Two questions.
My family insist on using WhatsApp for the family chats. I have to keep a copy on a device just so I can communicate with them. I do so under protest, as I was always told it isn’t secure. My brother has just said
“oh WhatsApp is encrypted, it’s perfectly secure”.
First, is it actually as encrypted and safe as my brother claims? That would solve everything.
Second, if it isn’t, where can I get some proof that we should switch to Telegram or whatever? Proof which doesn’t make me look like a raving loony?
The contents of the chat messages are e2e encrypted, so Meta can’t see what you are sending.
But they can see all of the metadata, i.e. how often you chat with someone, how often you send pictures/videos/voice messages, etc.
That is more than enough to know everything about you and your friends.
My understanding is that it IS encrypted, and it’s supposed to use the Signal protocol (Signal developed it and released it for others to use).
The problems are with:
- metadata (like the other comment explained)
- closed source, so we take their word on it for how it works. It’s possible they’re being misleading or doing something shady
See this image from a few years ago:
Note that Signal does require this, which isn’t in the chart:
- phone number (for now)
- last active date
- sign up date (I think)
Interesting! Do you remember where you got this chart?
These are just screenshots of the data privacy section from the Apple AppStore of each of the apps. Afaik those are mandatory & self reported by the devs of the app.
I assume WhatsApp encryption is equivalent to HTTPS: your connection to the server is encrypted and “impossible” to be intercepted and decrypted, but on the server end everything arrives as clear text, so the only people that can watch your conversation are the recipient of the messages and WhatsApp.
That’s not correct. WA claims to use end-to-end encryption. I have no reason to doubt that. It probably arrives encrypted at the servers, not as clear-text.
That’d also align with the business-model of big tech. They do lots of things with meta-data. And algorithms can infer lots of important things just by looking at that. I wouldn’t be surprised if they really don’t care about the exact content of WA messages.
Reading WhatsApp’s definition of E2EE, that seems to be the case. I stand corrected.
Yeah. I think they partnered with the makers of Signal and took the encryption from Signal back in 2014 or 2015. I still remember the first of my friends adopting WA and it had zero encryption or protection against impersonating people. I used XMPP (Jabber) back then and just shook my head.
But it’s different now.
In case they’re set on WhatsApp:
You could use something like:
https://github.com/mautrix/whatsapp
and bridge WA to a secure Matrix server of your choice. That way you can have a secure environment and they can use whatever they like.
Here is an overview table about messengers, in case you want to compare them and have more arguments in the discussion:
https://www.messenger-matrix.de/messenger-matrix-en.html
I wouldn’t consider WA secure. They do tracking, they have your phone numbers and those of all of your friends and know exactly who you talk to, when, and how often. Even if they don’t know the content of the message because it’s encrypted, that’s a lot of information for the algorithm to feed on. Apart from that, I’m not sure if they have access to the encryption keys. They might be able to decrypt everything if they want.
I’m sure someone wrote a lengthy blog article about WA. But unless someone does a proper security audit including where the encryption keys are stored and the implications of that and how extra features like breaking encryption in case someone flags an inappropriate post turn out… The ‘it’s safe’ is just a claim by your brother or Meta. You’re free to believe in anything you want. But it’s not necessarily true.
WhatsApp gives you the option to back up all messages to Google or Apple Cloud unencrypted.
No Telegram lol. That’s way worse. WhatsApp says they are E2EE but it’s all “trust me bro” because you cannot look at the code.
With Telegram it’s a little pain to open encrypted chats, and groups are always unencrypted. So it’s useless.
Let them try Signal, it’s nearly identical but you can trust it.