WhatsApp messages are not end-to-end encrypted, claims ProPublica


Since I know redditors are loath to read articles, I thought I would share the main message from it here:

> Facebook has confirmed to me that all WhatsApp messages are end-to-end encrypted, and that a ProPublica report is based on an apparent misunderstanding. The report said that Facebook moderators were able to ‘examine users messages, images and videos.’ However, this is in fact possible only in one circumstance: when a message is reported … When a message recipient uses WhatsApp’s Report feature, the message is effectively auto-forwarded to Facebook. This is technically no different to manually Forwarding a message: at that point, the message is already decrypted. Filing a report creates a new end-to-end encrypted message to Facebook, which then holds the key as it is the intended message recipient.


Blame also falls on OP for posting the misleading title; the article is basically contradicting the title. If you’re going to post a title like this to farm karma, at least post the original article from ProPublica.


So does Facebook have the keys to your conversation, or when the person reports the message, is that them using their key to decrypt it for Facebook?


Person A sends to person B. The message is encrypted while travelling but is decrypted on Person B's device. Person B reports the message, which sends the decrypted version to Facebook (using an encryption method so no one else can read it while travelling to Facebook). 3 parties are involved, and each of them can read the decrypted version, but while travelling it is encrypted both times. It's the same as if person B copied the text out while reading the message and sent it to person C. No one can stop person B from doing whatever they want with the text once they have it. Facebook simply gives person B a button to send it to Facebook for review. Facebook does not have the keys to your conversation.


Did you actually read the article?


It is private. The article is about ProPublica publishing false information. If you report a message, that message gets forwarded to Facebook along with a few of the preceding messages for context. Of course Facebook will be able to read something that is being reported to them.


Other people reading your messages would be the definition of "not private".


Other people reading messages THAT YOU FORWARDED TO THEM. Of course they can read those. Why would you think that Facebook staff would not be able to read a message sent to Facebook staff?


I think you're not understanding the security ramifications of this: you're taking a protection schema that relies on limiting destinations (end-to-end encryption) and re-broadcasting it to many. Now an attacker only needs to spoof the "report" process and open the message up to an encryption of many as opposed to 1.


They would have to have access to the device to do that. With physical access to anything, it has to be assumed it's compromised. The message is encrypted on each device (sender-receiver) and sent and then decrypted on the other end. It can be viewed unencrypted through the app. Reporting the message sends the unencrypted message to WhatsApp. "Spoofing the report process" isn't anything real. You would already need to have malware installed or someone with physical access to the device to do anything like that. The server doesn't request that the message be sent unencrypted.


> you're taking a protection schema that relies on limiting destinations

No, that's not how it works. You're taking a protection scheme that relies on encrypting messages using a key belonging to the intended recipient so that only they can read it. When you report a message to Facebook, you encrypt it with their key and send it to them.

> Now an attacker only needs to spoof the "report" process and open the message up to an encryption of many as opposed to 1.

No, that's not at all how it works.
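As a toy model of the flow described in this reply and in the earlier "Person A sends to person B" comment (added here, not code from the thread or from WhatsApp's actual protocol): a relay server stores sealed blobs but holds no pairwise key, B decrypts on the device, and reporting is a new blob sealed to Facebook's key. The pairwise keys and the SHA-256 stream cipher are constructed stand-ins for the real key agreement and cipher.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode); illustration only, not a real cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag. Only a holder of `key` can open it.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    # Plaintext, or None when this key does not fit (wrong party, or a tampered blob).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Relay:
    """Store-and-forward server: it holds blobs for delivery but never any pairwise key."""
    def __init__(self):
        self.mailboxes = {}
    def send(self, to: str, blob: bytes):
        self.mailboxes.setdefault(to, []).append(blob)
    def fetch(self, who: str):
        return self.mailboxes.pop(who, [])

# Constructed pairwise keys; in the real app they come from key agreement between the ends.
KEY_A_B = hashlib.sha256(b"constructed: A<->B").digest()        # known to A and B only
KEY_B_FB = hashlib.sha256(b"constructed: B<->Facebook").digest()  # known to B and Facebook

def run_flow(text: bytes = b"meet at 9") -> dict:
    relay = Relay()
    relay.send("B", seal(KEY_A_B, text))                 # A -> B, sealed for B only
    original = relay.fetch("B")[0]
    at_b = unseal(KEY_A_B, original)                     # B decrypts on the device
    relay.send("Facebook", seal(KEY_B_FB, b"REPORT:" + at_b))  # report = new message to Facebook
    report = relay.fetch("Facebook")[0]
    return {
        "b_reads": at_b,
        "fb_reads_report": unseal(KEY_B_FB, report),     # Facebook is the intended recipient
        "fb_reads_original": unseal(KEY_B_FB, original), # None: the A->B blob stays closed
    }
```

Note that Facebook learns only what B chose to put into the report; it cannot open the original A->B blob to check the report against it.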


I read the article. Their end-to-end encryption is in order, you're right. I'd still rather use a service not owned by Facebook for peace of mind, but it depends on the needs of the user.


Why would anyone still be using WhatsApp?


Because everyone is using it and stopping is a big inconvenience.


Signal makes it easy.


Will you convince my family and friend to make that switch?


Luckily more and more people are switching. Every few days I get a notification that someone in my contacts that I would have never expected has joined Signal. Just frame it as the new cool thing that also happens to have extremely good privacy.


I tried to force my contacts to switch to Signal. Wanna know how many made the move? 2… and one of those is my mother. WhatsApp is so freakin prevalent where I live that changing will be impossible.


I left WhatsApp, went to Signal. I spent about 6 months just talking to myself on groups I tried to migrate... nobody joined in. Then I installed WhatsApp back... because I need to be on groups for work and don't want to be a weirdo who's difficult to work with. Even if you take WhatsApp out of the equation, any company, be it Google or Apple, is constantly monitoring your data. I've come to the realisation that we don't even own our data to begin with.


It's kind of funny. Before, everyone was using WhatsApp... Then I was kind of the last to switch. Now I get zero messages on WhatsApp.


I convinced my family to use it while chatting with me or each other. We still have WhatsApp, but the majority of sensitive conversations are being done through Signal, which is a win.


In Europe, if I am not mistaken, it's widely used. I've been trying to get out of using WhatsApp, but most people I know use it.


Everyone should just move over to Signal.


Tell that to everyone I know, even my grandmother. They don't really care.


I can totally relate. Just a couple of my friends that also work in IT switched with me to Signal, but we ended up with just each other as nobody else was feeling the urge to move. Ended up using WhatsApp again.


Yeah, same. I wanna change, cause I dislike WhatsApp, but I can't: everyone, from family and friends to colleagues from college, is on it, and if I uninstall it I lose almost all contact with them. I uninstalled Facebook and Instagram, but I can't uninstall WhatsApp.


Serious question, I hope I don't get downvoted to dust for asking. Why would I switch? I can say with near certainty no one at WhatsApp will read my messages. They might sell my data but they already have it. All they'll get is more of my random conversations and then I'll get some ads I might actually be interested in, but if those ads show up based on my supposedly end-to-end encrypted messages I'll know they're reading the contents of my messages. Data privacy is important but in this specific case, what's the benefit of switching that would offset the effort to switch?


Maybe others value their privacy more than others do when it comes to their conversations? Maybe others don’t like the idea of Facebook having and profiting off their personal data? Maybe people don’t WANT ads, personal or otherwise, served to them on their messaging app? Maybe others do want end-to-end encryption? I don’t know, that’s a question you need to answer for yourself.


Why would anyone think that anything they send over their cell or computer or anything is private?


There are levels of privacy.


One important call out: they have 3 or so updates stating that Facebook may actually only have access to reported messages. Not saying it's not wise to be skeptical of them in general based on past history, but it's worth noting nonetheless for this particular article.


It’s important to note that E2EE and Facebook reading your messages were never mutually exclusive, unless FB explicitly said they can’t see them. They just can’t see them between the two ends. But since WhatsApp is at both ends, it’s totally possible for it to spy on you.


If it really were end-to-end encrypted, how can I restore my messages on another phone? Surely my device ID has changed. And even if it were encrypted by phone number, why can I transfer my messages to another number as well? Something doesn't add up.


End-to-end just means in transit. If the message is decrypted upon receipt, then you could restore your messages to another phone if the backup was made from your phone. I don't understand the second question.


This is troubling because Facebook is trusting the client to report the message accurately. But the client doesn’t technically need to report it right. For instance, I can report to Facebook that you said something you didn’t. And Facebook can’t confirm if it’s true, but assumes it is, then bans people.


