It is end to end encrypted but they can just pull the decrypted message from the app. This has been assumed for years, since they said they could parse messages for advertising purposes.
this post was submitted on 27 Jan 2026
787 points (99.6% liked)
Technology
79355 readers
4180 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
it’s not even that: they just hold the keys so can simply decrypt your messages with out your clients intervention any time they like
Yep, If they can access messages that are deleted from your device, then they have the keys.
load more comments
(1 replies)
If I am not adding my own private key to the app, like in Tox, I don't trust their encryption.
What's stopping the app from keeping your private key and still not encrypting anything?
I'm not trying to be difficult here, I just don't see how anything outside of an application whose source you can check yourself can be trusted.
All applications hosted by other people require you to react positively to "just trust me bro".
Or, if the app has the private key for decryption for the user to be able to see the messages, what's stopping the app from copying that decrypted text somewhere else?
The thread model isn't usually key management, it's more about the insecure treatment of the decrypted message after decryption.
Tox also isn't that great security wise. It's hard to beat Signal when it comes to security messengers. And Signal is open source so, if it did anything weird with private keys, everyone would know
And Signal is open source so, if it did anything weird with private keys, everyone would know
Well, no. At least not by default as you are running a compiled version of it. Someone could inject code you don't know anything about before compilation that for example leaked your keys.
One way to be more confident no one has, would be to have predictable builds that you can recreate and then compare the file fingerprints. But I do not think that is possible, at least on android, as google holds they signature keys to apps.
load more comments
(2 replies)
load more comments
(14 replies)
load more comments
(2 replies)
Why am I not surprised? Whether there is no end-end encryption, they have a copy of every key, get the decrypted messages from the client, or can ask the client to surrender the key - it does not matter.
The point is that they never intended to leave users a secure environment. That would make the three latter agencies angry, and would bar themselves from rather interesting data on users.
Assume the same for Telegram and pretty much any chat platform that controls your private keys.
The telegram was clear as a day they announced cooperation with the Russian government and they unblocked it. That was way before the whole France fiasco, I doubt they're actually giving up the keys to France. I'm from East and many say that Telegram now is essentially a Russian weapon. Surveillance at home, total free reign (sell drugs, spread CP, etc.) in west.
If you're American, I believe Telegram is actually safer than Whatsapp, as long as you can ignore the dirty side of it (surface deep web?), hence why Europe wants it under control
Just assume any digital platform you're using isn't safe at this point.
DUH
No if this is proven it would be a real scandal and would bring a lot of users to better alternatives.
If it's false that's good too, since then WA has e2e encryption
would bring a lot of users to better alternatives.
Most users of whatsapp don't care about e2e. They hardly even know what it is.
No but average people understand the concept of meta reading and accessing your private message. That would be a scandal and righly so
Right. This place sometimes forget that we are tiny community of techies that hate the system. Makes me see this place as a bit of a circlejerk at times.
Yeah the venn diagram overlap of “people who understand and care about e2ee enough to drop a messaging app for not supporting it” and “people who use whatsapp” has to be a sliver
load more comments
(3 replies)
load more comments
(36 replies)
Shocked, I tell you
The biggest news is that Slashdot is still alive.
So, is it basically treating every message as a "group" message where it sends it to some system WhatsApp account and then also to your intended receiver? This is what I'm assuming based on them supposedly being able to see deleted messages. Also would let them say it's technically still "E2EE" since it's indeed E2EE to your receiver, but it's also E2EE to them as well.
Ah yes, good old E2E AWA3E.
"End to end, and we are also an end".
The E is for "Everyone"
I guessed you meant "end to end, as well as 3rd end" before reading on.
The S is for Security.
simpler than that in most likelihood… meta is the key holder so login and password recovery is simpler (or at least that’s the excuse they give): you login, they send you your key, which they can also access (and decrypt your messages) whenever they like
If that is the case though, its not E2E it's client server encryption and then server client encryption back. thats just deceptive marketing at that point.
load more comments
(7 replies)
I thought they stole Signal's code ( I know it's open Source but still ... Taking free code to profit from it is quite a fucktard move) to achieve e2e encryption? Who could have thought they weren't honest in their intention!?
/S
load more comments
(1 replies)
Slashdot. I have a very low 3 digit UID. I followed Rob Malda's blog before he registered the domain.
I remember having Netscape open on the site and reading it. I walked a couple blocks to by a pack of smokes. Got back home and refreshed the page. Noticed a new post with site registration available, so of course I did.
To this day I still get password reminder requests to my email that I never sent.
I still comment and sometimes get some people replying noticing the low UID.
Silly I know, but it's cool to me anyway.