
WhatsApp Blocking Encrypted Calls to All Saudi Numbers - waffle_ss
https://gist.github.com/kaepora/152d9a30650c8828d9d4c21a0910bd19
======
united893
They're simply providing a better user experience. The Saudis blocked
encrypted calls, and users would have to wait, staring at frustrating repeated
timeouts and long 'connecting' hangs.

Therefore WhatsApp simply said OK, let's just improve the users' experience by
giving them an immediate error informing them.

~~~
eridius
The gist explicitly claims that's not possible. Specifically, it claims that
there's no way for the Saudi telco to distinguish encrypted phone calls from
encrypted messages, and since you can send encrypted messages to Saudi users,
there's no technical reason why you can't also call them. The implication is
that if WhatsApp did allow the calls, the Saudi telcos might block both calls
and messages (since they can't distinguish them), and so WhatsApp disallows
calls to avoid provoking them. And the OP's point is that WhatsApp should
detect whether the user is actually in-country and allow the calls if they're
in another country (since the Saudi telcos won't matter there).

~~~
moxie
The author is incorrect. While Signal Protocol is used to communicate an SRTP
master secret and a session id, the clients still need to do an ICE handshake
in order to establish communication with each other before the responder can
even ring. It is very straightforward for SA to block that traffic, and it is
established fact that they do.

It seems as if WhatsApp is short circuiting this frustrating series of
timeouts to improve a flaky-seeming UX. That strategy does negatively affect
people on the internet who register for WhatsApp with Saudi VoIP numbers when
they're in France, but it is a much clearer UX for almost everyone who is
actually a Saudi WhatsApp user or calling actual Saudi users. What the author
is demanding is a worse UX for the same outcome.

It sounds like there might be room for improvement, but I have a feeling that
if WhatsApp were recording their users' locations in order to provide a more
advanced location-aware version of the same strategy, people would not be very
happy about that.

~~~
stefs
so this does affect foreign users using saudi telcos (roaming/wireless)? how
about not blanket-blocking by country code, but by country-ip lookup?

~~~
pfg
Seems like a lot of effort for an edge case. Now you've added a dependency on
some network service you need to access (and from WhatsApp's POV: maintain)
before placing outgoing calls. If you use GPS instead, you're dependent on
having the location permission (which is not needed to run WhatsApp in
general), and you're draining everyone's battery and adding latency to get a
sufficiently accurate location lock. Doesn't seem like it would be worth the
trouble to me.

~~~
jlgaddis
There would also be a number of people complaining loudly, demanding to know
"why does WhatsApp look up my exact location [using the GPS] at the precise
time I make a call!?".

Good luck convincing them that the location is not being logged permanently by
WhatsApp servers -- or even sent to them in the first place.

------
spacefight
This case is a brilliant reminder to anyone working in deep packet
inspection/blocking/filtering tech that your work negatively affects the
safety of millions of people in such countries at once.

~~~
s_q_b
_This case is a brilliant reminder to anyone working in fiber optics that your
work negatively affects the safety of millions of people in such countries at
once._

But seriously, deep packet inspection is evil now? It's an extremely useful
security tool.

~~~
spacefight
Why do you misquote me?

Yes, it might be useful for some folks - it's really bad for others. People
have died because of oppressive regimes targeting dissidents that way.

~~~
s_q_b
It wasn't a misquote. It was intentionally exposing the absurdity of your
argument.

The idea that anyone working on technology that _could_ be used for
surveillance is morally culpable is flat wrong.

People have died because of fertilizer and particle physics. It does not make
chemical engineers or physicists evil.

~~~
spacefight
Your argument reads to me as "people kill people not guns".

Yea I know, morale is a difficult topic these days.

~~~
s_q_b
That's trite.

Your argument is essentially "engineers at steel plants make steel, which can
be used to make guns, which can be used to kill."

At some point, the chain of causality is so remote that assigning unequivocal
judgments of evil becomes logically absurd. Are port scanners evil now too?

------
CiPHPerCoder
I'd be interested in hearing WhatsApp's response to this.

Or moxie's, for that matter. He's been contacted by the Saudi government
before and publicly turned down their offers to be complicit in their human
rights violations. (He also wrote the encryption that WhatsApp uses.)

[https://moxie.org/blog/saudi-surveillance/](https://moxie.org/blog/saudi-surveillance/)

More importantly, can anyone independently verify this? :)

~~~
moxie
I have no special insight, but it's a fact that SA drops VoIP traffic. The UX
for that is pretty bad, calls fail to connect by timing out after 5min or
whatever, and people are left trying over and over again or waiting around
hoping the call will connect. I think it could make sense to short circuit
that process and display an immediate error to the caller that lets them know
this call just isn't going to work.

The author's suggestion that it's impossible for SA to block VoIP without
blocking messaging is incorrect.
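
An added illustration of moxie's two comments in this thread (that the ICE handshake is straightforward to block, and that VoIP can be blocked without blocking messaging); it is not part of the thread or of WhatsApp's code. ICE connectivity checks are STUN messages (RFC 5389), and every STUN message carries a fixed 32-bit magic cookie in its header, so the call-setup traffic is recognizable on the wire without decrypting anything. Both packets are constructed samples, and the TLS record is only a stand-in for some encrypted stream, an assumption for contrast rather than a statement about WhatsApp's messaging transport.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442  # fixed header value defined in RFC 5389
STUN_CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}


def parse_stun_header(datagram: bytes):
    """Return STUN header fields, or None if the UDP payload is not STUN."""
    if len(datagram) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", datagram[:8])
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return None  # top two bits must be zero and the cookie must match
    if length % 4 or length != len(datagram) - 20:
        return None  # attributes are padded to 4 bytes and fill the datagram
    # The class bits (C1, C0) are interleaved with the method bits.
    cls = ((msg_type >> 7) & 0b10) | ((msg_type >> 4) & 0b01)
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    return {"class": STUN_CLASSES[cls], "method": method, "txid": datagram[8:20].hex()}


def classify(payload: bytes) -> str:
    """Rough label for a payload: 'stun', 'tls-record' or 'other'."""
    if parse_stun_header(payload):
        return "stun"
    # TLS record header: content type 20-23, then protocol major version 3.
    if len(payload) >= 5 and payload[0] in (20, 21, 22, 23) and payload[1] == 3:
        return "tls-record"
    return "other"


# Constructed sample: a Binding request carrying one PRIORITY attribute (0x0024).
SAMPLE_STUN = (struct.pack("!HHI", 0x0001, 8, STUN_MAGIC_COOKIE) + bytes(range(12))
               + struct.pack("!HHI", 0x0024, 4, 1853824767))
# Constructed sample: a TLS application-data record header plus placeholder bytes.
SAMPLE_TLS = bytes([23, 3, 3, 0, 32]) + bytes(32)

if __name__ == "__main__":
    for name, pkt in (("stun", SAMPLE_STUN), ("tls", SAMPLE_TLS)):
        print(name, classify(pkt), parse_stun_header(pkt))
```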

------
subliminalpanda
WhatsApp does the same for UAE numbers. If I initiate a call to my sister who
lives in UAE I get an error saying that "Whatsapp calling is unavailable in
the UAE" or something along those lines.

We worked around it by installing Signal, but she needs a VPN to be able to
access it since it's completely blocked in the UAE (as well as Oman).

We get around this by texting each other beforehand on WhatsApp with the
keyword "vpn" and then talk to each other over Signal. Quite the hassle.

~~~
lorenzofb
Do you have screenshots of this error? If so, do you mind emailing me?
lorenzo@motherboard.tv (I'm a reporter at VICE Motherboard, btw)

~~~
jlgaddis
The OP included a screenshot [0].

[0]: [http://i.imgur.com/rQu9Ocf.jpg](http://i.imgur.com/rQu9Ocf.jpg)

------
jswny
I think it should be clear that the Saudi government are the ones who are
blocking this type of encrypted communication. WhatsApp is just taking the
handling of this blockage and integrating it into the app UX so that its users
understand what the problem is.

------
Torgo
Maybe they know it's going to be blocked anyway, and they are avoiding getting
into the cat and mouse game of trying constantly new ways to get around it and
are just telling the user they're not even going to try. It's not ratting
anybody out, it's not being complicit with anybody, it's simply saying it's
not even going to try to encrypt. It sucks, but you know who to blame? The
Saudi government.

------
mankash666
Governments threatening a blanket ban if they're cut off from eavesdropping?

Ironic that Saudi is chairing the world's human rights office and denying an
essential human right - right to private communication.

------
EdSharkey
Thank you, WhatsApp! Oppressive governments, especially ones that have lots of
resources to torment their citizens, should not get to play with our toys.

~~~
littletimmy
Saudi Arabia is one of the main US allies in the region. Millions of tax
dollars go towards securing the Saudi regime every year through American
military bases in the country.

~~~
ZainRiz
Send tax dollars to dictators who execute people that ask for elections in
order to support...democracy?

------
Cyph0n
How about the opposite: does WhatsApp also block calls to a phone registered
in a foreign country but connected to Saudi WiFi?

------
616c
Same is true of Egypt as well, but I presumed that WhatsApp checks and knows
when telcos were just blocking or degrading their service in general, not
specifically for encryption.

Quite ironically, I wonder if the Saudis remember Moxie at all ...

------
zeveb
Tying an online messaging app to a phone number is fundamentally silly (attn
Signal developers). Having phone numbers as one search item among many makes a
lot of sense, but mandating a 1:1 relationship between phone numbers and app
identities is like mandating a 1:1 relationship between horse stalls and
automobiles.

~~~
pfg
It makes a lot of sense for mobile messaging apps, though, and that's what
both Signal and WhatsApp are. Phone number == username is an implementation
detail of Signal (the app) and WhatsApp and not something the protocol
dictates. Other implementations could easily handle things differently.

~~~
zeveb
> It makes a lot of sense for mobile messaging apps, though, and that's what
> both Signal and WhatsApp are. Phone number == username is an implementation
> detail of Signal (the app) and WhatsApp and not something the protocol
> dictates. Other implementations could easily handle things differently.

An extensible solution would be to use URNs as usernames, with tel:
([https://tools.ietf.org/html/rfc3966](https://tools.ietf.org/html/rfc3966)) —
or maybe sms:
([https://tools.ietf.org/html/rfc5724](https://tools.ietf.org/html/rfc5724)) —
URNs, e.g. tel:+1-201-555-0123 or sms:+12015550123. Then anyone who wanted to
could also register a client using mailto:jsmith@example.invalid.

Even better would be to use opaque user identifiers (maybe using their own URI
scheme …), with all the above used to search for other users.

Combine that with a server-mediated privacy-preserving contact list search
scheme, and you'd have a huge end-user benefit: persistent identities across
multiple devices, freed of the tiedown to telephones. Heck, it might even form
the nucleus of a smart PKI based on SPKI/SDSI, better than either the PGP Web
of Trust or XPKI's lunatic trust-all-of-the-CAs-in-the-world-to-certify-
everything-in-the-world model …

------
berns
At some point WhatsApp will be banned completely. Otherwise what would prevent
conversations using push to talk? I use it when my connection or the other's
end one is unreliable. What's the difference?

------
samer66
That is well known to many Saudis; you will have to create another account in
the app to regain ability to make calls.

