Comment by foresto

2 days ago

> I assume that Meta has a backdoor into WhatsApp conversations

They don't need a back door when they control the front door: the app. End-to-end encryption doesn't protect the endpoints.

(In other words, your concern is warranted.)

You're absolutely right. End-to-end encryption protects message content, but WhatsApp still collects metadata, which is incredibly valuable.

Even though they can't read your messages, they know who you talk to, how often, when, and for how long. They also track your device info, IP address (which can reveal your location), network details, and app usage patterns.

And this data isn’t just sitting there—Meta uses it. For example, if you chat with a business on WhatsApp, you might start seeing ads for that business on Instagram or Facebook. They don’t need to read your messages when they can infer so much just from how you use the app.

Disclaimer: Comment translated from Spanish and corrected by ChatGPT.

  • > Even though they can't read your messages

    I've long wondered if this is actually true.

    If I have a closed-source app and claim (and can verify!) E2EE, surely I could still read every message from my closed-source app, within the app itself, and you'd never know.

    I've never been a mobile app developer, but I've been a desktop and web developer since the 90s, so I don't know what apps can and cannot see, but in a desktop app or web app, if it's on the screen, it's decrypted and I can put code in to read/steal it.

    Am I missing something here?

    • It's true in a sense - using an iPhone or an Android phone, Apple/Google could be streaming your screen contents constantly, so even e2ee wouldn't help.

      I just don't know if that is actually true, or if Meta doing e2ee and then pinging your messages around from the app after they're delivered is true. I've no reason to believe either is.

And the default/largest homeserver, matrix.org, uses Cloudflare, so all your data belongs to them as well.