this post was submitted on 30 Apr 2026
794 points (98.9% liked)

Technology

84891 readers
3142 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
794
A federal agent said WhatsApp's encryption is a lie. Then the investigation was shut down (www.techspot.com)
submitted 3 weeks ago by throws_lemy@reddthat.com to c/technology@lemmy.world
93 comments fedilink hide all child comments
 

A 10-month Commerce Department probe concluded Meta could view all WhatsApp messages in unencrypted form

top 50 comments
sorted by: hot top controversial new old
[–] floofloof@lemmy.ca 192 points 3 weeks ago* (last edited 3 weeks ago) (5 children)

"The claim that WhatsApp can access people's encrypted communications is patently false," Meta spokesperson Andy Stone said. He added that the bureau had already "disavowed this purported investigation, calling its own employee's allegations unsubstantiated."

I can't help but notice that in response to people's concern that Meta may be able to read people's messages, the Meta spokesperson responds that WhatsApp can't read them. A little bit of administrative juggling on Meta's end so that the team with access to the messages doesn't fall within the WhatsApp department, and both claims could be true.

[–] FauxLiving@lemmy.world 60 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

Yeah, there are lots of ways for this to be true but misleading:

The communications are not encrypted if they have the keys.

The encrypted communications are not the people's. By the TOS everything is the property of WhatsApp and they can access their own 'Business Records' perfectly legally.

A third party, like a federal agency, isn't WhatsApp. (WhatsApp can also voluntarily give their 'Business Records' to said agencies without warrant or subpoena.)

Meta isn't WhatsApp.

An internal project with an undisclosed codename isn't WhatsApp.

[–] Valmond@lemmy.dbzer0.com 22 points 3 weeks ago (1 children)

Nitpicking; even if they have the keys, the messages can be encrypted. It's just worthless as they can now decrypt them.

load more comments (1 replies)
[–] trailee@sh.itjust.works 11 points 3 weeks ago (2 children)

My favorite option is that they don’t access the encrypted communications, they access messages before encryption takes place and send copies home for safe keeping. With a closed source client they can do anything they want to the plaintext even if they handle the ciphertext appropriately.

[–] Whostosay@sh.itjust.works 4 points 3 weeks ago

Which end is the encrypted end lmao

[–] FauxLiving@lemmy.world 4 points 3 weeks ago

Yeah, that or either of the ends is compromised by one of the various commercial spyware which offers zero-click installation of their software or the person you're talking to is intentionally recording the messages.

End-to-End encryption only protects you from someone eavesdropping on the communication on the line. It doesn't secure the endpoints or make the participants trustworthy.

[–] IratePirate@feddit.org 32 points 3 weeks ago (3 children)

But Facebook/"Meta" would never lie.

Oopsie! Hang on, they even lie to lawmakers in case buying them off fails? Bummer!

Seriously: this company needs to be scoured from the face of the earth.

load more comments (3 replies)
[–] Lost_My_Mind@lemmy.world 9 points 3 weeks ago (7 children)

C'mon. It's not that hard. You're making the assumption that Andy Stone is telling the truth, with a gotchya astrict.

What if......the big business just......LIES???

[–] illi@piefed.social 12 points 3 weeks ago

The best lies have some kind of truth in them. Half truths are way more effective than complete falsehoods.

[–] victorz@lemmy.world 8 points 3 weeks ago (1 children)

a gotchya astrict

Asterisk? This little fella? *

[–] count_duckula@discuss.tchncs.de 5 points 3 weeks ago

Nah, probably meant the other little fella - Asterix the Gaul.

load more comments (5 replies)
[–] Whostosay@sh.itjust.works 6 points 3 weeks ago* (last edited 3 weeks ago)

Are you telling me that the company that hosts "free" not propaganda services and has been caught repeatedly stealing all possible data including data about women and presumably girls' periods and has been caught in one of the largest data manipulation scandals this century could be betraying my trust with their "vawwy vawwy pwivate and vawwy vawwy encwypted" closed source and again operated by the most sinister motherfuckers of all time messaging app????

I. Am. Shocked.

I'm also looking for a bridge on the cheap if you guys have any leads.

load more comments (1 replies)
[–] codenamekino@lemmy.world 78 points 3 weeks ago (2 children)

I'm just here to satisfy my confirmation bias, but my question all along has been this: how does Meta simultaneously satisfy their claims of both E2EE and content moderation on WhatsApp? I can't say that I've done anything even close to a deep dive on the topic, but those two things seem mutually exclusive.

[–] HereIAm@lemmy.world 26 points 3 weeks ago

I don't particularly know much about this specific topic but, it would be trivial for them to read what's seen in the app. The encrypted part is only during transfer of a message, your app is still decrypting it to plain texts, and meta can just read the message at that point.

[–] baatliwala@lemmy.world 25 points 3 weeks ago (2 children)

You can actually report a message to WhatsApp within the app. If you report the message it then the full text gets sent to WhatsApp.

[–] Rivalarrival@lemmy.today 12 points 3 weeks ago (2 children)

That's a little disingenuous...

  1. You receive an encrypted message.
  2. You decrypt the message.
  3. You report the message.
  4. You forward the decrypted message.

When you send a message, no E2EE scheme can prevent your recipient from forwarding the decrypted message to a third party.

[–] GamingChairModel@lemmy.world 14 points 3 weeks ago

It's really important for people to understand that E2EE cannot protect the message portions that aren't between the ends themselves. The best encryption in the world can't help you if the person you're talking to is an undercover cop, because that "end" can do with the plaintext whatever they want, including record/store/forward the plaintext of any messages they then encrypt and send, or any messages they receive and then decrypt.

That's not a flaw of the E2EE protocol itself, but is a limit to the scope of protection that E2EE provides.

[–] Prathas@lemmy.zip 4 points 3 weeks ago

Well, yeah, you can't control other people. Even if you use a walkie-talkie, they can still record your voice with a device. Ideally you should only be talking about safely publishable content, or with mature-enough individuals. We ultimately must settle for good-enough...

[–] NaibofTabr@infosec.pub 4 points 3 weeks ago (11 children)

So... anyone with access to the report API can read any message they want?

load more comments (11 replies)
[–] GamingChairModel@lemmy.world 76 points 3 weeks ago (1 children)

Here's the original reporting, instead of another website's summary of Bloomberg's actual report:

https://www.bloomberg.com/news/articles/2026-04-28/us-ends-investigation-into-claims-whatsapp-chats-aren-t-private

https://archive.is/sGE3e

So it sounds like the agent was investigating allegations, from content moderation contractors, that Meta could access the contents of WhatsApp messages, and came to the conclusion that yes, Meta could.

There are a few possibilities here.

  1. Meta does have full plain text access to all Whatsapp messages, but guards that access very closely. Although the clients seem to generate E2EE keys for each session, somehow they're leaking those keys to Meta's servers somewhere, and the closed source code sufficiently hides that so that there's no whistleblower or security researcher able to detect this definitively.
  2. Meta has a secret wiretap functionality where they can compromise the E2EE keys somehow, but uses it only for narrow cases. This helps keep the functionality secret, because security researchers and other reviewers may never see the functionality in action.
  3. Meta allows users to report objectionable content in the threads they're already part of. The reporting function either forwards the E2EE key itself, or all the plaintext data, that gives content moderators access to the underlying message contents. The contractor whistleblowers and the federal agent investigating these allegations simply got it wrong, and misunderstood the technical process of how the plaintext messages end up in the content moderator's possession.

Meta claims that it's #3. They acknowledge they have plaintext access to messages when a party to the thread presses the report button.

This unnamed federal agent believes it's #1, after 10 months of investigation, and sent out an email to other investigators that they should look into that possibility.

I'm skeptical of #1, simply because I don't believe that conspiracies to keep that kind of stuff secret can be maintained. It's not just that there would be technically skilled whistleblowers who have actual access to the code (not the non-technical content moderator contractors who review the content), but a weakness in such an important and widely used protocol would attract all sorts of hackers, state sponsored or otherwise.

But option #2 might explain everything we've seen so far. Full wiretap capability that is rarely used and very tightly controlled.

[–] flambonkscious@sh.itjust.works 6 points 3 weeks ago

Thanks for the sane interpretation of the situation!

[–] theunknownmuncher@lemmy.world 58 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

The most important question to ask when evaluating end-to-end encryption: who manages the keys?

If Facebook manages all of the keys and is responsible for telling which public key belongs to who, then of course Facebook can read every message.

[–] lemonhead2@lemmy.world 38 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

oh lol. the trust chain is harder and harder to verify these days. i miss the good old days where I would write emails in vi and encrypt with gpg.

I still write emails with vi. but I lost touch with the one other friend I had who knew how to use gpg 😂😂😂

[–] deegeese@sopuli.xyz 22 points 3 weeks ago (2 children)

There are dozens of us! Dozens!

load more comments (2 replies)
[–] SnotFlickerman@lemmy.blahaj.zone 14 points 3 weeks ago

Cory Doctorow still uses pgp if you email him, I think his key is on his website, IIRC

[–] Eyekaytee@aussie.zone 4 points 3 weeks ago (1 children)

thought it was proper e2e

https://signal.org/blog/whatsapp-complete/

but if whatsapp owns both ends, what is stopping them from just reading the decrypted text? i duno crypto good enough

[–] logi@piefed.world 6 points 3 weeks ago

That, and if WhatsApp has the keys, then no amount of encryption is going to help.

If I remember, the allegation was that they did keep all the keys and many employees could request them to decrypt specific sessions.

[–] cerebralhawks@lemmy.dbzer0.com 35 points 3 weeks ago (2 children)

No. Shit.

People who say Facebook (now Meta) paid $21 billion (with a B) for WhatsApp to be charitable. Even though the original creators have distanced themselves from it after the acquisition.

Fun fact: every forum running phpBB, Invision, or vBulletin (as in, traditional Internet forums) can read your DMs in plaintext. They're unencrypted in the SQL database. However, the forum's Admin Control Panel (ACP) does not provide this functionality. All three have mods that add it in. So imagine you run a forum. You have a hidden forum where only your mods and admins can interact. No one else can even see it. You could have a whole other one that is just all the DMs. I'm not sure about social networks. But I know if you have command-line access to the SQL database, you can query a user and see everything that user has put in the database. Public messages... and private ones. So a lot of the forums started saying "Personal messages" or "Direct messages" instead of "Private messages" because they were never private.

Disbelieve anyone who says they can't see your private or personal messages.

[–] FaygoBoozer@lemmy.world 12 points 3 weeks ago (2 children)

I can confirm this, I used to run several phpbb and (pirated) vbulletin juggalo forums and when I found out this was possible I read everyone's DMs for funzies.

Lotttts of requests for noodz.

[–] a_wild_mimic_appears@lemmy.dbzer0.com 4 points 3 weeks ago

Since you are a self proclaimed professional, what percentage of nude requests were answered positively, and is it as close to zero as I expect?

load more comments (1 replies)
load more comments (1 replies)
[–] thatradomguy@lemmy.world 35 points 3 weeks ago (1 children)

The fact that Trump's own goon uses Signal and not WhatsApp should probably tell you all you need to know about using WhatsApp.

[–] QuandaleDingle@lemmy.world 10 points 3 weeks ago

Yes, not to mention that their security breach on Signal was of their own making. Some moron invited a member of the press to their chat. XD

[–] Treczoks@lemmy.world 31 points 3 weeks ago (12 children)

I never assumed that this presumed "end to end encryption" was secure in any way. The key exchange either runs over Meta servers, and they just log them, or the client software simply surrenders the key (maybe always, maybe on demand) together with the data stream that still runs over Meta servers.

load more comments (12 replies)
[–] cyberduck@aussie.zone 28 points 3 weeks ago

If you can't see the code (closed source) then treat it as they're lying and it isn't end to end encrypted

[–] FlashMobOfOne@lemmy.world 25 points 3 weeks ago* (last edited 3 weeks ago)

Just assume anything you're writing online, on any app, any website, any social media platform... ANYTHING is being tracked now.

We learned from the FBI's disclosure of the Guthrie kidnapping video that every camera and microphone are surveilling you and feeding that data into a government database without a warrant, so why would you think your apps are doing anything different?

[–] CanIFishHere@lemmy.ca 23 points 3 weeks ago

It's decided. No more arms deals on Whatsapp for this guy.

[–] osanna@lemmy.vg 14 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

If you still use faecesbook products, you're an idiot.

[–] zergtoshi@lemmy.world 6 points 3 weeks ago (1 children)

I'm gonna borrow FaecesBook from you - that's hilarious!

[–] osanna@lemmy.vg 4 points 3 weeks ago

my brain automatically makes it faecesbook now. I've been saying it for a decade or more.

load more comments (1 replies)
[–] Tollana1234567@lemmy.today 8 points 3 weeks ago

bold of you to assume meta respect data privacy, they have been all in on datamining for a while aready

[–] zergtoshi@lemmy.world 5 points 3 weeks ago* (last edited 3 weeks ago)

And here I thought the E2EE of Whatsapp was based on the one developed by Signal or at least so they say.
But I guess it's hard to inspect anything, if it's no open source software.
I'm so glad there's SIgnal and a lot of my contacts use it.
Back when it was called Textsecure it was a different story.

load more comments
view more: next ›