this post was submitted on 30 Apr 2026
755 points (99.0% liked)

A 10-month Commerce Department probe concluded Meta could view all WhatsApp messages in unencrypted form

[–] NaibofTabr@infosec.pub 6 points 1 day ago (2 children)

If this is true:

> If you report the message it then the full text gets sent to WhatsApp.

That means there's a software switch that dumps a plaintext copy of a supposedly encrypted message when flipped.

Therefore, all you need to read any WhatsApp message is the ability to flag the message as "reported", and access to wherever the plaintext copies get sent.

Considering how often security is an afterthought for corporations, the access part is probably easy.

[–] a4ng3l@lemmy.world 13 points 1 day ago (1 children)

The easiest implementation of this is that the recipient of an infringing message flags it from its local client. At that point it’s not encrypted if their claim of e2ee is true.

It also means that only parties involved in the message exchange can flag / report them.

Corporations are often not so monolithic; the guys doing abuse are likely not the ones who try to milk users (looking at you marketing).

[–] WhyJiffie@sh.itjust.works 1 points 1 day ago (1 children)

I don't want to defend whatsapp, but if messages are actually properly end to end encrypted, but one of the recipients (one of the ends) knowingly shares it (e.g. with the report function), that is still end to end encryption.

don't be surprised if signal or matrix implements this. I'm strongly against scanning messages, but if the recipient willfully decides so, they should be able to share a message with moderators. that would be an actual tool against actual pedophiles, and scammers.
but this can only work safely if the client is not sending the decrypted message, because it could modify it, but instead it sends the decryption keys for it. both signal and matrix are regularly rotating the keys, so it wouldn't grant the moderators the ability to read all messages, but it would grant them the ability to see what was actually sent. with that the client should also show how far into the past messages will be revealed to moderators, so they can decide if that's ok for them.
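
The report-by-key idea in the comment above, as an added sketch that is not part of any commenter's post and is not Signal, Matrix or WhatsApp code. The toy HMAC-based cipher, the `Relay` class and all function names are assumptions made for illustration; the relay only ever sees ciphertext and keeps a digest of each blob it carried.

```python
import hashlib, hmac, os

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def ratchet(chain_key: bytes):
    # One key-rotation step: a per-message key plus the next chain key.
    return kdf(chain_key, b"msg"), kdf(chain_key, b"chain")

def _stream(key: bytes, n: int) -> bytes:
    # Toy keystream (illustration only); each message key is used exactly once.
    blocks = (kdf(key, i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(mk: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; the HMAC tag ties this ciphertext to this one key.
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(kdf(mk, b"enc"), len(plaintext))))
    return body + kdf(kdf(mk, b"mac"), body)

def open_sealed(mk: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(kdf(mk, b"mac"), body)):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(kdf(mk, b"enc"), len(body))))

class Relay:
    """Hypothetical server: forwards ciphertext, remembers a digest per message."""
    def __init__(self):
        self.seen = {}
    def forward(self, msg_id: int, blob: bytes) -> bytes:
        self.seen[msg_id] = hashlib.sha256(blob).digest()
        return blob
    def review_report(self, msg_id: int, blob: bytes, mk: bytes):
        # Moderator side: accept only a blob the relay carried, then use the revealed key.
        if not hmac.compare_digest(self.seen.get(msg_id, b""), hashlib.sha256(blob).digest()):
            return None
        return open_sealed(mk, blob)

def demo():
    relay, chain = Relay(), os.urandom(32)
    keys, blobs = [], []
    for i, text in enumerate([b"hello", b"abusive text", b"private note"]):  # constructed
        mk, chain = ratchet(chain)
        keys.append(mk)
        blobs.append(relay.forward(i, seal(mk, text)))
    honest = relay.review_report(1, blobs[1], keys[1])          # what was really sent
    forged = relay.review_report(1, seal(keys[1], b"words never sent"), keys[1])
    other = relay.review_report(2, blobs[2], keys[1])           # key for msg 1 on msg 2
    return honest, forged, other
```

The reported key opens only the message it belongs to, and a reporter who re-encrypts different text under that key is rejected because the blob no longer matches what the relay forwarded.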

[–] a4ng3l@lemmy.world 2 points 1 day ago

Yup we agree on that. This pattern is actually the most sensible approach to support privacy. Whatever happens in transmission.

[–] Rivalarrival@lemmy.today 2 points 1 day ago (1 children)

> That means there’s a software switch that dumps a plaintext copy of a supposedly encrypted message when flipped.

Kinda, sorta, but no, not really. What's happening is that the recipient is decrypting the message. When you report the message, you include a cleartext copy with your report.

The "switch" you are talking about is in the same app that is doing the decryption. For the bad actor to toggle that "switch", they would have to control the app.

[–] Flagstaff@programming.dev 2 points 1 day ago* (last edited 1 day ago) (1 children)

> For the bad actor to toggle that "switch", they would have to control the app.

Are you talking about physical control? Regardless, it's closed-source... There is nothing that says they can't also generate the keys on the other end that they had your devices generate. Outside of open source code that's buildable from source, they can claim whatever they want about lack of access to switches.

[–] Rivalarrival@lemmy.today 1 points 18 hours ago (1 children)

Technically true.

However, doing so would be perpetrating a fraud. If they denied the capability you're talking about in response to a warrant or subpoena, someone would be in contempt.

I don't know if any corpo actually cares about such things, but I know that if you or I were to do this, we'd quickly find ourselves broke and possibly in prison.

[–] Flagstaff@programming.dev 1 points 14 hours ago (1 children)

But my point is that Meta is committing fraud against the public for advertising WhatsApp as E2EE when it's not, as per this entire post...

[–] Rivalarrival@lemmy.today 2 points 11 hours ago (1 children)

There is no indication that they can actually acquire the clear text of an E2EE communication without one of the ends being complicit in the process. There is no evidence of the fraud you refer to.

That doesn't mean they are telling the truth, merely that they haven't been proven to have lied. They could release their source code tomorrow. That code could prove you are correct and they are liars. That code could prove that they are correct, and you were wrong.

We don't have to resort to unfounded claims to justify criticism here. Proving their claims to be unverifiable is more damning than failing to prove they are committing fraud.

[–] Flagstaff@programming.dev 1 points 9 hours ago

Hmm... true, fair! ∆