Evan Prodromou
I need someone to change my mind.
I have seen a few posts suggesting that people change from WhatsApp to Signal.
Both messaging platforms are end-to-end encrypted (E2EE).
Both use the same E2EE protocol -- Signal's.
One is run by Meta, the other by the non-profit Signal Foundation.
Evan Prodromou
So, here's my concern: if you don't want to use WhatsApp because it's owned and operated by Meta, that means you don't have a lot of confidence in that end-to-end encryption.
And if you don't have confidence in it when it's run by Meta, why should you have confidence in it when it's run by Signal Foundation?
I assume this is because even when conversations are end-to-end encrypted, there is data exhaust around the edges -- like the timing of conversations, or profile data.
Evan Prodromou
@Infoseepage Why?
Evan Prodromou
Is that roughly it? Or am I missing something important about this?
Evan Prodromou
@emu There's a whole thread. Basically, change my mind that the difference between WhatsApp and Signal is big enough that you should change from one to the other.
My first instinct is, you should use the E2EE messaging system run by the company you don't trust, so you don't get a false sense of security.
Emu Otori
Evan Prodromou
Does Signal do a good job of throwing off that extraneous data, like by initiating random conversations, or keeping profile data encrypted on the client or something?
Evan Prodromou
@majorlinux absolutely, but that's not a change for security's sake.
Marcus "MajorLinux" Summers
@evan I mean, it could also just be the fact that people don't want to support the company openly supporting fascism.
But that's just me.
Raphael Lullis
The concern is not about the encryption, but metadata.
Facebook can know, e.g, that you are having health issues just because you've been talking with your doctor.
The app can still track your location.
The app can still capture shots of your video stream and analyze what you are doing, or listen to your conversation to find keywords relevant to advertisers.
Nemo_bis 🌈
@evan WhatsApp's E2EE is only for show. It's documented that Facebook Inc. can decrypt everything e.g. for the purposes of backup. The mechanism by which they hold and give access to the decryption keys is not publicly documented. Allegedly "decrypted backups" reduce this attack vector, but I've not confirmed whether that's the case.
https://security.stackexchange.com/a/145636/47770
https://snee.la/posts/the-workings-of-whatsapps-end-to-end-encrypted-backups/
Nemo_bis 🌈
This doesn't mean said encryption is completely useless. It's a protection from some attackers, just not WhatsApp/Facebook itself nor from anyone who can persuade WhatsApp to provide the decryption keys (such as the USA government and perhaps soon EU governments).
Evan Prodromou
@SupportGrapheneOS_667 very good audit!
Support GrapheneOS 667
Bruce Schneier made an audit:
https://www.33rdsquare.com/signal-vs-whatsapp/
There is also an enhanced fork of Signal called: #MollyFOSS for #android
Evan Prodromou
So, as far as I can tell from the thread, here are the reasons, in roughly descending order for importance from me:
1) Signal is Open Source
2) Signal does a better job encrypting metadata and other incremental improvements in security
3) People trust Signal much more than Meta
4) People want to show alignment with Signal more than Meta
I think these are pretty convincing. Thanks all who replied!
Rui Seabra
@evan
WhatsApp is E2EE to your contacts *and* the CIA server. ;)
Douglas Patriarche
@evan Agreed! These are the same reasons for my using Signal and avoiding WhatsApp.
Nemo_bis 🌈
@nobody Exactly.
Else, Someone
@nemobis @evan One could start the argument by just asserting that the whole point of E2EE is that trusting the clients on both ends is "enough", in the sense that it makes no difference whether the channel and the server are compromised.
With Signal one tends to trust the client because it's open-source and the releases are (claimed to be) reproducible. With Whatsapp... well maybe you could inspect its traffic with mitmproxy idk, but ultimately there's no reason to trust the client
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.