Is there any reason to trust Meta to not have this backdoored? Given their longstanding patterns of user-hostile behavior, I'm not inclined to see this as anything but bluster.
Is there any reason to trust Meta to not have this backdoored? Given their longstanding patterns of user-hostile behavior, I'm not inclined to see this as anything but bluster.
Backdooring E2EE would be the immediate end of any trust Facebook gets in the security world. Privacy and security are different concepts in tech. Good privacy requires good security, but security...
Backdooring E2EE would be the immediate end of any trust Facebook gets in the security world.
Privacy and security are different concepts in tech. Good privacy requires good security, but security doesn’t always imply privacy. Facebook has a very solid track record in security, and they operate the only widely deployed default E2EE messaging app (Signal is a drop in the ocean of WhatsApp users).
These clients are also not particularly hard to reverse engineer. So this would be found out quickly, would be a huge scandal, and result in the likely resignation of a few smart people - which is one of the most substantial losses you can inflict on a company.
Forgive my ignorance here--while I agree that backdooring E2EE would be security suicide for Facebook, I don't think I understand why it would be trivial to find out about it. What would prevent...
Forgive my ignorance here--while I agree that backdooring E2EE would be security suicide for Facebook, I don't think I understand why it would be trivial to find out about it. What would prevent them from using a key escrow, say by having a key copy silently sent with the initial package of metadata?
Nothing "prevents" them from doing that, but it's difficult to hide in the mobile client. These things are easy to reverse engineer, and auditing them for backdoors is relatively trivial. Given...
Nothing "prevents" them from doing that, but it's difficult to hide in the mobile client. These things are easy to reverse engineer, and auditing them for backdoors is relatively trivial. Given the amount of users those particular apps have, it's certainly being done, actively, especially since there aren't just white hats doing this but also black hats looking for vulnerabilities.
IIRC, Signal helped Meta when they implemented WhatsApp E2EE, and verified their implementation of their protocol in Messenger's encrypted chats. Also, if you look at how they market themselves in...
IIRC, Signal helped Meta when they implemented WhatsApp E2EE, and verified their implementation of their protocol in Messenger's encrypted chats. Also, if you look at how they market themselves in comparison to WhatsApp - where they have the incentive to make it look as insecure as possible - they seem to focus more on all the other info that's collected, such as user identifiers and usage data.
Says the people who literally handed over message logs to the Texan authorities because how dare somebody cross state lines to have an abortion.
People want to trust that their online conversations with friends and family are private and secure. We’re working hard to protect your personal messages and calls with end-to-end encryption by default on Messenger and Instagram. Today, we’re announcing our plans to test a new secure storage feature for backups of your end-to-end encrypted chats on Messenger, and more updates and tests to deliver the best experience on Messenger and Instagram.
Says the people who literally handed over message logs to the Texan authorities because how dare somebody cross state lines to have an abortion.
Are you talking about the Nebraska case? I haven't heard about this happening in Texas, and a quick Google didn't turn up anything. In the Nebraska case, Facebook was complying with a valid court...
Are you talking about the Nebraska case? I haven't heard about this happening in Texas, and a quick Google didn't turn up anything.
In the Nebraska case, Facebook was complying with a valid court order where they didn't have reasonable grounds to contest it.
Additionally, the charges did not include abortion when FB received the order, instead they involved illegal disposal of a body. The abortion charge was added later.
Note that abortion is legal in Nebraska. Nebraska's existing law (passed in 2010, nothing to do with recent supreme court craziness) bans abortions after 20 to 22 weeks (reports vary) which is less than some places, but not insanely so. Certainly nothing like Texas' new 6 week cutoff.
A step in the right direction for sure, but this is concerning: Do they retain control of the encryption keys? How are they implementing a user report system (which shouldn't even be there in the...
A step in the right direction for sure, but this is concerning:
As with end-to-end encrypted chats, secure storage means that we won’t have access to your messages, unless you choose to report them to us.
Do they retain control of the encryption keys? How are they implementing a user report system (which shouldn't even be there in the first place) that allows them to review messages if it's supposed to be "true E2EE"?
I'm guessing the "user report" button just resends the previous N messages to Facebook. After all, it's unencrypted at the end; even E2E encryption can't stop someone from forwarding a screenshot....
I'm guessing the "user report" button just resends the previous N messages to Facebook. After all, it's unencrypted at the end; even E2E encryption can't stop someone from forwarding a screenshot. I think this is how WhatsApp implements their report button.
I'm cautiously optimistic about this. On the one hand, Meta will certainly be harvesting as much metadata as they can to target ads despite not reading message content directly. On the other hand,...
Takeaways:
We’re testing secure storage on Messenger, a new feature that allows you to back up your end-to-end encrypted chats.
We’re also starting a test of automatic end-to-end encrypted chat threads on Messenger and expanding other features.
People want to trust that their online conversations with friends and family are private and secure. We’re working hard to protect your personal messages and calls with end-to-end encryption by default on Messenger and Instagram
I'm cautiously optimistic about this. On the one hand, Meta will certainly be harvesting as much metadata as they can to target ads despite not reading message content directly. On the other hand, if they actually pull this off...it'll help security for the common people. I can't just force my friends and family to switch to Signal or Element, so putting Messenger and Instagram on the same level as WhatsApp security wise would be nice.
They are only announcing this right now to get around the news and fact that they are complicit with charging and potentially sending a 17 year old to prison for having a miscarriage/abortion. .
I know it’s Facebook but that’s a very uncharitable framing. In the end, as a US based company, it is US law for them to obey search warrants. And that specific case the abortion would be illegal...
I know it’s Facebook but that’s a very uncharitable framing. In the end, as a US based company, it is US law for them to obey search warrants. And that specific case the abortion would be illegal in all but 2 European countries (Netherlands and UK).
This is the right response - the only way Facebook can refuse a search warrant or subpoena is not have the data in the first place.
You would be surprised (I was) to learn that it's the case for most European countries. We as most Europeans just had that conversation a long time ago and now it's other issues that's important....
You would be surprised (I was) to learn that it's the case for most European countries. We as most Europeans just had that conversation a long time ago and now it's other issues that's important. Like we don't really talk about it at all and that makes it so weird to watch the melt down the US has concerning this issue. Most countries in Europe have stricter abortions laws than much of the access the US are fighting about but the handling/religion/politics are vastly different and agreements are easier made between people/politicians who otherwise disagree on most other subjects.
Is there any reason to trust Meta to not have this backdoored? Given their longstanding patterns of user-hostile behavior, I'm not inclined to see this as anything but bluster.
Backdooring E2EE would be the immediate end of any trust Facebook gets in the security world.
Privacy and security are different concepts in tech. Good privacy requires good security, but security doesn’t always imply privacy. Facebook has a very solid track record in security, and they operate the only widely deployed default E2EE messaging app (Signal is a drop in the ocean of WhatsApp users).
These clients are also not particularly hard to reverse engineer. So this would be found out quickly, would be a huge scandal, and result in the likely resignation of a few smart people - which is one of the most substantial losses you can inflict on a company.
Forgive my ignorance here--while I agree that backdooring E2EE would be security suicide for Facebook, I don't think I understand why it would be trivial to find out about it. What would prevent them from using a key escrow, say by having a key copy silently sent with the initial package of metadata?
Nothing "prevents" them from doing that, but it's difficult to hide in the mobile client. These things are easy to reverse engineer, and auditing them for backdoors is relatively trivial. Given the amount of users those particular apps have, it's certainly being done, actively, especially since there aren't just white hats doing this but also black hats looking for vulnerabilities.
IIRC, Signal helped Meta when they implemented WhatsApp E2EE, and verified their implementation of their protocol in Messenger's encrypted chats. Also, if you look at how they market themselves in comparison to WhatsApp - where they have the incentive to make it look as insecure as possible - they seem to focus more on all the other info that's collected, such as user identifiers and usage data.
Says the people who literally handed over message logs to the Texan authorities because how dare somebody cross state lines to have an abortion.
Are you talking about the Nebraska case? I haven't heard about this happening in Texas, and a quick Google didn't turn up anything.
In the Nebraska case, Facebook was complying with a valid court order where they didn't have reasonable grounds to contest it.
Additionally, the charges did not include abortion when FB received the order, instead they involved illegal disposal of a body. The abortion charge was added later.
Note that abortion is legal in Nebraska. Nebraska's existing law (passed in 2010, nothing to do with recent supreme court craziness) bans abortions after 20 to 22 weeks (reports vary) which is less than some places, but not insanely so. Certainly nothing like Texas' new 6 week cutoff.
https://www.npr.org/2022/08/10/1116716749/a-nebraska-woman-is-charged-with-helping-her-daughter-have-an-abortion
A step in the right direction for sure, but this is concerning:
Do they retain control of the encryption keys? How are they implementing a user report system (which shouldn't even be there in the first place) that allows them to review messages if it's supposed to be "true E2EE"?
I'm guessing the "user report" button just resends the previous N messages to Facebook. After all, it's unencrypted at the end; even E2E encryption can't stop someone from forwarding a screenshot. I think this is how WhatsApp implements their report button.
I'm cautiously optimistic about this. On the one hand, Meta will certainly be harvesting as much metadata as they can to target ads despite not reading message content directly. On the other hand, if they actually pull this off...it'll help security for the common people. I can't just force my friends and family to switch to Signal or Element, so putting Messenger and Instagram on the same level as WhatsApp security wise would be nice.
They are only announcing this right now to get around the news and fact that they are complicit with charging and potentially sending a 17 year old to prison for having a miscarriage/abortion. .
I know it’s Facebook but that’s a very uncharitable framing. In the end, as a US based company, it is US law for them to obey search warrants. And that specific case the abortion would be illegal in all but 2 European countries (Netherlands and UK).
This is the right response - the only way Facebook can refuse a search warrant or subpoena is not have the data in the first place.
Huh. Surprising that Florida currently has longer abortion access than most EU countries...
You would be surprised (I was) to learn that it's the case for most European countries. We as most Europeans just had that conversation a long time ago and now it's other issues that's important. Like we don't really talk about it at all and that makes it so weird to watch the melt down the US has concerning this issue. Most countries in Europe have stricter abortions laws than much of the access the US are fighting about but the handling/religion/politics are vastly different and agreements are easier made between people/politicians who otherwise disagree on most other subjects.
This is terrible. Prime example of privacy needed within our messaging services.