man. I'm not a special agent. I'm drunk actually. And I've always known WhatsApp is not private. It's not fucking rocket science. It allows you to recover the private key through SMS. Fucking SMS. Unencrypted. From FB.

    • by itsme1234 ( 199680 ) on Sunday February 01, 2026 @05:00AM (#65962136)

      The main problem is the keys have to be accessible to the WhatsApp ... app ... itself and you have no way of validating what that does. Never mind that it isn't open source, you can't read its memory space or debug it in any way, heck if you aren't rooted you can't even read /data/data/com.whatsapp/files/ . Because you know, it's too dangerous for you to be able TO READ YOUR OWN FILES ON YOUR OWN DEVICE.

      They already have the facility to read your already decrypted messages remotely via the web interface "app", even if that encryption is end to end (which I guess can be, but it might be very cumbersome as opposed to whatsapp's servers doing everything and serving you the web interface) still the authentication process is mostly under Meta's control.

      • by gweihir ( 88907 )

        Obviously. They could also push an "update" specifically made for you at any time. The whole approach is only secure as long as the provider is not targeting you in any way. Which makes it unsuitable for anything needing real security.

  • If you have any type of account recovery or backup enabled then your keys are with the service provider. Usually there's an option to enable enhanced security which clearly mentions no recovery or backup possible if you forget password.

    In this case your chats will also open only on 1 device while other devices will say they can't display the chat (though few apps do offer e2e on multiple devices too)

  • by LuniticusTheSane ( 1195389 ) on Sunday February 01, 2026 @12:20AM (#65961976)
    If the messages are end to end encrypted, why even have content moderators?
    • Presumably reporting a message uses the client to upload a set amount of messages as the report for them to moderate. Given this new news perhaps the client upload was never needed.
    • by AmiMoJo ( 196126 )

      For messages that are reported to them. At least in theory, turns out that it wasn't just journalists accidentally added to top secret Whatsapp groups that could read the US government's messages.

    • It seems that when you click "report" on WhatsApp, a screenshot is taken of the message. That is, the "report" feature is used for presumably illegal content or content that's against WhatsApp rules. And these messages are the purpose of the moderators.

      This link somewhat describes the process. I've inferred that it must be a screenshot: https://faq.whatsapp.com/91903... [whatsapp.com]

      Nonetheless, WhatsApp DOESN'T clearly state the technical details of how "report" works. This, I think, is the primary problem. That is, al

    • by Anonymous Coward

      Wait until you learn what owning a gun or driving a car in Minneapolis can get you.

  • by kriston ( 7886 ) on Sunday February 01, 2026 @12:48AM (#65961990) Homepage Journal

    Their encryption is inspired by, if not directly based upon, the Off-the-Record Messaging (OTR) protocol [wikipedia.org].

    Being a public-key encryption protocol [wikipedia.org], OTR messages can have the session key encrypted by more than one PK key, meaning that more than just the user's intended recipient can read the data.

    The "perfect forward secrecy" and "plausible deniability" are still in effect, but you have two Bobs in the Alice and Bob encryption model [wikipedia.org].

  • Keys (Score:4, Insightful)

    by Orgasmatron ( 8103 ) on Sunday February 01, 2026 @12:54AM (#65961992)

    Key management is a huge pain in the ass. If you aren't personally dealing with the keying hassles, your communications are neither private nor secure.

    At best, there might be a corporate policy somewhere that says that employees should not snoop.

  • after Jeff Bezos divorced his wife because of Whatsapp messages leaks
  • by Casandro ( 751346 ) on Sunday February 01, 2026 @04:43AM (#65962122)

    ... the attacker controls both ends. Nothing stops Apple or Google from just taking screen shots of those messages for selected end users. You don't need a lot of code for that, you could easily hide it everywhere. You do not even need lists of user-ids since you can obscure those away with a bloom filter.

  • by Arrogant-Bastard ( 141720 ) on Sunday February 01, 2026 @09:04AM (#65962298)
    ...the smoke (indicating fire) continues to get thicker. If the whistleblowers in this instance and the whistleblowers in the recently-discussed court case are the same people, then perhaps they're just people with an axe to grind. If on the other hand, they're different people -- acting independently -- then Occam's Razor suggests that they may well have a legitimate complaint.

    Let's also keep in mind that Zuckerberg is a sociopathic monster who will do anything to bloat his ego and to profit. He doesn't care who he hurts, who he kills, what he damages, what he destroys -- his only value is himself. With that firmly in mind, "lying about E2E in WhatsApp" would be just a blip -- he does far worse things on an ordinary Tuesday.

    My money is on a backdoor put in place by his direct order and implemented by a small group of highly loyal, highly paid insiders -- done in such a way that even other people at Meta don't know how or when it was done. Those people aren't going to blow the whistle because they're Zuckerberg's obedient toadies and because he would burn them if they did and because it would wreck whatever their future career prospects are.

    I'd write "we'll see" but perhaps we won't. Meta has unleashed its lawyers and its money to try to silence this, and it might succeed. But I hope not: I think we need to know exactly what happened.
    • While I'd certainly like to know what happened, it's easier just to consider anything he offers you to be tainted.

      "Possibly compromised" is identical to "considered compromised" for anyone serious about security.

  • Governments are interested in what you are talking about. They aren't interested in your privacy.
  • If Meta ever lied to a federal agent WRT being able to answer a subpoena or a search warrant, that's a felony.

    So if there's merit to these claims, and a lot of cases went dead because Meta was lying its ass off to the government, a WHOLE LOT of people at Meta are looking at getting swept away in a sea of indictments if they choose to act.
