Read the founder exit letter. WhatsApp is definitely not e2e encrypted for all features.
You leak basic metadata (who talked to who at what time).
You leak 100% of messages with "business account", which are another way to say "e2e you->meta and then meta relays the message e2e to N recipients handling that business account".
Then there's all the links and images which are sent e2e you->meta, meta stores the image/link once, sends you back a hash, you send that hash e2e to your contact.
There's so many leaks it's not even fun to poke fun at them.
And I pity anyone who is fool enough to think meta products are e2e anything.
> with "business account", which are another way to say "e2e you->meta and then meta relays
Actually it's a nominated endpoint, and then from there it's up to the business. It works out better for Meta, because they aren't liable for the content if something goes wrong (i.e. a secret is leaked, or PII gets out). Great for GDPR because as they aren't acting as a processor of PII they are less likely to be taken to court.
WhatsApp has about the same level of practical "privacy" (encryption is a loaded word here) as iMessage. The difference is, there are many more easy ways to report nasty content in WhatsApp, which reported ~1 million cases of CSAM a year vs Apple's 267. (Not 200k, just 267. That's the whole of Apple. https://www.missingkids.org/content/dam/missingkids/pdfs/202...)
Getting the content of normal messages is pretty hard, getting the content of a link, much easier.
iMessage is not on the same playing field as WhatsApp and Signal. Apple has full control over key distribution and virtually no one verifies Apple isn't acting as a MitM. WhatsApp and e2e encrypted messengers force you to handle securely linking multiple devices to your account and give you the option to verify that Meta isn't providing bogus public keys to break the e2e encryption.
For iMessage, Apple can just add a fake iDevice to your account and now iMessage will happily encrypt everything to that new key as well and there's zero practical visibility to the user. If it was a targeted attack and not blanket surveillance then there's no way the target is going to notice. You can open up the keychain app and check for yourself but unless you regularly do this and compare the keys between all your Apple products you can't be sure. I don't even know how to do that on iPhone.
Never thought about using CSAM image hash alerts as a measure of platform data leaks (and popularity, as I doubt bots will be sharing them). That's very smart.
And it shows that FB eclipses everyone by an insane margin, it's scary!
About your point on business accounts, the documents I reviewed included dialog tree bots managed by Meta. Not sure if not having that changes things... but in that case it was spelled out that Meta is the recipient.
It's more a UX/org thing. In iMessage how do you report a problematic message? You can't easily do it.
In WhatsApp, the report button is on the same menu that you use to reply/hide/pin/react.
Once you do that, it sends the offending message to Meta, unencrypted. To me, that seems like a reasonable choice. Even if you have "proper" e2ee, it would still allow rooting out of nasty/illegal shit. Those reports are from real people, rather than automated CSAM hashing on encrypted messages. (Although I suspect there is some tracking before and after.)
It's the same with Instagram/Facebook. The report button is right there. I don't agree with FB on many things, but this one I think they've made the right choice.