
Ask HN: How do we know that WhatsApp doesn't spy on messages? - fdeage
Yesterday I was talking about WhatsApp with friends, trying to explain how end-to-end (E2E) encryption works. One of my friends (who is not a techie) said I was naive to believe Facebook couldn't see users' messages, considering its awful track record on privacy.

I was about to confidently reply something about how, with modern encryption, you don't need to trust the server to pass messages securely... but something held me back.

I was so sure about the system's privacy, and suddenly I wasn't.

I know WhatsApp claims to implement the Signal protocol, which is considered secure (so far).

But some questions popped into my head:

- What's preventing WhatsApp from not using the protocol properly, or at all?
- What's preventing WhatsApp from, say, also secretly sending the message to itself? Or a digest of it? Or just some keyword matches? You know, for "analytics"? Or to comply with obscure child porn laws?

I use WhatsApp every single day, so this thought makes me pretty uncomfortable. The more I think about it, the less I'm sure. What I find the most convincing is that, if such a backdoor existed, a WhatsApp employee would have leaked it on HN already...

What do you think? Do you trust WhatsApp on this?
======
onreact
As far as I know Mark Zuckerberg already admitted that Facebook is spying on
the Messenger messages:

[https://thenextweb.com/facebook/2018/04/05/facebook-confirms...](https://thenextweb.com/facebook/2018/04/05/facebook-confirms-it-spies-on-your-messenger-conversations/)

Now Zuckerberg is merging Facebook Messenger, WhatsApp and Instagram:

[https://mashable.com/article/mark-zuckerberg-speaks-on-whats...](https://mashable.com/article/mark-zuckerberg-speaks-on-whatsapp-instagram-messenger-merger/?europe=true)

Thus we can be pretty sure that WhatsApp messages are also being monitored.

~~~
FabHK
The first article talks about Messenger only, not WhatsApp, and the second
article claims the opposite of what you're insinuating, namely that they want
to introduce E2EE across their apps:

> "The first reason I'm excited is moving more to end to end encryption by
> default in our products. People like this in WhatsApp. I think it's the
> direction we should be going in. I think there's an opportunity ... to have
> encryption work in a consistent way across the things that we're doing."

What they certainly analyse and presumably monetise is the metadata.

------
psv1
1\. You can't know. (Unless something confirming the opposite leaks in the
future).

2\. Facebook's reputation is so bad when it comes to privacy at this point
that trusting them is just naive.

3\. Even in the best case, your metadata is certainly used. Facebook didn't
pay over $20 billion for a service with no monetisation model purely out of
the goodness of their hearts.

4\. Whatsapp has good network effects at least here in the UK - when your
flatmates or coworkers have a group chat, you can't just say "Well, let's get
everyone over to Signal.". You either use Whatsapp or go without the group
chat.

~~~
fdeage
1\. OK...

2\. You are restating my friend's argument, but the idea of E2E is precisely
to remove trust from the equation. If applied properly, there's nothing the
company controlling the server can do.

3\. Most probably, but that's not the point here. My question is specifically
about the messages themselves.

4\. Sure, but not related to my question either :)

~~~
psv1
> the idea of E2E is precisely to remove trust from the equation

It doesn't do that. You don't have a way to verify what software runs when you
send a whatsapp message.

~~~
zzzcpan
Oh, it's worse. End-to-end encryption assurances are essentially in conflict
with centralized control over software development and distribution. Literally
the same organization end-to-end encryption is supposed to protect from is the
one responsible for implementing and deploying that protection and doing that
well and correctly.

~~~
fdeage
That's interesting. Could you develop on this conflict?

For some reason it reminds me of the famous Moxie article:
[https://signal.org/blog/the-ecosystem-is-moving](https://signal.org/blog/the-ecosystem-is-moving) Is it the same idea?

~~~
zzzcpan
It's the opposite of Moxie's propaganda. Here's an example of this conflict at
play:
[https://news.ycombinator.com/item?id=22106536](https://news.ycombinator.com/item?id=22106536)

------
fdeage
(By the way, one day I sent a picture of a dress to my sister-in-law on
WhatsApp. She told me that Instagram sent her an ad 5 minutes later, _with the
exact same dress_.

It was so unlikely to be random that I checked right away to see if pictures
were safe. It turns out that pictures received and sent are shared within all
Facebook apps - Facebook, Messenger, Instagram -, at least on iOS)

------
ktpsns
You should study open source software (like the Signal app or the Matrix
network). Furthermore, study "trusted builds" and trusted hardware -- attempts
to prove that certain lines of code are really running on a system. Then we
can talk again about encryption...

~~~
fdeage
I know there are other problems and unknowns when using WhatsApp on an iPhone.
I do not see how this is related to E2E though... Does it mean that any try to
secure communications on the iOS platform is irrelevant in your opinion?

------
bowlich
> WhatsApp employee would have leaked it on HN already

Employees don't need to be aware of the backdoor if they aren't the ones
listening.

At least, I assume Whatsapp is already compromised by some state actor and
Facebook is getting some kind of funding to look the other way.

