
WhatsApp – Security of End-to-End Encrypted Backups [pdf]

129 points | FiloSottile | 4 years ago | whatsapp.com

86 comments

[+] pgalvin|4 years ago|reply
Helpfully given in the introduction, here is some useful context for this change in case some people miss this part:

> Since 2016, all personal messages, calls, video chats and media sent on WhatsApp have been end-to-end encrypted. […]

> WhatsApp’s backup management relies on mobile device cloud partners, such as Apple and Google, to store backups of the WhatsApp data (chat messages, photos, etc.) in Apple iCloud or Google Drive. Prior to the introduction of end-to-end encrypted backups, backups stored on Apple iCloud and Google Drive were not protected by WhatsApp’s end-to-end encryption. Now we are offering the ability to secure your backups with end-to-end encryption before they are uploaded to these cloud services.

[+] inasio|4 years ago|reply
I'm pretty sure both Apple and Google are very happy with the current state of affairs, this system works great to keep people locked into iOS or Android, as exporting your data is super hard (there were a number of expensive sketchy-looking apps that claimed to be able to do this)
[+] beagle3|4 years ago|reply
It used to be encrypted before upload to google, and then … one day it just wasn’t (but came with the “candy” that it no longer counts against your account quota). I could never find any explanation for this, best hypothesis I found is that it’s a backdoor for law enforcement without admitting it.

I would be surprised, given everything happening in the world today, if the new system does not somehow allow law enforcement to get access (possibly indirectly, through the app giving the key in some weird back channel)

[+] baby|4 years ago|reply
And that's why I kept saying "no" to the backup requests in WhatsApp.
[+] godelski|4 years ago|reply
Why is this being called E2EE? If you're uploading them, shouldn't they be encrypted at rest? Why would we want it decrypted on the other end? I just want to upload an encrypted file that can only be decrypted by my app. No other end.
[+] pharmakom|4 years ago|reply
The data could probably be exfiltrated via WhatsApp web?
[+] 5faulker|4 years ago|reply
Still not totally encrypted but getting there.
[+] phreack|4 years ago|reply
The worst part is even if you disable automatic backups, which you should, the app will nevertheless force the creation of a backup every day at 2am. And keep 7 days' worth of backups at a time. Of every single thing it can get its hands on. The amount of storage and processing that globally occurs daily due to this, that people neither want nor need, is probably jaw dropping.

Many non-tech people I know that are not aware of this have just come to terms with the fact that phone storage just runs out quicker than it did before, and old phones just lag at 2am for mysterious reasons.

[+] john2010|4 years ago|reply
Automatic backups do not include any images or videos. They remain just unencrypted.

> Many non-tech people I know that are not aware of this have just come to terms with the fact that phone storage just runs out quicker than it did before, and old phones just lag at 2am for mysterious reasons.

Non-tech people get pissed when one smiley message is lost. So for all non-hn people automatic backups are a boon. I know this as we run a free repair-cafe - and help people migrate data from old phones.

[+] krrrh|4 years ago|reply
Not to mention that the solution to not uploading over cellular (on iOS at least) reads:

> To avoid excessive data charges, connect your phone to Wi-Fi or disable cellular data for iCloud. iPhone Settings > Cellular > iCloud Drive > OFF.

Like I have to be inconvenienced when I simply want to grab a pdf from iCloud, just to avoid having a few GB of my data cap used if I happen to be out at 2am.

[+] huhtenberg|4 years ago|reply
They may say all the right words, but given how Facebook has been consistently behaving with respect to people's privacy, all this e2e goodness amounts to nothing less than an extremely disingenuous and misleading charade. So, yeah, good to know. But, no, still have zero trust in FB's implementation of it and won't touch it with a long pole.
[+] baby|4 years ago|reply
WhatsApp has been pretty consistent with their track record, not every Facebook product is the same but if there's one part of the company that's doing really well in terms of security and privacy for its users that's the one.
[+] ziddoap|4 years ago|reply
I must say, it is unclear to me why this is being downvoted -- it mirrors my exact reaction.

The old saying "Actions speak louder than words" has never been more apt. It was just two days ago that Ars & others ran "WhatsApp "end-to-end encrypted" messages aren't that private after all" [1]. Yet, here we are.

It's a strong "No thanks" from me.

[1] https://arstechnica.com/gadgets/2021/09/whatsapp-end-to-end-...

[+] gordon_freeman|4 years ago|reply
This. Exactly the reason why I use Signal and even though I encounter some bugs once in a while, it is the only messaging app I trust in respecting my privacy.
[+] anaganisk|4 years ago|reply
We’re sorry that we have accidentally introduced a bug, which allowed us to mine data and peep into everything.
[+] prirun|4 years ago|reply
> To decrypt the backup, the key K is needed. Thus, to safeguard K in the HSM-based Backup Key Vault, the client performs a registration of K with WhatsApp.

> The key to encrypt the backup is secured with a user-provided password. The password is unknown to WhatsApp, the user’s mobile device cloud partners, or any third party. The key is stored in the HSM Backup Key Vault to allow the user to recover the key in the event the device is lost or stolen. The HSM Backup Key Vault is responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a certain number of unsuccessful attempts to access it. These security measures provide protection against brute force attempts to retrieve the key.

> Additionally, the users have a choice to use a 64-digit encryption key instead of a password, which would require them to remember the encryption key themselves or store it manually as in this case the key is not sent to the HSM Backup Key Vault.

So they do allow not storing the key on their servers, which is the only way I know to ensure encrypted backups can't be decrypted, but they make it inconvenient by forcing the key to be 64 digits, for a strength of 10^64.

They could make "no store" keys much easier by allowing the key to be characters, so that people could use a sentence or other sequence of words as a key and not have to write down or remember 64 digits. Using just letters (ignoring case), you'd need at least 46 to get equivalent (12x actually) strength. With uppercase, lowercase, and digits, you'd only need 36 to get 3x the strength of 64 digits.

If users already need to create a password to secure the random key stored on WhatsApp servers, it seems the strength of that password is really the strength of the whole system. In that case, they could just derive a key from the password and use that directly as the encryption key. Assuming they actually want to protect the backup that is.

Disclaimer: I have never used WhatsApp, but am author of HashBackup which does not store your key on any servers.

[+] kevincox|4 years ago|reply
> it seems the strength of that password is really the strength of the whole system

Not quite. If you trust the HSM that WhatsApp is using, the HSMs provide a defense against brute-force attacks that is infeasible with a mathematical key derivation function. For example even with a weak password you could limit an attacker to 10 attempts after which the key is wiped. This isn't something that you can do if your key is only protected by math. With a random 4 digit pin and 10 attempts you can only guess it 1% of the time. With a password you can brute force it until you get it (of course a password with sufficient entropy is probably still out of reach).

Of course trusting their HSMs is a huge if. There are also concerns about refreshing the attempt count (you don't want a brute force attack to wipe your key!) and synchronizing the attempt count across the distributed HSMs. (just enforcing the limit on each is likely to be sufficient though)
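
The guess-limiting behaviour discussed in this subthread, as an added example that is not part of any comment and not WhatsApp's implementation: a toy Python vault that wipes the key after a fixed number of failed attempts, plus helpers for the key-size comparison above. The class and function names, the PBKDF2 verifier and the sample PIN are assumptions for illustration.

```python
import hashlib
import hmac
import math
import os


class AttemptLimitedVault:
    """Toy model of a guess-limited key vault (hypothetical, not WhatsApp's protocol)."""

    def __init__(self, password: str, key: bytes, max_attempts: int = 10):
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)
        self._key = key
        self._max = self.remaining = max_attempts

    def _derive(self, password: str) -> bytes:
        # Salted, iterated hash so the vault never stores the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def recover(self, password: str):
        if self._key is None:
            raise PermissionError("key was wiped after too many failed attempts")
        if hmac.compare_digest(self._derive(password), self._verifier):
            self.remaining = self._max  # a success refreshes the attempt count
            return self._key
        self.remaining -= 1
        if self.remaining == 0:
            self._key = self._verifier = None  # permanently inaccessible
        return None


def online_guess_probability(keyspace: int, max_attempts: int) -> float:
    """Chance that distinct guesses hit a uniformly random secret before the wipe."""
    return min(max_attempts, keyspace) / keyspace


def key_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random key, e.g. 64 decimal digits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    vault = AttemptLimitedVault("4821", b"K" * 32)  # constructed sample PIN and key
    print(vault.recover("0000"), vault.remaining)
    print(online_guess_probability(10**4, 10))
    print(key_bits(10, 64), key_bits(26, 46), key_bits(62, 36))
```

The refresh on success is the design choice that determines whether an attacker's failed guesses can lock the legitimate owner out; a real deployment also has to keep the counter consistent across replicas.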

[+] dannyw|4 years ago|reply
I think WhatsApp's proposed solution here is sensible and achieves both objectives of protecting user privacy whilst also preventing users from accidentally shooting themselves in the foot with "password123".

Introduction of friction can add security. For example, bitcoin wallets that are self-custody will often involve elaborate, un-skippable "write these 24 words down, repeat it one by one" processes to ensure users properly back up the seed words.

[+] Andrew_nenakhov|4 years ago|reply
It seems that End-to-end (encryption) is now firmly established as a buzzword.

I'm not really a cryptographer, but from what I've gathered from a whitepaper, it's just an encrypted backup with a fancy system that allows users to safely store encryption keys on WhatsApp servers. But of course they have to call it end-to-end because users know it is safe

[+] upofadown|4 years ago|reply
Saving encrypted stuff on a server is more properly known as client side encryption[1]. Any instance of cryptography used to protect the contents of anything in any way is commonly referred to as end to end encryption these days. Fortunately, the misuse of the term can serve to identify an entity with poor understanding of the technology they are trying to sell you.

[1] https://en.wikipedia.org/wiki/Client-side_encryption

[+] baby|4 years ago|reply
I don't agree, if you were to define end-to-end encrypted backup this is what it would be.
[+] sneak|4 years ago|reply
Your complete chat history with everyone on WhatsApp, to date, has been provided in basically unencrypted form to Apple and Google by your conversation partners, which means that it is available on demand and without a warrant to US federal authorities via FAA Section 702 (commonly known as PRISM, or FISA).

This means that even if you stop using it today, there is a huge wealth of information about your habits, travel, personal identifiers, social graph, location history, and personal thoughts and opinions that will be permanently stored associated with your name.

Enabling e2e on backups won't purge this information, especially if it has already been downloaded by USG from Apple/Google.

If you want to mitigate this, you basically have to move, replace all your friends/contacts, never go back to the same venues/restaurants/cities, etc., because your existing pattern of life is already archived.

Too little, too late.

[+] prawnsalad|4 years ago|reply
I think the expectations of e2ee have been greatly stretched in this case. e2ee means that the data is encrypted from device to device only and that's it, from one end to another end. If someone backs up their device in an unencrypted way then that's out of scope for WhatsApp - that's not what e2ee is about.

People that expected full at rest encryption (which is what a backup system would include) despite the app never being advertised that way would have always needed a large kick to realise that isn't the case. Encryption is complicated and you can't expect everybody to fully understand what e2ee/at rest/etc really means. This whole situation is a learning experience for everyone and I wouldn't blame WhatsApp for it either. They now know that advertising encryption needs a little more explanation.

[+] vinay427|4 years ago|reply
WhatsApp currently handles local backups entirely incompetently and infuriatingly despite claiming (IMO dishonestly) that the feature exists, providing inaccurate and incomplete documentation. This is nice to see, but far too little too late for me to trust the app for longevity.

I recently had the issue for the second time of losing over a year of messages due to dysfunctional WhatsApp backups, about which I wrote a blog post of complaints/rants [1]. The user, as far as I can tell at least on Android, currently has no viable option besides uploading their messages, unencrypted, to Google.

[1] https://vinayh.com/posts/2021-08-28/

[+] JohnJamesRambo|4 years ago|reply
Does anyone have an NSA address users can just send their backups to and cut out the middleman?
[+] zionic|4 years ago|reply
That’s actually hilarious. If you lose all 3 of your backup sources just FOIA the NSA for their copy!
[+] erdos4d|4 years ago|reply
That doesn't work for them, they want you to think you have rights and stuff, it's more fun that way.
[+] account-5|4 years ago|reply
Genuine question, context first. I've never backed up any chat, I don't use WhatsApp anymore, I used to keep the photos I liked and deleted the rest.

What's the point? I've never felt the need to go back and read any messages I've previously sent. I have no idea why you'd keep them. And also can you imagine if someone got hold of your life's worth of messages?

[+] Tenoke|4 years ago|reply
I frequently search old chats to see when something happened or get some other information I know has been talked about.
[+] josh_today|4 years ago|reply
Is this really end to end encryption?
[+] Andrew_nenakhov|4 years ago|reply
To me it is just an encryption, which isn't bad, but still.
[+] leonixyz|4 years ago|reply
This is ridiculous, they block the account of people for no reason, making them lose years of messages, and now they come up with encrypted backups... they should focus on improving their support. They have only an email address for support. Try to get your account unblocked if their AI decides to block you. Good luck
[+] annadane|4 years ago|reply
Taking bets on how much of this is an ego trip from Zuck to stick it to the Apple people about their child protection controversy

"See? We're not like them"