And if so, why exactly? It says it’s end-to-end encrypted. The metadata isn’t. But what is metadata and is it bad that it’s not? Are there any other problematic things?

I think I have a few answers for these questions, but I was wondering if anyone else has good answers/explanations/links to share where I can inform myself more.

  • Lojcs
    8 months ago

    …if someone reports them

    • American_Jesus
      8 months ago

      That means if they want to see your messages they do it anytime, not only when someone reports it.

      If a government wants access to the messages, they can access them.

        • Lojcs
          8 months ago

          Just want to note that the article you linked is referencing a Guardian article that has a note from the editor titled “Flawed reporting about WhatsApp”. The thing they call a “backdoor” is the app re-encrypting undelivered messages and resending them if the recipient’s keys change. This means if you don’t have internet or uninstall WhatsApp for a while, someone who clones your SIM card and sets up WhatsApp with your number could read all the messages sent to you in the meantime. This in no way breaks encryption.

          One could argue that WhatsApp could spoof a key change in their servers and read the messages themselves, but if we’re not trusting WhatsApp on integrity to begin with it shouldn’t be what the server could do that worries us. In a closed source app they don’t need back doors for surveillance.

      • American_Jesus
        8 months ago

        Unlike other messaging apps, they have access to encryption keys, when you change devices you only need to fill in the phone number and all of your messages are available.

        On other apps like Signal or Matrix, you need to backup or export your keys to other devices, otherwise you can access previous messages.

        It’s like you own an apartment and the doorman has keys to all apartments, if you lose the key the doorman can give you a copy, but also has access to your apartment when it pleases.

        • Lojcs
          8 months ago

          Don’t you need to have backed up your messages in Google Drive to be able to restore them when changing devices? And up until the multi-device update when someone changed their phone you’d get a text saying your encryption keys with them have changed.

          And I remember talks in Matrix about the need for a single password solution to appeal to the masses.
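
The thread above describes a sender's app re-encrypting undelivered messages and resending them when the recipient's key changes. As an added illustration (not WhatsApp's code and not posted by any commenter), this simplified Python model contrasts that non-blocking behaviour with a blocking policy that holds the queue until the user verifies the new fingerprint. The class, names and keys are constructed, and encryption is modeled only as "encrypted to fingerprint X".

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Truncated SHA-256 of a public identity key, for comparison by users."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    blocking: bool  # True: hold queued messages until the new key is verified
    pinned: dict = field(default_factory=dict)       # contact -> known fingerprint
    undelivered: dict = field(default_factory=dict)  # contact -> queued plaintexts
    warnings: list = field(default_factory=list)     # key-change notices shown to user

    def send(self, contact, text, current_key):
        """Queue a message for an offline contact; pin their key on first use."""
        self.pinned.setdefault(contact, fingerprint(current_key))
        self.undelivered.setdefault(contact, []).append(text)

    def on_key_change(self, contact, new_key):
        """Server reports a new key. Returns (fingerprint, text) pairs resent."""
        new_fp = fingerprint(new_key)
        if new_fp == self.pinned.get(contact):
            return []
        self.warnings.append(f"{contact}: key changed to {new_fp}")
        if self.blocking:
            return []  # nothing is re-encrypted until verify() succeeds
        return self._resend(contact, new_fp)

    def verify(self, contact, new_key, fp_from_other_channel):
        """User compared the fingerprint with the contact out of band."""
        new_fp = fingerprint(new_key)
        if new_fp != fp_from_other_channel:
            return []  # mismatch: keep the queue, send nothing
        return self._resend(contact, new_fp)

    def _resend(self, contact, new_fp):
        self.pinned[contact] = new_fp
        return [(new_fp, t) for t in self.undelivered.pop(contact, [])]

def compare_policies():
    """Constructed scenario: one queued message, then a key change."""
    old, new = b"constructed-old-key", b"constructed-new-key"
    out = {}
    for blocking in (False, True):
        s = Sender(blocking=blocking)
        s.send("bob", "hi", old)
        out[blocking] = s.on_key_change("bob", new)
    return out
```

In both policies the key change is recorded as a warning; the difference is whether queued messages are released to the new key before or after the user has checked it.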