[HN Gopher] Court orders WhatsApp to suspend users sharing pirat...
___________________________________________________________________
Court orders WhatsApp to suspend users sharing pirated movie
Author : curmudgeon22
Score : 80 points
Date : 2021-05-25 01:48 UTC (21 hours ago)
(HTM) web link (torrentfreak.com)
(TXT) w3m dump (torrentfreak.com)
| sneak wrote:
| Another set of people learning about how untenable Facebook's
| censorship regime is in the long term.
|
| I just wish they'd cast a wider net.
| dartharva wrote:
| The movie in question is getting streamed at a pay-per-view price
| of Rs.249, and is failing to generate revenue magnificently. It
| should have been obvious, no one is going to pay theatre-ticket
| prices to watch a silly[0] movie on their little phones.
|
| [0]: https://youtu.be/jD-jxRrSANY
| WhyNotHugo wrote:
| What theatre-owners fail to realise is that many people pirate
| the movie not to avoid the payment, but because MANY people
| hate theatres as an establishment.
|
| I want to watch in a small, portable screen changing positions
| on my couch, not sitting in a static position for over an hour,
| on a huge screen, full of lines, people, smells, and even 20
| minutes of ads.
|
| I wouldn't mind paying the price TO SEE A MOVIE. It's just that
| all the rest of the theatre experience is crap.
| karatinversion wrote:
| Well, I could see several hundred people in the world doing
| this, but as a fraction of the relevant category?
|
| Did you yourself refrain from piracy when all the movie
| theaters were closed for the last year?
| screye wrote:
| A similar point was made by Gabe Newell about gaming. Piracy
| is first about access and convenience.
|
| Also, most cases of piracy are of those who otherwise
| couldn't afford or would not have paid the theater
| experience. So the pirate is a ghost customer who only exists
| in the pirated world.
|
| I never paid for western shows up until Netflix came along. I
| never paid for games until steam started using regional
| pricing. I never paid for music until Spotify.
|
| In every case it was about access, convenience and the
| willingness of the service provider to meet me where my
| wallet was.
| BiteCode_dev wrote:
| Can't really blame facebook for once. Even 0bin.net must obey
| take down requests. In fact, we often have to comply for requests
| that don't match our jurisdiction because hosting will shut you
| down without checking anything.
|
| Facebook have their own infra but still, they can't ignore the
| law.
| tgsovlerkhgsel wrote:
| > when provided with evidence showing that any other WhatsApp
| user is infringing Zee's copyrights by selling copies of its
| film, WhatsApp must suspend the corresponding accounts within 24
| hours.
|
| So this does not require Whatsapp/Facebook to proactively monitor
| its network and suspend users who share it (if it did and
| Facebook complied, it would disprove their claim that e2e
| encryption as they use it provides sufficient privacy).
| freeone3000 wrote:
| Facebook manages the keys, and can download your entire chat
| history to a new device. What privacy is their implementation
| actually providing?
| tgsovlerkhgsel wrote:
| As I understand it, _with backups disabled_, at least the
| text messages are protected. I would expect file contents of
| unknown files to be protected but file hashes to potentially
| leak.
| calt wrote:
| Do they manage the private keys?
|
| I always thought that they only managed the public keys.
|
| I thought that your backup is stored in iCloud or Google
| Drive unencrypted. Facebook doesn't have direct access to
| that. Your phone must be already logged in to those services.
| cesarb wrote:
| AFAIK, there are two kinds of private keys here. There's
| one key used to encrypt the backups, which can be either
| local (on the device) or sent to Google's or Apple's
| servers; that key is AFAIK kept by Facebook (unlike Signal
| which asks you to write it down), but it's useless without
| the backup files, which most probably Facebook cannot
| access directly. The other key is the ratcheting end-to-end
| encryption key, and AFAIK that's only kept by the device
| itself; if you have the right option enabled, you can see
| whenever someone you're talking to installs WhatsApp or
| Signal on a new device, since you'll be warned that the key
| has changed.
| wyldfire wrote:
| They broker the public key exchanges and IIRC the clients
| trust the broker when it claims that the previous key owner
| (definitely not Eve) has generated a new keypair. There is
| a setting (opt-in!) to even see when this occurs but once
| it does your oh-so-compliant client has already
| re-encrypted the old messages with the recipient's new pub key
| and sent them along. This behavior is by design.
|
| Some folks will tell me "but it's end-to-end!" and it feels
| kinda like they're telling me that it's "what plants
| crave."
|
| EDIT: if you don't believe me, turn on the setting, have a
| friend reinstall the app and watch the re-keying happen.
| It's indistinguishable from an attack unless you trust the
| broker. If you trust the broker, then why claim it's "end
| to end"? Also refer to the various articles that describe
| this behavior that WhatsApp says is by design.
|
| Double EDIT: why is it this way by design? Because it would
| be a PITA if every time you replaced your lost phone your
| buddies got a warning that looked like "Either Dave has got
| a new phone or the NSA is attacking you. Resend ten years
| of hilarious memes and intimate conversations to whoever is
| on the other end?" Real cryptography comes with real
| inconveniences when you lose your keys. It's the same kind
| of headache with securing cryptocoins - if you lose the
| secrets you lose the money. Trusting an agent is the only
| way to escape, but it comes at a significant cost.
| Cryptocoin custodians like exchanges get attacked all the
| time. And communication broker/relays get lawful intercepts
| all the time.
| cesarb wrote:
| > Resend ten years of hilarious memes and intimate
| conversations to whoever is on the other end?
|
| AFAIK, it won't resend already received messages; if the
| other end didn't have a backup, these ten years of old
| messages are lost for that end. I don't know whether it
| will resend sent but not yet received messages, and it
| certainly will use the new key for new messages (but at
| that point, you already received the "key changed"
| alert).
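
The two client reactions to a changed contact key that the comments above argue about, modelled side by side. This is an added example, not WhatsApp's or Signal's code; `PinStore`, its methods and the random byte strings standing in for identity public keys are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def fingerprint(identity_key: bytes) -> str:
    """Digest of a contact's identity public key, short enough to compare by eye."""
    return hashlib.sha256(identity_key).hexdigest()[:20]


@dataclass
class PinStore:
    """Hypothetical client-side store of pinned contact keys (trust on first use)."""
    block_on_change: bool
    pinned: dict = field(default_factory=dict)   # contact -> fingerprint
    events: list = field(default_factory=list)   # what the user would be shown

    def may_send(self, contact: str, served_key: bytes) -> bool:
        """Decide whether to encrypt to the key the server currently serves."""
        fp = fingerprint(served_key)
        known = self.pinned.get(contact)
        if known is None:
            self.pinned[contact] = fp            # first contact: nothing to compare
            self.events.append("first-use")
            return True
        if hmac.compare_digest(known, fp):
            return True
        self.events.append("key-changed")
        if self.block_on_change:
            return False                         # hold the message until verify()
        self.pinned[contact] = fp                # accept the server's word, warn only
        return True

    def verify(self, contact: str, served_key: bytes, out_of_band_fp: str) -> bool:
        """Re-pin only if the fingerprint the contact reads out matches."""
        fp = fingerprint(served_key)
        if not hmac.compare_digest(fp, out_of_band_fp):
            return False
        self.pinned[contact] = fp
        self.events.append("verified")
        return True


def run_scenario(block_on_change: bool) -> dict:
    """Contact 'dave' reinstalls; the server starts serving a new key for him."""
    old_key = os.urandom(32)                     # constructed sample keys
    new_key = os.urandom(32)
    store = PinStore(block_on_change)
    first = store.may_send("dave", old_key)
    after_change = store.may_send("dave", new_key)
    wrong = store.verify("dave", new_key, fingerprint(os.urandom(32)))
    store.verify("dave", new_key, fingerprint(new_key))
    return {
        "first": first,
        "after_change": after_change,            # the decision that differs
        "wrong_fp_accepted": wrong,
        "after_verify": store.may_send("dave", new_key),
        "events": list(store.events),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("block_on_change =", mode, run_scenario(mode))
```
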
| thaumasiotes wrote:
| > if it did and Facebook complied, it would disprove their
| claim that e2e encryption as they use it provides sufficient
| privacy
|
| You made me envision this "end-to-end encryption" scheme:
|
| - Alice sends a message to Bob. True to its word, WhatsApp
| encrypts the message on Alice's client and transmits it through
| to Bob without the WhatsApp server ever being able to read the
| message.
|
| - Bob receives the message, which is decrypted for his viewing
| by his WhatsApp client.
|
| - Bob's WhatsApp client reads the message and reports it back
| to the WhatsApp server.
| henearkr wrote:
| Exactly. So e2e makes sense only when the client is open
| source too.
|
| Signal got this right.
| cantrevealname wrote:
| > _Bob's WhatsApp client reads the message and reports it
| back to the WhatsApp server._
|
| In every copy of the app, WhatsApp explicitly says, "Your
| messages, calls and status updates stay between you and the
| people you choose. Not even WhatsApp can read or listen to
| them."
|
| Of course, the scenario you describe is possible, but
| WhatsApp would be lying.
| WhyNotHugo wrote:
| WhatsApp's TOS used to state that the encryption key stays
| on device.
|
| This changed a few months ago.
| dTal wrote:
| >Not even WhatsApp can read or listen to them
|
| WhatsApp is already lying. It _can_, as demonstrated
| above.
| PeterisP wrote:
| A lawyer could argue that sending a hash of the transmitted
| file (or, preferably, locally verifying the hash against a
| blacklist) is substantially different from sending/reading
| its contents.
| pjc50 wrote:
| The encryption may be E2E. The _key management_ is obviously
| central, as you can figure out by asking how whatsapp web
| works.
| BenjiWiebe wrote:
| WhatsApp Web works by reading/sending messages through your
| phone.
| petronio wrote:
| It says "when provided with evidence", so I would assume it
| doesn't require active monitoring from WhatsApp and is more
| like a DMCA takedown request.
| elliekelly wrote:
| I'm not sure I would consider a DMCA takedown request
| "evidence".
| WhyNotHugo wrote:
| Odd narration though. What constitutes "sufficient evidence"?
| Is WhatsApp now the judge of this?
| petronio wrote:
| Most likely, because if they refuse and it's infringing
| then it's them (WhatsApp) getting dragged to court for not
| following the court's orders. I suspect it'll end up
| similar to how most service providers handle DMCA
| takedowns: honor it without question. If it's invalid, the
| affected party can take it up with whoever submitted the
| request as far as WhatsApp is concerned.
| sp332 wrote:
| Yeah but a DMCA takedown is focused on the content, not on
| deleting a user's account. Not after one "strike", anyway.
| mrzimmerman wrote:
| That's true but the Digital Millennium Copyright Act is a
| US law and this is an Indian court. So it's similar in that
| what has to be reported is the act of a user sharing the
| content, but the reaction the platform has to take is
| different.
| pmlnr wrote:
| > So this does not require Whatsapp/Facebook to proactively
| monitor its network
|
| Welcome to Article 11 & 13:
| https://juliareda.eu/eu-copyright-reform/
| Kbelicius wrote:
| FFS, those do not require active monitoring. Article 17,
| formerly known as article 13, explicitly states: "8. The
| application of this Article shall not lead to any general
| monitoring obligation."
| tremon wrote:
| _general_ in that statement is a weasel word, and including
| it in the official article text is a clear indication of
| intent:
|
| "Yes, we recognize this requires setting up a monitoring
| infrastructure for compliance with the article, but we
| reserve the right to publicly condemn any company that uses
| that same infrastructure for self-serving purposes."
| pmlnr wrote:
| Lol. Then how else can it be followed?
| Kbelicius wrote:
| You could, you know, read the article before you start
| spreading FUD about it. Maybe the answers you seek are in
| it.
|
| In the end it doesn't matter how it will be followed. If
| general monitoring is the only way to follow it then
| nobody needs to follow it. Simple as that.
| pmlnr wrote:
| Time will tell. Sadly, in my read, "no general
| monitoring" and "mandatory upload filters" are not the
| same, and thus, not mutually exclusive.
| Legogris wrote:
| Anecdata: I recently shared a private FB event link with a
| friend over WhatsApp (DM, not group chat) while we were in the
| same room. She saw and opened it. Some hours later it was gone
| from both of our chat histories on all devices, with no notice
| of deleted messages. Earlier and later messages were intact.
|
| I don't see how this could happen if that claim was true.
| rand49an wrote:
| WhatsApp does have a list of banned hashes for images so that
| certain images cannot be sent - this hash check is done on
| the client so as not to break e2e encryption.
|
| The same can surely be done with web links.
| throwaway67114 wrote:
| Source?
| [deleted]
| sergiosgc wrote:
| I have a more clear event: At my company we regularly
| communicate single use credit card numbers for company
| purchases. One of those was sent via WhatsApp, and stolen.
| Neither the origin phone nor the destination phone were
| compromised. The card was used to purchase Adwords, the
| transaction originated in the US (we are in Europe).
|
| Our theory is that at least images on WhatsApp are human-
| reviewed, and one reviewer saw the credit card go through and
| took the opportunity.
|
| We reversed the transaction and switched to Signal...
| rand49an wrote:
| How do you know the card wasn't compromised before it
| reached you?
| sergiosgc wrote:
| It's a virtual card, generated in the banking app, to be
| used one single time. The card never existed outside the
| bank IT systems or the phones involved in the
| communication.
| throwaway67114 wrote:
| At least on android, most whatsapp data is stored in a
| folder named whatsapp, which can be accessed by any app
| with storage permission. So you can see all sent/received
| images and videos in photo viewer apps etc. Signal stores
| them in a place which at least in Android 11 can't be
| accessed by other apps.
| morsch wrote:
| > I don't see how this could happen if that claim was true.
|
| I don't see the relation. They could (and I'm sure they do)
| attach a message id to the e2e-encrypted payload, shared
| between message sender and receivers. They could remotely
| delete messages by id, either by design or through a bug.
| None of this requires breaking e2e.
|
| I mean, I'd argue that remote message deletion by id should
| not be possible (i.e. the client should not permit it) and
| certainly not without user notification, but that's a
| different matter.
| Legogris wrote:
| Deleted message contained more text than only the link. The
| event was quite small and local (social event with <200
| participants). The organizer (a friend of mine) had asked
| people to not share the link via social media.
|
| While what you're saying is theoretically possible, I find
| it such a stretch that the only reasonable explanation save
| for some very unlikely bug is that message contents are
| indeed accessed in some form outside of our own devices.
| cantrevealname wrote:
| It would be terrific to find a way to reproduce this.
|
| What do you believe is the likely reason for the link to
| be deleted? Do you think that the organizer (your friend)
| did something at his end that caused the link to be
| deleted everywhere? I.e., he wanted to delete the link.
| In that case, it should be possible to reproduce this.
|
| Or do you think Facebook or WhatsApp disapproved of the
| link and therefore deleted it? Was it something
| controversial or against Facebook rules? It could be
| possible to reproduce that as well if a group of users
| shares an equally controversial link.
| Legogris wrote:
| I agree. It really beats me. The organizer did write on
| the event info page something like "don't share on SNS".
| While it's a curious coincidence that it's specifically
| this link that gets deleted, AFAIK there's no way for an
| organizer to prevent sharing apart from making the event
| private and requesting attendees in free-text to keep it
| to themselves.
|
| The only thing that I think could potentially be
| controversial would be that it was a social gathering
| during the pandemic. The event page itself was and still
| is up. If it was deemed against FB rules I'd expect it to
| be reflected in some way on FB, and not just by deleting
| WhatsApp messages referring it.
|
| I really can't give a good reason apart from "some ML
| model got triggered somehow, which prompted a human
| somewhere to look at it for a couple of seconds and click
| the delete button"
| StavrosK wrote:
| WhatsApp visits links to generate a preview, so
| presumably FB knows the content of your message because
| at least the link is leaked.
| rapnie wrote:
| Yes indeed, to request the OpenGraph metadata. Though
| technically not needed I assume that any hyperlink will
| be readable by WA/FB. Anyone knows if these requests go
| via their own servers?
| StavrosK wrote:
| I just checked the web UI by pasting a link and didn't
| see a request go out to the domain, so I assume it went
| through the websocket to FB.
| dartharva wrote:
| When did this happen? They hadn't implemented E2E Encryption
| before 2016.
| Legogris wrote:
| During 2021.
| lifty wrote:
| Regardless of e2ee, they might have code bundled in the
| WhatsApp app that just deletes local video messages based
| on a hash. That wouldn't break encryption.
| tutfbhuf wrote:
| You cannot and should not be able to use a hash or
| rainbow table for encrypted messages. If that is possible
| (you don't use a nonce), then your encryption is broken
| since many common messages can be looked up in a rainbow
| table and you can use replay attacks.
| mimi89999 wrote:
| That would have to happen on the device before encryption
| or after decryption.
| Mindwipe wrote:
| WhatsApp's client applications already do this before
| encryption to check against a list of hashes of child
| abuse material.
| tutfbhuf wrote:
| This is of course great, but such hash based filters for
| images or videos can be circumvented easily by just
| flipping one bit (without corrupting the file). I guess
| what we really need is some kind of ML trained filter
| that has a great rate of success and a very low false
| positive rate.
| Legogris wrote:
| It was an event link, think:
|
| > The event next week:
| > https://....
|
| (Neither of us remember if those two lines were distinct
| messages or two lines in the same message; regardless,
| neither is there anymore)
| tffgg wrote:
| Same message doesn't mean same hash. Usually a nonce is
| used and if not: WhatsApp uses the Signal Protocol, which
| uses different keys for each message
| jeroenhd wrote:
| The client can delete the message if the decrypted hash
| matches a certain blacklist. It doesn't have to happen on
| the FB servers.
|
| Such a mechanism allows governments to turn WhatsApp into
| a propaganda machine very easily, though, so I'm not sure
| if I would consider such a mechanism for my app if I were
| in a similar position.
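
Added illustration of the point argued in this sub-thread, not code from any messenger: with a fresh nonce per message, two encryptions of the same file hash differently, so a relay holding only ciphertext cannot match a hash list, while the endpoint holding the plaintext can. The HMAC-based keystream is a stand-in for a real authenticated cipher, and `BLOCKLIST` and the sample bytes are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in cipher with no authentication."""
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under a fresh random nonce; returns nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); only a holder of the key can run this."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: one listed file and one unrelated file.
LISTED_FILE = b"constructed sample attachment, listed"
OTHER_FILE = b"constructed sample attachment, not listed"
BLOCKLIST = {sha256_hex(LISTED_FILE)}


def relay_match(blob: bytes) -> bool:
    """What a relay can test: hashes of the bytes it forwards, without the key."""
    return sha256_hex(blob) in BLOCKLIST or sha256_hex(blob[NONCE_LEN:]) in BLOCKLIST


def client_match(key: bytes, blob: bytes) -> bool:
    """What an endpoint can test after decryption (or before encryption)."""
    return sha256_hex(unseal(key, blob)) in BLOCKLIST


def demo() -> dict:
    key = os.urandom(32)                 # session key shared by the two endpoints
    first = seal(key, LISTED_FILE)
    second = seal(key, LISTED_FILE)      # same file sent again
    other = seal(key, OTHER_FILE)
    return {
        "ciphertexts_differ": first != second,
        "ciphertext_hashes_differ": sha256_hex(first) != sha256_hex(second),
        "relay_match": relay_match(first) or relay_match(second),
        "client_match_listed": client_match(key, first) and client_match(key, second),
        "client_match_other": client_match(key, other),
        "roundtrip_ok": unseal(key, first) == LISTED_FILE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
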
| Barrin92 wrote:
| Given that WhatsApp is by default E2E encrypted and I think this
| includes group chats and files this is probably not even possible
| at any meaningful scale.
| Thorentis wrote:
| Well, we're about to find out whether the trust people placed
| in a closed source chat app that claimed to be secure was well
| founded or not.
| mschuster91 wrote:
| One may not help but wonder if the real reason behind this is not
| a movie with abysmal ratings, but rather a desire by the Modi
| government to get precedence that Whatsapp can be ordered to
| suspend accounts at arbitrary accusations.
|
| "Pirates" first, and the next wave will be people critical of his
| government and especially his Corona clusterfuck. The Modi
| government already ordered Twitter to silence critics.
| PicassoCTs wrote:
| If you steal a candy bar, is it proportional for the state to cut
| electricity to your house?
| TomGullen wrote:
| That's not a very good analogy
| codeisawesome wrote:
| Are attachments (like photo and video contents) E2E encrypted on
| WhatsApp?
| throwaway888abc wrote:
| I just read yet another nagging popup with assurances that my
| messages are private and encrypted, so how can Facebook read
| message to supposedly pirated movie ? .... and to accept new
| policy
|
| 6 sense above the E2E encryption ?
|
| How they do this ?
| yumraj wrote:
| One option is to do it at the client layer, before messages are
| transmitted and have left your device.
|
| Note: I'm not advocating they do this or supporting the ask,
| merely providing a technical option.
| Areading314 wrote:
| you could do it by hashing the content and then sending back
| the hashes to some server for them to check
|
| but really if the code is not open source it doesn't really
| help for them to claim E2E. You don't really have any
| guarantees they won't circumvent encryption.
| ab_testing wrote:
| Whenever you communicate with a user or a group on WhatsApp,
| your phone number is visible to that user or group. If anyone
| of the users in that group is a rat, they can divulge all the
| conversations to law enforcement including all group member
| details.
|
| Bottom line choose your friends wisely or join seedy groups
| with caution.
| MertsA wrote:
| Not possible, this order is to ban a list of users who got
| caught and future reported users not to try and identify the
| copyrighted material itself.
| mr_toad wrote:
| > How they do this ?
|
| Easy, someone squealed.
|
| All the encryption in the world won't do you any good if the
| recipient of the message can't be trusted. And the larger the
| group the more likely it is that someone is a bad actor.
| salawat wrote:
| One thing I've always wondered, and I think IETF needs to get
| a working group on.
|
| _Where do snitches fall in reference to handling of
| evilness[originally defined in RFC3514]?_
|
| Should the evil bit be set in reference to the activity of a
| group in isolation of the maliciousness of an implementation
| of a system operating on a network medium?
|
| Example:
|
| > _A group uses a tool or protocol legitimately in the way in
| which it was designed [non-evil manner] to facilitate an
| illegal workflow [debatably evil, but at a level irrelevant
| to the network]. Based on RFC 3514, this group carrying out
| the illegal activity in a way not malicious to the
| network SHOULD NOT set the evil bit; they are up to no
| mischief within the context of the network, as they are
| making use of hosts as they were designed to be used. A
| snitch within the group, however, SHOULD set the evil bit,
| and furthermore, if IPv6, should set the attack identifier to
| something appropriate since they are exploiting the implicit
| trust of the network in a malicious way [see RFCs 7258 and
| the IPv6 relevant part of 3514]_
|
| Clearly, there is intent based on related work with optical
| switches and routing that the evilness bit should cascade
| appropriately between contexts, such as there being evil
| lambdas, and evil polarizations, etc.... How then, does one
| then handle the problem of "relative evilness", in which the
| state of the evil bit is dependent on higher order
| constructs, in particular where higher order activities are
| directly recognized to be a form of network attack, thereby
| warranting the setting of the evil bit by one party or the
| other? Note, this issue does not just impact the criminal
| element, as the same setup could easily afflict law
| enforcement by which a snitch jeopardizes _legal_ activity
| through the same attack pattern, or rogue law enforcement
| participating in unlawful surveillance jeopardize the safety
| and integrity of the network.
|
| I believe the very future of security on the Internet and the
| integrity of activity mediated over it is at stake if we
| cannot reach a rough consensus on this topic.
| fwn wrote:
| Not sure if I understood you correctly.
|
| In our context "evil" just meant that someone breached the
| secrecy a group assumed to be a shared value.
|
| Encryption is never evil and the tools used to facilitate
| communication in democratic societies should not be
| equipped with traps to enforce whatever power positions
| exist at one time.
| danielheath wrote:
| The "Evil Bit" RFC is one of the famous April Fools jokes
| produced back when the standards body retained an
| excellent sense of subtle humor.
|
| I think it's safe to assume anyone referencing it is
| doing so for comedic purposes.
| salawat wrote:
| It is indeed a safe assumption in this case. I was trying
| to sneak in a "snitches get stitches" jab to balance out
| this year's establishment of the Protocol Police, but
| couldn't quite pull it off.
| fwn wrote:
| Ha, thank you. I had no idea.
| https://en.wikipedia.org/wiki/Evil_bit
| perryizgr8 wrote:
| Everybody knows you use Telegram for such purposes. Don't know
| why people are doing it on Whatsapp.
| baby wrote:
| WhatsApp encrypts your conversations end to end via the state
| of the art Signal protocol, Telegram doesn't.
| ekianjo wrote:
| and everything is closed source so all bets are off.
| baby wrote:
| I mean if that's your issue Matrix is your best bet, not
| telegram
| ekianjo wrote:
| Where did I advocate Telegram ?
| baby wrote:
| Look at the thread
___________________________________________________________________
(page generated 2021-05-25 23:02 UTC)