
Belgium Arrests Two in Probe Over Returning Syria Fighter - Errorcod3
http://www.bloomberg.com/news/articles/2015-06-08/belgium-arrests-16-in-terror-raid-triggered-by-whatsapp-messages
======
late2part
It's called "Consumer Marketing of Encryption."

Almost certainly Whatsapp is doing consumer to server encryption, but not end
to end. If this is true, then Whatsapp holds or can decrypt the internal
storage or transfer of messages.

Alternatively, there is a likelihood that the encryption keys are escrowed or
trivially encrypted.

This is what we're seeing in the consolidating web giant world. Words don't
match technical expectations, but they meet the letter of the law. We see/saw
the same thing with privacy.

------
nly
As much as I like and respect Moxie, I think it's a huge personal risk for him
to associate himself with Facebook (WhatsApp)[0].

That said, come on... there's no user exposed key management in Whatsapp, or
secure means to perform a handshake with your contacts. Even if they've really
rolled out Moxie's crypto protocol on Android, like they claim (go look at the
source and verify... oh, wait), on _features alone_ you can't trust it... you
just can't create a secure channel unless you're in control of the keys.

And on terrorists using Whatsapp... well, Whatsapp accounts are tied to your
cell phone #. The authorities can work with WhatsApp to piece together who
messaged who, and when, and where you both physically were at the time. This
is enough to bust terrorists. Deploying E-to-E crypto was never about
_anonymity_.

[0]
[https://whispersystems.org/blog/whatsapp/](https://whispersystems.org/blog/whatsapp/)

------
mapgrep
"In its initial phase, though, Whatsapp’s messaging encryption is limited to
Android, and doesn’t yet apply to group messages, photos or video messages."
[http://www.wired.com/2014/11/whatsapp-encrypted-messaging/](http://www.wired.com/2014/11/whatsapp-encrypted-messaging/)

------
phreeza
Seems very unwise of them to disclose this capability, if it exists. Might be
a red herring? Or maybe an accidental disclosure due to Belgian/US
miscommunication.

~~~
briandear
From an intelligence perspective this was profoundly dumb to reveal. This is
the heart of what protecting sources and methods is all about. However, it
really should go without saying that one should operate in the assumption that
all digital communications are compromised, at least commercial services.

------
kbart
I find it funny that somebody could be really so naive to expect privacy from
WhatsApp after it got acquired by Facebook. Especially after we've had similar
lessons with Skype + Microsoft.

------
speculation
[https://www.schneier.com/blog/archives/2015/06/us_identifies...](https://www.schneier.com/blog/archives/2015/06/us_identifies_a.html)

In the comments on this unrelated story of identifying a terrorist people
argued that it's possible the story is deliberate misinformation, it could
also be the case here.

~~~
late2part
To what end? To encourage Terrorists to use another mechanism, almost
certainly better vetted?

------
sehugg
FWIW this is an article with a headline closer to the original, though with no
additional information:

[http://www.businessinsider.com/whatsapp-may-have-gotten-16-a...](http://www.businessinsider.com/whatsapp-may-have-gotten-16-alleged-terrorists-busted-2015-6)

------
comrade1
Of course this turns into a debate about the article title on HN...

------
dogma1138
As many have pointed out, WhatsApp's E2EE isn't deployed on all platforms and
messaging services.

Furthermore, they only rolled it out about 6 months ago; there's a good
chance that the information which led to this case was collected before the
E2E encryption was rolled out.

------
caminante
Though, does this mean that the encryption was compromised?

~~~
jhallenworld
Even with encryption they can probably track who you're communicating with.

Perhaps they pushed an insecure version on the suspects.

------
simonvc
Even if you do use an app that always uses crypto end to end (e.g.
Signal/TextSecure)

[https://whispersystems.org/blog/signal/](https://whispersystems.org/blog/signal/)

There's no guarantee that Apple/Google/Microsoft haven't been ordered to
install a backdoored version.

tl;dr RMS was right

~~~
dogma1138
It's by far easier to force MSFT, Google or Apple to backdoor the device
rather than an individual app. Especially since at least on Android devices
you can always pull the APK you got from the store apart and see if it's being
messed with.

------
dsjoerg
Maybe you missed this — when end-to-end encryption was launched, they
mentioned that they did not yet encrypt iOS, nor group chat.

[https://whispersystems.org/blog/whatsapp/](https://whispersystems.org/blog/whatsapp/)

Did they make a subsequent announcement that they were encrypting those?

~~~
higherpurpose
Who's they? Because Whatsapp has never said it uses end to end encryption -
_anywhere_.

Also, I guess it _is_ possible that the so-called terrorists used iPhones, but
I think there's a higher chance they used Android phones. Of course we don't
know exactly, but either way you shouldn't have assumed Whatsapp uses
end-to-end encryption even before this.

So those who thought Whatsapp was "safe", treat this as yet _another_ warning
sign that you shouldn't be using it for private conversations.

Those who were already paranoid about it, you probably weren't using it
already for that, so this changes nothing.

~~~
toong
Why do you think it's more likely they used Android phones?

As of May 2015, iOS has 53.5% of the mobile market and Android 41.7% (in Belgium).
Source: [http://howwebrowse.be/](http://howwebrowse.be/)

~~~
Light2Yellow
I want to add that not only is the price crucial but also a bit of security.
Using a closed OS with the belief you're not being tracked? Well, they are not
so stupid. The best choice for such things is a Chinese no-name smartphone on
Android or just an old Nokia on Symbian^3 or 9.4.

------
solarexplorer
AFAIK end-to-end encryption can only be used with Android clients.

[http://www.heise.de/ct/artikel/Keeping-Tabs-on-WhatsApp-s-En...](http://www.heise.de/ct/artikel/Keeping-Tabs-on-WhatsApp-s-Encryption-2630361.html)

tl;dr end-to-end encryption in WhatsApp is not really useful (yet)

~~~
zeeed
which, if you rely on it, defeats at least one "end" in "end-to-end" if you
don't know what device your peer is using. So much for end-to-end encryption
in Whatsapp...

~~~
morganvachon
That's exactly what I was thinking. If WhatsApp was an Android-only app, it
_might_ be able to claim end-to-end security. Even then a quirk in a certain
version of Android on one end, or even a hardware quirk with a certain model
phone, could impact security.

Of course if you want the most secure communication possible with someone, you
won't use a smartphone in the first place. There isn't a cellphone on the
planet that's 100% secure from eavesdropping.

~~~
Cederfjard
>If WhatsApp was an Android-only app, it _might_ be able to claim end-to-end
security.

Have they made this claim though, or stated it as a goal?

~~~
morganvachon
They did a while back:

[http://www.wired.com/2014/11/whatsapp-encrypted-messaging/](http://www.wired.com/2014/11/whatsapp-encrypted-messaging/)

------
tptacek
You're not supposed to do this with story titles.

The correct title for this story would be "Belgium Arrests Two in Probe Over
Returning Syria Fighter".

~~~
morganvachon
I think in this particular case the story title applies. The part of the story
that is interesting/important to HN users is about WhatsApp's compromised
encryption, not so much the arrest and charges. Perhaps a nod to the article's
title would be better though; something like "Suspects Arrested in Probe Based
On WhatsApp Eavesdropping". That covers both aspects of the story.

~~~
tptacek
[https://hn.algolia.com/?query=author:dang%20editorialize&sor...](https://hn.algolia.com/?query=author:dang%20editorialize&sort=byPopularity&prefix&page=0&dateRange=all&type=comment)

~~~
morganvachon
Noted, and if that's the site's rules, so be it. I certainly wouldn't have
bothered with the article or the discussion if the HN headline had been the
same as the article headline, though.

~~~
sarciszewski
Caveat: It's a guideline, not a rule.

