Ask HN: How do we know that WhatsApp doesn't spy on messages?
I was about to confidently reply something about how, with modern encryption, you don't need to trust the server to pass messages securely... but something held me back.
I was so sure about the system privacy, and suddenly I wasn't.
I know WhatsApp claims to implement the Signal protocol, which is considered secure (so far).
But some questions popped in my head: - What's preventing WhatsApp from not using the protocol properly, or at all? - What's preventing WhatsApp from, say, also send secretly the message to itself? Or a digest of it? Or just some keyword matches? You know, for "analytics"? Or to comply with obscure child porn laws?
I use WhatsApp every single day, so this thought makes me pretty uncomfortable. The more I think about it, the less I'm sure. What I find the most convincing is that, if such a backdoor existed, a WhatsApp employee would have leaked it on HN already...
What do you think? Do you trust WhatsApp on this?
17 comments
[ 3.2 ms ] story [ 54.7 ms ] threadIt was so unlikely to be random that I checked right away to see if pictures were safe. It turns out that pictures received and sent are shared within all Facebook apps - Facebook, Messenger, Instagram -, at least on iOS)
https://thenextweb.com/facebook/2018/04/05/facebook-confirms...
Now Zuckerberg is merging Facebook Messenger, WhatsApp and Instagram:
https://mashable.com/article/mark-zuckerberg-speaks-on-whats...
Thus we can be pretty sure that WhatsApp messages are also being monitored.
Plus, merging 4 messaging app of this size probably takes some time. This doesn't say anything about today's WhatsApp IMO.
> "The first reason I'm excited is moving more to end to end encryption by default in our products. People like this in WhatsApp. I think it's the direction we should be going in. I think there's an opportunity ... to have encryption work in a consistent way across the things that we're doing."
What they certainly analyse and presumably monetise is the metadata.
2. Facebook's reputation is so bad when it comes to privacy at this point that trusting them is just naive.
3. Even in the best case, your metadata is certainly used. Facebook didn't pay over $20 billion for a service with no monetisation model purely out of the goodness of their hearts.
4. Whatsapp has good network effects at least here in the UK - when your flatmates or coworkers have a group chat, you can't just say "Well, let's get everyone over to Signal.". You either use Whatsapp or go without the group chat.
2. You are restating my friend's argument, but the idea of E2E is precisely to remove trust from the equation. If applied properly, there's nothing the company controlling the server can do.
3. Most probably, but that's not the point here. My question is specifically about the messages themselves.
4. Sure, but not related to my question either :)
It doesn't do that. You don't have a way to verify what software runs when you send a whatsapp message.
For some reason it reminds me of the famous Moxie article: https://signal.org/blog/the-ecosystem-is-moving Is it the same idea?
You claim that Whatsapp has E2EE, and that eleminates the need to trust them. Well let me ask you something: How do you know they have E2EE? You can't view the source code. Unless it's an open source program, the need to trust Facebook is still there.
And Facebook's history of continously violating user privacy can't be easily dismissed as well. If a company repeatedly collects data without consent, and sell them to third parties, you would be very naive to take them at their word.
Also the fact that Whatsapp was sold for $20 Billion is a huge red flag. Facebook isn't stupid, they wouldn't pay this much money without having a revenue plan.
So as TL;DR: It isn't 100% guaranteed that Whatsapp isn't spying on you, but we got to the point that until Facebook proves beyond doubt that they aren't, it's safe and logical to assume that they are.
Employees don't need to be aware of the backdoor if they aren't the one's listening.
At least, I assume Whatsapp is already compromised by some state actor and Facebook is getting some kind of funding to look the other way.