How might the Chinese government be blocking only specific types of WhatsApp traffic?
Given that Whatsapp traffic has end-to-end encryption, ...
End-to-end encryption neither implies anonymity nor that the underlying protocol is unrecognizable to an eavesdropper and doesn't reveal any meta information at all.
In fact, obscuring protocols to hide them from firewalls is notoriously difficult and finding out enough to block the traffic can be fairly easy. In the case of WhatsApp, it's also irrelevant that E2EE is used, because WhatsApp adds an extra layer of encryption between client and WhatsApp servers anyway (formerly via TLS, now Noise Pipes). So the fact that users additionally get E2EE via the Signal protocol has limited impact on traffic analysis.
There are some obvious ways to block WhatsApp traffic without having to bother with encryption:
Block the servers. WhatsApp publishes the IP pool of their messaging servers. (The IPs used to be listed here and have since been moved to the Facebook Mobile Partner Portal.) But even without a ready-made list of IPs it would be fairly easy to reverse-engineer a list of servers by just using the app and observing the traffic. (That's an entirely common technique - similarly, the Tor network has suffered in the past years from China blocking the majority of their public relays.)
Block the protocol. The government could use heuristics to recognize and block the transport protocol. Blocking based on traffic patterns has worked in the past for BitTorrent, Tor and others but might come with a notable overhead. (I can't comment on whether this approach is practical.)
One way to block media files in particular would be by identifying large uploads. It might also come in handy that WhatsApp doesn't send images the same way as ordinary text. Instead, clients encrypt and upload attachments separately and then just send a message containing the key to the upload.
Since the news report states that no files could be sent at all, it's plausible that the government just temporarily blocked the attachment upload servers (which would leave plain messages unaffected).
The process for sending attachments is detailed in the WhatsApp Security Whitepaper:
Transmitting Media and Other Attachments
Large attachments of any type (video, audio, images, or files) are also end-to-end encrypted:
- The WhatsApp user sending a message (“sender”) generates an ephemeral 32 byte AES256 key, and an ephemeral 32 byte HMAC- SHA256 key.
- The sender encrypts the attachment with the AES256 key in CBC mode with a random IV, then appends a MAC of the ciphertext using HMAC-SHA256.
- The sender uploads the encrypted attachment to a blob store.
- The sender transmits a normal encrypted message to the recipient that contains the encryption key, the HMAC key, a SHA256 hash of the encrypted blob, and a pointer to the blob in the blob store.
- The recipient decrypts the message, retrieves the encrypted blob from the blob store, verifies the SHA256 hash of it, verifies the MAC, and decrypts the plaintext.
First, WhatsApp messages always pass through WhatsApp servers, so it is easy for the Chine government to identify WhatsApp exchanges. Next I do not know if different types of messages use different servers, but a text message will be much shorter than image or video, and is likely to be sent in one single packet. So it would be enough to abort any exchange to or from a WhatsApp server where the total size is over a certain threshold.
But the linked article declares that the disruptions were not continuous, so it may be possible that China censors are still experimenting with their blocking rules.