If you read the article, it’s talking about not putting in a backdoor, and not Facebook saying “we have access to all encrypted messages, we’re just not giving them to you”. As it stands, they’re end-to-end encrypted so not even Facebook can’t see your messages, and that’s what Barr doesn’t like
> they’re end-to-end encrypted so not even Facebook can’t see your messages
Not quite. Facebook still controls the endpoints, so when you see the message so can they. This is obvious: you use their app to view the encrypted message, hence the app has access to the cleartext.
If I login to Facebook.com from any random device+browser, I seem to be able to read my "Facebook Messenger" history - maybe this is different if I use the Messenger app, but it seems like there's no E2EE here since I get the plaintext from anywhere.
On WhatsApp there seems to be E2EE enabled but I have no idea what the keys are. A layperson definitely has no idea what the keys are.
Could Facebook build an "NSA mode" where the old keys (K1) are quietly replaced with some known keys (K2) for a particular user at a particular timestamp T?
This means that all messages before T are to be parsed by using K1 and all messages after T are to be parsed by using K2.
As a WhatsApp user, would I even know if "NSA mode" has been enabled for my account? This would enable courts to allow surveillance for all future messages, but the old messages would still be E2EE.
What if you involve Apple+Google into the mix and have them silently deploy a rogue update to a particular user's WhatsApp program - couldn't you just ask a court to write some kind of surveillance warrant which orders the 3 companies to work together to give the alphabet agency a way to remotely take the keys?
That's exactly what the Assistance and Access Act of 2018 in Australia was for. It allows law enforcement to compel third parties to subvert encryption. This doesn't necessarily mean break the encryption itself, but could mean deploying a malicious update to a target device that keylogs or screen captures, or otherwise allows eavesdropping. Keep an eye out for similar bills in your respective governments, it passed without struggle in Australia despite the seemingly negative opinion the public and media had on the issue.
Facebook Messenger conversations are not E2EE by default. When you start one, you have to choose "Secret" in order for E2EE to be applied. This is only available from the Messenger app on mobile devices.
> On WhatsApp there seems to be E2EE enabled but I have no idea what the keys are.
The keys are shown right in the contact's profile under "Encryption", same as Signal. It even has a feature to validate their key by taking a picture of their screen. How could it be any easier for laypeople than that?
From the content of the article it also seems like it maybe should have that title. In the body they say they won't open their messaging product to law enforcement. Nowhere does it suggest (or deny) they can open messages. Some clarity on this would be nice.
Agreed. "Can't" implies they are unable to do it at all, which means they will not give the information to random LEO requests, because they simply can't.
"Won't" implies they select who they want to give the data to, which mean they probably give that data to other actors, without users even knowing about it.
How would a can't be possible here? They're being asked to modify the client code to enable surveillance. A client can't be secure against changes to its own code, and a protocol can't be secure against the client sharing the data it receives.
It's surprising to me that so many people give the benefit of the doubt to enterprises, when they (at huge effort and expense) emit "mealy-mouthed" rebuttals that leave open the possibility that they actually are doing evil.
These people aren't stupid, and their legal and PR teams understand the fine details of the English language.
It says what they mean to say, not what we wish it would say.
ImminentFate|6 years ago
tantalor|6 years ago
Not quite. Facebook still controls the endpoints, so when you see the message so can they. This is obvious: you use their app to view the encrypted message, hence the app has access to the cleartext.
https://en.wikipedia.org/wiki/Endpoint_security
SilasX|6 years ago
fareesh|6 years ago
On WhatsApp there seems to be E2EE enabled but I have no idea what the keys are. A layperson definitely has no idea what the keys are.
Could Facebook build an "NSA mode" where the old keys (K1) are quietly replaced with some known keys (K2) for a particular user at a particular timestamp T?
This means that all messages before T are to be parsed by using K1 and all messages after T are to be parsed by using K2.
As a WhatsApp user, would I even know if "NSA mode" has been enabled for my account? This would enable courts to allow surveillance for all future messages, but the old messages would still be E2EE.
What if you involve Apple+Google into the mix and have them silently deploy a rogue update to a particular user's WhatsApp program - couldn't you just ask a court to write some kind of surveillance warrant which orders the 3 companies to work together to give the alphabet agency a way to remotely take the keys?
ehnto|6 years ago
https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...
jaywalk|6 years ago
shawnz|6 years ago
The keys are shown right in the contact's profile under "Encryption", same as Signal. It even has a feature to validate their key by taking a picture of their screen. How could it be any easier for laypeople than that?
bonestamp2|6 years ago
blackboxlogic|6 years ago
brink|6 years ago
csunbird|6 years ago
"Won't" implies they select who they want to give the data to, which mean they probably give that data to other actors, without users even knowing about it.
daveFNbuck|6 years ago
pjkundert|6 years ago
These people aren't stupid, and their legal and PR teams understand the fine details of the English language.
It says what they mean to say, not what we wish it would say.
They "Won't". Not that they "Can't".