WhatsApp Encryption, a Lawsuit, and a Lot of Noise blog.cryptographyengineering.com

Joseph Menn, the Washington Post:

Most of WhatsApp’s 3 billion users probably don’t know it, but a prominent Los Angeles law firm is trying to speak on their behalf in a lawsuit filed against its owner Meta that alleged the company can “access virtually all of WhatsApp users’ purportedly ‘private’ communications.”

Security experts questioned the lack of technical detail in the lawsuit, and WhatsApp denied the claims.

I read the suit (PDF) last week after I stumbled across it while trying to find a different Meta lawsuit on CourtListener, and it can be accurately summarized as big, if true, with a heavy emphasis on if. There is basically no evidence presented for the claims, and I wrote it off as some kind of rambling nonsense because I completely missed it was filed by attorneys working at Quinn Emanuel.

Matthew Green:

The Internet has mostly divided itself into people who already know these allegations are true, because they don’t trust Meta and of course Meta can read your messages — and a second set of people who also don’t trust Meta but mostly think this is unsupported nonsense. Since I’ve worked on end-to-end encryption for the last 15+ years, and I’ve specifically focused on the kinds of systems that drive apps like WhatsApp, iMessage and Signal, I tend to fall into the latter group. But that doesn’t mean there’s nothing to pay attention to here.

Hence: in this post I’m going to talk a little bit about the specifics of WhatsApp encryption; what an allegation like this would imply (technically); and how we can verify that things like this are true (or not verify, as the case may be). More generally I’ll try to add some signal to the noise.

Green is careful to describe the limited visibility any outsider has when it comes to closed-source applications. Even so — and even with Meta’s scumbag reputation — it is difficult for me to believe the company is simply lying about end-to-end encryption, and Green presents compelling evidence for why this is unlikely. A vulnerability? Perhaps. But the claims in this apparently serious lawsuit go well beyond that.