Plus folks may be put off by the lack of encryption, which is probably of little benefit in the case of WhatsApp.
What do you mean?
The WhatsApp encryption bit?
Many are concerned that despite Mark Zuckerberg’s ‘Privacy-Focused Vision’, Facebook has a history of misuse of customer data. For example, pulling your call records and SMS data off your phone.
WhatsApp being encrypted doesn’t stop Facebook accessing the data. They have a number of apps on your phone usually, all that share data containers I think.
1 Like
Well, it prevents them from accessing your WhatsApp data. Specifically, the contents of your conversations. Metadata is unencrypted but conversations are and they’re not stored on their servers.
1 Like
It bugs me when the CEO says ‘WhatsApp data is encrypted so Facebook can’t access it’. Technically this can’t be true, the data is decrypted on your device and used by their app. I think also devs have shown the various Facebook apps (Insta, Facebook, Messenger) can also access this message data, as it is shared between apps. Doesn’t mean they are running any analytics against it, of course 
Being encrypted on the server is good I agree, prevents a malicious 3rd-party pulling the database and accessing it.
Discourse is warning me not to keep replying to you on this 
Maybe Security Now can help our understanding?
1 Like
All good 
I’m not trying to argue and I admit that I could very well be wrong about this.
Here is my understanding of the WhatsApp situation:
Metadata is unencrypted, stored on Facebook servers, and can be shared amongst their apps - Ex: Who you spoke to, where you were, how often you spoke to them, etc.
The contents of the conversations themselves are encrypted and the private keys are stored locally. That can’t be shared amongst their apps. To be more precise, it can’t be decrypted by Facebook making it useless to them. If you get a new phone for example and don’t back up your conversations to iCloud or Google Drive (which by their own admission is unencrypted), you lose all of your messages because they aren’t stored by FB and aren’t able to be decrypted.
1 Like
Hopefully once RCS is implemented, our friends at Signal can easily integrate it to the Signal app in a way that it is easy for the carriers to implement that protocol. I just know that it cannot be worse than SMS. People use iMessage not so much for the encryption, but for the reason that Apple is very closed in their protocol and because it allows for high quality media to be shared. Once RCS is implemented, people could probably turn off iMessage or even decide to not turn it on in the first place.
RCS is also a great excuse for people to change their mobile phones. Phone manufacturers could prevent RCS updates from going to old phones, forcing everyone to have to switch phones in order to get the benefits of RCS.
Well FB is the author of the WhatsApp app, and the content needs to be decrypted by the app to show it to the user. Do you know for certain that they don’t scan the messages they decrypt on the phone for keywords and other analytics?
Your private encryption key is only stored locally In order to decrypt a message, you need both the private and public key.
Here’s a whitepaper on it:
They use the same encryption protocol that Signal uses (Open Whisper Systems/Axolotl Ratchet).
Steve Gibson went over this in detail on episode 555 of Security Now.
1 Like
You’re focusing on a technical detail which makes no difference. You have to trust the author of the app… I and have less than zero trust in FB. Who cares where the encryption keys are… the CONTENT is on the phone? If the app, running on that phone, has access to the content (which it HAS to have to present it to the user) then there is NOTHING stopping that app from scanning that content for keywords or other analytics.
1 Like
If you look at it that way, you should never use any apps that aren’t 100% open source and you have to verify the source code yourself. I’m not a developer. At the end of the day I have to trust someone at some point. I am not saying that I am a huge fan of Facebook, but I trust an encryption implementation that Moxie Marlinspike oversaw vs other closed-source encryption implementations (Telegram). I acknowledge (and agree with) your distrust of Facebook, but I am limited to what others use and WhatsApp seems to be almost as good from a security perspective as anything else out there (the EFF and Steve Gibson seem to agree as well).
But all the tech was created for Signal, which has no interface to FB so has all the benefits and no risk of FB scamming your data. The issue is people haven’t set it up because Moxie et el. don’t have a marketing budget like FB does. Still if you’re technically savvy, you should encourage your friends and contacts to switch. (And good luck with fighting the herd mentality that leads so many people into the control of FB.)
But all the tech was created for Signal, which has no interface to FB
I’m not sure what you mean by this. Sorry, I’m not trying to be pedantic. It’s an open-source encryption protocol that is used in a number of applications.
Still if you’re technically savvy, you should encourage your friends and contacts to switch.
I am 100% with you on this, but realistically, it won’t happen. They don’t care that one app is open-source and the other isn’t. They don’t even know or care about encryption. They use what everyone they know uses 
. I agree with you about having to fight the herd mentality.
1 Like
The protocol used by WhatsApp is called The Signal Protocol. The technology was built for Signal, and then “co-opted” into WhatsApp by FB. (Not saying that better security in WhatsApp is bad, only that I don’t trust FB’s motivations for doing it.)
I disagree with this. FB has time and time again broken their trust to the public. They blatantly and openly don’t care about privacy, they only care about control or money. Just because you don’t trust FB’s encryption doesn’t mean you shouldn’t trust anyone’s encryption.
I disagree with this. FB has time and time again broken their trust to the public.
I agree with you regarding Facebook.
Just because you don’t trust FB’s encryption
It isn’t their encryption, it’s Open Whisper System’s encryption. If you don’t trust the encryption protocol, you shouldn’t use Signal either. Telegram uses it’s own, closed-source encryption protocol and they store the messages on their servers. My point regarding open source was that looking at the source code itself is the only way to verify what an app is actually doing.
I think you’re still missing the point. I DO trust the crypto. But crypto is for the transit… it has to be in the clear at the endpoints, and the endpoint of WhatsApp is a FB app… which has access to all your communications in the clear.
Yeah I understand it, I meant more “If you don’t trust Facebook’s implementation” PHolder is right, FB is the endpoint of the encryption. I don’t trust them. Therefore I don’t trust the E2E encryption of whatsapp.
I get the point. I was responding to the insinuation that FB was using their own crypto. Honestly, unless what you’re using is 100% open source, you don’t know what it is doing. I can only trust the security audits that others have done. I agree with you all on how problematic it is that WhatsApp is owned by Facebook. I wish that weren’t the case and I wish that everyone I talk to would use something else.
I understand. When it comes to security, it’s hard to trust any app that isn’t completely open source using an open source protocol.