this post was submitted on 10 Mar 2026
1206 points (98.3% liked)

Privacy

47184 readers
600 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz
1206
Me Buying A Phone From Google Solely Because I Can Put GrapheneOS On It (lemmy.ml)
submitted 6 days ago* (last edited 6 days ago) by BladeFederation@piefed.social to c/privacy@lemmy.ml
169 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] NewNewAugustEast@lemmy.zip 15 points 6 days ago (4 children)

WhatsApp which is Meta but still E2EE

As far as you are told. There is no verification that is true.

[–] French75@slrpnk.net 8 points 6 days ago

There is no verification that is true.

But there is a nearly continuous stream of occurrences where Meta is caught lying.

[–] jjlinux@lemmy.zip 5 points 6 days ago (1 children)

It is actually verified e2ee. However, they do keep a 'spare key' for every single user and chat, you know, in case they need to help you, the good guys at Meta.

[–] NewNewAugustEast@lemmy.zip 1 points 6 days ago (2 children)

Can you show me where it's verified? Did someone get to see the code?

[–] jjlinux@lemmy.zip 3 points 5 days ago (1 children)

https://www.nccgroup.com/media/fzwdxklh/_ncc_group_whatsapp_e001000m_report_2021-10-27_v12.pdf

https://eprint.iacr.org/2023/843.pdf

Also, their e2ee is built on the signal protocol. Now, their server code and client code are not open source, so they could have left all types of doors open for their benefit. Also, the Metadata is not encrypted at all, something they actually brag about for some reason.

And just to be clear, I am a genuine 'everything-meta-hater" (and Google, MicroShit, Crapple, Crapsung, etc.), but spreading misinformation doesn't help preaching about privacy and security.

[–] NewNewAugustEast@lemmy.zip 1 points 5 days ago* (last edited 5 days ago) (1 children)

That verified if their backups were end to end encrypted though right?

It's also interesting what was out of scope:

Limitations
The following components were not in scope; NCC Group was therefore unable to evaluate and identify issues with them:
• Third-party and proprietary HSM vendor implementation.
• Backup encryption implementation.
• Side-channels in the access, creation, modification and deletion of backup data on third-party cloud storage.

[–] jjlinux@lemmy.zip 1 points 5 days ago (1 children)

Dude, you seem to be under the impression that I'm somehow defending meta, and you're evidently in battle mode. I said my piece, provided the evidence as requested. I guess this is where I drop off of this convoy for ith you, buddy. Make of it what you will. Have a good day.

[–] NewNewAugustEast@lemmy.zip 2 points 5 days ago* (last edited 5 days ago) (1 children)

No, I am not in battle mode. I just read the link and found it interesting and responded with things I saw in it.

What I didn't do, was realize you sent TWO links, and I failed to read the second one. But believe me I am not trying to argue in any way. I am just responding.

The second link was also just for backups.

Again, I am just saying that they are not able to demonstrate that they are actually implementing this, AND that both of those links are for backups only. Thats all.

And I totally get what you were driving at: it doesn't matter, they have a "spare key".

[–] jjlinux@lemmy.zip 1 points 5 days ago

I don't think it will. It's just another outside audit (no idea if país by meta or not though). It is E2ee, that's the bottom line. Now, the implementation is what dictates what that's worth. It's no different than client-side scanning or Microsoft co-pilot. What's the point of having e2ee if someone else can get access either before encryption or by a third party, like meta, having a master key to decrypt anyway?

The first thing was if there was any indo of e2ee being implemented, there's plenty, even Cloudflare audited them at one point if I recall correctly. But, nobody knows how it's implemented, except for meta, and that's where the lack of trust resides, because we all trust meta as far as we can throw our cars.

[–] hagelslager@feddit.nl 2 points 6 days ago* (last edited 6 days ago) (1 children)

As far as I'm aware Moxie Marlinspike made the encryption before it was acquired by Facebook. One of the founders of WhatsApp now finances Marlinspike'd Signal messenger.

In theory Meta only sees who you communicate with, but not what you communicate.

(I wouldn't be surprised if the bastards are trying to undo the encryption if they already haven't.)

[–] noodlejetski@piefed.social 3 points 6 days ago

before it was acquired by Facebook

not that it really matters, but it was a few years after the acquisition.

[–] BladeFederation@piefed.social 5 points 6 days ago* (last edited 6 days ago) (1 children)

They have had some third party audits. It is not totally convincing to me as being trustworthy, but I see it as more of an acceptable necessary evil. Better than Discord, Snapchat, Facebook Messenger, probably even SMS. My wife's whole family uses just WhatsApp, and so do some businesses even in her country. Believe me though, anyone I can get on Signal, Matrix, Session, etc, I do.

[–] NewNewAugustEast@lemmy.zip 7 points 6 days ago* (last edited 6 days ago) (1 children)

There have been third party audits, but the conclusions have been that you can't know if it's implemented correctly or at all. Nature of closed source. Because you can't know where the keys are.

I get the doing business in their country. That is so difficult to overcome. I will not do it. Foot down on that one, and it does make it hard. My wife's family does the same as you mentioned. I just tell them they are literally paying for fascism. They don't care. Or you can pick from many of the ills of Meta products (energy use, AI, misinformation, or even simply making someone a billionaire by contributing nothing to society).

Makes it hard.

[–] BladeFederation@piefed.social 4 points 6 days ago* (last edited 6 days ago) (1 children)

I'm working on it and avoid it when I can as I mentioned. The only reason I mentioned it is that it's one of the last vestiges of apps I don't fully trust. I treat it like SMS or email, I don't send anything I don't expect could be audited by the government with the right subpoenas.

But sometimes I'm in a weird position. If I need to order food in my wife's country, I am not going to be able to contact the restaurant without WhatsApp. Then I, as a white American who doesn't know them, am going to explain to the delivery guy the reasons why they shouldn't support American fascism, in their native language that I am not 100% fluent in?

[–] NewNewAugustEast@lemmy.zip 3 points 6 days ago (1 children)

It isn't American fascism of course. It's everywhere.

But I get it, I find myself in the same boat traveling and visiting family. It really is pervasive. So in your scenario you can't just go pick it up yourself?

I know there are other ones though: Everything in some places works like this where they want to do a call back - deliveries, doctors appointments, services. WhatsApp has almost, if not completely, replaced the phone, so even getting a local sim doesnt help.

I simply refuse to play along. I wont do it. Somehow we seem to work it out.

[–] jjlinux@lemmy.zip 2 points 6 days ago

Lol, story of my life. But the best part is looking at people's faces when you say 'I don't have whatsapp' 🤣