
> what percentage of those billions are correctly using the ridiculously long numbers (60 decimal digits) used to represent identities (WhatsApp calls them "security codes") in that system to ensure they are actually communicating end to end?

Assuming one of those billions of users is a motivated security enthusiast, WhatsApp is not able to perform MITM attacks at scale, as it would be trivial to prove. If WhatsApp decides to MITM your chats, it can't do so retroactively due to the properties of the protocol. If you're a high-profile target, you should verify your keys.


> If WhatsApp decides to MITM your chats, it can't do so retroactively due to the properties of the protocol.

Can't they just set you up as a new device? The user wouldn't know if they left the notification at the default setting.

WhatsApp would not MITM every single user. They would carefully target particular individuals.

Well it's difficult for WhatsApp because it's closed source, so they can do whatever they want.

But let's assume the client app was open source, and WhatsApp decided to reset the key for some targeted users. Most users wouldn't realize, but if one did, then that would be very bad for WhatsApp. It would be all over the media. That's why it cannot be done at scale.

That's why it cannot be done at scale with Signal, too. Even if the users mostly ignore the "new key exchange" notification. If Signal MITMs conversations and one person manages to prove it, then Signal is done. That's a pretty strong incentive for them not to do it.

I think they could do literally anything, because it is closed source; including forging random keys or ignoring the notification setting, ...
