> WhatsApp backups no longer count against your Google Drive storage quota.
> Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive.
It's common knowledge that group chats are not E2E - there is one encryption context from a user to the servers, and another context from the server to each member of the group chat. Bog standard transport layer security, in other words.
However, even if you never used group chats and had E2E on with all your contacts, the traffic analysis ("metadata use") is enough to build associations and clusters. FB doesn't need to know the message contents (although they make use of them when available). You have frequent chats with people who play certain kinds of sports? Fine, for marketing purposes you'll be grouped with people who like those sports. Or if the majority of your friends have pets - guess which cohorts you end up in as well.
Oh, and if I remember correctly, WA definitely processes your messages locally before sending them: it uses a list of image hashes to prevent sending e.g. child exploitation material onwards.
This is not the case. Signal, for example, has open source code, which allows one to verify that it does not use the message texts for commercial purposes, so we can with good reason assume that the messages are at least E2E encrypted properly within the app and at least Signal servers.
Yes, of course if you have root access to the device itself, or otherwise hack it, you can compromise any messenger. But that's not even in the same league as having basically a message spying built-in, turned on, always on, inside your damn messenger app itself.
WhatsApp calling their app "E2E" in their marketing is a spit in the direction of the users that have the technical knowledge to understand how it really works. It is inaccurate in all the ways that matter. It is accurate only in one technical way that is completely irrelevant in the real world, just put there so they could use the phrase in the marketing while not caring about the true intent behind E2E.
That was not my intention.
I'm trying to say that E2E implies a very specific threat model, and that WhatsApp are in fact in a position to subvert theirs in pretty straightforward ways. Their group messages have never been E2E, which means that if they were to force a client update where all communications are always group chats and the UI hid this fact, the users would be none the wiser. They could also use their client-side content filtering to build keyword histograms and upload those periodically to their servers, without breaking their E2E.
In fact, I was trying to point out that they do not necessarily need to inspect or store message contents. WhatsApp is owned by a marketing analytics giant. With all the noise about E2E and metadata, people forget (or ignore) that traditionally intelligence about communications has been primarily about traffic analysis ("metadata"). Tapping into the communications has been of course a valuable goal, but knowing the communication patterns, frequencies, memberships and direction/timing of communications within groups has been enough to build valuable intelligence.
Sure. Access to content allows one to do keyword and semantic/NLP-based targeting. But the aggregation of marketing cohorts and their various relationships is likely a much more valuable asset. These relationships are also known as the social graph. And E2E, as implemented in WhatsApp, does not protect against it. They know who you communicated with, when, and where you were at the time.
Signal on the other hand have done a lot of work to enable not only E2E protected, but also properly untrackable group communications.
> But that's not even in the same league as having basically a message spying built-in, turned on, always on, inside your damn messenger app itself.
You hit the nail on the head. If you can't trust the client, practically any and all E2E promises are worthless. We agree on this one.
You also touch upon a wider problem across the messaging technology space. The term end-to-end encryption has been hijacked as a high-value keyword by every snake-oil salesman. It confers a high level of trust, precisely because when implemented correctly, it provides guaranteed message content confidentiality. But even in this thread, we see that the term E2E is routinely used to imply an even higher standard: that of anonymous communication.
Anonymity, confidentiality and integrity are all aspects of communications security. End-to-end can guarantee the last two, assuming the endpoints remain secure or at least trusted. Getting the first one included is going to require a lot of hard work, and in the case of WhatsApp, would go directly against their owner's motives.