
Nonsense. Whatsapp owns both endpoints. They could know perfectly well what you write, when you write it, to whom, and anything their heart desires by way of their analytics. The messages themselves contain no business value to them. They could send it by carrier pigeon for all they care as long as the client is their product.


No. A user owns each endpoint. Whatsapp provides a service to the owners of the endpoints.

Yes, Whatsapp is in a position to act unethically and steal information, but that does not make Whatsapp the owner of anything.


Whatsapp is not something you can compile or inspect easily. They own the endpoint, in that specific meaning. They may not have root access on the device, but inside the client nothing is out of scope.

It is their client. Any data you enter into the client is data they 0wn.


You can definitely decompile WhatsApp on Android to inspect it. I'm sure security researchers do this regularly, including those looking for a bug bounty that could be life-changing.


You can always inspect what you are running right now. Again, they literally own the software. They could augment it at runtime, or do whatever else they desire. You have to trust them that they don't copy your data. How the transport protocol works is completely beside the point.

Security researchers analyze software in order to third party attack vectors. They do not analyze first or second party attack vectors, because that would be silly. There's simply too many of them.


They don't have to steal information in order to block inappropriate content. The app itself can detect and block without external intervention.


Presumably they would use edge-based hash scans or AI models to detect unsavory content. But if the content is so extreme as to be unsavory, likely they will be legally required to report it to LEO.

The next steps are LEO seizing your device(s) or LEO having WhatsApp start sending all your messages to them for review.

What happens when LEO adds the hash of a state-loathed meme?


They "could" maybe. But since you seem to not have more information, we have to remain on the assumption that they're still using Signal protocol and can't see what the message contents are.


They could use the Signal protocol AND see the contents.


Signal could still see the contents of your messages. Anything you enter into their app could be scanned or sent back in plaintext to some server, all prior to actual transmission via their protocol.

The only way to ensure that can't happen is to inspect the code and compile it yourself, or at least validate the hash of the binary you're installing. But we've also recently learned with the xz fiasco that you'll need to be sure to add checks all the way down.

Of course, you could always encrypt before entering the text into Signal, but at that point why use Signal?



