
Jan Koum: “I couldn't agree more with everything [Apple] said” - envy2
https://www.facebook.com/jan.koum/posts/10153907267490011/?
======
gry
Jan Koum is a WhatsApp co-founder. WhatsApp is notable, I think, in this
debate specifically because WhatsApp partnered with Moxie's Open Whisper
Systems for end-to-end encryption.

[https://news.ycombinator.com/item?id=8624212](https://news.ycombinator.com/item?id=8624212)

~~~
unfunco
WhatsApp is still closed-source though, and I'm unsure as to the veracity of
the claim of end-to-end encryption, I sure hope that's the case. In the
Panorama documentary about Edward Snowden on the BBC, when discussing the
death of Lee Rigby, a representative of Facebook says they're capable of
decrypting messages (whether that applies to WhatsApp or just Facebook
messenger is not clarified.)

[https://www.youtube.com/watch?v=SjVxqlncS2I&t=46m15s](https://www.youtube.com/watch?v=SjVxqlncS2I&t=46m15s)
(also see 49:00+)

~~~
envy2
You might be interested in this set of videos[1] of public testimony by
WhatsApp's Deputy General Counsel at a hearing on cybercrime in Brazil in
December 2015, where he explains in some detail the type of information they
have and don't have. He explicitly notes that they are incapable of accessing
message content for end-to-end encrypted messages, and also explains that they
don't retain copies of any communications once they've been delivered to
recipients.

[1] [http://www2.camara.leg.br/atividade-legislativa/comissoes/comissoes-temporarias/parlamentar-de-inquerito/55a-legislatura/cpi-crimes-ciberneticos/videoArquivo?codSessao=55221&codReuniao=42467#videoTitulo](http://www2.camara.leg.br/atividade-legislativa/comissoes/comissoes-temporarias/parlamentar-de-inquerito/55a-legislatura/cpi-crimes-ciberneticos/videoArquivo?codSessao=55221&codReuniao=42467#videoTitulo)

~~~
davorb
I think that only messages sent between two android devices are encrypted
using E2E. If you send a message to your mom (who uses a blackberry), the
message won't be encrypted with that protocol.

~~~
dingo_bat
What about ios? And how does your device know whether to encrypt or not? It's
useless talking about encryption if the code is hidden. What if tomorrow they
turn off the encryption silently?

~~~
dc3k
They can turn off the encryption silently whether or not the code is hidden.

~~~
dingo_bat
How so? You can compile yourself if you like.

~~~
Ded7xSEoPKYNsDd
More importantly, you could change the client to show encryption status before
a message is sent and add client-side key management.

------
dclowd9901
It's gotta be so frustrating. Here's this little thing that could answer all
your questions, maybe. If you could just open it, you could easily solve many
mysteries. And the only people who can help won't.

I don't envy the job of law enforcement. It must feel like at times that
everyone is standing in your way. But where does it stop?

If only we could track everyone all the time...

If only we could watch everyone in their homes all the time...

If only we could open everyone's safes whenever we needed to...

Yes, you could solve many mysteries with all of the keys. But it's not your
information. You're not owed it. No one is owed the answer to any question.

I hope law enforcement understands someday what a destructive request they've
made, but I'm guessing like anything else addictive, that one taste will just
lead to more.

~~~
rconti
Many of us often complain that our jobs would be much easier _if only_. This
is a reminder to step back and realize that, sometimes, your job isn't
_supposed_ to be easy. Your goals are not necessarily your entire
organization's goals, nor the entire nation or world's goals.

~~~
nickik
A programmer complaining about bureaucracy usually does not have the same
moral high ground. That's probably the difference. Nobody in society complains
when the newest feature of your Webapp is delayed but when it's about
crime and terror, it's different. That's where they are coming from.

I totally disagree but that's how many people see it (I would guess).

------
ryanSrich
I really respect Jan. I saw him talk at Startup School a few years ago and
what really impressed me was his non-traditional path to becoming a tech
billionaire. He had a long career at Yahoo! before founding WhatsApp. He's a
role model we should be looking at. Not young college kids who can dupe old
investors into giving them millions for vaporware.

It's also important that he's speaking out in opposition to these government
tactics. Hopefully Zuckerberg will follow suit but if history tells us
anything it's that Facebook is rather compliant and doesn't take security
seriously.

~~~
renaudg
_if history tells us anything it's that Facebook is rather compliant and
doesn't take security seriously._

Citation needed...

~~~
ryanSrich
[http://www.boston.com/news/nation/2015/08/12/harvard-student-loses-facebook-internship-after-pointing-out-privacy-flaws/zASZFdUjn6PoliUiR9kVHJ/story.html](http://www.boston.com/news/nation/2015/08/12/harvard-student-loses-facebook-internship-after-pointing-out-privacy-flaws/zASZFdUjn6PoliUiR9kVHJ/story.html)

[http://m.huffpost.com/us/entry/facebook-security-wall-mark-zuckerberg_n_3779228.html](http://m.huffpost.com/us/entry/facebook-security-wall-mark-zuckerberg_n_3779228.html)

[http://www.forbes.com/sites/thomasbrewster/2015/12/17/facebook-instagram-security-research-threats/#7b320e2f2d82](http://www.forbes.com/sites/thomasbrewster/2015/12/17/facebook-instagram-security-research-threats/#7b320e2f2d82)

[http://www.businessinsider.com/facebook-security-flaw-leaks-private-photos-2015-3?r=UK&IR=T](http://www.businessinsider.com/facebook-security-flaw-leaks-private-photos-2015-3?r=UK&IR=T)

[http://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5](http://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5)

[https://facebook.com/safety/groups/law/guidelines/](https://facebook.com/safety/groups/law/guidelines/)

~~~
lazzlazzlazz
These individual cases happen for every tech company.

------
redthrow
WhatsApp doesn't seem very secure:

_As of December 1, 2015, WhatsApp has a score of 2 out of 7 points on the
Electronic Frontier Foundation's secure messaging scorecard. It has received
points for having communications encrypted in transit and having completed an
independent security audit. It is missing points because communications are
not encrypted with a key the provider doesn't have access to, users can't
verify contacts' identities, past messages are not secure if the encryption
keys are stolen, the code is not open to independent review, and the security
design is not properly documented_

[https://en.wikipedia.org/wiki/WhatsApp](https://en.wikipedia.org/wiki/WhatsApp)

~~~
tprynn
The EFF score card is an embarrassment which is essentially equivalent to one
of those "comparison table of our competitors" on a SaaS website. That's a
good analogy for it, because it uses the same questionable metrics and even
more questionable ranking system that one of those tables would use. The score
card gives Signal the same ranking as Cryptocat - that's an instant negative
result for its usefulness.

~~~
redthrow
> Signal the same ranking as Cryptocat

You are probably right that getting a high score on the scorecard doesn't
guarantee a secure program. (The standard of the scorecard is not high.)

But can't you still argue that getting a low score on the scorecard would
probably mean it's not a secure app?

------
akerro
Why should I trust a company that works with NSA and makes money on
information about me to protect my privacy and "fight" government. I see his
post as nothing more than a PR move - "we're the good guys" - before we find
out that they cooperated with agencies. Am I alone in this opinion?

~~~
Tepix
His company also makes money by earning the trust of their customers. If they
lose that trust, it has the potential to be a great financial loss.

~~~
akerro
It's a corporation whose point of living is making profit and selling
overpriced stuff. It's the government's job to take care of people and give them
safety, privacy and protect them from illegal and harmful practices of
corporations.

------
zepto
Will Google step forward too?

~~~
AngrySkillzz
I doubt it. Google has shown little spine so far in standing up to the
intelligence community or in securing user data. They spent some legal money
to defend Appelbaum and encrypted GMail data in transit between data centers,
but that's all that comes to mind.

Standing with Cook would be a good step for them but I'm not optimistic.

~~~
samstave
Unsure:

Google 'appeared' to have a negative reaction to the NSA jacking their inter
DC lines which at the time were not encrypted.

Google will not make public claims on their infra regardless

Google may stand up to the .gov but it may choose to be more quiet.

Anyone that stands up to the police-state-mentality is honorable. The
situation we have now is fucked.

It's not "Armageddon" or anything - but the situation is fucked.

Do you have any idea how many people at places like goog and fb and appl are
very progressive - don't give a shit about pot, molly, lsd etc as they have all
been partying and have had growth experiences due to this? a fucking ton.

It is disingenuous for these companies and their employees to not have the
balls to stand up to the government's overreaching BS. EXCEPT that they all
share a tenuous thread of "employment status" with a corporation... thus they
don't speak up.

Hey Obama, you smoked pot, (That was the point), so release anyone who has
ever gone to jail for pot -- or go to jail yourself?

so tired of this hypocrisy

~~~
pdkl95
> The situation we have now is fucked.

This situation _should_ have ended 20 years ago with the first round of the
crypto wars. /sigh/

> Anyone that stands up to the police-state-mentality is honorable.

Exactly. They aren't alone, either - with Apple taking first-mover risk, it
should be easier for others to stand up together.

It's important to realize that there isn't much neutral ground here. Now that
the line has been drawn, you're either helping implement backdoors or you are
making a stand, potentially at personal risk. Collaborators will not find much
cover if they attempt to hide behind a Nuremberg Defense.

I _strongly_ recommend that everybody watch Quinn Norton and Eleanor Saitta's
amazing talk from 30c3, "No Neutral Ground in a Burning World"[1]. Most people
didn't ask for the responsibility, but it's irresponsible to avoid it by
pretending that technology is somehow external to politics. Everything we
implement _has political consequences_, and we (the people implementing all
of modern technology) need to start thinking about those consequences.

[1] [https://media.ccc.de/v/30C3_-_5491_-_en_-_saal_1_-_201312272300_-_no_neutral_ground_in_a_burning_world_-_quinn_norton_-_eleanor_saitta](https://media.ccc.de/v/30C3_-_5491_-_en_-_saal_1_-_201312272300_-_no_neutral_ground_in_a_burning_world_-_quinn_norton_-_eleanor_saitta)

~~~
okc
The underlying debate isn't technological, it's social and requires a more
abstract paradigm of thinking - beyond "with us or against us mentality".
Everyone involved has been and will be negotiating boundaries that fit with
their own moral focus.

> Anyone that stands up to the police-state-mentality is honorable.

There's a difference between a police state and a police state mentality. The
latter is a subjective and abstract point of view, not so easy to stand up
against.

------
meerita
Imagine if Donald Trump reaches the White House what would happen. I bet a
scenario of much more hardcore surveillance.

~~~
raverbashing
What do you mean by 'more hardcore'?

Also, more surveillance means also more noise

------
philip142au
and Microsoft said?

------
envy2
Jan Koum is WhatsApp's co-founder and current CEO, and a Facebook board
member. I had this in the original title but it seems to have gotten
removed—sorry!

------
munchbunny
I noticed several people asking, and was wondering myself: Jan Koum is one of
the WhatsApp cofounders.

~~~
sarciszewski
That makes a lot more sense. His Facebook profile didn't indicate anything
about his background.

~~~
chetanahuja
Whatsapp and its founders are famous for avoiding drawing any attention
towards themselves and their company. Their offices in Mountain View didn't
even have any signage outside (even to identify them as one of the tenants in
the building) right up to the time they were acquired by Facebook. Looks like
things haven't changed much since the acquisition.

------
wesleytodd
Is this someone I should know about?

~~~
soviettoly
One of the founders of WhatsApp

~~~
wesleytodd
Thanks!

------
pbasista
What is suspicious about this Cook's statement is that he was able to publish
it. I believe this kind of government request is usually made with a strong
non-disclosure agreement with severe consequences if disclosed. So, either the
consequences were not that bad or Apple has chosen to ignore them for the good
cause.

Or ... something "fishy" is going on and this article is just a bait by Apple
to let its customers believe they do care about privacy ... while in reality
the situation might be entirely different. And the "best" thing is that
ordinary people will never know for sure, because with Apple's proprietary
software philosophy, there is no way to tell.

~~~
envy2
Sorry, this isn't "suspicious": there is a publicly available court order[1]
issued by the US District Court for the Central District of California for
Apple to comply with, which you could have found in 15 seconds of Googling.
This was not a FISA warrant or National Security Letter.

[1] [https://www.documentcloud.org/documents/2714001-SB-Shooter-Order-Compelling-Apple-Asst-iPhone.html](https://www.documentcloud.org/documents/2714001-SB-Shooter-Order-Compelling-Apple-Asst-iPhone.html)

~~~
taneq
Just playing devil's advocate here (and I'm in no way full bottle on U.S. law)
but from other posts here, one of the most contentious points about national
security letters is the very strict gag order that is usually attached to
them.

Yes, there's a publicly available court order. How would you know there isn't
also an NSL?

------
suprgeek
This specific encryption debate is THE TURNING POINT around this debate.

The NSA has [most likely] found a way to penetrate Apple/Google/MS/FB for
specific targets i.e. they can get the info on any specific person/group
covertly. The attack surface is just too large - TAO, Zero-Days, Insider
threats, Financial threats, etc. The problem with that is things like needing
"Parallel Construction [1]" to legally prosecute.

What the FBI is now doing is using a recent horrible tragedy to force SV
companies to establish a precedent. Make no mistake, this has been long time
coming. The Feds want to set a precedent both legal and 'cultural'. Ultimately
Apple might cave, but the fact that they are raising a stink is very good
news. Time for other heavyweights to join the chorus.

[1] [http://thefreethoughtproject.com/parallel-construction-law-enforcement-illegally-collected-evidence-criminal-prosecutions/](http://thefreethoughtproject.com/parallel-construction-law-enforcement-illegally-collected-evidence-criminal-prosecutions/)

