
Privacy critique of WhatsApp - DyslexicAtheist
https://twitter.com/DoubleJake/status/1234071075258019840
======
davidweatherall
I don't see an issue here at all. I don't think anyone expects whatsapp to be
a super privacy focused app? There are plenty of alternative messenger apps
that are privacy focused if that's your requirements.

I strongly believe if you asked the majority of users with an engineering
background if they thought whatsapp kept a log of "all your contacts and group
names, past and present, covering multiple phones you've connected to the
account, plus your account info" \- they would say yes. These seem like pretty
normal things for a messenger app that's focused on UX rather than security to
store?

~~~
JakeDavis
Most people do think WhatsApp is a privacy focused app. Not everyone reads
Hacker News and knows the basics of this sector. They are mostly bamboozled by
the E2E encryption argument and fail to see the rest.

~~~
chrisseaton
> You're wrong - most people do think WhatsApp is a privacy focused app.

How do you know this to be true?

> I feel like you just read the first tweet in a seven part thread and came to
> a weird conclusion based on an argument that was never made that way.

Why are you being so snarky to anyone who disagrees with you in this thread?

~~~
JakeDavis
I give regular public talks on this matter and ask entire audiences these
questions. Most people do think WhatsApp is sort of vaguely more secure than
say SMS or Skype and are surprised to learn that it's more complex than E2E
encryption. Most people also aren't aware of Edward Snowden beyond just a name
in a newspaper.

I'm not being snarky, just direct (kind of typing these fast to talk to as
many folks who are interested as possible) , sorry if it came across badly to
you, that wasn't the intention

~~~
jamespo
What kind of talks are these? I'd be surprised if the audience represented the
general Whatsapp userbase.

~~~
DyslexicAtheist
that is argument is a strawman. The general WhatsApp user-base will never
watch a tech talk on _any subject_ for the same reason somebody with a driving
license will usually not watch videos about how a combustion engine works.

OP is well respected in the infosec community and the fact that he gets
attacked and downvoted here tells more about the HN community's ignorance
about something that should actually be muscle-memory for anyone who works in
Tech. Many commenters here seem to just shovel JSON from A to B in their day
jobs, so no surprise that this thread feels more like something you see on
Reddit.

~~~
dang
Come on, please don't defend one person by slurring others. That just makes
this place even worse.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
skrebbel
I think titles like this are actively harmful.

WhatsApp is the only mainstream messaging platform that uses proper end-to-end
encryption by default. From what I've understood, it's much safer than other
popular alternatives, such as texting, Facebook Messenger, Slack, iMessage,
and, yes, Telegram.

Sure, it's still not perfect. But to casual readers, it's totally not obvious
that if WhatsApp is a "dumpster fire", all popular alternatives except Signal
and Matrix and the likes are a nuclear disaster.

Nobody at WhatsApp claims that it's good for overthrowing your government. But
if I want to send a password to my sister without having her install an app,
just to satisfy her brother's tin foil hat, I think WhatsApp is a much better
choice than every other option I have readily available.

We should stop driving people from somewhat secure tools towards insecure
tools.

~~~
DyslexicAtheist
> From what I've understood, it's much safer than other popular alternatives,
> such as texting, Facebook Messenger, Slack, iMessage, and, yes, Telegram.

you forgot WeChat, which is also pretty secure provided that you trust the
CCP.

> We should stop driving people from somewhat secure tools towards insecure
> tools.

you think that Signal is an insecure tool when compared to WhatsApp?

~~~
skrebbel
No, but a non security geek will not, when reading a headline calling WhatsApp
a dumpster fire, think of moving to Signal. They'll likely move to eg
Telegram.

------
bristleworm
Some valid points there. The problem, for me at least and I guess many other
people, is that the vast majority of my contacts uses WhatsApp. I know this
probably will never happen, but what I'd love to have is some kind of
universal messaging app that connects to all services I want to use. Back in
the late 90s there were plenty of internet messengers such as ICQ and Yahoo!
Messenger, and IIRC it wasn't long before universal clients were developed.

~~~
BiteCode_dev
I've heard that one before.

All my contacts are on msn.

On skype.

On myspace.

On facebook.

Now on whatsapp.

It will change.

The only things that haven't up to now are postal addresses, emails and phone
numbers.

~~~
pbhjpbhj
I ended up getting a Microsoft mail account because it was the only way (for
us) to respond to customers who used MS's email. So email isn't immune from
walling off of gardens either.

~~~
72deluxe
That sounds wrong. Is your DMARC / DKIM / SPF set up wrong for your email
provider or something?

Are you constantly marked as spam?

~~~
pbhjpbhj
It was a couple years ago now, SPF and DMARC (but not DKIM iirc) were sorted.
At the time MS used a third party who you could pay to get "vetted", I got a
response that the problem was our server host's had another IP (not the one
our emails were sent from) that had once had spam sent from it. So the facts
we were responding to customer emails, that our domain had ~12 years of good
behaviour, and our email servers IP being clean weren't enough. Even
"whitelisting" the domain from the Hotmail/Live/Outlook.com end didn't work.

I'm still smarting, we still sometimes have problems (from a different host
now) but just resend via an outlook.com address and it's fine.

So, no never had our domain marked as spam on any dbl that I've checked (but
only done that sporadically).

We also had a blip with Gmail around the same time (but not the exact same
time), but I reported it as a false positive and it was fixed in a few days;
no problems since.

We were/are sending so few emails (<1 day average) that it's not worth me
spending a couple of days trying to see through the murk of MS to fix it.
We're probably not losing any revenue, just have to treat MS sent emails
differently to everyone else's.

Sounds wrong to me too ;o)

~~~
72deluxe
That's a pity. I wonder how you ever get off some organisation's bad lists!

------
ajconway
To sum up, WhatsApp stores metadata that's required to run the service, and
previous contacts and groups on top of that. The additional information is
probably retained in order to fight spam (not an easy task in an end-to-end
encrypted setting with more than one billion of users).

Facebook may be evil, but not because of WhatsApp.

------
graynk
Now, I hate WhatsApp as much as the next guy, but no matter how much I re-read
this thread I can't see the issue for the life of me. Isn't it obvious it's
doing all those things? Of course it stores all your groups, of course it
syncs all your contacts: it explicitly asks for permission to do so.

------
fyrefoxboy12
pretty misleading title. not exactly clickbiat, since it provides some
"dumpster fire" aspects, but leaving the title like this alone makes it seem
that, in its totality, it is a dumpster fire.

------
tdons
I'd like to stop using WhatsApp but it's complicated.

The foothold it has over here in Europe (The Netherlands) is enormous.
Everybody uses it, there's even neighbourhood watches that use it, see:
[https://cdn.nieuws.nl/media/sites/305/2015/12/05153708/atten...](https://cdn.nieuws.nl/media/sites/305/2015/12/05153708/attentie-
whatsapp-buurtpreventie.jpg)

Any advice? Just pull the plug and pay the social cost?

~~~
72deluxe
Yep! I'm not on it and never have been (I've been through all the IM systems
over the years - MSN, ICQ, IRC, Skype, Hangouts, GChat, GTalk, AIM Messenger,
Yahoo! Messenger, iMessage literally used every single one, forced to use the
memory hog Slack at work) and thought I didn't want to jump on the next
bandwagon since SMS fills 99.9% of my needs, and if not, just email me.

Turns out that people don't bother communicating with you if you're on SMS,
and can never be bothered to write an email.

This implies that the communication they were going to send is not important.
If it were, they'd write an email. And people don't like the cost of MMS and
soon stop sending me stupid pictures.

I can archive email + SMS, not any of the other chat systems.

I hardly get bothered by any notifications or interruptions or silly photos
unlike my wife's phone that is constantly binging and buzzing and silly
comments from "family chats" and work chats eg. "lol rofl haha random internet
picture"

It's refreshingly quiet.

If others can't be bothered to find a method to communicate with you, they
can't be very sociable? Their friendship and social interaction with you seems
to be tied to an app. That's not a social cost - that's a social price.

------
ailideex
WhatsApp is certainly not the least tolerable of all the dumpster fires that
are the IM apps that exist today.

I really like the ideas behind matrix.org but that is a dumpster fire of epic
proportion.

------
whywhywhywhy
Keep seeing people who are privacy focused complaining about apps that rely on
phone numbers for sign up and identification. Honestly would think if you're
concerned about that then handing over your phone number should be the last
thing you're doing.

------
ReptileMan
Soo just like any other messenger app ever? All the drawbacks are shared. It
is not only whatsapp. The idea that with a social graph and metadata you can
abuse stuff is hardly novel.

~~~
bilekas
Not exactly, and its a bit ignorant to claim that..

Storing that amount of information for extended period of time, cataloging it
under your identifiable information was not done by all messenger apps.

If I leave a WhatsApp group immediately after I don't like what was posted,
the data will still reference me.

That's not great. It doesn't need to be permenant. Thats kinda the point.

------
bArray
Is the back-end of WhatsApp like the back-end of the Facebook and Messenger
apps? I.e. loads of teams, lots of redundant code, massive attack surface,
constantly breaking, etc?

~~~
DyslexicAtheist
their broken input sanitation suggests exactly that. e2ee is just a marketing
gimmick if the system as a whole can easily be pawned in other ways. NSO,
FinFisher and all the other players peddling exploits to low-ranking LE are
having a field day with WhatsApp for reasons that have nothing to do with
e2ee. WhatsApp is as much snake-oil as Telegram, and OP was right in calling
it a dumpster fire.

------
dirtydroog
The amusing thing is that he complained about this on Twitter. Twitter... the
4chan of messaging.

~~~
JakeDavis
Hi I'm the OP of this thread. It's not a complaint at all, it's just awareness
raising. This stuff is really obvious. Twitter is a tool used by the masses so
why not use it to educate and inform.

------
izacus
No, WhatsApp is not a dumpster fire. It might be a dumpster fire in ONE aspect
the some of people care about, but:

It is also one of the most responsive messengers out there. It's also one of
the rare messengers what are reliable also on 2G and other very slow and
spotty networks. It's also one of the rare messengers that includes video
calls, voice calls and mutiple other features that make communication easy. It
supports groups, invitations via links and multiple other features that make
coordination of communities easy and seamless. And it also doesn't lose all
your messaging history everytime your phone breaks.

Privacy crowd needs to start understanding this and needs to stop behaving
like robots who don't understand WHY people use these apps although they might
be "dumpster fire" in that one privacy aspect. And then move to fix Signal and
other to make sure they're not "dumpster fire" in aspects the wide users
actually care about.

~~~
JakeDavis
No one is disagreeing with any of those things, the thread was intended to be
"from one aspect only". Here is something I wrote last year covering the
issues you just raised. [https://risky.biz/e2e-not-pointless-
but/](https://risky.biz/e2e-not-pointless-but/)

~~~
DCKing
Whatsapp adopted the Signal Protocol back in 2015. They unilaterally started
enforcing E2E for _billions of people_ despite not having any obvious business
case for it. And they implemented it well: it's not optional, and completely
seemless for all users. It just works in Whatsapp's otherwise great UX. Just
the fact they have E2E alone makes Whatsapp better than any reasonably popular
alternative - it's better from a privacy perspective than Facebook/Instagram
messages, Google Hangouts, Telegram, email, sms text, RCS (not really popular
but hey), Slack, Discord, Skype and any old school messengers.

I mean I guess it kinda sucks that Whatsapp isn't Signal, or E2E Jabber, or
E2E Matrix. But man, it could've been so much worse. It _was_ so much worse. A
global network accessible to and used by billions of people sending E2E
encrypted messages was a privacy activist's wet dream 6 years ago. Whatsapp's
move to E2E alone is amongst the most impactful changes in real-world privacy
on the entire internet.

Calling _that_ a 'dumpster fire' because they transparently communicate they
still know metadata about you really _does_ make you seem like a robot.
'Dumpster fire' is not a synonym for 'has room to improve'. This kind of talk
is par for the course on Twitter surely, but not it's not unreasonable to
expect some flak for it.

~~~
ur-whale
> And they implemented it well

How would you know? Is WhatsApp source code available anywhere?

