A 10-month Commerce Department probe concluded Meta could view all WhatsApp messages in unencrypted form
Here’s the original reporting, instead of another website’s summary of Bloomberg’s actual report:
So it sounds like the agent was investigating allegations, from content moderation contractors, that Meta could access the contents of WhatsApp messages, and came to the conclusion that yes, Meta could.
There are a few possibilities here.
- Meta does have full plain text access to all WhatsApp messages, but guards that access very closely. Although the clients seem to generate E2EE keys for each session, somehow they’re leaking those keys to Meta’s servers somewhere, and the closed source code sufficiently hides that so that there’s no whistleblower or security researcher able to detect this definitively.
- Meta has a secret wiretap functionality where they can compromise the E2EE keys somehow, but uses it only for narrow cases. This helps keep the functionality secret, because security researchers and other reviewers may never see the functionality in action.
- Meta allows users to report objectionable content in the threads they’re already part of. The reporting function forwards either the E2EE key itself or all the plaintext data, which gives content moderators access to the underlying message contents. The contractor whistleblowers and the federal agent investigating these allegations simply got it wrong, and misunderstood the technical process of how the plaintext messages end up in the content moderator’s possession.
Meta claims that it’s #3. They acknowledge they have plaintext access to messages when a party to the thread presses the report button.
This unnamed federal agent believes it’s #1, after 10 months of investigation, and sent out an email to other investigators that they should look into that possibility.
I’m skeptical of #1, simply because I don’t believe that conspiracies to keep that kind of stuff secret can be maintained. It’s not just that there would be technically skilled whistleblowers who have actual access to the code (not the non-technical content moderator contractors who review the content), but a weakness in such an important and widely used protocol would attract all sorts of hackers, state sponsored or otherwise.
But option #2 might explain everything we’ve seen so far. Full wiretap capability that is rarely used and very tightly controlled.
The fact that Trump’s own goon uses Signal and not WhatsApp should probably tell you all you need to know about using WhatsApp.
Yes, not to mention that their security breach on Signal was of their own making. Some moron invited a member of the press to their chat. XD
What I don’t understand yet is why there haven’t been any independent cybersecurity experts capable of finding a backdoor in WhatsApp. How hard would it be for an expert without access to the source code to find one? Are any independent entities monitoring WhatsApp’s security at all??
The clients are one question, but the servers are another. If the backdoor is on the server end, which it sure looks like, then your experts won’t find anything by examining the client.
I see. I thought that the backdoor had to be in the client, because I thought that could be the only place where the private keys are stored, but I’ve since realized that it could be on the server. Thanks for the insight.
Hey, I work in cyber security. Just because an app has a backdoor doesn’t mean that the backdoor can be accessed by anyone. Accessing this backdoor would likely mean compromising Meta themselves, not just the app or its communications.
I’m sure you must receive lots of annoying questions because of the work you do, so thanks a lot for the insight!
It’s not about being vulnerable. It’s probably very tight software.
It’s just that Meta stores the private keys of the e2e encryption. So they can decrypt any and all chats if they want to.
Ooh, I see. Thanks.




