• h_ramus@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    9 months ago

    Thanks. Haven’t used them in like a decade so things seem to have changed. At the time, new phone meant your messages transferred automatically.

    At the same time, even if Facebook requires a backup for the messages to show up, as the app is close sourced, how would one know for sure whether the app doesn’t harvest the private key anyway?

    • bamboo@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      Sounds like you used Whatsapp pre Signal which happened in 2016: https://signal.org/blog/whatsapp-complete/

      With regard to private key, for backups, this relies on the HSM in Apple and Android devices, so the private key is engineered to never be accessible by Facebook. Here’s how they say they use the HSM to encrypt the backups: https://engineering.fb.com/2021/09/10/security/whatsapp-e2ee-backups/

      There’s no way to be 100% certain, but if Whatsapp were found to have access to the private keys, it would be huge damaging news, so why would they risk it? Security researchers can watch the traffic going to/from the app and the OS APIs being called, and can see the HSM being invoked. Despite it being closed source, that doesn’t mean it’s less secure and there’s no one verifying the security claims.

      • h_ramus@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        8 months ago

        Thanks for explaining. It’s interesting and outside metadata there could be a case for data being secure. However, this is the same company that lied and got fined in the EU when they asserted that they wouldn’t be able to link WhatsApp and Facebook identities. This allowed the merger to happen. Security and privacy being something that the average Joe doesn’t care that much, it wouldn’t be too much of a negative impact when they already have so much bad press on other matters. Finally, from an ethical perspective, I’ll give this corp a miss. Values don’t really align with my personal ones even if privacy and security were beyond reproach.