> [We'll] show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you've never heard of.
I'm not sure WhatsApp understand why people advertise.
I'm not sure you understand the modern advertising landscape... Reminding customers of your brand and products through retargeting is very big business
That works for regular purchases, but not for every company. I recently bought a car and did extensive research prior to the purchase. Basically from the day I bought the car (and stopped searching) they started showing me ads. It's 2 months ago and I still see barely anything else. Doesn't seem very effective..
That's an attribution problem rather than a retargeting one. A long period of research prior to car purchasing is well documented[1] - the problem you have here is the conversion hasn't been connected to the retargeting. If they had an efficient way of saying "Excellent - after 10 weeks of research dx034 has actually bought the Audi" they could switch you off. Until that's noted, or you drop out of the 'this is the longest period people are likely to shop for' bucket, you're going to see the ads.
This title is very misleading to the point that it's the exact opposite of what the post says:
"We won’t post or share your WhatsApp number with others, including on Facebook, and we still won't sell, share, or give your phone number to advertisers."
> Even as we coordinate more with Facebook in the months ahead, your encrypted messages stay private and no one else can read them. Not WhatsApp, not Facebook, nor anyone else. We won’t post or share your WhatsApp number with others, including on Facebook, and we still won't sell, share, or give your phone number to advertisers.
Edit: That paragraph relates to your WhatsApp number. It is true that they do plan to share your phone number that you signed up with. You can opt-out though: https://www.whatsapp.com/faq/general/26000016
This is a dark pattern. In fact, once you say "Agree" you only have 30 days to opt-out.
> After you agree to our updated Terms of Service and Privacy Policy, you will have an additional 30 days to make this choice by going to Settings > Account > Share my account info in the app.
from the page
>The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.
So even if you do opt out,it really does not make a difference.
>Account Information. Your phone number, profile name and photo, online status and status message, last seen status, and receipts may be available to anyone who uses our Services, although you can configure your Services settings to manage certain information available to other users.
> Facebook and the other companies in the Facebook family also may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads. However, your WhatsApp messages will not be shared onto Facebook for others to see. In fact, Facebook will not use your WhatsApp messages for any purpose other than to assist us in operating and providing our Services.
The only guarantee that seems to be given is the the messages will not be shared onto Facebook( It can still be used by them)
and the [...]assist us in operating and providing our Services,I would like to see what Whatsapp describes as 'providing our Services',if they one day define 'providing contextual ads and product suggestions' as their Service we really have no option here.
Also
>New ways to use WhatsApp. We will explore ways for you and businesses to communicate with each other using WhatsApp, such as through order, transaction, and appointment information, delivery and shipping notifications, product and service updates, and marketing
This shows that once businesses onboard on Whatsapp (looking at it as wannabe WeChat),then this becomes a part of its services thereby allowing our information to flow out too.
Yes it does, they won't connect your profiles and target ads based on your info.
The paragraph you quoted reads like a standard provision to allow using Facebook's CDN/Datacentres and to integrate some of their teams (abuse/spam).
Of course there's no guarantee that they won't violate the terms and still use it for ad targeting. But that's no different than before..
> This means, for example, although some information will be shared with Facebook (such as your phone number), that information will not be seen by other people on Facebook.
This line certainly makes it sound like they are sharing your phone number with Facebook to me:
"And by connecting your phone number with Facebook's systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them."
Once you say "Agree" you only have 30 days to opt-out.
> After you agree to our updated Terms of Service and Privacy Policy, you will have an additional 30 days to make this choice by going to Settings > Account > Share my account info in the app.
----------------
> Why we don't sell ads
Advertising has us chasing cars and clothes, working jobs we hate so we can buy shit we dont need. - Tyler Durden, Fight Club
Is there any way to keep WhatsApp and Facebook separate? It seems that either a) I use WhatsApp and have Facebook collect my data, or b) don't use WhatsApp.
There seems to be a complete lack of choice with what they do with my data.
Email is not p2p. And building an encrypted p2p is technically hard. Building a p2p even without encryption has UX problems. The other problem is how to make money from it? What's the incentive (for a private) to build it?
1. They still censorship telegram which means they can read messages locally. With new updates whatsapp could have new rules to censor or modify "dangerous" (to them) messages.
2. E2E encryption is implemented now, what about the future?
Previously WhatsApp had subscriptions ($1/yr) and were proudly ad-free. Facebook scrapped subscriptions and is about to add Ads. WhatsApp also never shared your number with anyone; sharing your number with advertisers is undoubtedly corrupting WhatsApp.
Yeah, I actually paid for the 3 year subscription. Now I can't even see the option. It was a big differentiator in my opinion. Their logic was sound too - even at $1 a user they could make a $1bn a year. (Even in developing countries - because of the networking effect - people would have paid that modest fee.)
Thanks for doing it. If the whole community of hacker news decided to avoid shady companies like facebook we would probably be all better by now. As technology enthusiasts, I think we have a lot of influence on our relatives/friends.
To all reading, please consider deleting your account from shady companies.
Or scrub your HN post history of old content. Even Facebook lets you go back and (one by one, painfully) delete all your old content all the way back to day one. Of course they're probably soft-deleting everything, but they provide the ability.
Funny irony that Facebook gives me slightly more control over my content than HN!
Nope, I'm not trying to compare the privacy ethics of each site (that would be a pretty lopsided comparison). Just pointing out a conspicuously missing feature.
Why is Facebook shady? They provide a free service and get paid by using your info to target ads. Of course they haven't been perfect, but it's hard/impossible to run a company of that size without ever doing sth controversial.
Most of that are valid business decisions. Just because you disagree doesn't mean that FB is shady. You're free not to use their service.
Political censorship is often mentioned in these discussions, and it's exactly what I meant with controversial. I don't think there's a way to satisfy everyone. Telegram doesn't censor and they're known to be the favourite tool for many terrorists to communicate, which is something that would probably upset more FB users than censoring critical posts.
The tax policy could be different, but Facebook is no other than most American companies. Other services will only have different policies if they are either not based in the U.S. or don't make enough money abroad to justify these constructs. It's the job of the Government to introduce more sensible tax laws, not using Facebook won't change anything.
What's the issue with using your "real name"? Honestly I think that should be the policy more places, so people aren't hiding behind their online personas.
To defend minorities. Image a group of transgenders on facebook that want to talk about they daily lives, social relations, etc. With pseudo-anonymous accounts they can do that freely, on facebook they risk to be vandalized, insulted, etc.
I generally agree with Stallman here, in that people should be allowed to use pseudonyms, but I often wonder if the pseudonymity that places like Twitter, reddit et al. provide just serves to facilitate widespread abuse and harassment. Online harassment is a pretty big problem, especially against women. [0]
>Why is Facebook shady? They provide a free service and get paid by using your info to target ads.
That's shady enough in my books. Charge for the damn service, instead of going into ever increasing depths to try to milk out ad money from the users (in deals that they are seldom if ever informed of).
> we want to explore ways for you to communicate with businesses that matter to you too
Empty marketing speak, that sentence has zero information content. It just leaves me vaguely worried that they don't seem to be up-front with whatever they are about to do.
I'm just glad that FB doesn't have my number and doesn't have access to my contact list.
But Facebook will not know it's me because FB doesn't have my number. At worst, all FB know is that some people have my Whatsapp number. That doesn't help FB serve targeted ads to my FB account.
FB is constantly popping up a message to me saying, "Is (xxx) xxx-xxxx your phone number? Confirm it now to secure your account" despite the fact that I have never given them my phone #, nor ever used Whatsapp. I'm sure they know perfectly well it's you, they just aren't (for whatever reason) doing anything about it yet.
If I hash your number that you installed whatsapp on and get X, and then hash your number in Facebook and get X, and then realize that X == X, then I just matched your contact list in WhatsApp with all of your data in FB, all without explicitly sharing your phone number.
Even better, I now can match up all your friends, and all of their likes and dislikes, and make some educated guesses about what your likes and dislikes are.
Hashing, long story short: put some data in, like a phone number, and get a unique, unguessable strong back -- the same string, every time.
Some quotes from a What's App blog post from 4 years ago titled "Why we don't sell ads"[0]
"Remember, when advertising is involved you the user are the product."
"Your data isn't even in the picture. We are simply not interested in any of it."
"When people ask us why we charge for WhatsApp, we say "Have you considered the alternative?"
So they aren't showing ads themselves, but they are shipping your data out to another entity that is. Seems worse to me.
Interesting question is if you sell out your app for a ton of cash, there isn't any structural issue preventing remaking it in the pre-sold out version (well maybe the original authors sign a doc that says they won't but others don't). So in theory you all can move another service with morals intact. But that is "hard" because your friends don't feel like moving. So the moralist says to their friends, "fine but I won't chat on whatsapp" and then they find their friends like them but not enough to change the app they use. So the moralist now has no friends (or they are always grumpy because their friends chose convienience over privacy) and they have to vent that frustration on the people who sold out.
It is a really interconnected set of issues, where the simplest person to blame is often not the actual problem.
I guess their excuse is that then they were still an independent company. But everyone should know that this is Facebook's modus operandi now.
"Relax everyone, we're just introducing this new type of tracking technology to improve our services and your security! It's not like we're going to use it for ads or anything like that - that's crazy talk. Just trust us."
Two years later:
"So, everyone, you know that tracking technology we launched earlier? Yeah, we're going to use it now to *improve you ad watching experience"! (you've already forgotten we promised not to do it, right? Okay, good.)"
Out of curiosity - will you compromise a little bit[1] on your principles if someone offers you 19 Billion USD? Honestly, I would. And I think almost all the people in the world would. So I don't see anything funny / surprising here.
[1] - going from "won't show ads" to "ship data to someone else who will show ads" is not a big step. Just for perspective, some people are literally willing to kill others for far less.
Then you don't have principles, you have exorbitant prices for your labor. Principles can change, yes, but if they do so only because there is a reward involved, then you are no different than my cat near dinner time. In fact, my cat may have more principles as he wont stop puking on the rug no matter the bribe I give him.
Define price. There are many worlds that we all live in without money. In many worlds and cultures, that 'price' is your honor or the price of your soul. And the value of those types of things is often worth more than any amount of money. Cincinnatus is a good example of this, though there are many many others. When you read about the lives of monetarily wealthy people, they will often tell you that the money does not matter after a certain point. That family and friends matter. I agree with you that we all have a price, but for a lot of folk, that price is not measured in dollars, but in lives, in the soul, or in honor.
Oh come on. Look, I don't like it either but we're talking about an awful lot of money. This is a pretty tired argument but the fact remains that if your scruples bother you you could take those billions and feed the hungry/house refugees/fund your own private messaging startup for the few people out there who care about privacy. The last part is sad, but really, most people just can't be arsed.
I usually find that any arguments following the phrase "come on" are garbage.
If you'll sell out millions of people who trusted you, and then pat yourself on the back for mailing a check to "help" another group of people you'll never know, then more power to you if that helps you sleep at night.
Have you no honor or sense of duty then? What the hell is money anyways? Will your wife or husband really care if you make a dollar more or a million more? Will your true friends give a damn if you treat them to dinner every night and not be allowed to return the favor? What does your daughter mind if the book you read her before bed is engraved with gold? Does the extravagance of your son's wedding make any difference in his love for you? What a shallow life you must live if all you can think of is money. I'll grant, giving those dollars to the poor is a noble deed, but where did they come from, at what cost? Raise the taxes, encourage your representatives and senators to give much more to the poor and none of us have to pay for it with our souls.
You're talking about "honor and sense of duty" as if these people took 19 billion dollars to kill off 1 million innocent children or something.
A single person didn't even make this decision. If you were the original creator of WhatsApp, no matter how "honorable" you are, you'll still get Ned Stark'd and everybody else will vote for $19 billion dollars over your silly "duty to the customers."
19B is a HUGE number, which literally changes lives. If my spouse and kids find out that I earned that much by switching my stance from "allowing no ads" to "allowing ads", then they would totally support me.
Not just them, every single person I know (friends, family, coworkers..) would support my decision. And I have a fairly large social circle. So in that sense, changing one's stance is completely "normal"; whereas refusing 19B just so that "you won't have to serve ads" seems "abnormal".
If I were in the position of WhatsApp, I would prefer not to sell user info on principle...but I might also have other principles that say I could do enough good in the world with $19B that it overcomes the evil of selling out a messaging app to Facebook.
I get where you're coming from, but I think you're ignoring the utilitarian argument that can be made in this kind of situation.
I'd say if you reject any offer at any price, you don't have principles. You have dogmas.
Let's concoct a toy. You own 100% of a company. A suitor offers to buy it for $100bn. Not negotiable is that they will use 1,000 child laborers post-acquisition.
One could say refusing the $100bn to "save" the thousand from child labor is principled. More compelling, at least for me, is that one turned down the opportunity to go to Mars or rid the world of the guinea worm and possibly other bugs or cure this or that in exchange for feeling good about delaying the hiring of a thousand children.
Both calculi can become dangerous if taken too far. The balance arises in price.
>Let's concoct a toy. You own 100% of a company. A suitor offers to buy it for $100bn. Not negotiable is that they will use 1,000 child laborers post-acquisition.
>[by] refusing the $100bn ... one turned down the opportunity to go to Mars or rid the world of the guinea worm and possibly other bugs or cure this or that
The buyer that had the $100bn to spend also had those opportunities but was willing to exchange them for buying your company. So claiming the decision not to sell is somehow reducing e.g. the number of trips to Mars seems disingenuous.
So this raises an interesting point. You could claim that everyone has a price, which may well be true. And if that is the case we should change the focus from just switching to the next new platform that promises [security/privacy] as a short term thing until someone offers them enough money. Instead we should focus on [building/using] something where no-matter the price offered the operators don't physically have the ability to hand over the data.
Stop using mobile phone numbers as account Id's might be a good start.
I say this solution is better - "changing the focus from just switching to the next new platform that promises [security/privacy] as a short term thing until someone offers them enough money".
Anything else (removing profits from equation) will be fighting against human nature to enrich oneself.
Man to woman: "Will you sleep with me for a million dollars?"
Woman:"Yes"
Man:"I don't have a million. How about one dollar?"
Woman:"Of course not. What kind of a woman do you think I am?"
Man:"I think we have already answered that question. Let us now see if we can agree on a price"
Finally Facebook is making use of WhatsApp! How much ever carefully worded blog it could be, my brain considers it as "we will customize your facebook ads based on your whatsapp posts"!
I doubt they will use our messages because you know, e2e encryption.
This (very carefully worded) blog post only mentions using our phone numbers.
Facebook has them, as well as a surprising number of advertisers and they'll be able to use it to determine more precisely your interests/needs/buys (because advertisers get your number from various sources like restaurants, shops, garages, etc.) and tailor their ads using that.
At what point do phone numbers become obsolete? Considering that I basically never call anyone, or receive calls (I do use voice communication but it's all voip), and that nobody where I live now uses SMS, what's even the point of that number?
Don't think it will happen soon. Phone numbers have the advantage that they are harder to misuse than email addresses while being partly anonymous and company independent. Furthermore, you can provide some identification without using another password. Nearly everyone has one and you have a 1-1 relationship to (most) phones.
I actually think that phone numbers will become more important with more apps using it as an account (e.g. Google Duo).
Maybe they could use WhatsApp to reach out to us -- ie. what used to be an ad on facebook will be a private message via WhatsApp telling you about the latest and greatest from your favourite fast food restaurant.
On a different note, they keep saying that nobody except the parties directly involved are able to read the e2e encrypted messages. They could be lying, couldn't they? Who knows that they (or somebody else) doesn't have a master key?
I wonder how they will do this with end to end encryption. They could have the app report back if any keywords are used. Also who you contact and how often.
With end-to-end encryption they won't be able to read the content of your posts. However, I guess they can tell who you spoke with and when, so it adds to Facebook's social graph.
I can imagine Facebook advertisers eventually being able to push messages to WhatsApp.
Open Whisper Systems' Signal is an open-source, end-to-end encrypted messaging client which can handle your regular SMS/MMS traffic, as well as (better) encrypted text communication between any number of Signal users, and encrypted voice calls. It not only encrypts content in transit, but stores it encrypted on your device as well. It has clients for iOS and Android. It also has a beta desktop app in the form of a Chrome app which can sync with your phone.
Never been to India. But Thailand, Cambodia, Singapore, Japan, Taiwan, all use LINE. (and whatsapp) but I have 2 conversations on WhatsApp and dozens on LINE.
Granted I don't know anyone in Australia/New Zealand using LINE. (I live in Singapore)
Asia is much bigger than Thailand, Cambodia, Singapore, Japan and Taiwan; so the statement "Good thing Asia uses Line more than What's App." is incorrect. Also, WhatsApp is still more popular in SG than Line amongst the local population.
From what I read in the article they don't want to show ads in Whatsapp, they only want to use your meta data to target FB ads. If your whatsapp number is not on Facebook that shouldn't be an issue..
They could sell access to a business API: just a way for business to communicate with users from corporate numbers accessed through an API, instead of forcing companies to respond to customers by hiring an employee to type text on a phone.
Seems that the endgame now when end to end encryption is well known, desirable and serves as a product advertisement, that they'll just go after metadata and focus on that instead.
I don't get this part:
"We won’t post or share your WhatsApp number with others, including on Facebook"
and then
"And by connecting your phone number with Facebook's systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them"
How are they matching up accounts without sharing my phone number with Facebook?
It's just hashed. I.e., pick a unique number that matches your phone number and just always use that one instead, because the value in your phone number is not the functionality of calling you, but matching you up with all of your other metadata, content, "Likes", etc.
So the goal isn't to sell YOU. You are boring and prosaic. No advertiser cares about you personally.
We'll make money by selling your likes and who you're connected to in this fuzzy, aggregate format. Advertisers want to sell to a group of people who look just like you.
but the key space is way too small for a hash to be a meaningful anonymization mechanism. It's too easy to build a rainbow table for possible phone numbers.
The algorithm and salt are irrelevant. There are only so many phone numbers... You could brute force the hash of a phone number in seconds on any modern computer.
Given any input domain, you can choose an algorithm that will make bruteforcing the entire domain take as long as you like. As an extreme example, bcrypt with a work factor of 20 takes over a minute to calculate a single hash on a high-end desktop. (Of course, whether whatsapp are actually doing any of this is another question).
Ok, there is no _practical_ algorithm that would matter for a keyspace this small. Assuming they are hashing the values at all, I think it's pretty unlikely they are using a high work factor KDF...
With one hash, that would obviously be impossible. With millions? Trivial... Particularly when you already know the phone numbers for many of the users (those who have added their number to their profile), and you can match against contact databases.
If you're going to cheat by using your contacts database, why not just ask your colleague for the original data?
Even with hundreds of millions of observations, the space of possible hashing algorithms that map phone numbers onto those hash codes is infinite. Well, not infinite, but the space of functions that map phone numbers onto whatever domain the hash codes have is mind bogglingly large.
This is probably spot on, and the bit I missed when reading. So they share your phone number and contacts (or Facebook and Whatsapp use the same hash off your phone number and share that), but Facebook promises not to put the number you have in Whatsapp on the website.
Hashing your phone number and linking it with other phone numbers (also hashed) meets all of their promises and yet still allows them to build an object graph of who's connected to whom, who communicates when, how often, and with whom, and match all that data with what's in facebook already with the data that's in your address book on your phone, even if you never install the FB app...
So basically they're going in the direction of WeChat. People won't see advertising, but businesses will pay to let you interact with them on the WhatsApp platform.
That "Option 1" optout is the darkest dark pattern I've ever seen. A secret hidden checkbox that only shows up if you tap "yes, I'd like read 2000 words of legal jargon", which doesn't do anything anyway, because either way Facebook is getting your phone number. They just might choose not to use it for ad targeting if you check the box.
Gross, gross, gross.
Also, has anyone else noticed "to fight spam and abuse" is the "think of the children" of Internet services? Any invasive technique (SMS verification, browser fingerprinting, trying to sniff out unique hardware hashes, DRM) is always presented as "fighting spammers". Just an interesting sidebar.
> because either way Facebook is getting your phone number.
Correction - Facebook already got your numbers (and has been doing recommendations based on them).
I've been noticing Facebook recommendations based on Whatsapp numbers I have for many months. So they already have the numbers. But they're probably legally obliged to announce it in a privacy policy change that they will use them to target ads at you.
They surely do have my numbers i.e the phone numbers in my address book (for other people), but do they actually have my number? Every time I visit the facebook website i get a popup asking me to update my profile with my phone number. Note that I do not have the facebook app installed.
Even in your case, there are some possible ways for Facebook to know your number. People on your "friends" list may have allowed Facebook to sync their contacts (and allowed continuous sync) from their address books on email accounts or with the Facebook app on their devices. Especially if any of them are or were using a version of Android older than Marshmallow (6.x), where app permissions are/were granted at installation time on an "grant all or can't-use-the-app" basis, here are the permissions they have definitely granted the Facebook application [1]:
* Contacts
find accounts on the device
read your contacts
modify your contacts
* Phone
directly call phone numbers
read call log
read phone status and identity
write call log
Even if different people in your address book use slightly different names to refer to you in their address books, it wouldn't take a lot for Facebook to figure out what your number is. And just because Facebook asks you for your number, it does not mean it isn't using information obtained from others.
I find this so creepy. I get recommended people on facebook such as my Phsyio, whos number I don't even have saved. I've just spoken to him on Whatsapp. Bizarre.
Privacy requires both communicators to agree on the level. For example if your Phsyio's address book has your number and that address book is shared with Facebook, then Facebook knows the two of you communicate.
I got a recommendation to befriend a workmate's daughter. Workmate has no FB account, the only way they made the match was after he sent me a WhatsApp message.
wonderful, a successor for whatsapp is now getting its chance. Everybody i know was using gmail for sending messages, and then they did a few awkward redesigns and told us that we should not expect too much in terms of privacy [1]. Whatsapp got its chance and promised privacy and integrity - and everybody started to use WhatsApp instead of mail (still they have to store the messages on the server for delivery and don't tell you for how long they do that). I guess new startups that do messaging get another chance.
I bought an Ubuntu phone and tried to get my friends to switch to Telegram. Too much momentum with Whatsapp and only 1 in ten users seems to even understand the privacy issues let along get them to act on it.
After some of my friends swiched a few groups, switching has happened naturally group by group since Telegram arrived and today I just have to struggle with my siblings and a local group that also contains a number of elderly people that I won't force to change.
(For those who are not aware Telegram is dimilar to Whatsapp but with less focus on formal verifiable crypto but with other advantages like not-owned-by-neither-Facebook-nor-Google, simpler anf more powerful UI, opensource, a choice of multiple clients, better desktop client, bot API etc etc. The lack of verifiable crypto is still an issue but as long as Facebook owns Whatsapp it seems crypto doesn't help too much :-/ )
i am not so sure here; Malcolm Gladwell says that social things depend on a small number of highly connected trend setters - i would think that these trend setters would understand the privacy requirement because they know that their influence is derived from trust (and trusted communication); Also privacy problems seem to be a major turning point where communication gadgets fall out of use.
It uses the same crypto as WhatsApp (same developer), but values your privacy and has properly working audio calls - better than WhatsApp in my experience.
It's essentially WhatsApp minus Facebook. And it's open source.
The company (and person - Moxie) behind Signal, OpenWhispherSystems, worked with Google and Facebook to add end-to-end encryption to Facebook Messenger, Google Allo and WhatsApp. It's literally the same protocol and Moxie is a highly regarded cryptographer / security researcher.
I like the idea, but don't know of a good method to get my contacts to use Signal as well without making myself look extreme in my views.
Any suggestions for this? For example, do you know of any short and crisp messages that get the point across, without getting into a never ending discussion of privacy and its value?
I would recommend that you try Signal, Wire and any other messaging platform with just one or two close people. Once you get a hang of the user experience and see any deficiencies and any annoyances first hand, you can decide whether it's even worth asking all your other contacts to try them.
My advice: Except Telegram, none of the others (Signal or Wire) are ready as a replacement for WhatsApp in UX or speed as of this moment. But Telegram has end-to-end encryption only for device specific, one-to-one chats (called "Secret chat"). Normal chats are only encrypted during transport and are stored as plain text on the servers and on the devices to support quick searching and multi-device/multi-platform sync.
Signal is quite slow at message delivery, to start with. It's not easy to know if a message was delivered at all. That's the main reason I almost stopped using it.
Secondly, Signal does not have multi-device support and multi-device sync. Coming from Telegram, where I can catch up on messages on multiple devices and choose to switch to a computer keyboard to respond with longer messages, as opposed to a small touchscreen keyboard, I very much prefer having the ability to use different systems. Signal's desktop "app" is just with Chrome and AFAIK, it needs to be authenticated every time (with Telegram, I authenticate my desktop app once and it works fine across restarts). It's still tied to one device (the phone).
Wire allows users to signup or find other people using phone number or email address. Even Telegram depends on a phone number as the sole identifier for a user.
Overall, none of the current set of messaging apps or platforms are extremely appealing to me. All of them have some drawbacks. My dream platform would be a "decentralized and federated" system like email without having to be in individual walled gardens.
Or try Wire [1], which has a much richer feature set (voice calls, video calls, text chat and doodling) than Signal and is also slightly faster and more reliable in my experience. It's also multi-platform, provides multi-device sync and is end-to-end encrypted (although with a different custom protocol compared to Signal, albeit using the older and confusing name 'axolotl ratchet', which Signal no longer uses).
There's a table comparing Wire and other systems here. [2]
I still have Signal and update it whenever there are updates, mainly to see what's new or changed, but prefer Wire for the better feature set and UX. Telegram still remains my most used messaging client due to its UX and speed (even Wire is slow and lacks some basic features like message delivered and message read indicators).
I've been waiting for a long time to switch to Signal (or to Wire), but the improvement seen is quite slow over time (just my experience). Telegram has been moving rapidly on feature addition.
Exactly. The most important reason to use Signal is the trustworthiness of the developers. Moxie is a highly esteemed security researcher / public figure. I trust him to (1) implement the protocol properly (which is really hard) and (2) respect my privacy and (3) not sell out like WhatsApp did.
The thing is, as long as we're using phone numbers as user handles, you have to trust the provider with your phone book. Signal tries as hard as possible to avoid it (all phone numbers are hashed), but if they wanted, they could simply brute force all the hashes since the search space is so small. There's no good solution to this.
No, they're doing that already. The issue is that phone numbers are so short that you can just calculate the salted hash for all of them. You don't need any rainbow tables for that.
I agree on that point and would rather prefer something that is a viable business. But it doesn't seem feasible to implement because most people wouldn't pay for messaging anymore. As another data point, Signal doesn't have a monetization strategy either.
It seems like we (most humans who use communication devices) are doomed to be stuck in advertising-based-single-corporate-walled-garden solutions.
> Signal doesn't have a monetization strategy either
They don't have to - Open Whisper Systems is a non-profit with strong community support. It works out so well that they actually pay any contributor a few dollars per commit. That's the best monetization there is for an organization which serves the community.
Wire is VC funded by Iconical/Janus Friis (Skype co-founder who is also the co-founder of Wire) and will monetize with premium features. Can't share more at this point, I'm afraid.
Some of the "basic" stuff is actually surprisingly complex to do without compromising some other aspect IF we at Wire were to stick to always-E2EE-everything mantra. Case in point - delivery notifications. We're actually looking into them now.
Great. I understand that basic stuff could be complex, and I do prefer end-to-end encryption. I can't wait for these (and newer) features to be available so I can move out of Telegram. :)
Has Signal fixed the multi-device issues (like not being able to use multiple Android devices)? Last I checked having multiple mobile devices was impossible.
No but neither does WhatsApp. The reason for this is that it's incredibly hard to properly do end-to-end encryption with multiple devices. It's a trade-off you have to accept if you want secure end-to-end encryption.
The way it works with WhatsApp and Signal is that your key is generated on your phone and never ever leaves it. The web client actually establishes a connection to your phone and routes all messages over it.
Now, the Axolotl ratchet protocol does support encrypting messages to multiple keys (it's what they use for group chats), but doing it properly requires time and effort in order to remain secure.
I know WhatsApp doesn't do it but proper multi-device support is something I require to move. At the moment I just use a private XMPP server so while it isn't technically "end-to-end", it's practically end-to-end as I control the server.
I do that too, but it doesn't work outside of a close group of friends.
For me, multi device support is not important since I have my phone with me all the time, and if I'm on my laptop there's the web client.
Apparently XMPP with Conversations + OMEMO provides secure multi device support, haven't tried it though and I'm not sure if I could get any of my non-tech friends to use it.
We've solved the multi device issue at Wire (wire.com). Causes some challenges - larger payload, not super fast performance in browsers once you hit certain level of connections and messages, but very, very usable.
You're seeing this everywhere because spam and abuse make everything suck. That's reality. Any service that doesn't have some way of fighting it eventually devolves into a cesspit.
If they had promised to only use it for anti spam then maybe.
Just guessing here but:
Now they have been very open about their intentions to use it to target ads and I cannot see any reason they should have to embellish this more than necessary so I guess this is the absolute minimum their lawyers told them they could get away with.
I deleted my WhatsApp account and uninstalled it from my phone the same day Facebook bought it. It was a only a matter of time when WhatsApp becomes another data collection and ad delivery platform.
202 comments
[ 4.0 ms ] story [ 228 ms ] threadI'm not sure WhatsApp understand why people advertise.
[1] https://www.thinkwithgoogle.com/research-studies/zmot-auto-s...
"We won’t post or share your WhatsApp number with others, including on Facebook, and we still won't sell, share, or give your phone number to advertisers."
not with
> not with
Wow that is cleverly evil
> Even as we coordinate more with Facebook in the months ahead, your encrypted messages stay private and no one else can read them. Not WhatsApp, not Facebook, nor anyone else. We won’t post or share your WhatsApp number with others, including on Facebook, and we still won't sell, share, or give your phone number to advertisers.
Edit: That paragraph relates to your WhatsApp number. It is true that they do plan to share your phone number that you signed up with. You can opt-out though: https://www.whatsapp.com/faq/general/26000016
> We won’t post or share your WhatsApp number with others, including _ON_ Facebook.
Is just saying that your number won't be visible to your facebook peeps. Which does not mean that Facebook (the company) won't get access to it.
This is a dark pattern. In fact, once you say "Agree" you only have 30 days to opt-out.
> After you agree to our updated Terms of Service and Privacy Policy, you will have an additional 30 days to make this choice by going to Settings > Account > Share my account info in the app.
I can't see such an option.
So even if you do opt out,it really does not make a difference.
[Edit] : More excerpts from the TOS(https://www.whatsapp.com/legal/#privacy-policy-information-y...)
>Account Information. Your phone number, profile name and photo, online status and status message, last seen status, and receipts may be available to anyone who uses our Services, although you can configure your Services settings to manage certain information available to other users.
> Facebook and the other companies in the Facebook family also may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads. However, your WhatsApp messages will not be shared onto Facebook for others to see. In fact, Facebook will not use your WhatsApp messages for any purpose other than to assist us in operating and providing our Services.
The only guarantee that seems to be given is the the messages will not be shared onto Facebook( It can still be used by them) and the [...]assist us in operating and providing our Services,I would like to see what Whatsapp describes as 'providing our Services',if they one day define 'providing contextual ads and product suggestions' as their Service we really have no option here.
Also >New ways to use WhatsApp. We will explore ways for you and businesses to communicate with each other using WhatsApp, such as through order, transaction, and appointment information, delivery and shipping notifications, product and service updates, and marketing
This shows that once businesses onboard on Whatsapp (looking at it as wannabe WeChat),then this becomes a part of its services thereby allowing our information to flow out too.
Third part :
> This means, for example, although some information will be shared with Facebook (such as your phone number), that information will not be seen by other people on Facebook.
Yup that's just clever wording.
As if we were worried that they would post our numbers to our FB friends...
> After you agree to our updated Terms of Service and Privacy Policy, you will have an additional 30 days to make this choice by going to Settings > Account > Share my account info in the app.
I can't see the option either.
---------------- > Why we don't sell ads Advertising has us chasing cars and clothes, working jobs we hate so we can buy shit we dont need. - Tyler Durden, Fight Club
There seems to be a complete lack of choice with what they do with my data.
Why isn't there a popular p2p solution to messaging (other than email)?
They can tell all they want, but I won't trust them until I (or someone I trust, e.g. Debian, FSF, etc.) see the code.
Also being end to end encrypted does not block whatsapp from censoring you or your friends/family! See how they "disabled" links to telegram https://orat.io/blog/as-of-today-whatsapp-is-blocking-telegr... and removed the telegram page from facebook.
1. They still censorship telegram which means they can read messages locally. With new updates whatsapp could have new rules to censor or modify "dangerous" (to them) messages.
2. E2E encryption is implemented now, what about the future?
Previously WhatsApp had subscriptions ($1/yr) and were proudly ad-free. Facebook scrapped subscriptions and is about to add Ads. WhatsApp also never shared your number with anyone; sharing your number with advertisers is undoubtedly corrupting WhatsApp.
To all reading, please consider deleting your account from shady companies.
Handy links http://justdelete.me/
Funny irony that Facebook gives me slightly more control over my content than HN!
The tax policy could be different, but Facebook is no other than most American companies. Other services will only have different policies if they are either not based in the U.S. or don't make enough money abroad to justify these constructs. It's the job of the Government to introduce more sensible tax laws, not using Facebook won't change anything.
[0]: https://www.theguardian.com/lifeandstyle/2016/mar/08/online-...
Yes online harassment is a BIG problem but forcing to reveal your identity may not be the best solution.
That's shady enough in my books. Charge for the damn service, instead of going into ever increasing depths to try to milk out ad money from the users (in deals that they are seldom if ever informed of).
Empty marketing speak, that sentence has zero information content. It just leaves me vaguely worried that they don't seem to be up-front with whatever they are about to do.
I'm just glad that FB doesn't have my number and doesn't have access to my contact list.
If I hash your number that you installed whatsapp on and get X, and then hash your number in Facebook and get X, and then realize that X == X, then I just matched your contact list in WhatsApp with all of your data in FB, all without explicitly sharing your phone number.
Even better, I now can match up all your friends, and all of their likes and dislikes, and make some educated guesses about what your likes and dislikes are.
Hashing, long story short: put some data in, like a phone number, and get a unique, unguessable strong back -- the same string, every time.
https://simple.wikipedia.org/wiki/Cryptographic_hash_functio...
Some quotes from a What's App blog post from 4 years ago titled "Why we don't sell ads"[0]
So they aren't showing ads themselves, but they are shipping your data out to another entity that is. Seems worse to me.[0] - https://blog.whatsapp.com/245/Why-we-dont-sell-ads?
Though I have to admit, the opt-in is not mentioned as such.
Edit: F*CK. It's opt out. https://www.whatsapp.com/faq/general/26000016
That won't be legal in some european countries...
The vilified philosopher Groucho Marx once said:
"Those are my principles, and if you don't like them... well, I have others."
Sad but very common these days...
It is a really interconnected set of issues, where the simplest person to blame is often not the actual problem.
"Relax everyone, we're just introducing this new type of tracking technology to improve our services and your security! It's not like we're going to use it for ads or anything like that - that's crazy talk. Just trust us."
Two years later:
"So, everyone, you know that tracking technology we launched earlier? Yeah, we're going to use it now to *improve you ad watching experience"! (you've already forgotten we promised not to do it, right? Okay, good.)"
[1] - going from "won't show ads" to "ship data to someone else who will show ads" is not a big step. Just for perspective, some people are literally willing to kill others for far less.
https://en.wikipedia.org/wiki/Lucius_Quinctius_Cincinnatus
If you'll sell out millions of people who trusted you, and then pat yourself on the back for mailing a check to "help" another group of people you'll never know, then more power to you if that helps you sleep at night.
lmao this is really quite true.
A single person didn't even make this decision. If you were the original creator of WhatsApp, no matter how "honorable" you are, you'll still get Ned Stark'd and everybody else will vote for $19 billion dollars over your silly "duty to the customers."
Welcome to the real world.
Not just them, every single person I know (friends, family, coworkers..) would support my decision. And I have a fairly large social circle. So in that sense, changing one's stance is completely "normal"; whereas refusing 19B just so that "you won't have to serve ads" seems "abnormal".
I get where you're coming from, but I think you're ignoring the utilitarian argument that can be made in this kind of situation.
I'd say if you reject any offer at any price, you don't have principles. You have dogmas.
Let's concoct a toy. You own 100% of a company. A suitor offers to buy it for $100bn. Not negotiable is that they will use 1,000 child laborers post-acquisition.
One could say refusing the $100bn to "save" the thousand from child labor is principled. More compelling, at least for me, is that one turned down the opportunity to go to Mars or rid the world of the guinea worm and possibly other bugs or cure this or that in exchange for feeling good about delaying the hiring of a thousand children.
Both calculi can become dangerous if taken too far. The balance arises in price.
>[by] refusing the $100bn ... one turned down the opportunity to go to Mars or rid the world of the guinea worm and possibly other bugs or cure this or that
The buyer that had the $100bn to spend also had those opportunities but was willing to exchange them for buying your company. So claiming the decision not to sell is somehow reducing e.g. the number of trips to Mars seems disingenuous.
Stop using mobile phone numbers as account Id's might be a good start.
Anything else (removing profits from equation) will be fighting against human nature to enrich oneself.
Man to woman: "Will you sleep with me for a million dollars?" Woman:"Yes" Man:"I don't have a million. How about one dollar?" Woman:"Of course not. What kind of a woman do you think I am?" Man:"I think we have already answered that question. Let us now see if we can agree on a price"
The end-to-end encryption cannot be reviewed because the source is closed.
Getting a prepaid SIM card with a number I have power over to disclose to only whomever I want is still great in my book.
On a different note, they keep saying that nobody except the parties directly involved are able to read the e2e encrypted messages. They could be lying, couldn't they? Who knows that they (or somebody else) doesn't have a master key?
I can imagine Facebook advertisers eventually being able to push messages to WhatsApp.
Open Whisper Systems' Signal is an open-source, end-to-end encrypted messaging client which can handle your regular SMS/MMS traffic, as well as (better) encrypted text communication between any number of Signal users, and encrypted voice calls. It not only encrypts content in transit, but stores it encrypted on your device as well. It has clients for iOS and Android. It also has a beta desktop app in the form of a Chrome app which can sync with your phone.
https://theintercept.com/2016/06/22/battle-of-the-secure-mes...
Granted I don't know anyone in Australia/New Zealand using LINE. (I live in Singapore)
https://blog.whatsapp.com/245/Why-we-dont-sell-ads?
The only reason I hang onto it is that someone with my contact number might send me something & I still need my cell number to access it otherwise.
As opposed to FB/WhatsApp looking for other (ad companies) customers?
If I pay for a service membership and then you make it free, that doesn't mean you get to do whatever you want with my data.
This could also power things like https://getmagicnow.com/ on Whatsapp.
How are they matching up accounts without sharing my phone number with Facebook?
So the goal isn't to sell YOU. You are boring and prosaic. No advertiser cares about you personally.
We'll make money by selling your likes and who you're connected to in this fuzzy, aggregate format. Advertisers want to sell to a group of people who look just like you.
but the key space is way too small for a hash to be a meaningful anonymization mechanism. It's too easy to build a rainbow table for possible phone numbers.
Given any input domain, you can choose an algorithm that will make bruteforcing the entire domain take as long as you like. As an extreme example, bcrypt with a work factor of 20 takes over a minute to calculate a single hash on a high-end desktop. (Of course, whether whatsapp are actually doing any of this is another question).
I'll give you an example. Here's a hashcode from a real phone number: 1786883671916465751. What's the phone number I used to generate it?
Even with hundreds of millions of observations, the space of possible hashing algorithms that map phone numbers onto those hash codes is infinite. Well, not infinite, but the space of functions that map phone numbers onto whatever domain the hash codes have is mind bogglingly large.
metadata, all the way down.
That "Option 1" optout is the darkest dark pattern I've ever seen. A secret hidden checkbox that only shows up if you tap "yes, I'd like read 2000 words of legal jargon", which doesn't do anything anyway, because either way Facebook is getting your phone number. They just might choose not to use it for ad targeting if you check the box.
Gross, gross, gross.
Also, has anyone else noticed "to fight spam and abuse" is the "think of the children" of Internet services? Any invasive technique (SMS verification, browser fingerprinting, trying to sniff out unique hardware hashes, DRM) is always presented as "fighting spammers". Just an interesting sidebar.
Correction - Facebook already got your numbers (and has been doing recommendations based on them).
I've been noticing Facebook recommendations based on Whatsapp numbers I have for many months. So they already have the numbers. But they're probably legally obliged to announce it in a privacy policy change that they will use them to target ads at you.
* Contacts
find accounts on the device
read your contacts
modify your contacts
* Phone
directly call phone numbers
read call log
read phone status and identity
write call log
Even if different people in your address book use slightly different names to refer to you in their address books, it wouldn't take a lot for Facebook to figure out what your number is. And just because Facebook asks you for your number, it does not mean it isn't using information obtained from others.
[1]: https://play.google.com/store/apps/details?id=com.facebook.k...
(Check the Permissions section at the bottom of the app page and click on "View details" to see the list of permissions it asks for.)
I got a recommendation to befriend a workmate's daughter. Workmate has no FB account, the only way they made the match was after he sent me a WhatsApp message.
[1] http://techland.time.com/2013/08/14/google-says-gmail-users-...
After some of my friends swiched a few groups, switching has happened naturally group by group since Telegram arrived and today I just have to struggle with my siblings and a local group that also contains a number of elderly people that I won't force to change.
(For those who are not aware Telegram is dimilar to Whatsapp but with less focus on formal verifiable crypto but with other advantages like not-owned-by-neither-Facebook-nor-Google, simpler anf more powerful UI, opensource, a choice of multiple clients, better desktop client, bot API etc etc. The lack of verifiable crypto is still an issue but as long as Facebook owns Whatsapp it seems crypto doesn't help too much :-/ )
It uses the same crypto as WhatsApp (same developer), but values your privacy and has properly working audio calls - better than WhatsApp in my experience.
It's essentially WhatsApp minus Facebook. And it's open source.
The company (and person - Moxie) behind Signal, OpenWhispherSystems, worked with Google and Facebook to add end-to-end encryption to Facebook Messenger, Google Allo and WhatsApp. It's literally the same protocol and Moxie is a highly regarded cryptographer / security researcher.
Telegram, which some are suggesting, has encryption as opt-in and their encryption scheme has been widely criticized for being dodgy (see: https://moxie.org/blog/telegram-crypto-challenge/).
I like the idea, but don't know of a good method to get my contacts to use Signal as well without making myself look extreme in my views. Any suggestions for this? For example, do you know of any short and crisp messages that get the point across, without getting into a never ending discussion of privacy and its value?
My advice: Except Telegram, none of the others (Signal or Wire) are ready as a replacement for WhatsApp in UX or speed as of this moment. But Telegram has end-to-end encryption only for device specific, one-to-one chats (called "Secret chat"). Normal chats are only encrypted during transport and are stored as plain text on the servers and on the devices to support quick searching and multi-device/multi-platform sync.
Secondly, Signal does not have multi-device support and multi-device sync. Coming from Telegram, where I can catch up on messages on multiple devices and choose to switch to a computer keyboard to respond with longer messages, as opposed to a small touchscreen keyboard, I very much prefer having the ability to use different systems. Signal's desktop "app" is just with Chrome and AFAIK, it needs to be authenticated every time (with Telegram, I authenticate my desktop app once and it works fine across restarts). It's still tied to one device (the phone).
Wire allows users to signup or find other people using phone number or email address. Even Telegram depends on a phone number as the sole identifier for a user.
Overall, none of the current set of messaging apps or platforms are extremely appealing to me. All of them have some drawbacks. My dream platform would be a "decentralized and federated" system like email without having to be in individual walled gardens.
One checkmark: delivered to server, two checkmarks: delivered to recipient. Works for me.
> Secondly, Signal does not have multi-device support and multi-device sync. > Coming from Telegram
Telegram has, to my knowledge, either end-to-end encryption or multi-device sync.
There's a table comparing Wire and other systems here. [2]
I still have Signal and update it whenever there are updates, mainly to see what's new or changed, but prefer Wire for the better feature set and UX. Telegram still remains my most used messaging client due to its UX and speed (even Wire is slow and lacks some basic features like message delivered and message read indicators).
I've been waiting for a long time to switch to Signal (or to Wire), but the improvement seen is quite slow over time (just my experience). Telegram has been moving rapidly on feature addition.
[1]: https://wire.com
[2]: https://wire.com/privacy/
The thing is, as long as we're using phone numbers as user handles, you have to trust the provider with your phone book. Signal tries as hard as possible to avoid it (all phone numbers are hashed), but if they wanted, they could simply brute force all the hashes since the search space is so small. There's no good solution to this.
I ask knowing very little about their security model.
It seems like we (most humans who use communication devices) are doomed to be stuck in advertising-based-single-corporate-walled-garden solutions.
They don't have to - Open Whisper Systems is a non-profit with strong community support. It works out so well that they actually pay any contributor a few dollars per commit. That's the best monetization there is for an organization which serves the community.
The way it works with WhatsApp and Signal is that your key is generated on your phone and never ever leaves it. The web client actually establishes a connection to your phone and routes all messages over it.
Now, the Axolotl ratchet protocol does support encrypting messages to multiple keys (it's what they use for group chats), but doing it properly requires time and effort in order to remain secure.
For me, multi device support is not important since I have my phone with me all the time, and if I'm on my laptop there's the web client.
Apparently XMPP with Conversations + OMEMO provides secure multi device support, haven't tried it though and I'm not sure if I could get any of my non-tech friends to use it.
wire.com/privacy for security whitepaper.
Next up: These guys are selling booze to support AA!
Just guessing here but:
Now they have been very open about their intentions to use it to target ads and I cannot see any reason they should have to embellish this more than necessary so I guess this is the absolute minimum their lawyers told them they could get away with.