
You think Facebook does not have access to WhatsApp messages? Would be very surprised if that's not the case.



Facebook doesn't have access to WhatsApp messages. WhatsApp uses the same end-to-end encryption protocol as Signal. We know this is true because the app has been extensively reverse engineered to create these third-party clients, among other reasons.


WhatsApp is closed source, so you have no idea what it's doing. And they can push an update doing whatever they wish to you at any moment. You have to rely on Facebook pinky-swearing that it is what they say it is. And I promise you it isn't what they say it is.


Being open source isn't necessary or sufficient to be able to audit a piece of software. Software can be audited even if it's closed source (for example by reverse engineering, although it's more difficult), and even if it's open source it might still be impractically difficult for non-experts to audit.


"more difficult" is an understatement!

I agree that FOSS doesn't solve all ills. It's a necessary step, though.


A 5B install-base would invite all sorts of experts to review an OSS codebase, I'm sure.


You can’t promise things like that without having good references or proof. “Promise” might be a stronger word than you meant.


WhatsApp client is made by Facebook. It must see plaintext so it can put it on the screen. If it doesn’t send it anywhere yet, good - but it’s borrowed time.


> Facebook doesn't have access to WhatsApp messages. WhatsApp uses the same end-to-end encryption protocol as Signal.

Everything is closed source, and you have no idea what is running on their servers, etc, so all your suppositions are worth basically nothing.


Check my reply to the other comment. WhatsApp has been extensively reverse engineered.


Yes, they very publicly state that they do not have access and I have yet to see a reason to not believe them in that regard. All big Facebook data leaks and hacks have just exploited not very well known APIs or badly set privacy settings. But nothing that was secret.


Facebook has publicly stated a lot of privacy-related things that turned out to be outright lies in the past, including to Congress.


They are lying when they say this. I promise you Facebook MITMs WhatsApp communications for oppressive regimes.


I think someone caught the app dumping private keys to crashlogs.whatsapp.net.

But a MITM should still be visible.

More details?


For example:

https://www.aljazeera.com/news/2021/1/26/iran-blocks-signal-...

Q: Why would Iran block Signal but not WhatsApp if they actually use the exact same protocol? A: Because Facebook has cut a deal with the regime to give them access to things they could not get access to with Signal

I suppose it could be that blocking WhatsApp would cause too much disruption, so the Iranian regime tolerates it for now, but I put much more weight on Facebook just rolling over.

There are other instances of WhatsApp being allowed and other allegedly as-secure platforms being banned. It could be chance or network effects, but my guess is that Facebook has built in tools to comply with those regimes' spying demands. Perhaps they even push locale-specific versions of the app.


Law enforcement has access to a list of people who forwarded particular links or media. This indicates that e2e has some bypasses or exceptions. It would be pretty much impossible to unearth the details though.


I would be pretty shocked if Facebook was not doing this.

It’s probably done on the device, with suspicious links and media sent to the servers for further inspection.

We are also sure some of their engineers worked on methods to detect bypasses on the checks.

It’s a leak of data and metadata, a privacy invasion for sure, but not comparable to a MITM.


Source?


> Yes, they very publicly state that they do not have access

Why do you believe them?


They have the metadata I presume - who you text, how much and when, and that's probably pretty valuable in itself.

Even if you put in no personal data to FB at all they create a ghost profile that will be very accurate based on who you are connected to.


One's speculation, the other's a certainty?

Good thing that Beeper lets you self-host their (AGPLd) bridges.



