• micballin@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    14 days ago

    They can just claim archived or deleted messages don’t qualify for end to end encryption in their privacy policy or something equally vague. If they invent their own program they can invent the loophole on how the data is processed

    • cheesemoo@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      14 days ago

      Or the content is encrypted, but the metadata isn’t, so they can market to you based on who you talk to and what they buy, etc.

      • mosiacmango@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        14 days ago

        This part is likely, but not what we are talking about. Who you know and how you interact with them is separate from the fact that the content of the messages is not decryptable by anyone but the participants, by design. There is no “quasi” end to end. Its an either/or situation.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          14 days ago

          It doesn’t matter if the content is encrypted in transit if Google can access the content in the app after decryption. That doesn’t violate E2EE, and they could easily exfiltrate the data though Google Play Services, which is a hard requirement.

          I don’t trust them until the app is FOSS, doesn’t rely on Google Play Services, and is independently verified to not send data or metadata to their servers. Until then, I won’t use it.

      • rottingleaf@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        14 days ago

        Provided they have an open API and don’t ban alternative clients, one can make something kinda similar to TOR in this system, taking from the service provider the identities and channels between them.

        Meaning messages routed through a few hops over different users.

        Sadly for all these services to have open APIs, there needs to be force applied. And you can’t force someone far stronger than you and with the state on their side.

    • mosiacmango@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      14 days ago

      The messages are signed by cryptographic keys on the users phones that never leave the device. They are not decryptable in any way by google or anyone else. Thats the very nature of E2EE.

      How end-to-end encryption works

      When you use the Google Messages app to send end-to-end encrypted messages, all chats, including their text and any files or media, are encrypted as the data travels between devices. Encryption converts data into scrambled text. The unreadable text can only be decoded with a secret key.

      The secret key is a number that’s:

      Created on your device and the device you message. It exists only on these two devices.

      Not shared with Google, anyone else, or other devices.

      Generated again for each message.

      Deleted from the sender’s device when the encrypted message is created, and deleted from the receiver’s device when the message is decrypted.

      Neither Google or other third parties can read end-to-end encrypted messages because they don’t have the key.

      They cant fuck with it, at all, by design. That’s the whole point. Even if they created “archived” messages to datamine, all they would have is the noise.

    • circuitfarmer@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      14 days ago

      Exactly. We know corporations regularly use marketing and doublespeak to avoid the fact that they operate for their interests and their interests alone. Again, the interests of corporations are not altruistic, regardless of the imahe they may want to support.

      Why should we trust them to “innovate” without independent audit?