can't be done without rooted phone.

can move media, but whatsapp still stores additional in original location

We’re incredibly excited to launch Element One!

It’s a complete messaging package - the Element app with high-performance hosting, the entire Matrix universe and bridging to WhatsApp, Signal and Telegram. All for just $5 per month. //

Element One is the quickest and easiest way to get unlimited bridging to WhatsApp, Signal and Telegram.

Just sign up from the Element website.
https://ems.element.io/element-one //

It’s also worth noting that end-to-end encryption is necessarily broken as messages to (and from) WhatsApp, Signal and Telegram pass across the bridge(s). The bridge(s) operates in Element’s trusted EMS environment, with no content scanning or datamining, but currently bridged conversations are not stored end-to-end encrypted in Matrix (they will be in the future).

Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement.

This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is—you guessed it—reviewing WhatsApp messages that have been flagged as "improper." //

The loophole in WhatsApp's end-to-end encryption is simple: The recipient of any WhatsApp message can flag it. Once flagged, the message is copied on the recipient's device and sent as a separate message to Facebook for review.

Messages are typically flagged—and reviewed—for the same reasons they would be on Facebook itself, including claims of fraud, spam, child porn, and other illegal activities. When a message recipient flags a WhatsApp message for review, that message is batched with the four most recent prior messages in that thread and then sent on to WhatsApp's review system as attachments to a ticket. //

Although nothing indicates that Facebook currently collects user messages without manual intervention by the recipient, it's worth pointing out that there is no technical reason it could not do so. The security of "end-to-end" encryption depends on the endpoints themselves—and in the case of a mobile messaging application, that includes the application and its users.

An "end-to-end" encrypted messaging platform could choose to, for example, perform automated AI-based content scanning of all messages on a device, then forward automatically flagged messages to the platform's cloud for further action. Ultimately, privacy-focused users must rely on policies and platform trust as heavily as they do on technological bullet points. //

Although WhatsApp's "end-to-end" encryption of message contents can only be subverted by the sender or recipient devices themselves, a wealth of metadata associated with those messages is visible to Facebook—and to law enforcement authorities or others that Facebook decides to share it with—with no such caveat.

ProPublica found more than a dozen instances of the Department of Justice seeking WhatsApp metadata since 2017. These requests are known as "pen register orders," terminology dating from requests for connection metadata on landline telephone accounts. ProPublica correctly points out that this is an unknown fraction of the total requests in that time period, as many such orders, and their results, are sealed by the courts.

Facebook is pushing a mysterious and aggressive ‘privacy update’ on WhatsApp users. Here’s why

Fri 14 May 2021 06.14 EDT //

Facebook, for its part, has spent the months since the announcement downplaying the significance of these privacy updates by arguing that its latest changes will only affect communication with business accounts (WhatsApp Business was launched in January 2018). In truth, the changes will allow Facebook to collect payment and transaction data from WhatsApp users, meaning Facebook will be able to gather even more data and target users with ever more personalized ads. WhatsApp has also removed a passage in its privacy policy about opting out of sharing data with Facebook. Facebook argues that this simply reflects what’s been in place since 2016. That is exactly the problem.

Today’s WhatsApp shares a great deal of information with Facebook it promised it wouldn’t, including account information, phone numbers, how often and how long people use WhatsApp, information about how they interact with other users, IP addresses, browser details, language, time zone, etc. This latest incursion has highlighted just how much data sharing has been going on for years without most users’ knowledge.

For Google, not buying WhatsApp in 2013 feels like a major turning point. Google would go on to launch seven competing messaging and video apps over the years: Google Hangouts in 2013; Google Spaces, Google Allo, and Google Duo in 2016; and Google Chat and Google Meet in 2017. The company also pushed for RCS over Google Messages in 2019. Cue's prediction that the company could "lose" to a Google-led WhatsApp now seems like a dream from a bygone era.

Cue also called messaging "one of the most important apps in a mobile environment," which represents a striking difference from how Google approaches messaging. At Google, messaging is only ever handled by an endless series of underfunded, unstable side projects led by job-hopping project managers. Google releases a new messaging app about every 12-18 months, making it very difficult for any single app to gain traction and reducing consumer confidence in any individual product. The heads of these projects often leave the company shortly after a splashy product launch, and with no top-down direction on what the company should support, the products usually start winding down once the leader bails.

Federighi's comments echo Apple's longstanding position that iMessage is a key lock-in component of Apple's walled garden and that the company shouldn't make it easy for "iPhone families" to incorporate Android devices. The Epic case earlier revealed a 2016 comment from Apple's Phil Schiller, saying that "moving iMessage to Android will hurt us more than help us."

We are making changes to our Terms of Service and Privacy Policy that relate to messaging between businesses and their customers on WhatsApp. We are also providing more information about how we collect, share, and use data.

WhatsApp caused a user stampede to rival encrypted messaging app Signal by sending users new terms and conditions.

Users were panicked by the notification WhatsApp sent out, thinking it meant the app would share more data with Facebook, its parent company.

In fact, WhatsApp was already sharing their data with Facebook — all the notification did was draw attention to it. //

What WhatsApp accidentally did with its notification was to highlight to users exactly how much of their data it was already sending back to the Facebook mothership. //

Woodward also pointed to WhatsApp's collection of metadata. "The perverse thing is that WhatsApp encryption is based upon the same as used by Signal, but whilst [WhatsApp] keep the content if your messages confidential they do harvest some metadata, and knowing who talked to whom, when and for how can be valuable data in targeting advertising by identifying affinity group," he said. //

While the new WhatsApp notification appears to be a PR blunder, Woodward doesn't think WhatsApp is in deep trouble long-term.

"WhatsApp still has a critical mass of users and many are quite relaxed about the unwritten social contract that says you can use our service for free in return for us using your data to make a profit," he said.

Telegram does offer “secret chats,” which provides end-to-end encryption, albeit only from one device to another, between just two people. It won’t sync across multiple devices and it won’t work for groups. Telegram says this is technically difficult to do, albeit both Signal and iMessage have managed to execute this level of encryption flawlessly. In reality, Telegram’s architecture is designed to provide fast and seamless multi-device access to a cloud repository—its priorities are different. //

The Signal settings you must change are the “registration lock” and the “screen lock.” Of these, the registration lock is the critical one. This means you’ll need that PIN to install your Signal account on a new phone, stopping anyone hijacking your account. If someone does hijack your account, they won’t get access to your message history—just messages sent while they have access. This is similar to WhatsApp, albeit such hijacks have become a major issue. As Signal gains popularity, the risk will increase.

WhatsApp, the Facebook-owned messenger that claims to have privacy coded into its DNA, is giving its 2 billion plus users an ultimatum: agree to share their personal data with the social network or delete their accounts.

The requirement is being delivered through an in-app alert directing users to agree to sweeping changes in the WhatsApp terms of service. Those who don’t accept the revamped privacy policy by February 8 will no longer be able to use the app.

#Q:

I am asking this because WhatsApp says it is end-to-end encrypted.

1. Are there any problems with sending a public key through WhatsApp?

2. There might be some objections to sending symmetric and private keys.

Under what circumstances can I send symmetric and private keys?

#A:

E2EE doesn't protect data at rest. Unlike Signal, WhatsApp doesn't encrypt internal message database. A forensic analysis can recover deleted messages in plain text if the lock screen password is known. WhatsApp daily chat backup encrypts message database with AES-GCM-256 key which is known to WhatsApp service (see How can WhatsApp restore local or Google Drive Backups?). Although, the chat backup is not possessed by WhatsApp service but Google Drive does if Google Drive backup is enabled. There you have no control of how it is used by state surveillance.

Apps with accessibility permission can see the content on the screen.

Sending passwords through Signal is somewhat safer if you implicitly trust the security of the device. Signal encrypts the message database with database encryption key which is itself encrypted with a key stored in hardware backed keystore (android 7+). That leaves deleted messages unreadable from forensic recovery even if the lockscreen password is known.

Private keys shouldn't be sent in any cases. It shouldn't be even available to you for sharing.