crosspost to c/privacy
Hello! This is a FULL writeup tiny writeup (will do better soon).
The quick post writeup before: https://i.postimg.cc/9Q7GBxX5/image.png
#SOURCE
You can apparently report groups and individual contacts to WhatsApp, according to new update 2.20.206.3: https://wabetainfo.com/whatsapp-beta-for-android-2-20-206-3-whats-new/ (Archived: https://archive.is/GeKao)
#EXPLANATION
This reporting feature confirms that a copy of messages of both the sender and receiver can be read by WhatsApp employees, thus affirming a convenient backdoor that can be used by entities.
Now, here, I am not entirely sure if this can be called a traditional backdoor into the encryption itself. What this report feature does is, it creates a plaintext copy of both the sender and receiver’s “most recent” messages and sends it for moderation to WhatsApp team.
The “most recent” wording tells me it can be anywhere from upto 7 days of messages, and not the entire chat history since existence that can just be casually backdoored into.
You can say “ZUCC LIZARD BAD EVIL MEGACORP” as far as E2EE implementation goes in Stallman fashion, however, the earlier case was (and is) that the group chats could be monitored by the “WhatsApp team” and could be subpoenaed as per any legal order. Also, the metadata is clearly grabbed by Facebook, as we know.
This report feature changes that to any stranger either abusing this feature for revenge, or acting as a threat actor honeypot trying to expose you.
#DETAILED SOLUTION IN POINTS
-
The silver lining here is that it is currently a beta only feature, however it has been implemented, and in a month it will be rolled out for all users in stable build in about 30 days from November 4, 2020. So you still have about 10 days from today to decide your OPSEC or if you cannot manage, delete the messenger.
-
Treat WhatsApp as compromised, censored and backdoored platform completely.
-
Talk only essential things if needed, and restrict your contacts via it to only family and trusted friends, NOT strangers.
-
Refuse to talk anything sensitive outside of your most trusted family and close friend circle. This means no trust with strangers, that girlfriend of two years of relationship, anyone acting too friendly or overly helpful.
-
Avoid WhatsApp usage as much as possible, and prefer Signal over it.
#CONCLUSION
Not exactly much has changed. This, according to me, strictly going by facts and legal case studies, is NOT an E2EE backdoor situation. However, the report feature is a way to rat out people who become too friendly too quickly with strangers or potential doxxers.
Making people switch to messengers like Signal is tough game, but better for long run. That said, if you use it carefully, you can still use WhatsApp safely enough, and since majority people have it, you will do yourself a disservice by going back to insecure and unencrypted SMS, practically speaking.
Hmm, honestly, I don’t understand what’s weird about it. Of course if you report a message, it will be sent in plaintext to some moderator which then will have to evaluate the report. How would reports work otherwise? Among all the things that make whatsapp a compromised platform (obfuscated closed source code, constant push to enable google/apple cloud backups, recurring vulnerabilities being discovered every other month, being owned by literally Facebook, metadata being collected and kept at the disposal of Facebook), this seems the least relevant to me. I mean, I didn’t expect their report system to work any differently. I definitely back your suggestion to move to Signal or some other alternative of course!
And why should encrypted messages be moderated?
Metadata is not a concern with family and close friends, which is what one should be using it with only, but THIS creates a different level of consequences.