Pika

as much as I would love this. If it ever did become a thing, what you would see wouldn’t be companies taking the fine, you would see companies “off-branching” and having income be reported on a parent company that is contracted to the offending company. like in the case of alphabet, they would likely just migrate the android division to be a contractee that they have full control over that they never terminate the contract for. They no longer “own” android legally, they contract android to do their bidding. So when it ends up in court, it ends up as a “well Android did it not us” much like how Amazons third party delivery services worked when they tried to enforce unionization laws.

some important clarification though, that is a hard cap, realistically it will likely be quite a bit less.

Concidering that they were estimated to be making 31 billion USD off the android ecosystem alone back in 2016 over 10 years 2006-2016, im sure it’s not even a drop in the bucket now.

I don’t see any company jumping at the rim to implement these though, especially considering the high chance that it will just be overturned next party flip. Stuff like this needs bi-partisanship and transparency otherwise it just gets revoked when the party flips again.

it’s a waste of money until it’s clear both primary parties agree with the change, the fact it had to be done in silent/under the table says everything about the volatility of this change.

ok yea, I do agree with that POV on it. A ghost key like that would be within spec, cause yea at that point it would just be another member. I wasn’t taking it as an additional group member though, since the whistleblower is stating that they can put in any user id and have access to all messages live, that would mean they would have a ghost user on all messages period regardless of if its a group chat or not.

That wouldn’t be implausible though.

So, with facebook if you lose your device, you can register a new device to the account and recover your messages using a 6 digit security pin or a recovery code.

This means that your messages are stored in decryptable format either via a private key being stored, or as a separate server encrypted form in a backup.

I just had to go through this with my grandfather a few months back.

I don’t agree that would fit the protocol of end to end, that’s a common misconception, E2E by design means that it’s encrypted from the sender to the intended recipient. When you send a message the intended recipient isn’t the server, it’s the user you are sending to. That type of system would be called an encrypt in transit or a server client encryption not E2E. If they are classifying it as E2E that would be incorrect.

A classic example of a server client or encrypt in transit would be HTTPS, the server acts as a middleman between the clients, meaning that it decrypts the message then re-encrypts the message to the designated choice.

With an e2e system, the message the server transmits is never decrypted, the server already knows the destination based off the public key

honestly, with how much my grandfather uses facebook, and how often he clicks the stupid scam ads, this might be a valid option for him that is easier.

This ofc is if they decide to launch this program for <3$ a month. If it’s anything more than that I see it flopping on entry.

edit: looking at the article, I’m seeing 4EUR/m… yea 5$ isn’t horrible, but at the same time that’s probably too high for him to even consider it. That’s 2$ less than a yt lite premium subscription, and that’s a platform where ads actually get in the way of things.

Man, you just brought back memories. I forgot qtox was even a thing. I think I still have my profile saved in my dev folder somewhere for my account

If that is the case though, its not E2E it’s client server encryption and then server client encryption back. thats just deceptive marketing at that point.

considering that you can decrypt facebook e2e encryption with a 6 digit security pin… yea Facebook at least has the private keys backed up server side.

Fully agree that in this case if the claim is true (they have had a few of these claims), it’s likely whatsapp either making itself a companion app that’s hidden, or has some form of escrow in place to allow deciphering the messages. (Considering Messenger allows decrypting e2e chats with a 6 digit security pin, I’m leaning towards an escrow)

I was just mentioning that this isn’t a fault of it being centralized, this is a design choice by the company when implementing e2e encryption, and that a properly functioning system would never give the server the ability to decipher the messages in the first place.

Just because it’s centralized doesn’t mean that it falls under this risk sector. Theoretically if the app was open sourced and was confirmed to not share your private key remotely on generation (or cross sign the key to allow a master key…), then the most the centralized server could know is your public key, the server wouldn’t have the ability to obtain the private key (which is what is needed to read the e2e encrypted messages)

This process would be repeated for the other party. The cool part of that system is you can still share your public keys via the centralized server, so you wouldn’t need to share the key externally. You just need to be able to confirm that the app itself doesn’t contain code to send your private key to the centralized server. Then checking integrity is as easy as messaging your friend to post what their public key is, and that public key would need to match the public key that the server is supplying as your contact.

The server can’t MiTM attack it because the server has no way of deciphering the message in the first place, so the most it could do is pass the message onto the proper party whom has the private key to be able to decrypt it.

Not that I have any other suggestions aside from signal though, there aren’t many centralized e2e chat services. Most use client to server encryption which would allow decryption server side.