For those who don't know, newspapers often have a Reader's editor whose job it is is to criticise and be the voice of the readers inside the newspaper. In this case, this is written by that person for the Guardian after what would appear to be a thorough investigation of the matter.
There's a lot of people here saying this should have happened faster, they're likely right, but also, given how extensive and thorough this is, it is more likely an example of how old-school editorial rigour just takes a lot of time.
6 months isn't just "a lot of time". 6 months is "let's wait until everyone completely forgets about this and hope we can slide the apology under the radar".
I feel that it took long because the security "issue" is not discussed on technical merits anymore.
The technical side of the study is very well understood by practically anyone. People have different type of opinions on the matter not because they misinterpret the technical details but because they have different expectations on how the privacy situation will end up being for different groups in the light of this knowledge.
So all of this makes it way harder to define if the story was overblown or not. Apparently Guardian editors ended up thinking that it was indeed, after giving it a long consideration. This is not a technical fact (and it cannot be), it is just their interpretation of it (and also the interpretation of many security experts but that's not the point).
Could you explain why you believe this is about opinions and interpretations, not the technical facts? I disagree with that assertion, but would really be interested to know if there is something I am missing.
Because technically a "flaw" in the system, however impractical to be exploited, did exist and it would be correct to point to that fact. Discussion of if this reaction is overblown and if it would direct users to more dangerous methods of communication is where it stops being technical.
It could be that I am the one who is missing something. That's why we are discussing here, right? :)
Sure, but I think you might be missing an important aspect. The system is designed to not block communications upon key changes, just display an alert so the other user knows (And can verify out of band if they are about to discuss a sensitive topic). The initial "vulnerability" seemed to just be based on an opinion that it would be more secure if it did indeed block communications (until manual verification was performed) upon key changes.
You are correct that it is impractical to "exploit" the chosen design, I think the bigger issue their portrayal of this as a vulnerability rather than a security suggestion.
This is not the biggest flaw! It was that messages that are in flight (sent, but not yet delivered) still get delivered if the key changes. Only after delivery does the sender get notified of the key change. The last time, I gave example where a protest organizer (Bob) is detained by the (secret) police in the period leading up to a protest, and denied access to their password-protected phone that's switched off. All the police has to do is wait for a while, then pop the SIM into a new phone and presto, they get all the incriminating messages that were sent by co-conspirator Alice while Bob was detained. Only after delivery onto the police phone does Alice get notified that Bob's key has changed.
If I'm not mistaken, they called this a "flaw", not a "vulnerability", which definitely wouldn't have been correct. I personally would have preferred "trade-off" but I'm honestly not sure about the word "flaw".
My general point is, even if they made some technical errors as well, their consideration, I believe, was more about the consequences of their interpretation.
> They called it a "backdoor", and reported it as a game-over vulnerability.
I didn't remember that and it seems to have been removed from the article (with a note on the end which I have missed). Well, that's just sensationalism and must have been picked up way earlier in a sane review process. I stand corrected.
"The original article – now amended and associated with the conclusions of this review – led to follow-up coverage, some of which sustained the wrong impression given at the outset. The most serious inaccuracy was a claim that WhatsApp had a “backdoor”, an intentional, secret way for third parties to read supposedly private messages. This claim was withdrawn within eight hours of initial publication online, but withdrawn incompletely. The story retained material predicated on the existence of a backdoor, including strongly expressed concerns about threats to freedom, betrayal of trust and benefits for governments which surveil. In effect, having dialled back the cause for alarm, the Guardian failed to dial back expressions of alarm."
The "flaw" was a choice of default preferences which are fundamentally a UX/security tradeoff: WhatsApp did not notify users about key change events by default.
Those who value maximizing security at all costs, even to UX, disliked this default.
WhatsApp was trying to switch end-to-end encryption to on-by-default for its over a billion users. An understandable requirement of doing so was to ship E2E encryption in such a way that did not involve changes to the UX.
Whether or not this tradeoff is the best compromise is certainly debatable, but it is just that: a tradeoff, not a "backdoor", not a "vulnerability", and not a "flaw". It's a deliberate design decision.
Why is it not a "backdoor", not a "vulnerability", or "flaw"? Well, let's examine what would happen if the default were reversed: let's say users were notified by default. Would this keep them more secure?
I have doubts. These notifications are not high signal or immediately actionable. They do not indicate an attack. They indicate "a key changed" and whether or not that's abnormal is up to users to determine. The overwhelming majority of these events will be innocuous, leading to alert fatigue. It's also unclear how well an average end user would even understand or be able to react to these alerts.
I am certainly willing to give WhatsApp's UX designers the benefit of the doubt here. UX design is hard and the tinfoil hat crowd saying things to the contrary have a history of producing unusable software by demanding security misfeatures which tick off a box on a threat model without actually improving user outcomes.
While some people in the tinfoil hat crowd seem to think bombarding users with a bunch of low-signal security alerts is a good idea, practitioners working with IDS/SIEM systems probably have a different opinion: that low quality / low signal alerts are worthless.
There are solutions to providing high-quality signals about key change events to users without asking them to manually confirm key fingerprints in person, but they are complicated, haven't been largely deployed, and it's still unclear how they'll work...
I'm talking about CONIKS and Google Key Transparency, which implement logs which users' own devices can monitor to discover changes to their keys as advertised through a key server. These systems can ask a very simple question to users when this happened: "Did you just log in on another device?" If they didn't, the user can select no and publish an alert indicating they were compromised.
The public editor, in private communication, attributed some of this delay to his difficulty in finding independent experts who hadn't signed the open letter.
Apparently if you're so wrong that an entire field disagrees with you, you can get anything printed in the Guardian.
> attributed some of this delay to his difficulty in finding independent experts who hadn't signed the open letter.
They emailed me asking why I hadn't signed and if it meant that I didn't agree with the petition.
Funny thing, two reasons why I hadn't signed. First, it was because I only caught the petition when it was already deep with many people I respect a lot and I felt I added nothing
And second, I was conflicted because i'd previously had a disagreement with The Guardian on another story that got kicked up all the way to editorial and I felt was never adequately resolved and was largely swept under the rug.
After that experience I didn't feel that The Guardian were genuinely going to make a best effort to resolve what was their own mess, again.
edit: to add, it drives me fucking nuts every time I hear someone repeat "I heard WhatsApp is insecure". Thanks again, Gruardian.
It's a kind of interesting problem to have. I can see the logic in trying to find someone not on the letter to verify that what it says is true... but when literally everyone agrees, the logic falls apart.
I suspect this might be the side effect of excessive CYA. I'm not happy with it, but there have been so, so many articles that get the basic premises of tech completely wrong that I think I'd still rather them take an excessive amount of time checking than publish another ill-informed piece.
I really do not see the logic in seeking input from those who did not sign the letter. The reason I signed was specifically to help show them that a very large number of infosec experts disagreed with the reporting (And I am sure that is the reason many others signed).
Few of the people on the list have any, at least obvious, position outside of their field. The purpose of seeking input is to make sure that this isn't 72 "climate change deniers" in fringe positions or with their own "custom" organisations.
I understand what you are trying to say, but you might want to check out the full list. It contains people who have various strong opinions on different nuanced security related topics, yet all agree regarding this. I think that is why it is strange to brush aside the signatories.
> It contains people who have various strong opinions on different nuanced security related topics, yet all agree regarding this.
But it takes a while to verify this if you're not already familiar with it (I'd argue that's a reason why they shouldn't have published the article to begin with, but w/e)
The public editor wouldn't know any of that. It's pretty much thier job to not take someone at thier word. Even if he could verify each person's contribution, their position in the field and the relevance of these facts to this issue he still can't be sure that this isn't e.g. some fight between two sides and that this group isn't in minority to 172 other experts that think differently. It's out-of-band verification if you so will.
More likely that The Guardian weren't very good at finding any experts before or after the story. Apparently if you don't expose a distinguishable interface to the rest of the world journalist won't find you.
Don't play dumb, David. The list of signers is extraordinary and surprising, especially to people like us who actually work in the field. This isn't a bunch of random Twitter people.
More importantly: your comment leaves the impression that there were notable people in the field who had a problem with the letter. If an expert working in messaging security didn't sign it, you and I both know that's probably just because they weren't aware of it (or, at the time, The Guardian's story).
Maybe I'm wrong (or lacking context), but FWIW I read baby's comment to mean that the public editor's claim that he had difficulty finding non-signers is silly.
It's not silly. I am not at all surprised that The Guardian was ultimately unsuccessful at finding someone reputable that works in this field to contradict the open letter.
It's their institutional lack of "old-school editorial rigour" that got them into this mess. The article gives no indication of what they have done or will do to prevent such poor reporting going forward. In the six months it took them to publish this they could have taken some steps to ensure their team has the resources it needs to better report on these areas in the future. Unfortunately, I think this op ed is too little too late for the Guardian as far as their credibility is concerned.
“Our followers on social media and our readers across the internet have come together to collectively serve as a modern watchdog, more vigilant and forceful than one person could ever be,” he wrote. “Our responsibility is to empower all of those watchdogs, and to listen to them, rather than to channel their voice through a single office.”
That's funny, because I don't see the logic there beyond it sounding superficially like a savvy decision to cut costs and leverage the community, however the role shouldn't really be a single person in the modern era, but an advocate collating voices and ensuring the editors and writers are informed by an opposing (or descenting) voice within their ranks or you risk a form of 'group think', which I believe probably had more to do with the Guardian's error than anything else.
"Our followers on social media and readers can be ignored a lot easier than a guy in our office, so when complaints come in, we can simply sweep them under the rug"
I would greatly disagree with that. The rest of the world can see complaints on social media, whereas no one knows if the guy in the office is being ignored.
These days people get so worked up on social media anytime a brand does anything (i.e. people getting mad a cinnabon for their carrie fisher bun pic - http://cbsnews3.cbsistatic.com/hub/i/r/2016/12/27/a9c2ac0c-3...). I think social media can serve as a watchdog for more important issues, too.
The New York Times retiring their ombudsman was high profile news, but is there actually a trend of (quality) newspapers removing that role from their staff? The NYT move was widely criticised by its peers (not just by the other ombudsmen, but by the newspapers themselves in their respective editorials).
I think this is a really thorough mea culpa which is quite impressive, given the frequent failure of other newspapers to publish a prominent apology when they have got things far more wrong than this.
> I think this is a really thorough mea culpa which is quite impressive
It took almost 6 months of badgering for that to finally happen though, despite an extensive and widely signed (by experts) op-ed pointing out how wrong and dangerous it was barely a week after the original article was published, and calls for corrections/retractions started within days if not hours.
> given the frequent failure of other newspapers to publish a prominent apology when they have got things far more wrong than this.
Getting things "far more wrong" matters less when it doesn't put lives at stakes, and you don't need to believe me on that, this correction article makes that point:
> During the review I independently confirmed that a Turkish government official had used the article when, in effect, attempting to deter users from WhatsApp.
> It took almost 6 months of badgering for that to finally happen though, despite an extensive and widely signed (by experts) op-ed pointing out how wrong and dangerous it was barely a week after the original article was published, and calls for corrections/retractions started within days if not hours.
Completely agreed, but they do fully concede this in their retraction:
>This made a relatively small, expert, vocal and persistent audience very angry. Guardian editors did not react to an open letter co-signed by 72 experts in a way commensurate with the combined stature of the critics and the huge number of people potentially affected by the story.
It might have taken a while for their internal review to complete but, honestly, what more can we ask for but an honest admission like this? If more media outlets could meet this standard we'd be in a much better place.
Could they have come back to us faster, yes, but an honest, well thought through apology with all these details included is a really strong response and I'm not going to complain.
We can always complain about why not this or that, but it seems we are never satisfied even when we get what we want.
Yes, we should be skeptical of all news sources, but from my experience, traditional newspapers tend to consistently misreport information security news.
I personally only trust security blogs and Twitters operated by certain security experts when it comes to news about security. I have a list of about 30 or so experts I trust.
I know that's not really practical advice for a typical person, though.
I think the Guardian handled the retraction and apology as best they could, and they deserve props for that, but it seems the hit-miss ratio for infosec stories is very poor for most "mainstream" sources out there (as much as I despise the "MSM" term).
As an ordinary guy for whom IT security is just one of many topics in which I'm interested, what do you suggest? I can't follow 1000s of blogs that cover all my interests.
And how do I choose reputable blogs in the first place? Do I trust reputation on HN and Reddit?
In the end, sure some articles will get some things wrong. But I would like to see evidence that they get it wrong more often than any other general source of news.
A few of these can occasionally be biased when there's a political edge to something, but some others I trust: Moxie Marlinspike, Daniel Bernstein, Dan Kaminsky, Rob Graham, Thomas Ptacek, Michał Zalewski, @SwiftOnSecurity (semi-parody account, but trustworthy info), Tavis Ormandy
>An investigation by the FBI has concluded that Russian hackers were responsible for sending out fake messages from the Qatari government, sparking the Gulf’s biggest diplomatic crisis in decades.
>It is believed that the Russian government was not involved in the hacks; instead, freelance hackers were paid to undertake the work on behalf of some other state or individual.
They could've easily made the headline "FBI: Qatar hackers of Russian nationality". By making the first 2 words of the headline "Russian hackers", they're obviously trying to take advantage of the recent surge in reports over Russian state-sponsored hacking. Most readers who see that headline are going to assume they meant "Russian state hackers", until they read the second paragraph.
That said, I don't see any factual errors in the article itself.
Did you read it? This is a lawyers carefully worded article to avoid being sued...
> "I accept the consensus view of the experts and, in consultation with editors, have arranged for the coverage to be amended and for a note to be added drawing attention to the review and linking to this column.
> I do not agree with critics that the story should be entirely retracted."
Huh? Accepting a consensus view is a really shifty way to avoid acknowledging being blatantly wrong.
I try to avoid making a habit of commenting on things without reading them, and also of over-quickly assuming that others do so.
> This is a lawyers [sic] carefully worded article to avoid being sued [...] Accepting a consensus view is a really shifty way to avoid acknowledging being blatantly wrong.
This leads me to question whether you read the article, or simply picked out snippets to support your preconceptions. Let's take some other quotations:
> In a detailed review I found that misinterpretations, mistakes and misunderstandings happened at several stages of the reporting and editing process. Cumulatively they produced an article that overstated its case.
> The most serious inaccuracy was a claim that WhatsApp had a “backdoor”
^ these look like an acknowledgement to me.
Furthermore, to refute your selectively used quotation above:
> I am not an expert in this field. For the review I consulted suitably experienced experts other than the 72 who had already declared their view. [...] I found a consensus that [...]
The author is accepting the consensus view amongst the experts with whom he spoke, since, as he acknowledges, he is not an expert in the field. This seems to me to be an emminently sensible approach, which most journalists would do well to follow.
It absolutely was a thorough mea culpa. You are also absolutely correct that it was not, at all, a timely mea culpa. The lack of timeliness makes it a much less impactful mea culpa, as public consciousness of the issue is likely drastically reduced, and there will likely be many who now remember the initial uproar but never see the correction.
It astonishes me that the Readers' Editor, someone with long experience in journalism, thinks retracting this story would mean taking it offline as if it never happened.
Frankly, I think this is a weak response. There is nothing in this investigation they could not have cleared up in January; instead, they dawdled and now they equivocate.
Pretty much every single person I know outside of the Bay Area and not working in tech believes that the government and the corresponding corporations running the service are reading all of their messages on:
* Whatsapp
* FB Messenger
* iMessage
* Hangouts
They also all believe that the police can look at their Facebook posts because they have special access.
This is precisely why there was minimal reaction to the Snowden revelations - what revelations?
Your claim was not that Google or Apple can update their software at will, it was specifically that Google or Apple can read existing WhatsApp messages that have been already sent (particularly ones that utilize e2e). This is not something that security engineers agree with on record. Can you find a cadre of security engineers that agree with that?
Further, there is the implication in your comment that Android and iOS are less secure than some other format (assumedly a linux or bsd variant desktop OS) for secure messaging. I'd be shocked if you could find a group of security engineers that even agreed with that. You certainly will find lots of them that disagree, so its in question at least.
I'd go further and suggest that if I made the proposition that from a security perspective you were best served by using e2e encrypted WhatsApp purely from an iOS or Chromebook that I'd gain more agreement from the security community than any other proposition about messaging formats other than "don't use electronic messaging for secret things".
> Your claim was not that Google or Apple can update their software at will, it was specifically that Google or Apple can read existing WhatsApp messages that have been already sent (particularly ones that utilize e2e).
Yes, being able to update their software at will enables them to read messages that have been already sent, even with e2e encryption.
> Further, there is the implication in your comment that Android and iOS are less secure than some other format (assumedly a linux or bsd variant desktop OS) for secure messaging.
Endpoint security is a can of worms. There is no simple conclusion to be taken from my comment, except for the literal meaning.
If you are implying that any system with auto updates could swap in malicious software I'll buy that. But you pointed out iOS and Android specifically. Most (all?) OS have auto update features and by enabling them you open yourself up to this vector.
> This is precisely why there was minimal reaction to the Snowden revelations - what revelations?
Or perhaps the 1984 Orwellian explanation - fear of surveillance curtails dissent.
E.g. perhaps there was minimal reaction because while people had always joked about the Govt. reading their messages, when Snowden revealed it was utterly true, and way worse than anyone had supposed, they became afraid to voice dissent about surveillance.
They were right to fear this as Snowden's stated reason for whistleblowing was not the existence of mass surveillance but because the mass surveillance was not for national security but its primary goal was to protect the program of mass surveillance.
Snowden revealed this: that the primary mission of the spying was to keep the spying secret and those who opposed the spying faced the greatest extra-legal retaliatory attacks. [1]
As the recent cataclysmic cyber attacks have shown national defense was not a priority for those 3 letter agencies developing weaponised exploits.
The weaponised exploits they screwed us all over by letting fall into the wrong hands, e.g. Wannacry an American state sponsored cyber-weapon funded by US tax-payer monies that wrecked the UK's National Health Service and now threatens international shipping - oopsie.
Maybe one day they'll issue a correction for their PRISM reporting too. The solution is exactly the same as the solution in this case: the editors should demand that the journalists verify their claims with experts.
I think it is too late - Any refuting of the original narrative will get you labeled a shill, "JTRIG", or discussion turns to "well you can't know what is going on for sure"
Speaking of security, the new possibility of a Google Drive backup for WhatsApp messages and files has been quite overlooked imo.
This backup is not e2ee, which means that if the other part is backing up data in Google Drive, then at least part of you WhatsApp history is not e2ee. Yes, it might be encrypted whithin Google Drive by whatever secure methods Google chooses, but not by you.
Good on them for admitting to all these flaws. I'm especially interested in the fact that government officials seem to be citing articles to push people to certain communication channels.
"People believe that you perform due diligence on matters critical to their lives and safety."
And at the bottom of the open letter many security experts have signed in support. That is, "signed" in the colloquial sense.
Small digression-- let's say a person tasked with reviewing a story in the Guardian is not an expert in security. They would really love some way to start with one or two security experts they know and trust and "fan out" to other experts based on their relationships.
Is there a quick and easy way for the journalist to do that by looking at the names of cryptographers listed at the bottom of a webpage?
Also: can someone explain what "due diligence" means? Is it the expectation here that a journalist not only report what would look reasonable to a non-journalist reader, but also use their considerable skill to ensure that they present their readers with verifiable facts, to the best of their ability? Even if it takes a considerable amount of time and effort on their part? Even if verifying the evidence relies on clunky, cumbersome tools that no one wants to spend time using?
Sad that the writer (calling herself investigative journalist - https://twitter.com/manisha_bot ) of the flawed article does not even mention the amended article in her twitter account.
Incidentally, I wondered whether the Guardian has blocked the site or did something stupid, since the page took so long to load. I thought AMP stands for ACCELERATED?
Edit: Actually, repeated loads take exactly as long (seven full seconds); but the scrollbar already has the correct page size. Probably some buggy scripting.
As someone who opens most links in new tabs (particularly when scanning the HN front page), my reaction was "Wow, that finished loading really fast!" based entirely on how long it took the favicon to replace the spinner in the tab.
Why not? I think this title "Guardian admits WhatsApp story was flawed" reflects the content better. The original title "Flawed reporting about WhatsApp" could have meant many other things. For example, the article might have complained about flawed reporting of other newspapers.
I like this title better, and the likelyhood that I'd have clicked on it would have been less with the original.
Just because somebody wrote that rule down doesn't mean you have to follow it, much less enforce it. Do you believe in it yourself, in absolutely every case, or do you follow it just because it is a rule? I'm not trolling, just curious. I find to many people on the net follow rules blindly. Rules are crystallized attitudes of communities. They shape the community, but the community also shapes the rules. If people would never break a rule, not even a little bit, they would either never change, or only change to be more strict over time.
Why am I loosing so many words over this? Why do I say you shouldn't bother that much, but then myself bother so much to write this? Because I don't want the moderation on HN to become like Wikipedia or Stack Overflow.
Personally I couldn't care less about the "Guardian admits…" narrative. The article is a genuinely informative analysis that would be done a disservice to be framed as support for an apology.
>Do you believe in it yourself, in absolutely every case, or do you follow it just because it is a rule? I'm not trolling, just curious.
I don't think you're trolling. I understand your viewpoint. I'm against selective enforcement. If there's a rule, and it isn't applied evenly to everyone all the time, it is a weapon of oppression. It is like the electronic form of white privilege.
Weeell, I'm not sure I like your comparison with white privilige, but I get your point. I see that kind of selective enforcement happen IRL too often. Ideally of course you'd adapt the rules to be a bit less strict, and find a middle ground.
You are being downvoted substantially, but I think that, although it's not a huge deal, you're right. A better title is simply: 'Guardian: "Flawed Reporting About WhatsApp"'
The idea on HN is to let readers make up their own minds. If you'd like to say what you think is important about a story you submit, that's fine, but please do so in the comment thread. Then your view is on a level playing field with everyone else's.
The title of the article from the linked page is, “Flawed reporting about WhatsApp”. What editorializing are you referring to, and what is your suggested title?
* If the original title begins with a number or number + gratuitous adjective, we'd appreciate it if you'd crop it. E.g. translate "10 Ways To Do X" to "How To Do X," and "14 Amazing Ys" to "Ys." Exception: when the number is meaningful, e.g. "The 5 Platonic Solids."
* Otherwise please use the original title, unless it is misleading or linkbait.
Use the original title. I've seen many informative titles smacked by this and made less informative. Here, an informative title is made less informative and clickbaity, with no action taken so far.
Again, the original title was "Flawed reporting about WhatsApp". I'm a frequent reader of this kind of news but I seem to have forgotten that it was the Guardian that caused this kerfluffle. The OP's title is accurate to the content while giving much needed context. The original title makes it seems like the article is about "flawed reporting" in general, which is incorrect.
I'm under the impression that this refers to the primary point of the comment. But fair enough. I have removed the part of the comment where I indicated I flagged this submission for editorializing in the title.
FWIW, the site worked completely fine for me in Firefox with JavaScript and cookies disabled, and even Lynx worked (but shows some mustache syntax that would be hidden by CSS otherwise).
This entire conflict just seems completely absurd to me - why on earth are the 72 "experts" who signed the open letter so quick to trust WhatsApp without access to the source code?
The experts (no scare quotes needed, they really are experts) were commenting on the story's facts as presented. There was no need to read the source of whatsapp, as the facts as stated in the original article were overblown and based on fundamental misunderstandings of cryptography.
The entire story was based on the question of "what do you do when someone you're communicating with using encryption changes keys?" Whatsapp chose to dynamically use the new key, rather than fail & force the user to verify the new key in some out-of-band way. This was described as a "backdoor" in the guardian story. That was simply false. Even calling it a vulnerability is a mis-understanding of how cryptography works and of the risk involved in that design decision.
Thank you for actually replying instead of downvoting...and I'll admit, the scare quotes may have been a bit too much!
That said, the open letter plainly states "WhatsApp effectively protects people against mass surveillance."
How do they know? From this, and the entire tone of the letter, it looks to me like they're still implicitly trusting that WhatsApp does what it claims to do. I see absolutely no reason to do so, and am utterly baffled that top security experts do.
More emphasis should be put on this. Those who know how to reverse engineer apps already look at the code, regardless of source code availability. But posting some machine code to debunk the original story would not do much good, seeing as those who might be unsure would likely not know how to read assembly.
It's still not entirely accurate, or at least conclusive, that WhatsApp effectively protects people against mass surveillance. It might be that there's enough other sources, messages aren't that valuable in the first place or even that mass surveillance itself, between target surveillance and everyone being a public person, isn't that important to protect people against.
I think it's much easier to conclude that WhatsApp protects peoples messages from leaking or being abused by providers and other "softer" merits.
I'm saying that both the claim that "WhatsApp is effective" and that "it is effective against mass surveillance" might be untrue even if it is effective at E2E encryption.
You can argue that WhatsApp itself de facto doesn't effectively protect (against mass surveillance) because it only works with instant messages and a lot of data isn't instant messages. You can argue that there is still mass surveillance of metadata. And that governments could enact secret laws to force vendors to engage directly in mass surveillance of their customers through the OS (less likely in the US, more so in China, especially as Google isn't present).
Sure, it's a nitpick. It's implied that it's effective because it's a good way to use E2E. But it not necessarily explored in the article whether it effectively protects people. I'm sure someone thinks that PGP was effective against mass surveillance too. So it becomes and issue over what you think is worth protecting.
> are capable of reverse engineering and analyzing Android apps (i.e. WhatsApp).
Did you do that before signing the letter?
> Furthermore, if you can verify that the app does what it advertises...
Without reproducible builds you can only verify the specific version of the app on your device. It's quite a leap from there to say 'Whatsapp is safe for you, too, regardless of your use-case'.
There's a lot of people here saying this should have happened faster, they're likely right, but also, given how extensive and thorough this is, it is more likely an example of how old-school editorial rigour just takes a lot of time.