Hello! This is a FULL writeup, replacing the earlier tiny writeup (will do better soon).

The quick writeup from before: https://i.postimg.cc/9Q7GBxX5/image.png

# SOURCE

You can apparently report groups and individual contacts to WhatsApp, according to the new update 2.20.206.3: https://wabetainfo.com/whatsapp-beta-for-android-2-20-206-3-whats-new/ (Archived: https://archive.is/GeKao)

# EXPLANATION

This reporting feature confirms that a copy of messages from both the sender and receiver can be read by WhatsApp employees, thus affirming a convenient backdoor that can be used by entities.

Now, here, I am not entirely sure if this can be called a traditional backdoor into the encryption itself. What this report feature does is create a plaintext copy of both the sender’s and receiver’s “most recent” messages and send it for moderation to the WhatsApp team.

The “most recent” wording tells me it can be anywhere up to 7 days of messages, and not the entire chat history since existence that can just be casually backdoored into.

You can say “ZUCC LIZARD BAD EVIL MEGACORP” as far as E2EE implementation goes, in Stallman fashion; however, the earlier case was (and is) that the group chats could be monitored by the “WhatsApp team” and could be subpoenaed as per any legal order. Also, the metadata is clearly grabbed by Facebook, as we know.

This report feature changes that to any stranger either abusing this feature for revenge, or acting as a threat actor honeypot trying to expose you.

# DETAILED SOLUTION IN POINTS

  • The silver lining here is that it is currently a beta-only feature; however, it has been implemented, and it will be rolled out to all users in the stable build in about 30 days from November 4, 2020. So you still have about 10 days from today to decide on your OPSEC or, if you cannot manage that, delete the messenger.

  • Treat WhatsApp as a completely compromised, censored and backdoored platform.

  • Talk only about essential things if needed, and restrict your contacts on it to only family and trusted friends, NOT strangers.

  • Refuse to talk about anything sensitive outside of your most trusted family and close friend circle. This means no trust in strangers, that girlfriend of two years, or anyone acting too friendly or overly helpful.

  • Avoid WhatsApp usage as much as possible, and prefer Signal over it.

# CONCLUSION

Not exactly much has changed. This, according to me, strictly going by facts and legal case studies, is NOT an E2EE backdoor situation. However, the report feature is a way to rat out people who become too friendly too quickly with strangers or potential doxxers.

Making people switch to messengers like Signal is a tough game, but better in the long run. That said, if you use it carefully, you can still use WhatsApp safely enough, and since the majority of people have it, you will do yourself a disservice by going back to insecure and unencrypted SMS, practically speaking.

The fact that WhatsApp is owned by Facebook should really be all the information anyone needs.

@TheAnonymouseJoker · mod · creator · 05M

That could be called a conspiracy and was debatable.

Now, we have proof of what is possible.

Facebook has been spying on users demonstrably for its entire existence. It was never a conspiracy theory and it was never up for debate.

@TheAnonymouseJoker · mod · creator · 1 · edit-2 · 5M

I disagree. It was up for debate whether WhatsApp E2EE was unbreakable on demand, and the only legal subpoena cases ever processed were against group chat message requests, not one-to-one DMs.

You can scream all you want without academic rigour, but at the end of the day, if proof does not exist, you are shouting into your echo chamber.

Attitude like yours is exactly why the privacy community is treated by ordinary people as a bunch of conspiracy nutjobs.

Dessalines · cake · admin · 25M

These are closed source applications and services though; proof can only be revealed by whistleblowers and leakers (as was the case when Snowden revealed that FB was sharing all user data with the NSA since 2013).

@TheAnonymouseJoker · mod · creator · 25M

I still think having facts is something we should value. Academic rigour must be held onto as much as possible.

> Attitude like yours is exactly why the privacy community is treated by ordinary people as a bunch of conspiracy nutjobs.

Your attitude is much more likely to be the cause of such treatment for other people. You are the one putting in bold that

> This is an EMERGENCY

while your premise is clearly false.

From the website you linked:

> WhatsApp never receives your messages without your permissions. If you decide to report a contact, you agree to forward a copy to WhatsApp of the recent messages from that chat.

Nothing seems to suggest that the E2E is broken here.

@TheAnonymouseJoker · mod · creator · 15M

Have a look, I updated the writeup to full version now, with full explanation.

> WhatsApp never receives your messages without your permissions. If you decide to report a contact, you agree to forward a copy to WhatsApp of the recent messages from that chat.

This doesn’t change anything. This is not the definition of a backdoor. It would be a backdoor if somehow WhatsApp had the ability to trigger reports remotely, but this is no different from the person you are contacting taking a screenshot of your message and sending it to WhatsApp.

@TheAnonymouseJoker · mod · creator · 25M

Did you read the updated version above? Or did you just want to downvote and not listen to others?

> Treat WhatsApp as compromised, censored and backdoored platform completely.

That’s from the updated version.

Please stop being so aggressive. This is making discussion insufferable for the both of us.

@TheAnonymouseJoker · mod · creator · 25M

Are you doing this on purpose? You picked one bullet point contrary to your opinion (NOT provable FACT) and are humming about it.

I find this worrisome. While I only use the app to talk to two people I can totally imagine people using this for revenge and general trolling.

Also, where I live, France, there are a few laws regarding privacy that do cover digital communication, so lots of people use WhatsApp to talk about things that should be private. They assume that what they say is OTR. Even if permissions need to be given before the report is submitted, it is still something that should be highlighted.

Thanks for the warning!

@TheAnonymouseJoker · mod · creator · 25M

I updated it to full detailed version, give it a read again.

Dreeg Ocedam · 2 · edit-2 · 5M

Since the reports require an action from the person doing the report, it is quite likely that the client just sends the messages it decrypted, and that the E2E of chats is not compromised.

Edit: the website you linked to even says so:

> WhatsApp never receives your messages without your permissions. If you decide to report a contact, you agree to forward a copy to WhatsApp of the recent messages from that chat.
