crosspost to c/privacy
Hello! This is a FULL writeup (will do better soon).
The quick writeup posted before: https://i.postimg.cc/9Q7GBxX5/image.png
# SOURCE
You can apparently report groups and individual contacts to WhatsApp, according to the new update 2.20.206.3: https://wabetainfo.com/whatsapp-beta-for-android-2-20-206-3-whats-new/ (Archived: https://archive.is/GeKao)
# EXPLANATION
This reporting feature confirms that a copy of the messages of both the sender and receiver can be read by WhatsApp employees, thus affirming a convenient backdoor that can be used by entities.
Now, here, I am not entirely sure if this can be called a traditional backdoor into the encryption itself. What this report feature does is create a plaintext copy of both the sender and receiver's "most recent" messages and send it for moderation to the WhatsApp team.
The "most recent" wording tells me it can be anywhere from up to 7 days of messages, and not the entire chat history since existence that can just be casually backdoored into.
You can say “ZUCC LIZARD BAD EVIL MEGACORP” as far as E2EE implementation goes in Stallman fashion, however, the earlier case was (and is) that the group chats could be monitored by the “WhatsApp team” and could be subpoenaed as per any legal order. Also, the metadata is clearly grabbed by Facebook, as we know.
This report feature changes that to any stranger either abusing this feature for revenge, or acting as a threat actor honeypot trying to expose you.
# DETAILED SOLUTION IN POINTS
- The silver lining here is that it is currently a beta-only feature; however, it has been implemented, and it will be rolled out to all users in the stable build in about 30 days from November 4, 2020. So you still have about 10 days from today to decide your OPSEC or, if you cannot manage, delete the messenger.
- Treat WhatsApp as a completely compromised, censored and backdoored platform.
- Talk only about essential things if needed, and restrict your contacts on it to only family and trusted friends, NOT strangers.
- Refuse to talk about anything sensitive outside of your most trusted family and close friend circle. This means no trust with strangers, that girlfriend of a two-year relationship, anyone acting too friendly or overly helpful.
- Avoid WhatsApp usage as much as possible, and prefer Signal over it.
# CONCLUSION
Not exactly much has changed. This, according to me, strictly going by facts and legal case studies, is NOT an E2EE backdoor situation. However, the report feature is a way to rat out people who become too friendly too quickly with strangers or potential doxxers.
Making people switch to messengers like Signal is a tough game, but better in the long run. That said, if you use it carefully, you can still use WhatsApp safely enough, and since the majority of people have it, you will do yourself a disservice by going back to insecure and unencrypted SMS, practically speaking.
And why should encrypted messages be moderated?
Metadata is not a concern with family and close friends, which is all one should be using it with, but THIS creates a different level of consequences.
Unfortunately this is the real world and WhatsApp is used by two billion people for all kinds of stuff: work chats, meme chats, business-to-client chats, local chats, news chats, even public chats whose invite links are posted on Instagram pages and Facebook groups. Of course the app being very popular and, in some countries, almost impossible to leave behind ("how could I ever stop using WhatsApp? I have all my contacts and chats there!") makes a very fertile environment for spammers, scammers, stalkers, and all this kind of people WhatsApp doesn't want on its platform. Because they are annoying and dangerous for tech-illiterate people and boomers. So yeah, at the end of the day, in a platform that is already compromised at its roots, moderation has a reason to exist even if the chat app is encrypted, because it helps to flag actually annoying or dangerous accounts, and of course it helps big corps to keep their image clean - they don't want to be associated with spam or other shady stuff.
Also: assuming even the dumbest of users would come to the conclusion that if you use a red button labeled "report", the message is going to be examined by some platform moderator to judge whether it is legitimate or not, why would you be so scared of a scenario where your chat partners have the ability to willingly send your plaintext messages to WhatsApp/Facebook? If this is a possibility, isn't your chat with this person compromised already in the first place? As they can willingly do whatever they want with the unencrypted content they receive anyway.
I updated the writeup, give it a read.