WhatsHerBucketU.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack
circuitfarmerIt’s probably also good practice to assume that not all encrypted apps are created equal, too. Google’s RCS messaging, for example, says “end-to-end encrypted”, which sounds like it would be a direct and equal competitor to something like Signal. But Google regularly makes money off of your personal data. It does not behoove a company like Google to protect your data.
Start assuming every corporation is evil. At worst you lose some time getting educated on options.
mosiacmangoEnd to end is end to end. Its either “the devices sign the messages with keys that never leave the the device so no 3rd party can ever compromise them” or it’s not.
Signal is a more trustworthy org, but google isn’t going to fuck around with this service to make money. They make their money off you by keeping you in the google ecosystem and data harvesting elsewhere.
google isn’t going to fuck around with this service to make money
Your honor, I would like to submit Exhibit A, Google Chrome “Enhanced Privacy”.
How To Turn Off Google’s “Privacy Sandbox” Ad Tracking—and Why You Should
Google has rolled out "Privacy Sandbox," a Chrome feature first announced back in 2019 that, among other things, exchanges third-party cookies—the most common form of tracking technology—for what the company is now calling "Topics." Topics is a response to pushback against Google’s proposed...
Thats a different tech. End to end is cut and dry how it works. If you do anything to data mine it, it’s not end to end anymore.
Only the users involved in end to end can access the data in that chat. Everyone else sees encrypted data, i.e noise. If there are any backdoors or any methods to pull data out, you can’t bill it as end to end.
micballinThey can just claim archived or deleted messages don’t qualify for end to end encryption in their privacy policy or something equally vague. If they invent their own program they can invent the loophole on how the data is processed
Or the content is encrypted, but the metadata isn’t, so they can market to you based on who you talk to and what they buy, etc.
This part is likely, but not what we are talking about. Who you know and how you interact with them is separate from the fact that the content of the messages is not decryptable by anyone but the participants, by design. There is no “quasi” end to end. Its an either/or situation.
It doesn’t matter if the content is encrypted in transit if Google can access the content in the app after decryption. That doesn’t violate E2EE, and they could easily exfiltrate the data though Google Play Services, which is a hard requirement.
I don’t trust them until the app is FOSS, doesn’t rely on Google Play Services, and is independently verified to not send data or metadata to their servers. Until then, I won’t use it.
Provided they have an open API and don’t ban alternative clients, one can make something kinda similar to TOR in this system, taking from the service provider the identities and channels between them.
Meaning messages routed through a few hops over different users.
Sadly for all these services to have open APIs, there needs to be force applied. And you can’t force someone far stronger than you and with the state on their side.