Slashdot Mirror


WhatsApp Warns Free Google Drive Backups Are Not End-To-End Encrypted (zdnet.com)

On November 12th, WhatsApp users on Android will be able to back up their messages to Google Drive for free and it won't count towards Google Drive storage quotas. But, as WhatsApp warns, those messages will no longer be protected by end-to-end encryption. ZDNet reports: While Apple iOS users may elect to use iCloud backup storage options, Android users store theirs through Google Drive -- but alongside the changes, WhatsApp has reminded users that once communication, chat, and media is transferred away from the app, end-to-end encryption is no longer in place.

Some users may think that backup services will have the same level of protection as the app. However, this is not the case and the reminder is important for those interested in protecting their privacy. In WhatsApp support documents, this separation is now explicitly mentioned. "Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive," WhatsApp says.

1 of 38 comments

  1. It's been like this forever by itsme1234 · Score: 4, Informative

    Just to be clear, the ONLY part that is new is "won't count towards Google Drive storage quotas".

    Nothing changes, you could (since probably before WhatsApp was really popular) store the unencrypted backups on GDrive and it's off by default and you are warned that they aren't encrypted. Local backups aren't encrypted either by the way, unless you have some kind of device encryption.

    The end-to-end encryption is only on-the-fly. You start saving shit you need to trust the place you save it to. It's just like ssh, there is encryption for the connection and there is even an ephemeral symmetrical key agreed upon on the spot but you need to take care what to do with the stuff once you start logging or redirecting to files, etc.

    Most people don't care anyway. Many of the services aren't end-to-end encrypted (Email, SMS, Yahoo Messenger (rest in peace), Google Talk or whatever they call it nowadays, Facebook Messenger unless you're using secret conversation or something and so on).

    Sure, they could encrypt the backups but the user would have to manage (think store safely) the keys. Do you really expect most users to be able to get the key they set/saved years ago when the old phone breaks (or is lost) and they need to restore the backup to a new phone? Especially if it is a key with enough entropy (think a complicated passphrase) that they aren't supposed to be using anywhere else?