this post was submitted on 24 Feb 2024
731 points (98.4% liked)
Technology
59534 readers
3209 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
WhatsApp is end-to-end encrypted. How does all the data magically show up when you change phone which doesn't have the same private key as the old phone? It's like having a lock on your front door and giving the keys to a random neighbour. Most folks trade convenience for privacy or security. That trade is looking less and less appealing by the day.
Ehm, they don't show up magically.
You have to backup directly to your new phone, otherwise it won't get transfered.
I just did this, and I can 100% confirm that not backuped data won't go to the new phone.
Which is also exactly how Signal works too; I migrated both two days ago. Process was virtually identical.
I much prefer Signal, but can't judge WhatsApp to harshly on this tbh.
It better be the same because WhatsApp uses the Signal encryption protocol!
Doesn't necessarily have to be the same. Afaik the signal protocol is for sending messages, not for transferring backups of chats.
Whatsapp actually lets you back up all your chats, unencrypted, to Google Drive or iCloud. Definitely not the same as Signal.
Also when logging in on the website version on pc, you need to keep whatsapp open on your phone to sync old messages and media to your pc if you want to be able to see them there.
Thanks. I stand corrected. I was one of those that paid $1 for life when WhatsApp was a new kid on there block but haven't used it since news broke that Facebook acquired them like a decade ago. At the time, you had a new phone, your messages would transfer. Dunno how it is today after all those years but seems to be similar to Signal.
Based on the stories coming up on Facebook and their lack of moral / humane boundaries I still won't trust them not to have access to a private key when their app is so invasive. Their whole model is based on behind the curtain trafficking.
If you get a new phone and don't import anything from your existing phone, then messages you receive will be unable to be decrypted. Since WhatsApp uses the Signal encryption protocol, it's fairly detailed how receiving a message which can't be decrypted can start an initialization to the sender to retry sending the messages: https://signal.org/docs/specifications/sesame/#retry-requests-and-delivery-receipts
The signal app will prompt you when a contact's public key is updated, but IIRC, by default Whatsapp will not do this, and it will automatically happen under the hood, which is why it appears like magic.
Thanks. Haven't used them in like a decade so things seem to have changed. At the time, new phone meant your messages transferred automatically.
At the same time, even if Facebook requires a backup for the messages to show up, as the app is close sourced, how would one know for sure whether the app doesn't harvest the private key anyway?
Sounds like you used Whatsapp pre Signal which happened in 2016: https://signal.org/blog/whatsapp-complete/
With regard to private key, for backups, this relies on the HSM in Apple and Android devices, so the private key is engineered to never be accessible by Facebook. Here's how they say they use the HSM to encrypt the backups: https://engineering.fb.com/2021/09/10/security/whatsapp-e2ee-backups/
There's no way to be 100% certain, but if Whatsapp were found to have access to the private keys, it would be huge damaging news, so why would they risk it? Security researchers can watch the traffic going to/from the app and the OS APIs being called, and can see the HSM being invoked. Despite it being closed source, that doesn't mean it's less secure and there's no one verifying the security claims.
Thanks for explaining. It's interesting and outside metadata there could be a case for data being secure. However, this is the same company that lied and got fined in the EU when they asserted that they wouldn't be able to link WhatsApp and Facebook identities. This allowed the merger to happen. Security and privacy being something that the average Joe doesn't care that much, it wouldn't be too much of a negative impact when they already have so much bad press on other matters. Finally, from an ethical perspective, I'll give this corp a miss. Values don't really align with my personal ones even if privacy and security were beyond reproach.