WhatsApp can access virtually all of it 3 billion users’ purportedly ‘private’ communications,” according to a lawsuit filed against Meta.

@newsguyusa

I would have been surprised if they hadn't done it. No company that wants to survive can afford to have any scruples.

@newsguyusa
"They gave us their private keys so there can be no expectation..."

@draken @newsguyusa Do you have something you can point to confirm that claim?

@starluna @newsguyusa
It's literally in the text of the suit.

@newsguyusa Not a suprise, the user's private key is stored in the cloud.

@newsguyusa #degafam

@draken @newsguyusa I think you need to reread the text. There are references to NSO group as part of the rationale underlying the risks for the plaintiffs. There's nothing in the text of the documents that state the NSO group is funding this lawsuit.

@newsguyusa it's been year we know their "autoroccrect" feature send back data.

So it's been year we know they broke their E2EE

@newsguyusa I am SHOCKED

@newsguyusa wasn't there the story of the local TCP port that whatsapp was opening on the mobile, and to which javascript was connecting to. This way they could track what websites users were visiting.

@newsguyusa

One of the most disturbing things about this is that so many governments, political parties and public bodies use Whatsapp to communicate at the highest level, including ministers, heads of government etc.

Why aren't they using something properly secure, considering the high stakes?

@newsguyusa To the surprise of no one who was aware of it being a Meta product.

@newsguyusa the lawsuit provides seemingly no evidence to support this

https://techhub.social/@alextecplayz/115971857366040544

quick correction, as I'm reading into it more: Techlore may have been wrong about the connection between the law firms representing the Plaintiffs and NSO Group, I can't find any information on that

but the brief on the lawsuit is that they claim that through their "courageous whistleblowers" they allege that Meta workers send a request to an engineer and without scrutiny in most cases, will just grant the worker access to the data for that user.

This is somewhat demonstrably false as WA web has been reverse-engineered twice, once via a presentation at Black Hat US 2019 (https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-Reverse-Engineering-WhatsApp-Encryption-For-Chat-Manipulation-And-More.pdf) and for a university project (https://www.ir.juit.ac.in:8080/jspui/bitstream/123456789/7764/1/Whatsapp%20Web%20Reverse%20Engineering.pdf) to show that it's E2EE and using the Signal protocol.

they also try to represent all WA users globally except WA users in the US, Canada, EU, UK lmfao

@newsguyusa

Watched a doco a decade or so ago in which they approached Zuck in the street with a camcorder to ask him Qs. Zuck said "Ok,but please stop recording." They said, "Ok, we've stopped".

They then narrated "But we kept recording, because that's what he does."

@newsguyusa
"WhatsApp and [...] Meta, store, analyze, and can access virtually all of WhatsApp users’ purportedly “private” communications. [...]

Meta and WhatsApp store, maintain access to, and use WhatsApp’s three billion users’ “encrypted” messages. This lawsuit seeks to expose the fundamental privacy violations and fraud Meta is perpetrating against the billions of people."

@Sibshops WhatsApp is E2EE, uses the Signal protocol, and the user's private key is not stored in the cloud, as per their 2016 whitepaper.

https://www.bitsoffreedom.nl/wp-content/uploads/WhatsApp-Security-Whitepaper.pdf

Page 4: "At registration time, a WhatsApp client transmits its public Identity
Key, public Signed Pre Key (with its signature), and a batch of public
One-Time Pre Keys to the server The WhatsApp server stores these
public keys associated with the user’s identifier. At no time does the
WhatsApp server have access to any of the client’s private keys."

Page 8: "3 No client authentication secrets are stored on the server Clients
authenticate themselves using a Curve25519 key pair, so the server
only stores a client’s public authentication key. If the server’s user
database is ever compromised, no private authentication credentials
will be revealed"

Page 9: "WhatsApp servers do not have access to the private keys of
WhatsApp users, and WhatsApp users have the option to verify
keys in order to ensure the integrity of their communication."

@alextecplayz @Sibshops

But unless and until the source code of the client app is made public, we only have the vendor's word for any of that.

@only_ohm @Sibshops this is true, WA is closed-source, but reverse-engineering has shown that it is using the Signal protocol.

There's a 2019 black hat slide presentation from Check Point that reverse-engineered the encryption: https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-Reverse-Engineering-WhatsApp-Encryption-For-Chat-Manipulation-And-More.pdf

and a 2019 project from a university in India that also reverse-engineered whatsappp web and its E2EE to create some 'AI' chatbots using the Business API: http://www.ir.juit.ac.in:8080/jspui/handle/123456789/7764

Either way, I'd believe Meta and these technical findings over these hacks that allege this "through the assistance of courageous whistleblowers" and no other evidence.

Upon further checking, there's no ties between the law firms representing the Plaintiffs of this lawsuit and NSO group. The supposed connection between the firms and NSO was based off the recent Techlore video on the subject.

@alextecplayz @newsguyusa

Love digging thru 'WhatsApp bad ' to find this comment. Took 2 minutes reading the brief to see there's no teeth in the argument. It's like they skipped that part.

1 Define End2End Encryption
2 Explain OWS helped impl. Signal protocol
3 Unencrypted metadata note
4 Signal's source is public, not WhatsApps
5 WhatsApps claim they have no access to users’ chats: false. As whistleblowers explained(?), they store & have ∞ access to encrypted comms

Where'd that come from?

@FediThing @newsguyusa OK, but WhatsApp uses Signal protocol, and if you enable e2e you should be secure. As I understand in this lawsuit there is not description of mechanism, above this that somehow Meta implemented Signal protocol in such way that they are able to break encryption. Maybe it is something like back channel to device where keys ma be requested?