WhatsApp Encryption, a Lawsuit, and a Lot of Noise è un ottimo articolo di Matthew Green, esperto di crittografia e professore della Johns Hopkins University, sulla recente causa di uno studio legale nei confronti di Meta in cui si sostiene che WhatsApp non sia in realtà end-to-end encrypted. Alla causa è seguito l'appoggio, ovviamente, dei soliti mistificatori Elon Musk e Pavel Durov.
Il riassunto è che le accuse sono completamente infondate e che se WhatsApp stesse facendo qualcosa di losco ce ne saremmo accorti e sarebbe la frode più grande della storia della tecnologia. "Se stai commettendo un crimine, farlo in un modo che sia rilevabile forensicamente è molto stupido".
Given the closed-source nature of WhatsApp, how do we know that WhatsApp is actually encrypting its data? The company is very clear in its claims that it does encrypt. But if we accept the possibility that they’re lying: is it at least possible that WhatsApp contains a secret “backdoor” that causes it to secretly exfiltrate a second copy of each message (or perhaps just the encryption keys) to a special server at Meta?
I cannot definitively tell you that this is not the case. I can, however, tell, you that if WhatsApp did this, they (1) would get caught, (2) the evidence would almost certainly be visible in WhatsApp’s application code, and (3) it would expose WhatsApp and Meta to exciting new forms of ruin.
The most important thing to keep in mind here is that Meta’s encryption happens on the client application, the one you run on your phone. If the claims in this lawsuit are true, then Meta would have to alter the WhatsApp application so that plaintext (unencrypted) data would be uploaded from your app’s message database to some infrastructure at Meta, or else the keys would. And this should not be some rare, occasional glitch. The allegations in the lawsuit state that this applied to nearly all users, and for every message ever sent by those users since they signed up.
Those constraints would tend to make this a very detectable problem. [...] If you’re going to (metaphorically) commit a crime, doing it in a forensically-detectable manner is very stupid.