
Remember this is the same company that just gave police DMs that aided in an abortion investigation. If those had been end to end encrypted that risk would not have existed, but they made a business decision to leave the application vulnerable to spying for profit reasons. That is a vulnerability, in the same way we call it a vulnerability when an entity man-in-the-middles a browser to spy on people.

Personal user browsing or communications leaking in plain text to private companies without explicit and obvious user consent puts users at risk, and is a vulnerability. It just so happens to be one arising from malicious profit seeking behavior that happens to be the status quo.

Not having https was once the status quo, and a boon for corporate spying, but we call that a vulnerability now because the abuses became too big to ignore.


> this is the same company that just gave police DMs that aided in an abortion investigation

They were served a warrant. I'm no friend of Facebook/Meta, but any company served a warrant is going to turn over what they have.


I don't think the GP is saying that Meta should have ignored a lawful order. I think they're saying that they shouldn't have put themselves in the position of being able to render that information, and only have done so because it's profitable for them to do so.


It’s really painful to see all of these encryption holes in every product we use daily. Apple claims privacy, yet your whole phone sits unencrypted on their server ready to be served to anyone who asks (assuming you back up your phone to iCloud).


End to end encryption is only useful when the software on each end is open source and deterministically built/distributed by third parties with accountability.

Even Signal or Google/Apple could ship a bad Signal app update to targeted devices to dump convos if ordered. If you use Matrix with a client from an F-Droid build or a reproducible build from debian etc, then the Matrix developers literally could not comply with orders to obtain your plaintext content.


My understanding is that iCloud backups are encrypted[1].

[1]: https://support.apple.com/en-us/HT202303


Encrypted but they have the keys so they can serve it to anyone who asks. That’s why “end-to-end” is subsequently mentioned as an “additional” step for certain data. It should all be end-to-end like iCloud Keychain is, at least on demand.


Keep reading; you might be missing the point. The paragraph continues after that sentence.


Well, one can go ahead and enable End-to-End encryption in Facebook Messenger now: https://www.facebook.com/help/messenger-app/786613221989782


Yes, but people love that, otherwise e.g. freemium and ad-driven games would not exist.

Consumers have a payment-avoiding behaviour as a status quo.


This comes across as victim blaming.

Users are given the choice to accept risks that are buried on page 7 of privacy policies only a lawyer could understand the tricks in.

Services knowingly endangering unknowing users for money should be like cigarettes and be forced to say on the signup page in big bold text they can and will sell user data to anyone, including law enforcement.

Users largely think free services are like public libraries and do not default to expecting they are being exploited for money. Element, Wikipedia, and duckduckgo exist for free without selling user data so it is not a given that exploitation is always present in free services.


This isn't a consumer choice issue. People love morphine too, it doesn't mean Amazon can sell it to them. If Apple enforced its own rules in this case, Facebook would just have to act like any other developer and find some revenue streams that comply with established privacy norms.
