And if so, why exactly? It says it’s end-to-end encrypted. The metadata isn’t. But what is metadata and is it bad that it’s not? Are there any other problematic things?

I think I have a few answers for these questions, but I was wondering if anyone else has good answers/explanations/links to share where I can inform myself more.

  • ɐɥO@lemmy.ohaa.xyz
    55·
    1 year ago

    It says it’s end-to-end encrypted.

    Whatsapp is closed source and made by a advertising company. Wouldnt really count on that

    Edit: Formatting

    • folkrav@lemmy.world
      111·
      1 year ago

      Saying they do E2EE but not doing it would be a literal massive scale fraud. Can’t say I put Meta past those behaviors to be fair though lol

      But as the other guy said, metadata is already a lot.

      • BitSound@lemmy.world
        101·
        1 year ago

        They would just say that they have a different definition of E2EE, or quietly opt you out of it and bury something in their terms of service that says you agree to that. You might even win in court, but that will be a wrist slap years later if at all.

    • meseek #2982@lemmy.ca
      81·
      1 year ago

      “We just capture what you wrote and to whom before it gets encrypted and sent; we see nothing wrong with that” —Mark Zuckerberg, probably

    • miss_brainfart@lemmy.ml
      6·
      1 year ago

      They don’t really need the actual contents of your messages if they have the associated metadata, since it is not encrypted, and provides them with plenty of information.

      So idk, I honestly don’t see why I shouldn’t believe them. Don’t get me wrong though, I fully support the scepticism.

      • bouh@lemmy.world
        2·
        1 year ago

        All they need is the encryption key for the message, and it’s not the message itself.

  • amanneedsamaid@sopuli.xyzEnglish
    231·
    1 year ago

    Metadata is all the content of a message besides the actual text content of the message (i.e. what you type). Examples would be the date and time it is sent, what users these messages were sent to / from, and the IP addresses of both parties. (The availability of metadata varies from messenger to messenger).

    I like this example: If you only text your Aunt Sally, who lives in Alaska, twice per year to wish her a happy birthday and Christmas, just by looking at the metadata someone could infer the meaning of your messages, as well as your relationship to the person you’re messaging. To a point this is true about any messages you sent.

    As for Whatsapp specifically, it being end-to-end doesn’t really matter imo, as the application is not open source and is owned by an advertising / social media company. As long as the code is closed source, you cannot be sure:

    1. That your messages are encrypted at all
    2. That your encryption keys are kept on-device, and not plainly available to a centralized party
    3. That the encryption the application is using is securely implemented

    At least for applications handling truly sensitive information (for the average person only their messenger and browser), you should be using open source software. The easiest recommendations I can make are:

    1. Browsers: Firefox, Thorium, Brave
    2. Messengers: Signal, SimpleX Chat, XMPP

    Anyways, I hope this was a satisfactory answer.

    • BraveSirZaphod@kbin.social
      2·
      1 year ago

      That your messages are encrypted at all
      That your encryption keys are kept on-device, and not plainly available to a centralized party
      That the encryption the application is using is securely implemented

      This is true, but something that should be noted is that, to my knowledge, no law enforcement agency has ever receive the supposedly encrypted content of WhatsApp messages. Facebook Messenger messages are not E2E encrypted by default, and there have been several stories about Facebook being served a warrant for message content and providing it. This has, as I understand, not occurred for WhatsApp messages. It is possible, of course, that they do have some kind of access and only provide it to very high-level intelligence agencies, but there’s no direct evidence of that.

      I would personally say that it’s more likely than not that WhatsApp message content is legitimately private, but I’d also agree that you should use something like Signal if you’re genuinely concerned about this.

      • bouh@lemmy.world
        1·
        1 year ago

        They would better hide those evidences as best as they can, or they would lose a useful source of informations.

        That’s the whole game of intelligence: to be a step ahead of the opponent, it must believe its safe so you can steal useful informations. As soon as the breach is discovered, it ceases to be useful.

        • BraveSirZaphod@kbin.social
          1·
          1 year ago

          Sure. My point is that, as far as I believe anyone is currently aware, there is no evidence that any law enforcement agency has ever accessed the content of encrypted WhatsApp messages. That does not mean that it has never happened either, but anyone positively claiming so is doing it without actual evidence, which is something we should probably avoid doing.

    • whale@lemm.ee
      1·
      1 year ago

      Metadata includes:

      1. Who
      2. When
      3. Where
      4. More?

      For example, if we look at Whatsapp:

      1. We know the sender and recipient(s) by phone number
      2. Time and date of every message and how frequently
      3. IP address (relative location)
      4. Every phone number is probably tied to a Facebook identity, which includes online and/or offline information about you and all your friends

      And that’s just if we take Facebook at its word

  • majestictechie@lemmy.fosshost.comEnglish
    14·
    1 year ago

    While the messages itself are encrypted, the WhatsApp App itself can still collect data from you from the Device your using it on:

    • Phone number
    • operating system
    • associated contacts Etc.

    And given this is a Meta owned company, we can probably assume they profile you from that.

  • bouh@lemmy.world
    6·
    1 year ago

    It might be E2EE but it’s not encrypted on your phone and it’s closed source. How do you know they don’t send the conversation data to their company? How do you know they don’t get the encryption keys to decipher the messages for them?

    • Lojcs@lemm.ee
      3·
      1 year ago

      Care to elaborate? You can’t just imply asymmetric encryption can be decrypted by 3rd parties and not explain how.

      Also I don’t know how exactly signal works but I know that you don’t need to share secrets externally to message someone, so how are they exchanging the symmetric keys without using asymmetric encryption to boot?

        • Lojcs@lemm.ee
          2·
          1 year ago

          That doesn’t explain why asymmetric encryption is insecure? In fact signal seems to be using two pairs of asymmetric keys to generate its symmetric secret, so it would also be prone to attack if asymmetric encryption was a flawed system.

      • American_Jesus@lemm.ee
        1·
        1 year ago

        That means if they want to see your messages they do it anytime, not only when someone report it.

        If a government want access to the messages they can access.

        • American_Jesus@lemm.ee
          1·
          1 year ago

          Unlike other messaging apps, they have access to encryption keys, when you change devices you only need to fill the phone number and all of your messages are available.

          On other apps like Signal or matrix, you need to backup or export your keys to other devices, otherwise you can access previous messages.

          It’s like you own an apartment and the doorman have keys to all apartments, if you lose the key the doorman can give you a copy, but also have access to your apartment when it pleases.

  • ReversalHatchery@beehaw.org
    1·
    1 year ago

    It says it’s end-to-end encrypted. The metadata isn’t. But what is metadata and is it bad that it’s not?

    It’s not just that. Their app can easily have tracking components that look for the list of installed apps, how often you charge your phone, how often are you on a WiFi network, etc.

    Also, the app and any tracking component it has can also freely communicate on the wifi network. That doesn’t only mean the internet, but the local, home network too, where they can find out (by MAC address, opened ports and response of the corresponding programs) what kind of devices you have, when do you have them powered on, what software you use on it (like do you use any bittorrent client? syncthing? kde connect? lots of other examples?), and if let’s say your smart tv publishes your private info on the network, it does not matter that you have blocked LG (just an example) domains in your local dns server, because facebook’s apps can just relay it through your phone and then their own servers.

    If the app’s code has been obfuscated, exodus privacy and others won’t be able to detect the tracking components in it.

  • cheese_greater@lemmy.worldEnglish
    32·
    1 year ago

    Whats the deal with IP address and Whatsapp? Like use a VPN ofc but still interested in what is known/felt about this matter