The Guardian v WhatsApp

What happened?

The Wrong Approach

While the technical parts of Mott and Boelter’s falsehoods have been addressed well, the legal and political angle seems to have been missed.

For those who care about this sort of thing, WhatsApp provides an option to enable a warning when a user’s identity keys change. More important than this fact itself, however, is that Google Allo provides the identical default and the identical setting for incognito chats. And more important still: while the default is the same, the “show key changes” option is wholly absent from Apple’s Messages, which avoids mentioning identity keys to its users altogether.

If these folks were serious about reporting a “vulnerability” to the public, why not at least mention that Google’s end-to-end-encrypted solution as well as Apple’s platform have the same “backdoor”?

More importantly: why did The Guardian focus on Facebook’s WhatsApp when it is materially better for verifying keys and telling users about key changes than Apple’s iMessage clients are?

Trusting Identity Keys

In the wake of this minor piece of misinformation, one important question remains hanging: can law enforcement force Google, Apple, or Facebook to lie to users about their friends’ identity keys?

You see, when I message Bob over iMessage or Allo or WhatsApp, I am trusting Apple, Google, and Facebook to correctly forward me the identity keys unique to his devices. These identity keys are what allow me to encrypt my messages in a way only Bob’s devices can decrypt.

I have looked and cannot find any, but if there is a legal method by which anyone can force an American company to lie to a user about how many devices another user owns or what their keys are, I’d be curious to learn about it.
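To make the trust relationship above concrete, here is an added example (not code from this post or from any of these vendors) of a client that pins the per-device identity keys a server forwards and notices when that list later changes. The class and event names, the truncated SHA-256 fingerprint, and the sample keys are assumptions made for illustration.

```python
import hashlib

def fingerprint(identity_key: bytes) -> str:
    # Truncated SHA-256 as a stand-in; not any vendor's safety-number format.
    return hashlib.sha256(identity_key).hexdigest()[:16]

class KeyPinStore:
    """Trust-on-first-use pins: contact -> {device_id: fingerprint} (hypothetical)."""

    def __init__(self, show_key_changes=False):
        self.show_key_changes = show_key_changes  # off by default, as the post describes
        self.pins = {}

    def update(self, contact, served_keys):
        """Compare the server-forwarded device keys with the pinned ones.

        Returns (events, shown): every difference found, and the subset the
        user would actually be warned about under the current setting.
        """
        current = {dev: fingerprint(key) for dev, key in served_keys.items()}
        pinned = self.pins.get(contact)
        events = []
        if pinned is None:
            # Nothing to compare against: the first key list is taken on trust.
            events.append(("first_use", contact, None))
        else:
            for dev in sorted(current):
                if dev not in pinned:
                    events.append(("device_added", contact, dev))
                elif pinned[dev] != current[dev]:
                    events.append(("key_changed", contact, dev))
            for dev in sorted(set(pinned) - set(current)):
                events.append(("device_removed", contact, dev))
        self.pins[contact] = current  # non-blocking: the new list is accepted either way
        changes = [e for e in events if e[0] != "first_use"]
        return events, (changes if self.show_key_changes else [])

if __name__ == "__main__":
    # Constructed sample keys; real identity keys are public keys, not labels.
    store = KeyPinStore(show_key_changes=True)
    store.update("bob", {"phone": b"bob-phone-key-1"})
    _, shown = store.update("bob", {"phone": b"bob-phone-key-2", "laptop": b"unknown-key"})
    for kind, contact, dev in shown:
        print(f"WARNING: {kind} for {contact} ({dev})")
```

The client detects an added device or a replaced key in both modes; the setting only decides whether the user hears about it. The first key list for a contact has nothing to be compared against, which is why it has to be verified out of band or taken on trust.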

[good follow-up discussion here]