16 comments

[ 3.3 ms ] story [ 44.9 ms ] thread
What happens when the user changes the privacy settings? Whatsapp allows you to stop publishing this information.
I've been using WhatsApp on Android lately since I thought they partnered with TextSecure and were encrypting recent Android <-> Android messages behind the scenes. Is this not the case?

My impression was that WhatsApp was the most private/secure text messaging app at the moment, but this is making it seem like maybe it's not.

Then the PR worked. The partnership was announced but the encryption isn't enabled yet.
I don't think that's correct. I was going off of WhisperSystem's announcement[0] where they say:

"Your messages may already be encrypted. The most recent WhatsApp Android client release includes support for the TextSecure encryption protocol, and billions of encrypted messages are being exchanged daily."

[0] https://whispersystems.org/blog/whatsapp/

It's not clear to me at all from that quote - I want to know that my communication is encrypted end-to-end, not that it may be encrypted. The rest of their statement is marketing speak.

(Not negative toward you, of course; you're just quoting)

Not exactly. Currently (2015-02-09), end-to-end encryption aka protocol 2.0 is enabled between android clients using the latest version. Note: only message contents are e2e encrypted, metadata remains accessible to WhatsApp servers.

Other clients (iOS etc) still use the old WhatsApp protocol, for now.

This 'WhisperSystems' account is not controlled by anyone associated with the Open Whisper Systems project. Whoever this is, please stop claiming to represent us.
WhatsApp is one of the least private and least secure apps at the moment. If you want security, you should use ChatSecure or Threema, which are properly encrypted.
This has nothing to do with e2e encryption, this is only the metadata of your profile, status and when you are online. I thought it was pretty well known by now that WA shares that info of you with everyone who has your phone number. The content may be encrypted, but it is anything but private.
I'm confused about what is being leaked here.

The information which the writer says is somehow available unintentionally to my contacts is pretty much the information I provide freely to my contacts, e.g. my profile picture, status.

Okay my online/offline status, if I set that to hidden, fair enough, they should fix that, but I'm just a bit confused about the other bits.

Agreed. Telling the world I'm online on WhatsApp is little more than telling them I've got a mobile phone. This proof of concept doesn't know who I'm talking with, what I'm saying, my location or any other personal information, so I don't really care.

I'm a law-abiding middle-class white Western male, so I don't want to assume that my flippancy should be shared by everyone. So, who should be worried by what the OP is saying?

It's not clear from the article whether the data is available to the world, or only to my contacts. If it's public, that's worse, but, while it's not good to leak 'private' information, I've seen a lot worse.
My wish: WhisperSystems finally gets their act together and releases the TextSecure for iOS that they've been talking about for two years[1]. I still can't send a message from my Android phone to an iOS user. TextSecure is one of the best secure messengers out there[2], but until iOS support is out it's mostly proof of concept to me.

[1] https://whispersystems.org/blog/sure/

[2] https://www.eff.org/secure-messaging-scorecard

"WhatsSpy Public is an web-oriented application that tracks every move of whoever you like to follow" is a stretch. When I read this clickbait headline I thought it could track GPS location, but the actual privacy leak is much less scary:

- Online/Offline status (even with privacy options set to "nobody")

- Profile pictures

- Privacy settings

- Status messages