WhatsApp backdoor allows snooping on encrypted messages

Current thread on the response to this article: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13394900" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13394900</a>

Well, I kind of feel that I have to repost my comment on this old thread[1] with regards to the government of Egypt blocking Signal application:<p>&quot;Isn&#x27;t it &quot;weird&quot; that they chose to block Signal app and not the signal-protocol based Whatsapp? If Whatsapp really implements the same kind of security and privacy measures that Signal does, why is Whatsapp allowed to continue operating? If signal is preventing them spy on users and they ban it, is in&#x27;t it safe to assume that Whatsapp is NOT preventing them spy on users, so they let it operate? Wouldn&#x27;t you expect Whatsapp to be also targeted, especially considering the broad user-base it has compared to Signal? Yes, I know they had blocked Whatsapp in the past, but they didn&#x27;t block it now. Which means that something has changed in the relationship of the Egyptian gov and Whatsapp since 2015.&quot;<p>1. <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13219304" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13219304</a>

I remember receiving the downvote brigade[1], when Moxie himself said that I should trust WhatsApp without having the source code and the ability to put it on my device.<p>We (even a &quot;smart&quot; community like HN) clearly do not have the ability to think critically about security, and even when our leaders are sincere -- and I really don&#x27;t mean to suggest Moxie&#x2F;Signal was complicit in this move -- we still rush to defend our champions so quickly that we don&#x27;t even think about what&#x27;s going on.<p>However something really important is that this might be mere incompetence: FaceBook might not have any mechanism for launching this attack, they just thought the notification message was annoying so they didn&#x27;t display it. To that end we need to be vigilant about stupidity as well.<p>Where does it end? Will we actually stop being okay with buffer overflows and sloppy programming? Or are we going to continue trying to &quot;be safer&quot; and use &quot;safe languages&quot; and continuing to try to solve the problem of too much code to read clearly with more code.<p>[1]: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11669395" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11669395</a>

Some more background:<p>This was presented in the lightning talks at 33c3, starting around minute 48: <a href="https:&#x2F;&#x2F;media.ccc.de&#x2F;v&#x2F;33c3-8089-lightning_talks_day_4" rel="nofollow">https:&#x2F;&#x2F;media.ccc.de&#x2F;v&#x2F;33c3-8089-lightning_talks_day_4</a><p>Here&#x27;s the congress wiki with some more links: <a href="https:&#x2F;&#x2F;events.ccc.de&#x2F;congress&#x2F;2016&#x2F;wiki&#x2F;Lightning:A_Backdoor_(&#x2F;Bug%3F)_in_WhatsApp" rel="nofollow">https:&#x2F;&#x2F;events.ccc.de&#x2F;congress&#x2F;2016&#x2F;wiki&#x2F;Lightning:A_Backdoo...</a><p>And a blogpost: <a href="https:&#x2F;&#x2F;tobi.rocks&#x2F;2016&#x2F;04&#x2F;whats-app-retransmission-vulnerability&#x2F;" rel="nofollow">https:&#x2F;&#x2F;tobi.rocks&#x2F;2016&#x2F;04&#x2F;whats-app-retransmission-vulnerab...</a>

The key part is this, and it was apparently reported back in April 2016 with Facebook replying it&#x27;s &quot;expected behavior&quot;, it&#x27;s not something a general attacker can do but it would enable WhatsApp&#x2F;Facebook to read conversations:<p>&gt; WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.<p>It&#x27;s worth noting as the article says, that this is built <i>on top</i> of the Signal protocol. In Signal, a similar situation with a user changing key offline will result in failure of delivery. Within WhatsApp under Settings&gt;Account&gt;Security there is an option to <i>Show Security Notifications</i> which will notify you if a users key has changed.

Nothing to worry about according to Gizmodo:<p><pre><code> &gt; The supposed “backdoor” the Guardian is describing is &gt; actually a feature working as intended, and it would &gt; require significant collaboration with Facebook to be &gt; able to snoop on and intercept someone’s encrypted &gt; messages, something the company is extremely unlikely &gt; to do. </code></pre> <a href="http:&#x2F;&#x2F;gizmodo.com&#x2F;theres-no-security-backdoor-in-whatsapp-despite-report-1791158247" rel="nofollow">http:&#x2F;&#x2F;gizmodo.com&#x2F;theres-no-security-backdoor-in-whatsapp-d...</a><p>I, for one, certainly cannot imagine Facebook collaborating to such an extent with the government.

At the risk of stating the obvious: there is real benefit to using an entirely decentralised open source comms system like Riot.im (Matrix) or Conversations (XMPP), where you can pick precisely which app to run, who to trust to build that app, who to trust to advertise your public keys, and who to host your server.<p>It&#x27;s inevitable that big centralised services like WhatsApp or even Signal are going to be under pressure from governments to support lawful intercept; in many countries it&#x27;s essentially illegal to run a communication service that can&#x27;t be snooped under a court order. Multinationals like Facebook are neither going to want to break the law (as it ends up with their senior management getting arrested: <a href="https:&#x2F;&#x2F;www.theguardian.com&#x2F;technology&#x2F;2016&#x2F;mar&#x2F;01&#x2F;brazil-police-arrest-facebook-latin-america-vice-president-diego-dzodan" rel="nofollow">https:&#x2F;&#x2F;www.theguardian.com&#x2F;technology&#x2F;2016&#x2F;mar&#x2F;01&#x2F;brazil-po...</a>) - nor pull out of those territories (given WhatsApp market penetration in Brazil is 98.5% or similar).

No matter what IM service you use: As long as they manage the public keys for their users, they will be vulnerable to exactly this problem. This isn&#x27;t just WhatsApp. This applies to iMessage and Signal too.<p>In all cases, we rely on the word of the service provider that they don&#x27;t sneak additional public keys to encrypt for into the clients and in all cases we hear that doing so would cause a message dialog to appear, but we have zero control over that as this is just an additional software functionality (yes. Signal is Open Source, but do you know whether the software you got from the App Store is the software that&#x27;s on Github?)<p>Also imagine the confusion and warning-blindness it would cause if every time one of my friends gets a new device I&#x27;d get huge warnings telling me that public keys have changed.<p>This is a hard problem to solve in a user-friendly way and none of the current IM providers really solve it. Maybe Threema does it best with their multiple levels of authenticity.<p>As such I think it&#x27;s unfair to just complain about WhatsApp here.

From the outset I&#x27;ve always expected that a backdoor was present in Whatsapp. In fact, I&#x27;d be surprised if they hadn&#x27;t granted themselves some special capabilities with regards to the content of the communications. Touting their end-to-end encryption has enticed many people to trust the product, sometimes with strong conviction, while giving themselves a monopoly on access to communication perceived as secure by the end users. It stands to reason that claims about security and privacy of an end product (the Whatsapp app), no matter how lofty the goals that its creator (especially a murky company like Facebook) has purportedly set out to realize, can be verified without being completely open. There is software out there like OpenSSL that is developed by PhD&#x27;s, and is completely open and available to anyone who wishes to validate its security, yet vulnerabilities are found years after they&#x27;ve been introduced into the code. Claims to Whatsapp&#x27;s security&#x2F;privacy are preposterous a priori.

&quot;Asked to comment specifically on whether Facebook&#x2F;WhatApp had accessed users’ messages and whether it had done so at the request of government agencies or other third parties, it directed the Guardian to its site that details aggregate data on government requests by country.&quot;<p>This is why people should try and use Signal instead of WhatsApp. You can&#x27;t trust Facebook to care about your privacy.

More details in &quot;WhatsApp Retransmission Vulnerability&quot; [1] from April last year.<p>[1] <a href="https:&#x2F;&#x2F;tobi.rocks&#x2F;2016&#x2F;04&#x2F;whats-app-retransmission-vulnerability&#x2F;" rel="nofollow">https:&#x2F;&#x2F;tobi.rocks&#x2F;2016&#x2F;04&#x2F;whats-app-retransmission-vulnerab...</a>

C&#x27;mon we know this already, it&#x27;s not a backdoor.<p>This has been known and is discussed in the protocol and forums as the trade off in ease-of-use versus validation. For people wanting security, they simply check the verify keys, warn on key change. For people who don&#x27;t care as much about verifying the recipient, they don&#x27;t know about the feature, and don&#x27;t use it, but they still get pretty good security, can upgrade to verifying if the choose, all without having to re-key or change protocols&#x2F;messenger apps.

But if whatsapp owns the code, they don&#x27;t need a backdoor. They can simply push an update that sends a copy of the msg to whatever server they may like.

This is not a backdoor. It is a vuln, and it&#x27;d be nice if it wasn&#x27;t there, but this is not a backdoor.<p>There is no reason to assume this was &quot;snuck in&quot; with an intent to deceive users. Retransmission has been known and discussed repeatedly, months ago, and Facebook acknowledged it. What happened here is a choice of UX over security, specifically, choosing not to break existing WA users as they move them over to the otherwise great Signal protocol.<p>When a key changes, you can just keep trying, notify the user, or drop everything on the floor. If you want the latter, use Signal.<p>It would be nice if WhatsApp made 2 the default, and 3 optional. Right now 1 is the default and 2 is the option. The trick is to get the UX somewhere where normal people can do something useful with that information.<p>If you are at all upset about this, you are not a target WhatsApp user. It&#x27;d be nice if they changed this, but for the love of all that is good and holy, stop calling it a backdoor, because it isn&#x27;t. Words mean things.

&gt; The desire to protect people&#x27;s private communication is one of the core beliefs we have at WhatsApp, and for me, it&#x27;s personal. I grew up in the USSR during communist rule, and the fact that people couldn&#x27;t speak freely is one of the reasons my family moved to the United States<p>Jan Koum and Brian Acton, founders of Whatsapp

I think it&#x27;s pretty obvious that we cannot trust any messenger app that is closed source or relies on some company&#x27;s service infrastructure. If it&#x27;s closed source, you cannot possible know what it does. If it&#x27;s relying on a company&#x27;s infrastructure, it&#x27;s likely to be banned by oppressive governments (and that includes most of the so called &quot;free world&quot;). In frustration over my own Government (Norway), I started last year a project to launch a new IM client based on the legacy TorChat protocol (<a href="https:&#x2F;&#x2F;github.com&#x2F;jgaa&#x2F;darkspeak" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jgaa&#x2F;darkspeak</a>). It turned out to be way more work than I expected - so it&#x27;s been on hold for a few months while I spend time on some more urgent projects. However, I think p2p IM software, based on open source, over Tor (or similar technologies) is the only way to preserve privacy and confidentiality in the future.

Has anyone heard anything from Moxie Marlinspike on this? Would be interesting to hear his perspective - Open Whisper Systems helped out with the encryption.

It doesn&#x27;t matter whether you use WhatsApp, Facebook Messenger &quot;Secret Conversations&quot; or even Signal app (or PGP or any public key based communications system)!.<p>If you are not verifying key fingerprints out of band, then you are potentially vulnerable to a malicious server MITMing new sessions.<p>If you want secure end-to-end messaging, verify keys out of band, do not solely trust a 3rd party for key exchange!

Is anyone surprised? Facebook owns them, and Facebook has been in the back pocket of the intelligence agencies for at least half a decade.

Does anybody seriously still doubt that all the main US tech&#x2F;communication products all have backdoors?

The biggest security issue on WhatsApp are the backups, especially the cloud backups not the protocol and this so called &quot;backdoor&quot; itself. Pictures not encrypted on backups, encryption keys of backups stored on WhatsApp side which might or might not (???) have access to your cloud backups on Google Drive and iCloud. If a government (USA?) gets access to one of your or your friends backups and the encryption key it can see all of the conversation. This is for me the weakest point of WhatsApp.

&quot;why don&#x27;t you use whatsapp now that it has built in encryption like your Signal?&quot;<p>meh.

I&#x27;ve used signal for quite a while but went back to Threema because the messages were delayed too often.<p>What are opinions about Matrix (matrix.org) used with the Riot client?<p>This combo checks all the boxes that Signal checks (including the Olm ratchet, a close relative of the Signal ratchet), and adds :<p>- decentralization (run your own server)<p>- no need to disclose your phone number

&gt; Boelter said: “[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”<p>Actually it is not that easy. Signal protocol [0] does not have any inherent delivery notification, but it is implemented in the application [1]. If attacker wants to deliver messages two-way without delivering receipts, it has to recognize them somehow. Of course you can try to guess by not delivering the first message after each delivery, but it seems too unreliable for a backdoor.<p>[0] <a href="https:&#x2F;&#x2F;whispersystems.org&#x2F;docs&#x2F;specifications&#x2F;doubleratchet&#x2F;" rel="nofollow">https:&#x2F;&#x2F;whispersystems.org&#x2F;docs&#x2F;specifications&#x2F;doubleratchet...</a><p>[1] <a href="https:&#x2F;&#x2F;support.whispersystems.org&#x2F;hc&#x2F;en-us&#x2F;articles&#x2F;212535538-How-do-I-know-if-a-message-has-been-delivered-" rel="nofollow">https:&#x2F;&#x2F;support.whispersystems.org&#x2F;hc&#x2F;en-us&#x2F;articles&#x2F;2125355...</a>

&gt; in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.<p>That quote sounds even more alarming to me than the description of the backdoor. Because, as I read it: the unencrypted message is not stored on the device, but somewhere else. How else would they be able to still deliver a message, using a new encryption key, even after the sender switched to a new phone?

&gt; Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the backdoor still exists.<p>This is really damning on the part of Facebook and WhatsApp! How could they just brush this off as &quot;expected behavior&quot; and wasn&#x27;t being actively worked on? I guess their priorities are where a social media company like Facebook would have them be - make more avenues to monetize the usage.<p>The initial response from the WhatsApp spokesperson is just PR speak, and really terrible for a response (until the direct question came up and another statement was issued).<p>It&#x27;s sad that Signal and Open Whisper Systems are being dragged in here, because many people may just look at the headline, probably skim the beginning of the article a little bit and assume that the OWS implementation is the culprit or that OWS is somehow complicit in this.

Use Signal. Get everyone around you to use it. Seriously. Facebook is a for-profit that gets all of its money from ads (just like Google), would you seriously expect them to protect your privacy?

Why do we sit here and argue about whether people should use WhatsApp or Signal? It&#x27;s Facebook. How can we talk about Facebook as a serious candidate for private end to end messaging when they&#x27;re one of the world&#x27;s biggest data brokers? Why wouldn&#x27;t you just use Signal and recommend it to everyone?

I&#x27;m not a crypto guy, but I&#x27;m trying to understand how this backdoor could be used by governments or WhatsApp&#x2F;Facebook itself. I&#x27;m not entirely sure how such an attack based on this backdoor would work.<p>The article says that WhatsApp servers have the ability to trigger the clients to generate new keys, but even with new keys how can the server read the messages at all? Has the server got a copy of the new generated keys?<p>Probably there is something big I&#x27;m missing.

I had a conversation about whatsapp capabilities recently with an assistant state AG. This person debunked the notion that whatsapp is secure from government snooping and further intoned that you don&#x27;t even need a FISA court to provide a warrant to get to the target&#x27;s information. Any judge can issue the warrant for a line tap and the target would never be the wiser as they are sealed in secrecy.

For everyone who is (rightfully) upset about this: turn your anger into action, donate to people who are actually concerned about your privacy and who are taking action to defend it. I suggest OpenWhisperSystems:<p><a href="https:&#x2F;&#x2F;freedom.press&#x2F;crowdfunding&#x2F;signal&#x2F;" rel="nofollow">https:&#x2F;&#x2F;freedom.press&#x2F;crowdfunding&#x2F;signal&#x2F;</a>

It&#x27;s a typical example to CONVENIENCE.<p>It&#x27;s convenient to re-send the message.<p>No one serious of privacy would ever use Facebook &#x2F; WhatsApp.<p>So the title is a click-bait. The decision behind re-sending is based purely on convenience and cost-benefit analysis.<p>Actually I think they should display a notification &#x2F; popup &#x2F; warning whatever.

Without being open-source, who can assure that there isn&#x27;t always encryption with a second backdoor key ?<p>I can&#x27;t easily even see a hash of my key, how do I know it has or hasn&#x27;t changed? It&#x27;s pretty easy to have a feature that only shows some of the keys changes and not all of them.

How do I know that my Android phone doesn&#x27;t have a backdoor keylogging everything that I type and uploading it to Google&#x2F;NSA each night?<p>I haven&#x27;t rooted and installed wireshark on this device, but even if I did it could just not send it whilst that is logging. Or, it could be that wireshark doesn&#x27;t see everything. Or I just wouldn&#x27;t notice as there are many packets going back and forth between my phone and Google.<p>I suppose I could install Cyanogen and not install Gapps. But then, how do you know that Cyanogen isn&#x27;t compromised?<p>Life&#x27;s too short. Facebook messenger is convenient and most of my friends use it so I go for it. I just assume that all of my communication and more seriously location data for the last few years are logged with the intelligence agencies.

&gt; […] In the WhatsApp case, chat data is end-to-end encrypted, and there is nothing the company can do to assist the FBI in reading already encrypted messages. This case would be about forcing WhatsApp to make an engineering change in the security of its software to create a new vulnerability -- one that they would be forced to push onto the user&#x27;s device to allow the FBI to eavesdrop on future communications. This is a much further reach for the FBI, but potentially a reasonable additional step if they win the Apple case.<p>[1] <a href="https:&#x2F;&#x2F;www.schneier.com&#x2F;blog&#x2F;archives&#x2F;2016&#x2F;03&#x2F;possible_govern.html" rel="nofollow">https:&#x2F;&#x2F;www.schneier.com&#x2F;blog&#x2F;archives&#x2F;2016&#x2F;03&#x2F;possible_gove...</a>

In countries like Mexico, carriers do not charge your data use of fb and WhatsApp. They offer it as free social network. I am sure government is behind of such a good will to users from big companies. You get free communication in exchange from your privacy.

This headline is not the article headline. It&#x27;s not a small change either. There is a huge difference between:<p>&quot;WhatsApp <i>vulnerability</i> allows snooping on encrypted messages&quot;<p>and<p>&quot;WhatsApp <i>backdoor</i> allows snooping on encrypted messages&quot;

Facebook 100% reads your &quot;encrypted&quot; WhatsApp messages. I had a conversation with someone about a very unique topic on WhatsApp, 5 minutes later I see remarketing ads on Facebook about the same topic.

Well, if anyone is surprised by this... you really should&#x27;nt have been.<p>I still use it. Lock in effect. But I never would have trusted their encryption nearly enough to send anything sensitive.

Some of my friends refuse to use LINE, claiming WhatsApp is totally secure and LINE is really insecure.<p>If my messages are going to be read I would rather they be full of stickers.<p>I love LINE.

Look there&#x27;s no defense against the company WhatsApp itself. They are managing the public key infrastructure AND the message forwarding infrastructure.<p>The clients are not verifying the keys independent of WhatsApp. If WhatsApp have to (pushed by governments) or want to (FB advertising enrichment) they can always MITM conversations.<p>The question is whether others can read the data in transit - and the answer is still no.

This is why you should never trust proprietary secure messaging solutions that offer you both the client and the channel.<p>The future of trusted secure messaging will be open source, auditable, independent non-native clients that connect and send over third party message channels independently.<p>See <a href="https:&#x2F;&#x2F;www.seecret.io" rel="nofollow">https:&#x2F;&#x2F;www.seecret.io</a>

I feel like this shouldn&#x27;t surprise me, but I had a lot more faith than was probably warranted in the guys behind WhatsApp. Part of it was I was so impressed with their backend tech, I just felt these were people like me that had similar cares and concerns that I do, including security, privacy, and performance. So when they implemented the Signal protocol, it was like a sign that I really had been right to trust them.<p>This is a sad day, because BILLIONS of people use WhatsApp. I wish I could get everyone to convert to Signal, but as I travel around the world WhatsApp is the most used way to communicate with people. Just today I added two additional local contacts to my WhatsApp so I could communicate here with them.<p>I wish I had a clearer understanding of the incentives here. Is this pure government strong-arm style coercion with NSLs, or is this intentional malfeasance on the part of executive management hoping to data mine for their own profits? Is it an innocent mistake? The technical talent was there to do this right, and they flubbed it anyway. WhatsApp implementing the Signal protocol was one of our great hopes for having legitimate worldwide secure communications in the hands of everyone in the coming decade. Now it&#x27;s all lost...<p>:*(

I am flagging this article, as the headline and first few paragraphs are very misleading, based on my understanding from: <a href="https:&#x2F;&#x2F;tobi.rocks&#x2F;2016&#x2F;04&#x2F;whats-app-retransmission-vulnerability&#x2F;" rel="nofollow">https:&#x2F;&#x2F;tobi.rocks&#x2F;2016&#x2F;04&#x2F;whats-app-retransmission-vulnerab...</a><p>They make it sound like an intentional backdoor has been introduced to WhatsApp to facilitate monitoring.<p>Rather, it seems like there&#x27;s a weakness in the implementation, where if a message is undelivered, an attacker could trick the sender&#x27;s client into sending the undelivered message to a new key they control.<p>That does seem like a weakness, but not an intentional backdoor as the article initially lead me to believe. I could see how someone would trade off ease of use and message delivery with security and make that call.<p>Yes, it could be a subtle backdoor (with limited exploitation), and yes, open source clients would be great. But real end users use WhatsApp to encrypt their private messages on a scale never before achieved, because of the usability tradeoffs they&#x27;ve made. I think we should bear that in mind before describing any implementation tradeoff as a &#x27;backdoor&#x27;.

&gt; The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent.<p>Surely this is backwards. It&#x27;s the <i>recipient</i> who is notified about key changes when the relevant setting is enabled.

The complaint here seems similar to complaining ssl is insecure because the certificate authorities can create certificates at will.<p>Whatsapp can&#x27;t do this without leaving traces and if they did this on a larger scale without only doing it with people that don&#x27;t care to look for the signs, someone is bound to find out.

Who would have guessed..

I think it is worth changing the behavior of the client to fix this. At time of sending the recipient&#x27;s key is known -- there should be no circumstances where the message is re-encrypted for a different recipient without the sender&#x27;s explicit involvement...

Seeing as we&#x27;re on the topic of encrypted comms, anyone have an analysis&#x2F;critique of SpiderOak&#x27;s &quot;Semaphor&quot;?<p><a href="https:&#x2F;&#x2F;spideroak.com&#x2F;solutions&#x2F;semaphor" rel="nofollow">https:&#x2F;&#x2F;spideroak.com&#x2F;solutions&#x2F;semaphor</a>

Does the safety numbers verification do anything against this, or can they bypass that as well?

So this was on the front page with 1302 points at time of writing, and now it&#x27;s nowhere to be found...<p>Is there a quirk with HN&#x27;s algorithm that I&#x27;m not aware of, or is there something else afoot? A mass-flagging? A manual take-down of sorts?

Doesn&#x27;t this mean that only subsequent messages can be decrypted? i.e. Whatsapp has provided forward secrecy (as long as they haven&#x27;t been using this trick from the initial secrets that were set up)?

The moral of the story is, don&#x27;t exchange messages electronically if you are expecting privacy.<p>The only real private way of exchanging information is face-to-face in a private place.

How does one protect oneself for this?

Wait... you mean key management is hard to get right with a large and distributed userbase? Who knew?

Doesn&#x27;t this mean that only unsent messages are vulnerable, as they are sent with the new key?

Yeah, really pretty much confirms what everyone already believed.

I can&#x27;t believe that so many apparently security conscious people accepted WhatsApp as being OK. For years we&#x27;ve known and been told that any security software must have publicly available algorithms and source code. And then all of a sudden WhatsApp was lauded for protecting users&#x27; privacy when it is itself proprietary, closed-source program, owned by a company notorious for not not respecting user privacy.

I find this hardly surprising. Somehow the USA government is very, very good at convincing companies to spy on their users.

Are there are recommendations for video chat &#x2F; conference calling yet? Googling around leads one to believe that WhatsApp&#x27;s is the most security-minded video calling available that&#x27;s widely available...

If You&#x27;re Not Paying for It; You&#x27;re the Product;

I am not a security expert, but for me Moxie lost his credibility, even though he maybe one of the best crypto experts out there