this post was submitted on 04 Dec 2024
557 points (99.5% liked)

Technology

59772 readers
3115 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world
557
U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack (www.nbcnews.com)
submitted 1 day ago by WhatsHerBucket@lemmy.world to c/technology@lemmy.world
175 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] circuitfarmer@lemmy.sdf.org 107 points 23 hours ago (5 children)

It's probably also good practice to assume that not all encrypted apps are created equal, too. Google's RCS messaging, for example, says "end-to-end encrypted", which sounds like it would be a direct and equal competitor to something like Signal. But Google regularly makes money off of your personal data. It does not behoove a company like Google to protect your data.

Start assuming every corporation is evil. At worst you lose some time getting educated on options.

[–] sugar_in_your_tea@sh.itjust.works 4 points 10 hours ago* (last edited 10 hours ago)

Well yeah, to use RCS on Android, you need to use Google's Messenger app, so they can absolutely still get your data. Source from GrapheneOS.

I don't use RCS because I refuse to use Google's Messenger app. Simple as.

[–] KingThrillgore@lemmy.ml 6 points 12 hours ago

If its not Open Source and Audited yearly, its compromised. Your best option for secure comms is Signal and Matrix.

[–] ayyy@sh.itjust.works 2 points 10 hours ago

RCS is an industry standard, not a Google thing.

[–] mosiacmango@lemm.ee 33 points 22 hours ago (11 children)

End to end is end to end. Its either "the devices sign the messages with keys that never leave the the device so no 3rd party can ever compromise them" or it's not.

Signal is a more trustworthy org, but google isn't going to fuck around with this service to make money. They make their money off you by keeping you in the google ecosystem and data harvesting elsewhere.

[–] WhyJiffie@sh.itjust.works 4 points 11 hours ago (1 children)

end to end is meaningless when the app scans your content and does whatever with it

[–] ayyy@sh.itjust.works 3 points 10 hours ago

For example, WhatsApp and their almost-mandatory “backup” feature.

[–] CatLikeLemming@lemmy.blahaj.zone 4 points 12 hours ago

Note that it doesn't mean metadata is encrypted. They may not know what you sent, but they may very well know you message your mum twice a day and who your close friends are that you message often, that kinda stuff. There's a good bit you can do with metadata about messages combined with the data they gather through other services.

[–] zergtoshi@lemmy.world 16 points 18 hours ago* (last edited 18 hours ago) (2 children)

Signal doesn't harvest, use, sell meta data, Google may do that.
E2E encryption doesn't protect from that.
Signal is orders of magnitude more trustworthy than Google in that regard.

[–] mosiacmango@lemm.ee 2 points 9 hours ago (1 children)

Agreed. That still doesnt mean google is not doing E2EE for its RCS service.

Im not arguing Google is trustworthy or better than Signal. I'm arguing that E2EE has a specific meaning that most people in this thread do not appear to understand.

[–] zergtoshi@lemmy.world 1 points 8 hours ago

Sure!
I was merely trying to raise awareness for the need to bring privacy protection to a level beyond E2EE, although E2EE is a very important and useful step.

[–] renzev@lemmy.world 8 points 18 hours ago

There's also Session, a fork of Signal which claims that their decentralised protocol makes it impossible/very difficult for them to harvest metadata, even if they wanted to.Tho I personally can't vouch for how accurate their claims are.

[–] EvilBit@lemmy.world 47 points 22 hours ago* (last edited 22 hours ago) (17 children)

google isn't going to fuck around with this service to make money

Your honor, I would like to submit Exhibit A, Google Chrome “Enhanced Privacy”.

https://www.eff.org/deeplinks/2023/09/how-turn-googles-privacy-sandbox-ad-tracking-and-why-you-should

Google will absolutely fuck with anything that makes them money.

[–] circuitfarmer@lemmy.sdf.org 24 points 21 hours ago (1 children)

This. Distrust in corporations is healthy regardless of what they claim.

[–] jagged_circle@feddit.nl 2 points 12 hours ago

Dont trust. Verify. Definitely dont touch it if its closed source

load more comments (16 replies)
[–] sxan@midwest.social 6 points 16 hours ago* (last edited 16 hours ago)

End to end could still - especially with a company like Google - include data collection on the device. They could even "end to end" encrypt sending it to Google in the side channel. If you want to be generous, they would perform the aggregation in-device and don't track the content verbatim, but the point stands: e2e is no guarantee of privacy. You have to also trust that the app itself isn't recording metrics, and I absolutely do not trust Google to not do this.

They make so of their big money from profiling and ads. No way they're not going to collect analytics. Heck, if you use the stock keyboard, that's collecting analytics about the texts you're typing into Signal, much less Google's RCS.

[–] sem@lemmy.blahaj.zone 17 points 21 hours ago (8 children)

It could be end to end encrypted and safe on the network, but if Google is in charge of the device, what's to say they're not reading the message after it's unencrypted? To be fair this would compromise signal or any other app on Android as well

load more comments (8 replies)
[–] MonkderVierte@lemmy.ml 3 points 14 hours ago* (last edited 14 hours ago) (2 children)

End to end matters, who has the key; you or the provider. And Google could still read your messages before they are encrypted.

[–] sugar_in_your_tea@sh.itjust.works 2 points 10 hours ago

Yup, they can read anything you can, and send whatever part they want through Google Play services. I don't trust them, so I don't use Messenger or Play services on my GrapheneOS device.

[–] mosiacmango@lemm.ee 2 points 10 hours ago (1 children)

You have the key, not the provider. They are explicit about this in the implementation.

They can only read the messages before encryption if they are backdooring all android phones in an act of global sabotage. Pretty high consequences for soke low stakes data.

[–] MonkderVierte@lemmy.ml 1 points 3 hours ago

I mean, Google does, with Play Services.

[–] jagged_circle@feddit.nl 1 points 12 hours ago (1 children)

They do encrypt it and they likely dont send the messages unencrypted.

Likely what's happening is they're extracting keywords to determine what you're talking about (namely what products you might buy) on the device itself, and then uploading those categories (again, encrypted) up to their servers for storing and selling.

This doesn't invalidate their claim of e2ee and still lets them profit off of your data. If you want to avoid this, only install apps with open source clients.

[–] mosiacmango@lemm.ee 0 points 10 hours ago* (last edited 10 hours ago) (1 children)

E2EE means a 3rd party cant extract anything in the messages at all, by definition.

If they are doing the above, it's not E2EE, and they are liable for massive legal damages.

[–] jagged_circle@feddit.nl 0 points 8 hours ago

Thats not what it means. It means that a third party cannot decrypt it on their servers.

Of course if the "third party" is actually decrypting it on your device, then they can read the messages. I dont know why this is not clear to you.

[–] circuitfarmer@lemmy.sdf.org 3 points 21 hours ago

You may be right for that particular instance, but I'd still argue caution is safer.

[–] renzev@lemmy.world 1 points 18 hours ago (2 children)

Of course our app is end-to-end encrypted! The ends being your device and our server, that is.

[–] jagged_circle@feddit.nl 2 points 12 hours ago* (last edited 5 hours ago)

That's literally what zoom said early in the pandemic.

Then all the business in the world gave them truck loads of money, the industry called them out on it, and they hired teams of cryptographers to build an actual e2ee system

[–] intensely_human@lemm.ee 4 points 18 hours ago

It’s end to end to end encrypted!

[–] s_s@lemm.ee 1 points 12 hours ago (1 children)

End-to-end encryption matters if your device isn't actively trying to sabotage your privacy.

If you run Android, Google is guilty of that.

If you run Windows in a non-enterprise environment Microsoft is guilty of that.

If you run iOS or MacOS, Apple is (very likely) guilty of that.

[–] sugar_in_your_tea@sh.itjust.works 1 points 10 hours ago

Yup, so I run GrapheneOS without Google at services. It probably doesn't spy on me, which is nice.