• h_ramus@lemm.ee
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    16
    ·
    9 months ago

    WhatsApp is end-to-end encrypted. How does all the data magically show up when you change phone which doesn’t have the same private key as the old phone? It’s like having a lock on your front door and giving the keys to a random neighbour. Most folks trade convenience for privacy or security. That trade is looking less and less appealing by the day.

    • TheMurphy@lemmy.world
      link
      fedilink
      English
      arrow-up
      32
      ·
      9 months ago

      Ehm, they don’t show up magically.

      You have to backup directly to your new phone, otherwise it won’t get transfered.

      I just did this, and I can 100% confirm that not backuped data won’t go to the new phone.

      • killeronthecorner@lemmy.world
        link
        fedilink
        English
        arrow-up
        14
        ·
        9 months ago

        Which is also exactly how Signal works too; I migrated both two days ago. Process was virtually identical.

        I much prefer Signal, but can’t judge WhatsApp to harshly on this tbh.

          • NicoCharrua@lemmy.ca
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            Doesn’t necessarily have to be the same. Afaik the signal protocol is for sending messages, not for transferring backups of chats.

            Whatsapp actually lets you back up all your chats, unencrypted, to Google Drive or iCloud. Definitely not the same as Signal.

      • RageAgainstTheRich@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        9 months ago

        Also when logging in on the website version on pc, you need to keep whatsapp open on your phone to sync old messages and media to your pc if you want to be able to see them there.

      • h_ramus@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        9 months ago

        Thanks. I stand corrected. I was one of those that paid $1 for life when WhatsApp was a new kid on there block but haven’t used it since news broke that Facebook acquired them like a decade ago. At the time, you had a new phone, your messages would transfer. Dunno how it is today after all those years but seems to be similar to Signal.

        Based on the stories coming up on Facebook and their lack of moral / humane boundaries I still won’t trust them not to have access to a private key when their app is so invasive. Their whole model is based on behind the curtain trafficking.

    • bamboo@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      9
      ·
      9 months ago

      If you get a new phone and don’t import anything from your existing phone, then messages you receive will be unable to be decrypted. Since WhatsApp uses the Signal encryption protocol, it’s fairly detailed how receiving a message which can’t be decrypted can start an initialization to the sender to retry sending the messages: https://signal.org/docs/specifications/sesame/#retry-requests-and-delivery-receipts

      The signal app will prompt you when a contact’s public key is updated, but IIRC, by default Whatsapp will not do this, and it will automatically happen under the hood, which is why it appears like magic.

      • h_ramus@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Thanks. Haven’t used them in like a decade so things seem to have changed. At the time, new phone meant your messages transferred automatically.

        At the same time, even if Facebook requires a backup for the messages to show up, as the app is close sourced, how would one know for sure whether the app doesn’t harvest the private key anyway?

        • bamboo@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          Sounds like you used Whatsapp pre Signal which happened in 2016: https://signal.org/blog/whatsapp-complete/

          With regard to private key, for backups, this relies on the HSM in Apple and Android devices, so the private key is engineered to never be accessible by Facebook. Here’s how they say they use the HSM to encrypt the backups: https://engineering.fb.com/2021/09/10/security/whatsapp-e2ee-backups/

          There’s no way to be 100% certain, but if Whatsapp were found to have access to the private keys, it would be huge damaging news, so why would they risk it? Security researchers can watch the traffic going to/from the app and the OS APIs being called, and can see the HSM being invoked. Despite it being closed source, that doesn’t mean it’s less secure and there’s no one verifying the security claims.

          • h_ramus@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            9 months ago

            Thanks for explaining. It’s interesting and outside metadata there could be a case for data being secure. However, this is the same company that lied and got fined in the EU when they asserted that they wouldn’t be able to link WhatsApp and Facebook identities. This allowed the merger to happen. Security and privacy being something that the average Joe doesn’t care that much, it wouldn’t be too much of a negative impact when they already have so much bad press on other matters. Finally, from an ethical perspective, I’ll give this corp a miss. Values don’t really align with my personal ones even if privacy and security were beyond reproach.