IMPORTANT UPDATE re: data policy changes, see below, January 12th
So there are one-or-more people on Twitter who worry that WhatsApp are somehow changing their End-to-End encryption; fortunately there are also other people who already know the answer and are responding to those who fret:
That Leigh is correct is confirmed by the WhatsApp FAQ page, where you also get a glimpse of the “how we will make money” direction that WhatsApp seem to be taking:
Basically: if you are the local Electric Utility Company then you will get better security and privacy of messaging via WhatsApp than you would SMS – but how would you be able to cluster 100 customer service agents around a single iPhone?
Answer: Docker, and the WhatsApp Business API; if you want to know the hard details of that then I recommend the actual documentation, but the short version is something like: “all the WhatsApp cryptographic stuff will live in a Docker container, and if you are a business owner who is not very technical but sees extra value in secure communication, you will be able to pay for someone to host that container for you – even Facebook!”
…which leads directly to the circumstance where they have to rip out any overly-specific text that says “Facebook never holds private keys”, because they are soon to offer businesses the option to pay Facebook to do precisely that, as a service.
Services which actually care rather more deeply about customer privacy – Banks, Doctors – will be able to host their own Business API Containers on their own premises.
See also this document, for a lot more context and perspective:
Important Update, January 12th
WhatsApp have finally worked out that maybe it would be good to put up an FAQ about the “privacy policy changes” which so many people have been panicking about, and so much hot air and FUD has been written – so much so that SignalApp has occasionally been struggling to keep pace with the additional load as the media points everyone at them.
This kind of fearmongering and panic is not good for the global adoption of end-to-end encryption – E2EE should be everywhere and should be default, rather than perceived as being a “special app” which you use for “special purposes”.
The infosec community has a love-hate with the PGP for being an end-to-end encryption bolt-on application that was hard to use and which was and remains abused for many security purposes.
At least Signal is easy to use, but it must not become the “PGP of Messengers”, and the community must demand real E2EE, worthy of the name, from all messenger platform providers. There must be no backdoors, no “exceptional access for law enforcement”, no client-side filtering, strong capability for the user to block and report harm, abuse, and other forms of badness in a manner where the user is the person in charge of the process – and any automated processes must have a clear opt-in.
And, while we’re at it: data which is “deleted” must really be adequately deleted.
I attach screencaps of the FAQ page, below, as-taken on January 12th.
The literal boss of WhatsApp is trying to explain this, but I worry that nobody is listening any more because its more benefit or emotionally satisfying to them to beat up Facebook and Mark Zuckerberg than to consider what some of his employees might be trying to bring to the table:
Leave a Reply