
Flawed reporting about WhatsApp - Calvin02
https://www.theguardian.com/technology/commentisfree/2017/jun/28/flawed-reporting-about-whatsapp
======
te_chris
For those who don't know, newspapers often have a Reader's editor whose job it
is is to criticise and be the voice of the readers inside the newspaper. In
this case, this is written by that person for the Guardian after what would
appear to be a thorough investigation of the matter.

There's a lot of people here saying this should have happened faster, they're
likely right, but also, given how extensive and thorough this is, it is more
likely an example of how old-school editorial rigour just takes a lot of time.

~~~
idlewords
The public editor, in private communication, attributed some of this delay to
his difficulty in finding independent experts who hadn't signed the open
letter.

Apparently if you're so wrong that an entire field disagrees with you, you can
get anything printed in the Guardian.

~~~
untog
It's a kind of interesting problem to have. I can see the logic in trying to
find someone not on the letter to verify that what it says is true... but when
literally everyone agrees, the logic falls apart.

I suspect this might be the side effect of excessive CYA. I'm not happy with
it, but there have been so, so many articles that get the basic premises of
tech completely wrong that I think I'd still rather them take an excessive
amount of time checking than publish another ill-informed piece.

~~~
willstrafach
I really do not see the logic in seeking input from those who did not sign the
letter. The reason I signed was specifically to help show them that a very
large number of infosec experts disagreed with the reporting (And I am sure
that is the reason many others signed).

~~~
jolic
Few of the people on the list have any, at least obvious, position outside of
their field. The purpose of seeking input is to make sure that this isn't 72
"climate change deniers" in fringe positions or with their own "custom"
organisations.

~~~
willstrafach
I understand what you are trying to say, but you might want to check out the
full list. It contains people who have various strong opinions on different
nuanced security related topics, yet all agree regarding this. I think that is
why it is strange to brush aside the signatories.

~~~
Analemma_
> It contains people who have various strong opinions on different nuanced
> security related topics, yet all agree regarding this.

But it takes a while to verify this if you're not already familiar with it
(I'd argue that's a reason why they shouldn't have published the article to
begin with, but w/e)

------
gtf21
I think this is a really thorough mea culpa which is quite impressive, given
the frequent failure of other newspapers to publish a prominent apology when
they have got things far more wrong than this.

~~~
iaw
Did you read it? This is a lawyers carefully worded article to avoid being
sued...

> "I accept the consensus view of the experts and, in consultation with
> editors, have arranged for the coverage to be amended and for a note to be
> added drawing attention to the review and linking to this column.

> I do not agree with critics that the story should be entirely retracted."

Huh? Accepting a consensus view is a really shifty way to avoid acknowledging
being blatantly wrong.

~~~
gtf21
> Did you read it?

I try to avoid making a habit of commenting on things without reading them,
and also of over-quickly assuming that others do so.

> This is a lawyers [sic] carefully worded article to avoid being sued [...]
> Accepting a consensus view is a really shifty way to avoid acknowledging
> being blatantly wrong.

This leads me to question whether you read the article, or simply picked out
snippets to support your preconceptions. Let's take some other quotations:

> In a detailed review I found that misinterpretations, mistakes and
> misunderstandings happened at several stages of the reporting and editing
> process. Cumulatively they produced an article that overstated its case.

> The most serious inaccuracy was a claim that WhatsApp had a “backdoor”

^ these look like an acknowledgement to me.

Furthermore, to refute your selectively used quotation above:

> I am not an expert in this field. For the review I consulted suitably
> experienced experts other than the 72 who had already declared their view.
> [...] I found a consensus that [...]

The author is accepting the consensus view amongst the experts with whom he
spoke, since, as he acknowledges, he is not an expert in the field. This seems
to me to be an emminently sensible approach, which most journalists would do
well to follow.

------
idlewords
It astonishes me that the Readers' Editor, someone with long experience in
journalism, thinks retracting this story would mean taking it offline as if it
never happened.

Frankly, I think this is a weak response. There is nothing in this
investigation they could not have cleared up in January; instead, they dawdled
and now they equivocate.

------
acchow
Pretty much every single person I know outside of the Bay Area and not working
in tech believes that the government and the corresponding corporations
running the service are reading all of their messages on:

* Whatsapp * FB Messenger * iMessage * Hangouts

They also all believe that the police can look at their Facebook posts because
they have special access.

This is precisely why there was minimal reaction to the Snowden revelations -
what revelations?

~~~
jiqiren
they are correct for two of the above - given a warrant from a court - FB
Messenger and Hangouts messages are readable by Facebook and Google.

~~~
marcosdumay
Google can read any of them. Or anything else on an Android phone with Play
(as can Apple on an iPhone).

They very likely don't, but that doesn't mean they can't.

~~~
kasey_junk
Back that assertion up. Because actual security experts disagree with you.

~~~
marcosdumay
You mean that security experts are claiming Google and Apple can not update
their software at will?

Who are those experts?

~~~
kasey_junk
Your claim was not that Google or Apple can update their software at will, it
was specifically that Google or Apple can read existing WhatsApp messages that
have been already sent (particularly ones that utilize e2e). This is not
something that security engineers agree with on record. Can you find a cadre
of security engineers that agree with that?

Further, there is the implication in your comment that Android and iOS are
less secure than some other format (assumedly a linux or bsd variant desktop
OS) for secure messaging. I'd be shocked if you could find a group of security
engineers that even agreed with that. You certainly will find lots of them
that disagree, so its in question at least.

I'd go further and suggest that if I made the proposition that from a security
perspective you were best served by using e2e encrypted WhatsApp purely from
an iOS or Chromebook that I'd gain more agreement from the security community
than any other proposition about messaging formats other than "don't use
electronic messaging for secret things".

~~~
marcosdumay
> Your claim was not that Google or Apple can update their software at will,
> it was specifically that Google or Apple can read existing WhatsApp messages
> that have been already sent (particularly ones that utilize e2e).

Yes, being able to update their software at will enables them to read messages
that have been already sent, even with e2e encryption.

> Further, there is the implication in your comment that Android and iOS are
> less secure than some other format (assumedly a linux or bsd variant desktop
> OS) for secure messaging.

Endpoint security is a can of worms. There is no simple conclusion to be taken
from my comment, except for the literal meaning.

~~~
kasey_junk
If you are implying that _any_ system with auto updates could swap in
malicious software I'll buy that. But you pointed out iOS and Android
specifically. Most (all?) OS have auto update features and by enabling them
you open yourself up to this vector.

~~~
marcosdumay
We were talking about WhatsApp. It runs mostly on iOS and Android.

------
ngrilly
The linked Guardian's article doesn't really explain why they were wrong. This
article by Moxie, designer of the Signal Protocol, is great:
[https://whispersystems.org/blog/there-is-no-whatsapp-
backdoo...](https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/).

~~~
dang
[https://news.ycombinator.com/item?id=13394900](https://news.ycombinator.com/item?id=13394900)

------
lern_too_spel
Maybe one day they'll issue a correction for their PRISM reporting too. The
solution is exactly the same as the solution in this case: the editors should
demand that the journalists verify their claims with experts.

~~~
tptacek
This is getting downvoted, but reporting on PRISM was egregiously flawed in
ways that created myths about what PRISM is that persist to this day.

~~~
willstrafach
I think it is too late - Any refuting of the original narrative will get you
labeled a shill, "JTRIG", or discussion turns to "well you can't know what is
going on for sure"

------
chicob
Speaking of security, the new possibility of a Google Drive backup for
WhatsApp messages and files has been quite overlooked imo.

This backup is not e2ee, which means that if the other part is backing up data
in Google Drive, then at least part of you WhatsApp history is not e2ee. Yes,
it might be encrypted whithin Google Drive by whatever secure methods Google
chooses, but not by you.

------
EternalData
Good on them for admitting to all these flaws. I'm especially interested in
the fact that government officials seem to be citing articles to push people
to certain communication channels.

------
jancsika
From the open letter:

"People believe that you perform due diligence on matters critical to their
lives and safety."

And at the bottom of the open letter many security experts have signed in
support. That is, "signed" in the colloquial sense.

Small digression-- let's say a person tasked with reviewing a story in the
Guardian is not an expert in security. They would really love some way to
start with one or two security experts they know and trust and "fan out" to
other experts based on their relationships.

Is there a quick and easy way for the journalist to do that by looking at the
names of cryptographers listed at the bottom of a webpage?

Also: can someone explain what "due diligence" means? Is it the expectation
here that a journalist not only report what would look reasonable to a non-
journalist reader, but also use their considerable skill to ensure that they
present their readers with verifiable facts, to the best of their ability?
Even if it takes a considerable amount of time and effort on their part? Even
if verifying the evidence relies on clunky, cumbersome tools that no one wants
to spend time using?

------
vzaliva
It is funny how while reading this article establishing Guardian's screw up I
was nevertheless asked twice to give them money.

------
omnifischer
Sad that the writer (calling herself investigative journalist -
[https://twitter.com/manisha_bot](https://twitter.com/manisha_bot) ) of the
flawed article does not even mention the amended article in her twitter
account.

------
wolf550e
non-AMP link:
[https://www.theguardian.com/technology/commentisfree/2017/ju...](https://www.theguardian.com/technology/commentisfree/2017/jun/28/flawed-
reporting-about-whatsapp)

~~~
nneonneo
Mods: please make this the canonical link; AMP links force mobile layouts
which are suboptimal on desktop.

~~~
roywiggins
AMP links break apps on mobile too, the Guardian app tries to open
guardian.com links, but AMP breaks that.

Mind you, stories load faster via AMP than the app, but still.

------
dphnx
Non-AMP link:
[https://theguardian.com/technology/commentisfree/2017/jun/28...](https://theguardian.com/technology/commentisfree/2017/jun/28/flawed-
reporting-about-whatsapp)

~~~
ReverseCold
Isn't this amp hosted on their own server? What's wrong with that?

------
danjoc
This is not the original Title. Submitter is editorializing via title. Please
don't do that on Hacker News.

~~~
captainmuon
Why not? I think this title "Guardian admits WhatsApp story was flawed"
reflects the content better. The original title "Flawed reporting about
WhatsApp" could have meant many other things. For example, the article might
have complained about flawed reporting of other newspapers.

I like this title better, and the likelyhood that I'd have clicked on it would
have been less with the original.

Just because somebody wrote that rule down doesn't mean you have to follow it,
much less enforce it. Do you believe in it yourself, in absolutely every case,
or do you follow it just because it is a rule? I'm not trolling, just curious.
I find to many people on the net follow rules blindly. Rules are crystallized
attitudes of communities. They shape the community, but the community also
shapes the rules. If people would never break a rule, not even a little bit,
they would either never change, or only change to be more strict over time.

Why am I loosing so many words over this? Why do I say you shouldn't bother
that much, but then myself bother so much to write this? Because I don't want
the moderation on HN to become like Wikipedia or Stack Overflow.

~~~
danjoc
>Do you believe in it yourself, in absolutely every case, or do you follow it
just because it is a rule? I'm not trolling, just curious.

I don't think you're trolling. I understand your viewpoint. I'm against
selective enforcement. If there's a rule, and it isn't applied evenly to
everyone all the time, it is a weapon of oppression. It is like the electronic
form of white privilege.

~~~
captainmuon
Weeell, I'm not sure I like your comparison with white privilige, but I get
your point. I see that kind of selective enforcement happen IRL too often.
Ideally of course you'd adapt the rules to be a bit less strict, and find a
middle ground.

------
majewsky
Hint: If site is empty for you, remove "amp." from domain name.

~~~
yorwba
FWIW, the site worked completely fine for me in Firefox with JavaScript and
cookies disabled, and even Lynx worked (but shows some mustache syntax that
would be hidden by CSS otherwise).

~~~
michaelt
If you enable JS from theguardian.com but disable JS from ampproject.org the
result is a blank page.

------
eehee
This entire conflict just seems _completely_ absurd to me - why on earth are
the 72 "experts" who signed the open letter so quick to trust WhatsApp without
access to the source code?

~~~
g-clef
The experts (no scare quotes needed, they really are experts) were commenting
on the story's facts as presented. There was no need to read the source of
whatsapp, as the facts as stated in the original article were overblown and
based on fundamental misunderstandings of cryptography.

The entire story was based on the question of "what do you do when someone
you're communicating with using encryption changes keys?" Whatsapp chose to
dynamically use the new key, rather than fail & force the user to verify the
new key in some out-of-band way. This was described as a "backdoor" in the
guardian story. That was simply false. Even calling it a vulnerability is a
mis-understanding of how cryptography works and of the risk involved in that
design decision.

~~~
eehee
Thank you for actually replying instead of downvoting...and I'll admit, the
scare quotes may have been a bit too much!

That said, the open letter plainly states "WhatsApp effectively protects
people against mass surveillance."

How do they know? From this, and the entire tone of the letter, it looks to me
like they're still implicitly trusting that WhatsApp does what it claims to
do. I see absolutely no reason to do so, and am utterly baffled that top
security experts do.

~~~
CiPHPerCoder
Most (if not all) people who signed that letter, myself included, are capable
of reverse engineering and analyzing Android apps (i.e. WhatsApp).

You don't need access to the source code to perform this analysis.

Furthermore, if you can verify that the app does what it advertises, you don't
need to trust their infrastructure. E2E takes care of that.

~~~
jolic
It's still not entirely accurate, or at least conclusive, that WhatsApp
effectively protects people against mass surveillance. It might be that
there's enough other sources, messages aren't that valuable in the first place
or even that mass surveillance itself, between target surveillance and
everyone being a public person, isn't that important to protect people
against.

I think it's much easier to conclude that WhatsApp protects peoples messages
from leaking or being abused by providers and other "softer" merits.

~~~
CiPHPerCoder
> It's still not entirely accurate, or at least conclusive, that WhatsApp
> effectively protects people against mass surveillance.

Yes, it is.

Mass surveillance is, by its very nature, defeated by E2E encryption even
_without_ identity verification.

Are you thinking of targeted surveillance?

~~~
jolic
I'm saying that both the claim that "WhatsApp is effective" and that "it is
effective against mass surveillance" might be untrue even if it is effective
at E2E encryption.

You can argue that WhatsApp itself de facto doesn't effectively protect
(against mass surveillance) because it only works with instant messages and a
lot of data isn't instant messages. You can argue that there is still mass
surveillance of metadata. And that governments could enact secret laws to
force vendors to engage directly in mass surveillance of their customers
through the OS (less likely in the US, more so in China, especially as Google
isn't present).

Sure, it's a nitpick. It's implied that it's effective because it's a good way
to use E2E. But it not necessarily explored in the article whether it
effectively protects people. I'm sure someone thinks that PGP was effective
against mass surveillance too. So it becomes and issue over what you think is
worth protecting.

