this post was submitted on 04 Dec 2024
454 points (99.3% liked)

Technology

59772 readers
3191 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world
454
U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack (www.nbcnews.com)
submitted 18 hours ago by WhatsHerBucket@lemmy.world to c/technology@lemmy.world
147 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] EvilBit@lemmy.world 43 points 15 hours ago* (last edited 15 hours ago) (2 children)

google isn't going to fuck around with this service to make money

Your honor, I would like to submit Exhibit A, Google Chrome “Enhanced Privacy”.

https://www.eff.org/deeplinks/2023/09/how-turn-googles-privacy-sandbox-ad-tracking-and-why-you-should

Google will absolutely fuck with anything that makes them money.

[–] circuitfarmer@lemmy.sdf.org 22 points 14 hours ago (1 children)

This. Distrust in corporations is healthy regardless of what they claim.

[–] jagged_circle@feddit.nl 2 points 5 hours ago

Dont trust. Verify. Definitely dont touch it if its closed source

[–] mosiacmango@lemm.ee 0 points 15 hours ago* (last edited 15 hours ago) (2 children)

Thats a different tech. End to end is cut and dry how it works. If you do anything to data mine it, it's not end to end anymore.

Only the users involved in end to end can access the data in that chat. Everyone else sees encrypted data, i.e noise. If there are any backdoors or any methods to pull data out, you can't bill it as end to end.

[–] circuitfarmer@lemmy.sdf.org 9 points 14 hours ago (1 children)

You are suggesting that "end-to-end" is some kind of legally codified phrase. It just isn't. If Google were to steal data from a system claiming to be end-to-end encrypted, no one would be surprised.

I think your point is: if that were the case, the messages wouldn't have been end-to-end encrypted, by definition. Which is fine. I'm saying we shouldn't trust a giant corporation making money off of selling personal data that it actually is end-to-end encrypted.

By the same token, don't trust Microsoft when they say Windows is secure.

[–] mosiacmango@lemm.ee 2 points 13 hours ago* (last edited 13 hours ago) (2 children)

Its a specific, technical phrase that means one thing only, and yes, googles RCS meets that standard:

https://support.google.com/messages/answer/10262381?hl=en

How end-to-end encryption works

When you use the Google Messages app to send end-to-end encrypted messages, all chats, including their text and any files or media, are encrypted as the data travels between devices. Encryption converts data into scrambled text. The unreadable text can only be decoded with a secret key.

The secret key is a number that’s:

Created on your device and the device you message. It exists only on these two devices.

Not shared with Google, anyone else, or other devices.

Generated again for each message.

Deleted from the sender's device when the encrypted message is created, and deleted from the receiver's device when the message is decrypted.

Neither Google or other third parties can read end-to-end encrypted messages because they don’t have the key.

They have more technical information here if you want to deep dive about the literal implementation.

You shouldn't trust any corporation, but needless FUD detracts from their actual issues.

[–] sugar_in_your_tea@sh.itjust.works 1 points 2 hours ago

Even if we assume they don't have a backdoor (which is probably accurate), they can still exfiltrate any data they want through Google Play services after it's decrypted.

They're an ad company, so they have a vested interest in doing that. So I don't trust them. If they make it FOSS and not rely on Google Play services, I might trust them, but I'd probably use a fork instead.

[–] circuitfarmer@lemmy.sdf.org 8 points 13 hours ago (1 children)

You are missing my point.

I don't deny the definition of E2EE. What I question is whether or not RCS does in fact meet the standard.

You provided a link from Google itself as verification. That is... not useful.

Has there been an independent audit on RCS? Why or why not?

[–] mosiacmango@lemm.ee 0 points 13 hours ago* (last edited 13 hours ago) (2 children)

Not that I can find. Can you post Signals most recent independent audit?

Many of these orgs don't post public audits like this. Its not common, even for the open source players like Signal.

What we do have is a megacorp stating its technical implementation extremely explicitly for a well defined security protocol, for a service meant to directly compete with iMessage. If they are violating that, it opens them up to huge legal liability and reputational harm. Neither of these is worth data mining this specific service.

[–] circuitfarmer@lemmy.sdf.org 6 points 13 hours ago

I'm not suggesting that Signal is any better. I'm supporting absolute distrust until such information is available.

[–] deranger@sh.itjust.works 2 points 13 hours ago* (last edited 13 hours ago) (1 children)
[–] mosiacmango@lemm.ee 7 points 13 hours ago* (last edited 13 hours ago)

Thank you. I had trouble running down a list.

I do consider Signal to be a more trustworthy org than Google clearly, but find this quibbling about them "maybe putting a super secret backdoor in the e2ee they use to compete with iMessage" to be pretty clear FUD.

[–] micballin@lemmy.world 8 points 15 hours ago (3 children)

They can just claim archived or deleted messages don't qualify for end to end encryption in their privacy policy or something equally vague. If they invent their own program they can invent the loophole on how the data is processed

[–] cheesemoo@lemmy.world 9 points 15 hours ago (2 children)

Or the content is encrypted, but the metadata isn't, so they can market to you based on who you talk to and what they buy, etc.

[–] rottingleaf@lemmy.world 1 points 4 hours ago

Provided they have an open API and don't ban alternative clients, one can make something kinda similar to TOR in this system, taking from the service provider the identities and channels between them.

Meaning messages routed through a few hops over different users.

Sadly for all these services to have open APIs, there needs to be force applied. And you can't force someone far stronger than you and with the state on their side.

[–] mosiacmango@lemm.ee 2 points 13 hours ago (1 children)

This part is likely, but not what we are talking about. Who you know and how you interact with them is separate from the fact that the content of the messages is not decryptable by anyone but the participants, by design. There is no "quasi" end to end. Its an either/or situation.

[–] sugar_in_your_tea@sh.itjust.works 0 points 2 hours ago

It doesn't matter if the content is encrypted in transit if Google can access the content in the app after decryption. That doesn't violate E2EE, and they could easily exfiltrate the data though Google Play Services, which is a hard requirement.

I don't trust them until the app is FOSS, doesn't rely on Google Play Services, and is independently verified to not send data or metadata to their servers. Until then, I won't use it.

[–] mosiacmango@lemm.ee 1 points 13 hours ago* (last edited 13 hours ago)

The messages are signed by cryptographic keys on the users phones that never leave the device. They are not decryptable in any way by google or anyone else. Thats the very nature of E2EE.

How end-to-end encryption works

When you use the Google Messages app to send end-to-end encrypted messages, all chats, including their text and any files or media, are encrypted as the data travels between devices. Encryption converts data into scrambled text. The unreadable text can only be decoded with a secret key.

The secret key is a number that’s:

Created on your device and the device you message. It exists only on these two devices.

Not shared with Google, anyone else, or other devices.

Generated again for each message.

Deleted from the sender's device when the encrypted message is created, and deleted from the receiver's device when the message is decrypted.

Neither Google or other third parties can read end-to-end encrypted messages because they don’t have the key.

They cant fuck with it, at all, by design. That's the whole point. Even if they created "archived" messages to datamine, all they would have is the noise.

[–] circuitfarmer@lemmy.sdf.org 0 points 13 hours ago

Exactly. We know corporations regularly use marketing and doublespeak to avoid the fact that they operate for their interests and their interests alone. Again, the interests of corporations are not altruistic, regardless of the imahe they may want to support.

Why should we trust them to "innovate" without independent audit?