What is Facebook going to do? A suggestion.

The WhatsApp retransmission vulnerability has gained a lot of public attention today, led by an article published by The Guardian. So what can Facebook (the owner of WhatsApp) do now? I think chances are pretty low that they come forward and say "yep, this is a backdoor, here is a copy of the NSL". Will they say "yep, this is a critical vulnerability, but it took us 8 months and 20 newspaper articles to fix it, because ... crrzzz ... crzzz ... the connection is really bad ... can you hear me? ... duut duut duut"? Unlikely. So the only option for them I can think of is to say "It's not a bug! It's a feature! It increases usability!".

Of course this is not a good argument. As Eike Kühl describes pretty well, this functionality only increases usability in a rare corner case: when you drop your phone in the ocean and need a month to get a new one. Then everyone who sent you a message during this period will not need to press an additional "OK" button before their undelivered messages are re-encrypted for your new key and sent again.

I don't know about you, but the door of my apartment has a lock and I need a key to open it. Sometimes the inevitable happens: I forget my key inside my apartment and only realize it after closing the door. Then I need to call and pay someone to come, check my ID, and open the door. This is very inconvenient. It would be much more convenient if the door stayed unlocked day and night. But am I willing to trade the worse security for the convenience? No! Just like in the case of automatic WhatsApp message re-encryption.
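To make the trade-off concrete, here is a small added simulation (my own illustration, not WhatsApp's or Signal's code; the policy names, the keyed-digest stand-in for real encryption, and the sample contact and message are all made up). It models a client that has an undelivered message queued when the server announces that the recipient's identity key changed, and contrasts the "re-encrypt and resend automatically" behaviour with a policy that holds the message until the user has verified the new key:

```python
import hashlib
from dataclasses import dataclass

# Two handling policies for a key change while messages are still undelivered.
AUTO_RESEND = "auto_resend"                    # silently re-encrypt for the new key
BLOCK_UNTIL_VERIFIED = "block_until_verified"  # hold until the user confirms the new key


@dataclass
class Pending:
    recipient: str
    plaintext: str
    key: bytes            # identity key this copy was encrypted for
    delivered: bool = False


def encrypt(key: bytes, plaintext: str) -> bytes:
    """Stand-in for real end-to-end encryption (assumption, not a real scheme):
    a keyed digest that only the holder of `key` could have produced/checked."""
    return hashlib.sha256(key + plaintext.encode()).digest()


class Client:
    def __init__(self, policy: str):
        self.policy = policy
        self.trusted_keys: dict[str, bytes] = {}    # keys the user currently trusts
        self.unverified_keys: dict[str, bytes] = {}  # announced but not yet confirmed
        self.pending: list[Pending] = []
        self.wire: list[tuple[str, bytes, bytes]] = []  # (recipient, key, ciphertext) sent
        self.warnings: list[str] = []                  # what the user gets shown

    def add_contact(self, name: str, key: bytes) -> None:
        self.trusted_keys[name] = key

    def send(self, recipient: str, plaintext: str) -> None:
        key = self.trusted_keys[recipient]
        self.wire.append((recipient, key, encrypt(key, plaintext)))
        self.pending.append(Pending(recipient, plaintext, key))

    def _resend_pending(self, recipient: str, new_key: bytes) -> int:
        """Re-encrypt every undelivered message for `new_key`; returns how many."""
        count = 0
        for p in self.pending:
            if p.recipient == recipient and not p.delivered:
                p.key = new_key
                self.wire.append((recipient, new_key, encrypt(new_key, p.plaintext)))
                count += 1
        return count

    def on_key_change(self, recipient: str, new_key: bytes) -> int:
        """Server announces that `recipient` registered a new identity key.
        Returns the number of messages re-sent without any user action."""
        self.warnings.append(f"{recipient}: identity key changed")
        if self.policy == AUTO_RESEND:
            self.trusted_keys[recipient] = new_key
            return self._resend_pending(recipient, new_key)
        # Safer policy: remember the new key but send nothing until verified.
        self.unverified_keys[recipient] = new_key
        return 0

    def verify(self, recipient: str) -> int:
        """User explicitly confirms the new key (e.g. compared safety numbers);
        only now are the held messages re-encrypted and sent."""
        new_key = self.unverified_keys.pop(recipient)
        self.trusted_keys[recipient] = new_key
        return self._resend_pending(recipient, new_key)


def readable_with(client: Client, key: bytes) -> list[str]:
    """Plaintexts whose ciphertext on the wire was produced for `key`, i.e. what
    whoever holds that key (legitimate new phone or not) is able to read."""
    return [p.plaintext for p in client.pending
            if any(k == key and c == encrypt(key, p.plaintext)
                   for _, k, c in client.wire)]


def run_scenario(policy: str) -> dict:
    """Constructed scenario: one undelivered message, then a key change."""
    old_key, new_key = b"alice-key-old", b"alice-key-new"   # sample keys
    client = Client(policy)
    client.add_contact("alice", old_key)
    client.send("alice", "meet at 9, bring the documents")   # sample message
    auto_resent = client.on_key_change("alice", new_key)      # phone "lost"
    return {
        "auto_resent": auto_resent,
        "readable_with_new_key": readable_with(client, new_key),
        "warnings": list(client.warnings),
        "client": client,
    }


if __name__ == "__main__":
    for policy in (AUTO_RESEND, BLOCK_UNTIL_VERIFIED):
        r = run_scenario(policy)
        print(policy, "-> re-sent without user action:", r["auto_resent"],
              "| readable under new key:", r["readable_with_new_key"])
```

The point the simulation makes is that under `AUTO_RESEND` the only difference the user ever sees is a key-change notice after the fact, while the undelivered message has already been encrypted for whoever controls the new key; under `BLOCK_UNTIL_VERIFIED` nothing leaves the device until `verify()` is called, at the cost of the extra "OK" step the post describes.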

So here is my recommendation to you, Facebook: Say that this was intended as a feature, but acknowledge that you made the wrong security trade-off. You can save face and fix the vulnerability. To restore trust in your messaging platform you should release the source code of the clients. Your business asset is not the source code of the messenger app, it is your massive user base. The source code of your highly scalable server infrastructure is a true business asset, but that part you don't have to disclose. For the client software there are anyway enough open-source solutions available that any competitor could just pick up.

After you have done that, you should consider working towards reproducible builds, so that anyone can check that the published source is what actually ships in the app. This will again boost trust in your platform. And finally, if you could avoid storing all the metadata about us, as Signal claims to, that would be even better!