Can we undermine Facebook already? Please?
From the article:
Clarification, Sept. 8, 2021: A previous version of this story caused unintended confusion about the extent to which WhatsApp examines its users’ messages and whether it breaks the encryption that keeps the exchanges secret. We’ve altered language in the story to make clear that the company examines only messages from threads that have been reported by users as possibly abusive. It does not break end-to-end encryption.
It should be no surprise that messages reported by users are forwarded to Facebook’s moderators as plaintext so they can evaluate whether the report is legitimate or not. It should also be pretty straightforward that once an encrypted message reaches the receiver’s device, the client has access to the plaintext data to show to the user (and can do whatever it wants with it as long as nobody notices). We didn’t need this investigation to know these two claims are true.
However, the article brings up some interesting details about how this data is handled and packed together with users’ metadata:
Artificial intelligence initiates a second set of queues — so-called proactive ones — by scanning unencrypted data that WhatsApp collects about its users and comparing it against suspicious account information and messaging patterns (a new account rapidly sending out a high volume of chats is evidence of spam), as well as terms and images that have previously been deemed abusive. The unencrypted data available for scrutiny is extensive. It includes the names and profile images of a user’s WhatsApp groups as well as their phone number, profile photo, status message, phone battery level, language and time zone, unique mobile phone ID and IP address, wireless signal strength and phone operating system, as well as a list of their electronic devices, any related Facebook and Instagram accounts, the last time they used the app and any previous history of violations.
It is no news that WhatsApp can access a ludicrous amount of metadata and can share them with Facebook (in non-European countries), but it’s interesting to see this practical usage being disclosed for the first time. More on this:
U.S. law enforcement has used WhatsApp metadata to help put people in jail. ProPublica found more than a dozen instances in which the Justice Department sought court orders for the platform’s metadata since 2017. These represent a fraction of overall requests, known as pen register orders (a phrase borrowed from the technology used to track numbers dialed by landline telephones), as many more are kept from public view by court order. U.S. government requests for data on outgoing and incoming messages from all Facebook platforms increased by 276% from the first half of 2017 to the second half of 2020, according to Facebook Inc. statistics (which don’t break out the numbers by platform). The company’s rate of handing over at least some data in response to such requests has risen from 84% to 95% during that period.
[…]
WhatsApp has for years downplayed how much unencrypted information it shares with law enforcement, largely limiting mentions of the practice to boilerplate language buried deep in its terms of service. It does not routinely keep permanent logs of who users are communicating with and how often, but company officials confirmed they do turn on such tracking at their own discretion — even for internal Facebook leak investigations — or in response to law enforcement requests.
“It does not break end-to-end encryption.”
Well, in my opinion, it kind of does, since it doesn’t notify the user that their messages are being forwarded.
“company officials confirmed they do turn on such tracking at their own discretion — even for internal Facebook leak investigations”
Oh, I’m sure, that never caused any problems in the past. Just like it never caused problems at other companies like Apple or three-letter agencies like the NSA.
“Well, in my opinion, it kind of does, since it doesn’t notify the user that their messages are being forwarded.”
That’s more than Signal does. This is not a typical feature; I can’t think of an end-to-end encrypted messenger that does do this. If you want to make this argument, all end-to-end-encrypted messengers must be broken because the person who receives the message can then send it to anyone else without your knowledge, or take a photo. It’s trivial.
The thing is that this can be triggered externally. It’s not the user forwarding to another user, it’s the company having a spy feature built in.
Well, it seems like they track the unencrypted metadata and share it with law enforcement. I wouldn’t necessarily consider this breaking end-to-end encryption…
There is a separate issue with the “reporting” feature where the other end can voluntarily send your (decrypted) messages to Facebook for content moderation. I don’t think the article claimed that decrypted messages were being automatically sent…
Hah… trusting Facebook not to put spying devices into WhatsApp was never a good idea. Although, I am partial towards open source programs, for good reasons.