I still generate random passwords for the questions. I don’t like that someone who knows me well could use them to gain access to an account.
… but yes we definitely need extra fields for storing that and lots of other related data.
I’m a 1Password user and one of the features I really like is that it saves ALL of the fields from a signup form along with the password. That has saved me a couple of times where I needed to know some value I had entered at the time I created an account.
The slippery slope argument is no doubt a valid one. But Apple specifically implemented (almost) the CSAM scanning after being threatened by multiple politicians - notably Lindsey Graham - that if they didn’t find a solution that they would legislate a backdoor into the OS for law enforcement. I think Apple was doing everything they could to appease the demand without actually violating users’ privacy. While it’s clear they failed to please end users, the solution itself was pretty ingenious.
> Also that apparently Facebook stores the conversations in plain (or easily decryptable) text.
This. Even with E2EE enabled, that only protects your conversations as they travel between you and facebook's servers. It does not mean that the messages are protected from facebook being able to see them. People should have zero expectation of privacy on facebook's platform(s).
That is not true. For both messenger and whatsapp, e2ee messages are not only encrypted between you and facebook servers, they are encrypted end-to-end and only decryptable on the devices. Please reconsider your level of confidence in your understanding of this.
I do not have any information about the current state of messenger, so I cannot comment.
Here is my issue with WhatsApp though:
How will I know that Meta is still shipping an application based on an uncompromised version of the Signal protocol, without malicious modifications?
Auditing is the normal answer.
Sadly, Meta is not ISO27001 certified, so there's no trustworthy external audit trail.
Barring that, who is capable of auditing Meta to confirm this? Who can see the client and server sources to confirm that there is no MITM? Only Meta, on both counts.
I have to trust their word for it and I'm incapable of trusting them.
It doesn't matter whether end (you) to end (facebook) encryption is enabled or not. That only protects data "in transit". The information is still accessible in to facebook "at rest". Enabling E2EE should give you absolutely no sense of privacy from Facebook because it doesn't exist.
This is contrary to the universally understood meaning of E2EE (as in, end to end between the two participants in the conversation). I'm not one to blindly take Facebook's PR statements at face value, but if you're making the claim that Facebook is deliberately advertising E2EE while secretly redefining the term to mean non-E2EE, you should have some strong evidence. Those sorts of linguistic gotchas don't work in real life or in a courtroom.
… but yes we definitely need extra fields for storing that and lots of other related data.
I’m a 1Password user and one of the features I really like is that it saves ALL of the fields from a signup form along with the password. That has saved me a couple of times where I needed to know some value I had entered at the time I created an account.