“How do I choose not to share my account information with Facebook?” (whatsapp.com)
539 points by SnaKeZ 243 days ago | 308 comments



There are three active threads about this, the present one and these other two:

"WhatsApp is going to share your phone number with Facebook": https://news.ycombinator.com/item?id=12358751

"Looking ahead for WhatsApp": https://news.ycombinator.com/item?id=12358205

Normally we'd merge the threads, but the discussions are large and come from three different perspectives, so that might not be best. HN practice is to have one front-page thread at a time about a story, but if you're concerned about the topic you might want to check in on the other discussions.


This is an incredibly ugly dark pattern.

The 'share information with Facebook' nugget is hidden behind a toggle at the bottom of the screen, and will be guaranteed to be missed by the 99% of users who just want to talk to their friends.

Then, once you've agreed to the terms and conditions, you've got a completely arbitrary 30 days to read an online article which tells you what you've signed up for before WhatsApp is irrevocably sharing your data with Facebook.

You can build an incredibly accurate picture of people's lives from metadata alone - WhatsApp know it and Facebook know it.

Not only that - when WhatsApp start building out these 'brand' relationships which will look a lot like helpful information at first - you'll be loading your data into that brand's custom FB audience too. And you won't have an opt out because, y'know, reasons.

This is very obviously not the WhatsApp that promised not to fuck with its users when Facebook bought it out.


When you try to actually delete your FB account (at least when I did it some time ago), it's a minefield of dark patterns. First you need a special link, because you can only deactivate from settings. Then you have to go through a pile of emotionally draining photos of friends with claims that they will miss you and you won't be able to see what they are doing with their lives. Then a few traps with agreeing about deletion with switched meanings of buttons. In the end you won't actually be deleted. You will be put into deactivated mode for 14 days; if your browser accidentally auto-logs in then you have to do it again. After 14 days you are sent an email, and if you miss it and don't accept it in a certain time, you won't be deleted. Of course since 1. 1. 2014 it really doesn't matter because Facebook keeps your data even if you delete your account. (I deleted it just before 1. 1. 2014 and I still think they kept all the shit, because how would anyone know.)


I've heard that rather than deleting your FB account, it's better to turn it into a piece of obviously-fictitious performance art. Don't try to remove your data from the Internet (which is futile; you know Facebook still has it on some archive somewhere anyway). Instead, replace it with nonsense. Set your interests to your competitors so that you get notifications every time they release a new feature, and full information about their advertising campaigns. De-friend your actual friends, and friend random celebrities. Make your political views insane. Post status updates generated by Markov-chain or recursive neural net; if you're feeling particularly bold, you could try to reverse-engineer the weights on Facebook's classifiers by generating data and seeing what sort of ads you get.

Chances are, doing this will get you kicked off Facebook and deleted pretty quickly. And if it doesn't, you've just fucked with not just Facebook, but all their advertisers. GIGO.


Here is an idea. Get a bunch of cute pictures of cats or babies from the internet. Add text with anti-FB messages and a link to these HN threads. Then write a script to upload the photos to your account, preferably on an endless loop.

If FB does not block/delete your account, it will be non-stop hilarity for your friends, who will probably share the pics too and maybe some of them will actually pause and think. If they do delete your account, you are now mostly free from their clutches without unnecessarily defacing your own profile.

Someone please write this script and put it on GitHub. :-)


I have a dormant facebook account that I can't be arsed to delete, I need this now.


> which is futile; you know Facebook still has it on some archive somewhere anyway

If Facebook does this with the data of an EU resident, they are breaking the law. The Irish Data Protection Commissioner has audited Facebook and found that their deletion of user data was in compliance.


Sounds like you could achieve this easily by feeding your facebook account's updates from a markov chain bot set to train on the @realDonaldTrump twitter feed.


Then you get fired/don't-get-that job when someone takes offense at something "you" have written. Going random is risky.

See Microsoft's Tay: http://gizmodo.com/here-are-the-microsoft-twitter-bot-s-craz...


I was expanding on how to achieve "Make your political views insane. Post status updates generated by Markov-chain or recursive neural net". Did you mean to reply to the grandparent rather than me?



Why not just post a nipple?


Simple and beautiful.


I've thought about posting some really over-the-top shock/porn imagery to my Facebook wall, basically making it look like it was hacked. Maybe then they'll cancel my account, like I've asked them to do several times.


Random evil thought: could you sell your Facebook account to hackers? You've built up a multi-year reputation as a "known good" account; that'd be incredibly valuable to someone trying to generate cross-correlations between your interests and their product. After all, the whole reason Facebook is worth $300B is because they have all this data on their users; since it's your data to begin with, shouldn't you be able to monetize it just the way Facebook does?


I'll start the bidding at 33 cents.


It could sour your relationships with actual friends. But if you're ok with them being deceptively advertised to, maybe they weren't such close friends to begin with...


Unfriend the ones you care about a few weeks beforehand.


I don't think "hackers" in this context is the right term for people who game the advertising/metadata industry. Maybe "independent advertisers"?


More likely the hacker would rather use it to steal your identity and f. you over very, very hard. Much more lucrative than spoofing with a "known-good" account, right? So you'd really, really better trust those hackers you're selling to.


It seems that would be confusing (at best) for your contacts that remain on Facebook.


Presumably you would tell them via backchannels (or even Facebook) that you were doing it.


Someone needs to make a good market for this.


Already exists for Twitter and reddit accounts. I'm sure spammers will pay for good fb accounts too.


I would lean more towards setting up a script that will post whatever the 400th most popular story on Google News is, thus destroying your demographic membership. Turn yourself into noise.


Sorry, I'm new to Markov Chains, but recently I've been thinking about a way to "beat" ML algorithms of GOOG, FB, etc. So that the information stored about me is NOT true. For example, if someone keeps searching for "LGBT" while he/she is not one, GOOG will assume he IS one, or at least, interested in the topic. My question is, is there a general method for beating ML/AI algorithms and stay hidden from them? Thank you.


If you watch the following video from Google (for about 5 minutes from the marked location), it looks like these algorithms have a pretty big blind spot: the unknown.

https://www.youtube.com/watch?v=sphFCJE1HkI#t=7m50s

So you can use Google itself to find words which are obviously not well known (just construct a dictionary filled with random characters and see how many results come back for each word). Take a passage of clean text, and randomly replace the nouns in the text with these garbage words (capitalize the first character), and post it to your social network. The surrounding text will provide legitimacy, but the garbage words will probably throw off the algorithms. Do it often enough, and someone at Google will probably investigate the issue :-)

Or maybe go and get public domain text which has a lot of words which are not in use today and fill up your FB/Google/Twitter feeds with such data. My view is that such data will very likely throw off the existing algorithms, and if people do it at sufficient scale, we may discover that ML algorithms are only as smart as the training data set.


Markov chains aren't really relevant here - they're a way to generate random but "seemingly plausible" data - but yes, there is a way to fool the type of convolutional neural networks used in image recognition. Paper here:

http://www.evolvingai.org/fooling


I thought about trying something like that to get my HN account deleted.


I recently deleted an old account, and it was significantly easier than before: I just clicked a link on one of the help pages, entered my password, and that was it. And this was for deleting, not deactivating, my account.

It used to be more difficult: I remember following the process you're describing for some other account I had. It might still be that difficult in some cases, I don't know.


They still won't delete your information from their servers, and they'll keep a shadow profile of you as long as you keep sending requests through the like buttons..


Depends on the jurisdiction. In the EU (maybe only Germany?) you can legally request all information Facebook has on you, as well as request that all information is removed (as long as it's no longer needed for billing purposes, etc.).


I deactivate all the time. Hit "I don't find Facebook useful.", and it's just two clicks away from deactivation.


> I accomplish nothing all the time. Hit "I don't find Facebook useful.", and it's just two clicks away from feeling like you deactivated.


Most don't like hearing this: if you don't want your personal information to be shared, don't use these "social media" tools.

I suspect that you'd be familiar with LinkedIn dark patterns [0] too.

[0] https://medium.com/@danrschlosser/linkedin-dark-patterns-3ae...


It's not that simple. There are many many ways that your information can end up being referenced in an identity graph and be discoverable by Facebook that don't involve signing up for Facebook at all. It's more - don't sign into a public wifi network, don't hand over your email address at a checkout, don't sign up for a store card.. oh, and don't sign up for Facebook either.

Not just that, but even if your number is not shared with Facebook, but Facebook knows that ten of your friends all contact you three times a week, you're still in the graph even if you're not personally receiving advertising.


> There are many many ways that your information can end up being referenced in an identity graph and be discoverable by Facebook

Of course, it's not simple.

Additional measures might include using browser extensions like Ghostery and uBlock Origin.

I know people find it hard to do, but avoid using Google search. Use Duckduckgo instead.

Block ads. Some sites refuse to load up for that reason. I'm ok giving those a pass :)


iirc duckduckgo isn't the best. disconnect is better


That practice can be fought more easily in courts. Also, the more users delete their accounts, the fewer "friends" you have that share your number with Facebook.


"Don't use these tools if you value privacy" is not that far off from "If you have nothing to hide, why are you afraid of surveillance?" An observed life is not a free life. Many people have to use social media to communicate with family, work associates, etc... In many cases, facebook messaging has replaced methods of communication that did not rely on the content or metadata of messages for profit. All that really matters is if this was legit and FB assumed people would have no problem with it then they would not have hidden it.


You said a whole lot but never actually articulated your point. I'm assuming it's something about how it's not fair that you find Facebook to be useful. Could you clarify?


I find Facebook to be a boring site, with friends complaining about the same things day in and day out, with an occasional link about something interesting, but mostly filled with inspirational memes and images that I don't particularly find relevant. Sure, I could better curate my friends list and follow a wider range of pages and topics, but then aren't we back at something like MySpace, where the idea was to follow everyone and everything you found interesting?

The problem with Facebook's usefulness isn't that I find it useful, it's that everyone else in my circle finds it useful. This means that any event, major life change like marital engagements and announcements of expectancy or child birth, and general updates of wellbeing from my elderly family are all communicated via Facebook. For example, a friend of mine from high school recently had a child. I had not logged into Facebook for over a year, and suddenly found myself embarrassed for my lack of keeping up with her when I ran into her at the grocery store while she was chasing down a toddler who had escaped down an aisle. I did not have the slightest clue as to her family status, because I stopped logging into Facebook to receive those updates and she stopped going out to parties and bars where we normally would run into each other (to avoid drinking and cigarette smoking), and it just appeared like we drifted apart.

Even now, some friends of mine are planning a trip together, and it's entirely done within a closed group on Facebook. There is no way for me to participate in this trip without maintaining some status on Facebook, else my significant other will have to just relay all that information, which is tiring, and prone to the "telephone" effect.


>it just appeared like we drifted apart.

And that's life. Perhaps you weren't close enough anyway to find out about the child. And that's life too.

The notion of "being connected" with all the people you knew is similar to the "I need to be happy, if not something is wrong with me" notion, and got introduced with modern social media (particularly Facebook).


But is it easier to 'drift apart' from people you know if you're the only one they need to remember to specifically call or send email to, when they can in general assume that all their friends sort of follow their FB updates? But it's awkward if you're the only one who keeps contacting them.

If you already have a hard time building very durable friendships and are a sort of hang-around member of your social circles, social media -- if you refuse to use it -- does not exactly make your life easier.


Yeah, social media caters to people's laziness (hence "connect to all the people you know easier"). But this connection is very shallow and, as you said, if you're the only one who is trying to maintain a connection apart from consuming "social broadcasts", well, then the relationship is destined to drift apart.

I guess it's a matter of personal preference. I'd rather have 3 good connections than 10 (not to mention 100, which is ridiculous) shallow ones, and when we randomly see each other, there's no "guilt" looming around the meeting.

IMHO this coincides with two recent HN posts about accepting mediocrity [1] and stopping to eternally seek happiness [2].

[1] https://news.ycombinator.com/item?id=12335367

[2] https://news.ycombinator.com/item?id=12345608


You don't have to find facebook useful or like it to be coerced into using it. If your friends and family organise everything by facebook because they find it useful, you have to use it or you'll miss out. Much like if you don't use gmail and hate it, google still have enough of your mail to put you in prison because at least half the people you're emailing do use it.

It's like opting out of electricity - pretty theoretical. So we regulate it so it doesn't f. us over too badly. This is what needs to happen here.


Regulation isn't the only option. Decentralization would work better: it would make it impossible for any big company to exploit the information of billions of people, not just illegal.

We don't need Gmail. We could have Freedom Boxes to host and send our mail instead (and filter whatever spam gets out of our infected Windows machines). Right now we can't because of the spam filtering policies of most big players, but if everyone has a Freedom Box that's no longer an issue.

Likewise we don't need Facebook, though since I don't use it unless coerced to I don't know what a replacement should look like.

We don't need Twitter.

We don't need YouTube. Or at least we won't need it when our broadband finally gets freaking symmetric as it always should have (not happening any time soon despite making absolute sense on the fibre). Then we could just upload our videos from our Freedom Box with a peer-to-peer protocol.

We don't need Dropbox. Distributed backup is a thing, and keeping those backups secure is easy —except for the master passphrase, but you can at least write it down if you're afraid of forgetting it.

Search engines… well, we don't know how to decentralise them yet. The rest is a solved problem: we only need to get the logistics and usability straight, a rather daunting task unfortunately.


Is email not sufficient to communicate with family, work associates, etc.?


I've thought about building something that gives a social network type experience that is built on top of email. Any status update would get sent out to an email list of your connections, and all the emails could be put in a specific mail folder using standard rules. A front end app would then scan that folder and give you a personalized page that represents the latest status based on what it sees in that folder. The raw messages themselves may contain various control messages (such as "friend requests" and "drop requests"), but otherwise can be directly viewable too. But the main interface would be from a front-end app that runs on the user's PC or mobile device.


I recall (but can't find) having seen a social network built on Keybase.io's encrypted filesystem (KBFS), where your public data is signed and stored in your public folder, and your private data is encrypted and shared with only those you choose. Everything is based on files.


I love this idea (if only for the motivation behind it).

How would your "normal" mail client filter out the messages that are for this app? People have lots of different mail clients which they might not be able (or willing) to configure. Or would you expect a dedicated address?


The problem, of course, is who builds/maintains this, how do they get paid, and how do you pay the server fees.


The app would run on the user's local PC or phone, and it would access data directly from their mailbox (and create a local DB from that data). So no backend server to worry about.


Without a third-party managing associations, how do you maintain that "friendship" is consensual? In other words, how do you prevent "I have your email address" from meaning "you're my friend now."


When you send a friend request to someone, their stuff is shared with you only if they accept the request on their end. If they reject the friend request, then anything coming from you that they don't want can be handled as spam (the client side software would just filter the content itself in that case).


Almost all email clients have some sort of filtering. And the email messages would all have a keyword in the subject line, so filtering could be accomplished by that (or via an x-header). The app itself could automatically create the filters for various web hosted email systems too.
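A sketch of the client-side logic this sub-thread describes (folder scan, an x-header for control messages, friendship only by mutual consent, everything else treated as spam), added here as an example and not code from any commenter. The header name `X-Social-Type`, its values, the addresses and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical header name; the thread only says "a keyword in the subject
# line ... or an x-header" without naming one.
CONTROL_HEADER = "X-Social-Type"


class Feed:
    """Client-side state built purely from messages found in the mail folder."""

    def __init__(self):
        self.friends = set()      # peers with mutual consent
        self.pending_in = set()   # requests received, awaiting my decision
        self.pending_out = set()  # requests I have sent
        self.rejected = set()     # peers whose request I declined
        self.statuses = []        # (sender, text) entries shown in the feed

    # Local decisions made by the user in the front-end app.
    def request(self, peer):
        self.pending_out.add(peer)

    def accept(self, peer):
        if peer in self.pending_in:
            self.pending_in.discard(peer)
            self.friends.add(peer)

    def reject(self, peer):
        self.pending_in.discard(peer)
        self.rejected.add(peer)

    def ingest(self, raw):
        """Process one raw message and return what the client did with it."""
        msg = message_from_string(raw)
        kind = msg.get(CONTROL_HEADER)
        if kind is None:
            return "ignored"  # ordinary mail, not part of the network
        # Assumption: the From address is taken at face value. SMTP does not
        # authenticate it, so a real client would need an extra check.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        kind = kind.strip().lower()
        if kind == "friend-request":
            if sender in self.rejected:
                return "spam"
            if sender not in self.friends:
                self.pending_in.add(sender)
            return "pending"  # having my address does not make you a friend
        if kind == "friend-accept":
            # Only counts if I asked first; an unsolicited accept is dropped.
            if sender in self.pending_out:
                self.pending_out.discard(sender)
                self.friends.add(sender)
                return "friend-added"
            return "spam"
        if kind == "drop":
            self.friends.discard(sender)
            return "dropped"
        if kind == "status" and sender in self.friends:
            self.statuses.append((sender, msg.get_payload().strip()))
            return "shown"
        return "spam"


def make_message(sender, kind, body):
    """Build a constructed sample message; kind=None means ordinary mail."""
    headers = [f"From: {sender}", "To: me@example.org", "Subject: [social] update"]
    if kind:
        headers.append(f"{CONTROL_HEADER}: {kind}")
    return "\n".join(headers) + "\n\n" + body + "\n"


def run_demo():
    feed = Feed()
    feed.request("bob@example.net")  # I asked Bob; nobody else
    inbox = [
        make_message("Mallory <mallory@example.com>", "friend-request", "add me"),
        make_message("Mallory <mallory@example.com>", "status", "Buy now!"),
        make_message("alice@example.com", "friend-accept", "we are friends"),
        make_message("Bob <bob@example.net>", "friend-accept", "sure"),
        make_message("Bob <bob@example.net>", "status", "Back from holiday"),
        make_message("shop@example.com", None, "Your receipt"),
        make_message("Bob <bob@example.net>", "drop", "bye"),
        make_message("Bob <bob@example.net>", "status", "Still here?"),
    ]
    return [feed.ingest(raw) for raw in inbox], feed


if __name__ == "__main__":
    results, feed = run_demo()
    print(results)
    print(feed.statuses)
```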


Email is also under marketing surveillance, unless you refuse to correspond with anyone using gmail. I've known only one person willing to go to those lengths to make a point.


If you have a good alternative email I'd be down for that at least. Hosting your own turns out to be surprisingly difficult.


Make that surprisingly easy. Been doing it for more than a decade now, just on my house ADSL connection. It helps that a friend has agreed to host a backup MX.


Really? My email tended to be blacklisted and treated as spam and I had poor filters and search. Help me out here lol.


If you send email directly from your machine by looking up MX records from a home ADSL line, then yes this will happen. Instead, you should send your mail via your ISP's outgoing SMTP server, using the mail submission port number 587. Your ISP should provide this service, and you will probably have to authenticate using your username/password associated with your internet connection.


It is pretty good but they are directed messages and I think people look for something where they can check on their own terms what a person is up to.

I recently opened an account on Diaspora using the sechat.org pod. It has been a fun experience so far. The network effects mean that moving your friends over to it will be another matter. But it has been fun to use.


slack and facebook exist because many people view email as insufficient

also, it's email. yes, it's highly insufficient


That's completely wrong.

There is not, and has never been, an inalienable right to use somebody else's property (aka Facebook's network) to communicate. You are not entitled to coerce Facebook into building their product to work the way you want. On the contrary, it's Facebook's right, as the owner and creator of their platform and network, to handle all of the network traffic that you are voluntarily sending them however they want.

There are more communication methods available today than ever before. If a person you are trying to contact has stubbornly refused to use all of them except Facebook, that is not Facebook's problem, and it doesn't make them obligated to you in any way whatsoever.

If you don't like it then send an email, send a text message, call them, write them a letter, visit them, hire a courier, fax them, use another social network, etc.


Opining on the fact that FB messenger has replaced traditional forms of communication is not the same as an endorsement for an inalienable right to privacy everywhere. It's far too complicated of a topic to be boiled down to a talking point. It isn't even the core issue here. The problem is that FB knew this was wrong, so they hid it and hoped no one would notice.

> "If you don't like it then use X or Y"

If you are not aware that a service you're using is spying on you how are you supposed to know you don't like it in the first place? The cynical answer is that you can just expect them all to spy on you by default. Well if that's the case then we are getting back to the debate about privacy being an inalienable right.


By your argument, it is the right of Fedex/UPS/whatever to handle all of the parcels that you voluntarily hand over to them in whatever manner they want.


Huh? I don't use facebook, and yet it knows about me because I am in other people's contacts and some of those people had to share their contacts with facebook.

Fuck facebook a thousand times over.


That doesn't work because it's not just what you share with the social networks but what others share about you and how they're able to link those little facts to create a full picture. (Or what the social networks collect on you from other places.)

Facebook had a leak ~3 years ago that showed it: http://www.zdnet.com/article/anger-mounts-after-facebooks-sh... but there have been darker efforts to do this since at least 2006 or so that I've found.


It's not enough to not use these tools, it becomes a requirement not to share your personal information with any VC-backed startup in case it's sold in the future. Which is a ridiculous standard to hold users to.


That's like saying "If you don't want to eat horse meat, don't eat fast food." Your solution works, but it's entirely reasonable for a consumer to want to get the positive parts of a good or service (even a good or service you don't like) without the negative parts. Market pressure and regulation are both good ways to make it happen.


In this case, market pressure derives from users deleting their accounts.

For a long time people were saying that ads/tracking is good because nobody is willing to pay for software/service/social media. Well, users were paying for WhatsApp. There was no need to sell it to Facebook, nor was there a need for Facebook to use these dark patterns with WhatsApp.

Regulation should be an exception. Free markets work pretty well in practice.


> nor there was a need for facebook to use these dark patterns with whatsapp

Facebook needs to recover its investment in WhatsApp. No?


> if you don't want your personal information to be shared, don't use these "social media" tools.

Since Facebook is using cookies and is able to read your data from other websites than FB alone, can you please fix your sentence to read this:

> if you don't want your personal information to be shared, don't use internet. period.


There are very simple blockers that can block all Facebook cookies on other homepages. uBlock for example has the option to remove all social media icons and that includes the tracking cookies.


This argument is becoming less and less valid as social media accounts become more and more indispensable for leading a normal modern life.

Sure, you can still e-mail, call, sms or heck, even visit your friends and family IRL. But not having a social media account sure makes it more inconvenient. All your friends use these networks.

In a couple of years not having a social media account will be seen as equivalent to not having a bank account, or a passport, or a phone number. Sure, it's possible to live like that. But it sure is inconvenient.

Aside from that, as others have mentioned in this thread, even if you don't have an account Facebook, Google, LinkedIn, etc. have your data already. You can be sure one of your friends has uploaded their contacts to WhatsApp, including your phone number and mail address. Facebook has detected your face in a photograph your cousin uploaded. Google has all of your self-hosted mails because all of your friends use Gmail.

If you don't want your personal information to be shared, you need to live like a hermit.


I'd argue it's more meaningful, not more cumbersome. Do you only exclusively communicate with people via Facebook today?


I just found another one (while trying my 'free trial' of LinkedIn Premium):

* You have to enter a credit card number to begin the 'free trial', for a 'seamless experience' (ie. so we can bill you if you forget to cancel).

* You have to cancel your free trial 1 day or more before the end of the trial period to avoid being billed for the next month (at least I hope it's "1 day or more" and not "exactly 1 day"... the exact wording is "If you wish to avoid being charged for your free trial, you must cancel the trial one day prior to the auto-renewal.")

* You can't then delete your payment method at the same time, and must remember to do so after the end of the billing cycle.


There's a reason most people don't like hearing that: it's not a solution. I could try to explain, but Moxie Marlinspike did it a lot better: https://www.youtube.com/watch?v=eG0KrT6pBPk


> You can build an incredibly accurate picture of people's lives from metadata

Or as former Director of the National Security Agency, Principal Deputy Director of National Intelligence, and Director of the Central Intelligence Agency, Gen. Michael Hayden, said:

"We kill people based on metadata"

https://www.youtube.com/watch?v=UdQiz0Vavmc


Making this an opt-in is automatically illegal in the EU anyway, which makes the fact that they rolled it out like this very surprising.


Someone has to sue them, now. And it costs a huge sum of money, like 10k+€.


>This is very obviously not the WhatsApp that promised not to fuck with its users when Facebook bought it out.

Exactly my point, when whatsapp was bought, they said all these things, that whatsapp doesn't sell out customer information, that whatsapp will never have calling facility because they want to focus on texting alone.

I think they should remove the "why we do not sell ads" too, there is no point in this two faced behaviour.


It's right next to the sign saying "Beware of the leopard". How could you miss that?


Happened to me this morning, needed to check a WhatsApp message, some stupid new terms update so I just hit OK so I can access my account.


> WhatsApp know it and Facebook know it.

The NSA knows it too


Man, remember the late 90s and early 2000s, when the IM scene was a mess of incompatible networks like ICQ and AIM and MSN Messenger, and people were like "fuck this" and came up with this protocol that was interoperable with all the others through gateways and also it was extendable, and we could all be happy together?...

/grump

The worst part is that WhatsApp is actually based on Jabber >:(


I recently started looking into XMPP again a few days ago. I have a few ideas for projects built on top thereof.

Can anybody recommend XMPP servers? I know duckduckgo has an XMPP service up and running, but I can't seem to find any relevant API documentation. All I found was this [0], which doesn't go into details about encryption settings and isn't very useful for programmatic interaction.

[0] https://duck.co/blog/post/2/using-pidgin-with-xmpp-jabber


I use prosody and it's really slick.

Extensions that implement server-side XEPs are really easy to add on as well. Just git pull the community XEP repo and then add a line to the ini and you can add more superpowers. I have it on a cheap VPS. I'm using conversations with it and it has been mostly flawless. Now I just need a good linux application that understands OMEMO. There's a Gajim hack, but it's kind of messy.

[0]: https://prosody.im/


Conversations.im has made great progress in making XMPP usable on mobile devices, although its services don't seem ready for public adoption quite yet. There are very few XMPP servers which support the XEPs Conversations does so while federation is theoretically possible, it is not yet a reality.

https://account.conversations.im/


The new extensions are all public and supported by the two main server implementations, prosody and ejabberd. You can nicely ask your server operator to enable them.


See also zom.im - wraps up otr and xmpp in a package along with boatload of cuteness - and is FOSS:

https://github.com/zom/Zom-Android


Thanks. I can't really justify using a paid XMPP service, though. I was hoping for something indefinitely free.

(Maybe I should look into running my own server...)


You do not need an account at conversations.im – the app works without it.


Ah, okay. I misunderstood. Cool!


Yep. In addition to that, it’s also FOSS¹ and you aren’t limited to only getting it from the Google Play Store; it’s also distributed² on F-Droid³ too. One thing to note though is that the version of Conversations on F-Droid doesn’t support push notifications, since that functionality uses Google Cloud Notifications.

――――――

¹ — https://github.com/siacs/Conversations

² — https://f-droid.org/repository/browse/?fdid=eu.siacs.convers...

³ — https://en.wikipedia.org/wiki/F-Droid


If you only need voice + video, Ostel has been running for a few years.

https://ostel.co/


I used ejabberd (https://www.ejabberd.im/) and it was fairly easy to get up and running and make minor tweaks like logging conversations, but I can't say about encryption but it seems to have it from cursory web searching. It's Erlang so that was an interesting learning hurdle.


I'm a big fan of jabber.at; it should support most modern XMPP features. Dukgo is notorious for not supporting new features and having large amounts of downtime; I would not recommend it.


Openfire is actively developed. https://www.igniterealtime.org/projects/openfire/


I used tigase server and tried building an open source messaging client that you can use to chat as well as share your realtime location with your friends and groups : https://play.google.com/store/apps/details?id=co.getintouch....

Never took off in the developed world, but I strangely got plenty of users in Iran & the Middle East.


Consider looking at matrix.org and vector.im as an alternative that won't make your eyes bleed from the Xcessive nature of XMPP.


And yes, I absolutely realize that the protocol had flaws, was overly verbose, the base spec required a continuous connection which is hard/impossible on mobile networks, its extensibility meant that clients could end up with little common compatibility, etc etc... But still.


A continuous connection is actually desirable on mobile networks to save battery; your phone can turn the radio on to a power saving mode if you use a single TCP connection and no traffic is being sent and only wake it up again when it gets a paging message alerting it that there is new data to be sent down over the TCP connection. However, if you use something that requires multiple connections (eg. to poll and see if new data is available), you will have to put the radio into full power mode every time you poll to check if there's new data.


Very tangential: which server do you personally use Conversations with, and does it have gateways to other networks?


The protocol is an absolute nightmare to work with, even when you're only using it for your own internal systems and so control everything that's involved. I heard that WhatsApp stopped using it long ago, and if so, that wouldn't surprise me.


This is untrue; WhatsApp still uses a profile of XMPP with a custom compression layer.


Please elaborate on what exactly you dislike about XMPP.


Jabber is still around and works, there is nothing that stops you from using it.

However, clearly people prefer to use other systems, such as Whatsapp. They offered something different (and simple) enough that it enticed people to use it, and so they have the users. It would appear that people just don't care enough about interoperability to switch to something else.


> Man, remember the late 90s and early 2000s, when the IM scene was a mess of incompatible networks like ICQ and AIM and MSN Messenger, and people were like "fuck this" and came up with this protocol that was interoperable with all the others through gateways and also it was extendable, and we could all be happy together?

IRC is still alive, at least.


> The worst part is that WhatsApp is actually based on Jabber

I'm missing something here; why is this a bad thing?


It's ironic that, although they started with an open federation protocol, they don't federate and are essentially a proprietary service.


XMPP isn't an "open federation protocol"; it's just a protocol that includes a means to federate. Doing so is a matter of server preference. It would be great if more large services federated, but I'd rather have them use XMPP and not federate than build more custom protocols and not use XMPP at all so that I can't write a third party client for them.

My point is that being based on XMPP is still a good thing, regardless of whether they federate or not.


The whole point of XMPP is interoperability, so saying some proprietary service uses it internally is useless for the rest of the world without interoperability.

Can you connect with third party clients? Can they federate? Are they contributing to the protocol? No.

So what's good about it?


Big proprietary users of protocols tend to discover bugs in them, that they feed upstream, even if they run otherwise closed networks.

E.g. it benefits you that Google uses TCP internally, even if you can't get on their network? Why? Because they've submitted patches to Linux to make it work better.


> E.g. it benefits you that Google uses TCP internally

But they didn't modify TCP to prevent interoperability did they?


So what if they did? How are we any worse off than if they'd written their own TCP replacement from scratch to begin with?

Maybe someone outside Google gains nothing, but presumably their engineers will spend less time reinventing the wheel, which is a net gain for humanity in less time wasted.


> but I'd rather have them use XMPP and not federate than build more custom protocols

Well, bad news then: They never federated and they modified their implementation of XMPP to the point of third party clients not being able to connect.


As is (original) Hangouts, Facebook chat and probably much more.

In the early days both worked with external clients/servers too.


It's kind of pointless, Facebook owns Whatsapp so they have all that info anyway.

'The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.'


Exactly. Moreover, a look at the permissions required by the Facebook app would reveal how much information it collects about you:

  Device & app history

    retrieve running apps

  Identity

    find accounts on the device
    add or remove accounts
    read your own contact card

  Calendar

    read calendar events plus confidential information
    add or modify calendar events and send email to guests without owners' knowledge

  Contacts

    find accounts on the device
    read your contacts
    modify your contacts

  Location

    approximate location (network-based)
    precise location (GPS and network-based)

  SMS

    read your text messages (SMS or MMS)

  Phone

    directly call phone numbers
    read call log
    read phone status and identity
    write call log

  Photos/Media/Files

    read the contents of your USB storage
    modify or delete the contents of your USB storage

  Storage

    read the contents of your USB storage
    modify or delete the contents of your USB storage

  Camera

    take pictures and videos

  Microphone

    record audio

  Wi-Fi connection information

    view Wi-Fi connections

  Device ID & call information

    read phone status and identity

  Other

    download files without notification
    adjust your wallpaper size
    receive data from Internet
    view network connections
    create accounts and set passwords
    read battery statistics
    send sticky broadcast
    change network connectivity
    connect and disconnect from Wi-Fi
    expand/collapse status bar
    full network access
    change your audio settings
    read sync settings
    run at startup
    reorder running apps
    set wallpaper
    draw over other apps
    control vibration
    prevent device from sleeping
    toggle sync on and off
    install shortcuts
    read Google service configuration


Just out of curiosity, are there any permissions they don't try to get?


Anybody know which of these apply to the iOS ecosystem?


What happens if you deny it those permissions? (Android >= v6).


I've turned them all off and nothing has broken so far, but then again I'm a pretty passive user of Facebook.


I don't mind Facebook having access to my mobile number. I mind them mining that data and then pushing advertising to me when they said before that they _wouldn't_ do this.

Quote from the announcement (https://blog.whatsapp.com/499/Facebook):

> And you can still count on absolutely no ads interrupting your communication. There would have been no partnership between our two companies if we had to compromise on the core principles that will always define our company, our vision and our product.

Today's announcement (http://www.bbc.co.uk/news/technology-37184651):

> The updated privacy policy also paves the way for businesses to send messages to WhatsApp users.

Facebook has used their market dominance to restrict competition so we can't avoid advertising. I'm not normally one to get angry and start waving pitchforks, but for me, this is clearly an abuse of their monopoly.


Or... you know... just use something like Telegram that isn't owned by Facebook. Their data-sharing / privacy policy is pretty simple https://telegram.org/privacy

1. Sharing data

We never share your data with anyone. No.


Telegram uses a home-brewed crypto protocol and posted a challenge to break it by pasting some ciphertext. In my eyes they're ridiculous.

Just use Signal Messenger.


The author of Signal (Moxie Marlinspike) seems actively hostile to not only federation efforts but also compatibility with other clients, even one that only removed the dependency of Signal on Google Play Services: http://news.dieweltistgarnichtso.net/posts/signal-lock-in.ht...


Yeah. Telegram is sketchy, and their "we are Russian math PhDs, we don't need to listen to other people about crypto" attitude is very unhealthy, but unlike Moxie, I can at least think we are on the same side.


Not to mention the questionable ethics of supporting companies that are so blatantly anti-user. Facebook and Google can now tout "Moxie approved" crypto while their business models of surveillance remain intact.


Federation and security is a hard problem. The code is there for anyone to use, but it's an entirely reasonable and prudent security decision to announce your lack of support for a forked version using the same servers.

(Also, does Telegram have a version without Google Play Services?)


The XMPP ecosystem has federation, security and almost every client can talk to almost every server. If Moxie Marlinspike claims that interoperability does not work well in the context of instant messaging, I see this as him trying to manipulate the users so they do not judge him for his behaviour.


The XMPP ecosystem doesn't have security anywhere comparable to what we're talking about (well-implemented, end-to-end, forward-secure, multi-device messaging).


>multi-device messaging

Correct me if I'm wrong, but I don't think that Signal supports this feature


It does, but it's beta and Android only: https://whispersystems.org/blog/signal-desktop/


About Telegram: the F-Droid version has no Google dependencies, AFAIK.


Why don't you just link his blog post on federation instead of misrepresenting his opinion?

https://whispersystems.org/blog/the-ecosystem-is-moving/


I did not know that blog post. However, it does not give evidence that Moxie Marlinspike is friendly to federation and third-party clients. If anything, it shows that he opposes open, interoperable protocols as well.

Moxie Marlinspike asserts that federation needs standardization and that standardization inhibits changes. He also asserts that protocols have to change to keep up with changing requirements. His unspoken assumption is that it is impossible to create real-world forward-compatible protocols.

While I agree with the first assertion, I strongly disagree on the latter two. Consider that protocols and data formats that do not have to change exist. An encoding like UTF-8 will probably never have to change to keep up with new codepoints. Also consider that forward-compatible protocols and data formats exist. HTTP seems to be a very good example for that.


I've been thinking about this a bit, and I think it would be possible to set up a non-profit, 'Federation Authority' (if you will), that could transparently govern a network of independent operators (that interoperate). Wikipedia works pretty well (IMO), and there would be an opportunity to iterate on their model (e.g. live web stream of board meetings).

I believe with enough traction, we could get hedge funds to give money while shorting the publicly traded companies that operate walled-garden networks.

N.B. I read your link when it was written originally, and have not taken the time to go at the issues raised point-for-point, but I'd like to see more efforts made in the direction I mentioned above.

Edit: The protocol has to have federation built-in from the beginning, and the ability of any server to granularly discriminate against any given TLD at their operator's discretion.


Even worse, he tries to deny people their legal right to build their own clients to services they have the right to use.

Which is a legal right in the EU (and even allows you to reverse engineer proprietary code for the purpose of writing your own system that interoperates with a proprietary one), so this is very sketchy.

Moxie seems like a Google employee.


He doesn't. You just can't use custom clients with his server.


Signal uses a home-brewed crypto protocol(^) and their CTO disallows third party clients, even based on their own open source code.

Just use XMPP.

(^) Granted, Moxie can be considered a crypto expert, and the design got some public auditing.


The Axolotl key management algorithm was jointly developed by Moxie and Trevor Perrin. Both of them are widely respected in cryptography, and the protocol has undergone formal cryptanalysis.

A novel crypto algorithm someone puts up on GitHub is "home-brewed." The Axolotl algorithm can no longer fairly be described as "home-brewed."


You can go start, pay for and manage your own server set and go hog wild writing whatever client you want to.


I notice nobody in this thread has yet mentioned the FOSS (Apache license), cross-platform, encrypted messenger ChatSecure https://chatsecure.org/

The Guardian Project writes a bunch of nice software https://en.wikipedia.org/wiki/The_Guardian_Project_(software...


Why not use Conversations.im? https://conversations.im/

It’s actually usable, supports a lot more encryption methods, is more up to date, and actually looks okay.


> supports a lot more encryption methods

That sounds like an anti-feature.


Who keeps the lights on? The app is free, I have never seen any ads.


Just wait till they get enough users. And then we will see their real business model.

At the end of the day, all these guys get enough users and then the users are just too tied to the platform to make an easy move.


WhatsApp users to receive adverts: http://www.bbc.co.uk/news/technology-37184651


Private funding. It's in their FAQ.


If only more people used Telegram.. I love it, but only a couple of friends use it.


For me, Telegram's small user base is actually what got me on it. My WhatsApp is full of way too many groups that I can't leave without negative social consequences. So the one group that I cared about the most (a group with my siblings), we all decided to move to Telegram and haven't looked back since! It's awesome to just have the few closest people on an app and not having to fear that you'll accidentally send a message to the wrong person or group.


Regarding negative social consequences ... Today I switched phones and wanted to transfer my Whatsapp contacts to the new phone. What Whatsapp did: Somehow they managed to delete me from each and every group I had been in, deleted every chat and I cannot access this anymore. I already had to explain to three friends why I left our group as they were furious because we had talked about important things in those groups.

Just to say this didn't happen with Telegram. Recovered everything smoothly with no errors.


This happens because WhatsApp stores all the information in your phone itself. On the server side, at least before FB bought it, they didn't store your info. This is the reason their team was so small despite the billion users, because they just need to store data on a need basis, since they were a paid messenger.

The moment you switch phones, all the data is lost, because they do not have it in the cloud! This is the reason your phone needs to be connected to the Internet when using WhatsApp Web or WhatsApp Desktop, because they literally stream your data i.e. chats from phone to desktop!

Telegram is a cloud messenger; data is stored in the cloud and loaded every time on your devices. Ironically this makes WhatsApp better than Telegram :D at least before Facebook bought it.


That's strange. You can back up WhatsApp data at least on iOS.


Well... I did, at least I thought so. I had it on "weekly" but am not able to recover it. Doesn't matter, just wanted to make the point that I'm in favor of adopting a new messaging app not as widely used as WhatsApp.


> deleted every chat

Whatsapp never stores the chat history anywhere. All conversations are encrypted end to end.


Many, but AFAIK still not all. When they released encryption it only worked when all involved clients were Android (or iOS, I don't remember).


My grandmother uses a Nokia C3. Until she switches, every group in which she participates will not be encrypted.

It says on the Nokia C3 version of the app that Whatsapp won't support that device next year, possibly because of that.


You can back up WhatsApp chat history on iCloud.


False, you can store it locally and/or in the cloud. End-to-end my ass.


>You can store it

I didn't say you can't, I said WhatsApp doesn't store it. I meant to say that it won't automatically back up and restore your stuff when you change phones.

You have to back up the data yourself on an SD card or a cloud service that you choose. It isn't stored on Facebook's servers.


They hit 100 million monthly active users back in Feb. I'm not sure that's a small user base by most of our terms.

https://en.wikipedia.org/wiki/Telegram_(software)#Usage_numb...


I think they meant by the small user base in your friends. :)


Try to convince them anyways. Once they get past the grumbling of installing a new app and the entirely hypothetical inconvenience of having multiple chat apps, they'll realize that in practice it isn't really much cause for inconvenience.


Having to look in half a dozen apps to track down information is not a hypothetical inconvenience.


Oddly enough I expected to run into that problem, but in practice it's hardly ever been an issue. I think in my particular case it helps that I generally insist on using email or telegram for communication where it's important to find it again later.

But you're right. At times I've had to search for information because I didn't remember which communication tool we used.


I work on lots of projects with lots of people, and I end up with hundreds of conversations spread over Email, SMS/Signal, Facebook, Skype and WhatsApp. It frustrates the hell out of me. The great thing about Signal for me is that it also handles SMS so there's no extra app to check. But yeah, no group chats, no desktop client, most conversations are unencrypted anyway because normal people don't care about privacy. If anybody were to ask me to use Telegram I'd be pleased they had an interest in encrypting our communications but annoyed about having to install yet another app.


Yeah, in your situation I understand the frustration.

By the way, if you're using a Mac you might like 'Franz': http://meetfranz.com/


Does Telegram offer voice messages and calls?


No, and a lot of people don't like it because it's cloud based too.


Is this really a concern people have? Do people think on-prem is somehow inherently more secure? They expose their services through the internet. Minus a few details it's all the same. There are pros/cons in both sides.


Recorded voice messages yes.

Live / phone call style voice messages no.


There was a serious FUD campaign started by one of the developers of now competing app Signal a few years ago. Now if you mention Telegram on Reddit you're immediately bombed with "OMG TELEGRAM CRYPTO IS BROKEN!" even though 0 people on earth have ever provably decrypted a Telegram message. They even offered a $300K bounty where you could act as the server... no takers.


I don't have skin in this game, but I want to mention that contests are not evidence of security. Furthermore, cryptographers other than those working at Signal have expressed distrust for its security.[1][2]

What Telegram should do to earn the trust of the technical community (specifically, the security savvy people who criticize it for unorthodox encryption methodologies), is contract a real audit from a leading security firm that specializes in cryptanalysis, like Riscure.

[1]: https://twitter.com/matthew_d_green/status/72642891296898252...

[2]: https://news.ycombinator.com/item?id=9775080


>is contract a real audit from a leading security firm

Suggestions like this do nothing to dispel the image that modern security firms are little more than a protection racket. If you don't pay for "an audit" from an "industry leading" firm, you'll be shunned by everyone.


You pay for an audit, or you release the code/algorithms for the community to publicly audit.

Otherwise, you're just making claims that are unbacked by anything. Presumably only the fact that there hasn't, yet, been a public exploit. But that's not a useful metric.


What's your alternative suggestion?


Somehow, I don't think you are going to find more sympathy for Telegram's broken crypto (or Signal's "FUD" campaign) here on HN.

At the end of the day, for many nerds looking at these two pieces of software and their developers-- Moxie comes out looking a lot more serious about privacy and more experienced with crypto than Nikolai and Pavel. To say nothing of Telegram's closed source cloud app model, questionable financing strategy or debatable ties to the Russian intelligence apparatus.


> questionable financing strategy or debatable ties to the Russian intelligence apparatus.

Soo you counter FUD with FUD. Great strategy!


Well... People said to them "don't roll your own crypto. Whatever you've got going now doesn't look too sane".

The Telegram devs more or less said "f*ck you, we are programming world champions and PhDs".

Then, about 6 months after they were all cocky, a Russian guy showed that the Telegram server could MITM every secret chat by providing the client with shitty entropy. Either it was a back door, or the Telegram devs showed that everyone else was right.

Don't use it for the crypto. If that is what you want, use something else.


Does Telegram use E2E encryption by default now, yes or no?


Probably not, but the hilarious thing is that a year or so after attacking Telegram for that, the developers of Signal took a substantial chunk of cash from Google to promote Allo as using Signal Protocol and end to end encryption, even though it's disabled by default so Google can mine your chat history for ad targeting (and enabling it has the inconvenient side effect of disabling your own local chat history).

Basically, it's about the cash. Signal's business model is to convince everyone that their protocol is the only secure one and charge everyone to licence it. If that means promoting non-E2E services that store and mine chat history, that's fine so long as they pay up.


> charge everyone to licence it

What?

The protocol is publicly described. They've blogged about it. I can imagine people being able to reconstruct it from memory.

The first Google result for "signal protocol license" is https://whispersystems.org/blog/license-update/ , clarifying that it's under GPLv3 (i.e., patent grant) with an exception for the App Store. Has anyone paid money to license the protocol? Has Signal asked for money? Is it even possible to give them money for the protocol?


GPLv3 is cool as open source goes, but is pretty restrictive. Basically you can't link to it and distribute your app without it being open source. A company like Google can probably not use it.


What I meant with GPLv3 is "and they are even willing to grant any patent rights to the general public". I don't know if they hold patents on it, but if they either don't, or are willing to license them freely, then you can implement the protocol from the public documentation of it.


That's not true. The patents grant in GPLv3 or other licenses (like APL) only holds if you're actually using that project in your work. So either you fork the GPLv3 project, and comply with a compatible license, or you don't have a patents grant.

This is basically why Google could be sued by Oracle, because Dalvik and their class library based on Apache Harmony were not a fork of OpenJDK.

Of course I cannot speak for Signal's protocol. Maybe it has no traps. I'm just commenting on that license. It's a strong license that makes some demands: a good fit for open source but bad for Google.


Sorry, I am being unclear. I don't mean that GPLv3 gives you a patent grant for all implementations, yes. I mean that the willingness to license code under GPLv3 means that there's an upper bound on how much Open Whisper Systems cares about licensing the protocol for money.

Which brings me back to the original question—why do we think that OWS's pushing of Signal Protocol is about money? Yes, I expect that for Allo they got paid by Google to write and maintain some code. But I don't think that their general claim "Signal Protocol is good crypto for everyone solving this problem" is motivated by money, because so many people solving this problem could use the GPLv3 version.


> Has anyone paid money to license the protocol?

As Allo is not GPLv3, they obviously got it under another license.


Is Allo using the same code, or a different implementation?

(And it's not so obvious to me. The thing I linked is licensed under GPLv3 + MPL if used on the App Store. You can totally ship an Android app that runs a separate GPLv3 subprocess, and an iOS app that uses it under the terms of the MPL. The GPLv3-subprocess thing is what JuiceSSH does for running Mosh.)


It does not use end-to-end encryption for normal chats. They're encrypted only during transport on the network, but stored as plain text on the devices and on the Telegram servers in order to make multi-device sync and searching easier. Only "Secret chats", which are restricted to one device on each side, are encrypted end-to-end.


If their own FAQ is correct, then definitively NO.

Q: So how do you encrypt data?

We support two layers of secure encryption. Server-client encryption is used in Cloud Chats (private and group chats), Secret Chats use an additional layer of client-client encryption. All data, regardless of type, is encrypted in the same way — be it text, media or files.

Our encryption is based on 256-bit symmetric AES encryption, RSA 2048 encryption, and Diffie–Hellman secure key exchange. You can find more info in the Advanced FAQ.

https://telegram.org/faq#q-so-how-do-you-encrypt-data


I don't believe so. You have to use "secret chats".


For most people the fact that it does not makes it useful. It gives you good multi-device support similar to Facebook Messenger.


Multi-device support and message sync do not necessarily preclude end-to-end encryption. Of course, it's a lot easier to accomplish these without end-to-end encryption.

Wire [1] (which I discovered a few months ago) is a platform that has end-to-end encryption, multi-platform support and multi-device sync. It also has text chats, voice calls, video calls, doodling, etc. The UX still needs a lot of improvement (compared to Telegram).

[1]: https://wire.com


It's not FUD if the skepticism is valid


How much is a Telegram exploit worth? Maybe more than $300K.


It's not clear to me why anyone would use Telegram over Signal.


Telegram is way ahead on several fronts - UX, feature rollout speed, message delivery speed, multi-platform support, multi-device message sync, etc. Signal is still improving slowly and is nowhere close to Telegram (in my experience) in any of these areas. Of the three apps I use for messaging, my current position is that Telegram > Wire > Signal.


Thanks for the explanation - sounds like it's generally a tradeoff of UX vs. Security, didn't know things were that much better in the Telegram world.

Seems to me though that if you're willing to use Telegram you might as well just use iMessage or WhatsApp though?


> sounds like it's generally a tradeoff of UX vs. Security

Not necessarily. Wire has shown that a Telegram like UX is possible with end-to-end encryption, multi-device sync and multi-platform support. It's just that Wire and Signal are slow in catching up and seem like they need a slightly larger team and/or better management of the development.

> didn't know things were that much better in the Telegram world.

I keep trying any new messaging platform like this, especially if it promises privacy and better security. So I'd recommend you try Telegram and see for yourself what it provides. I'm heavily impressed by what it offers and use it as my primary messaging client, but don't like the crypto and the fact that normal chats are not end-to-end encrypted.

> Seems to me though that if you're willing to use telegram you might as well just use iMessage or What's App though?

That depends on which company one is more comfortable with on the privacy front. I don't consider iMessage to be equivalent to Telegram in features or UX (it's actually inferior and has issues with handling SMS as a backup option). WhatsApp being connected to Facebook is a no-no from the privacy point of view.


> Not necessarily. Wire has shown that a Telegram like UX is possible with end-to-end encryption, multi-device sync and multi-platform support. It's just that Wire and Signal are slow in catching up and seem like they need a slightly larger team and/or better management of the development.

To clarify: not that it's a fundamental tradeoff that you can't have end to end encryption with good UX, but that the current choice between Signal and Telegram is a choice between security (Signal) and UX (Telegram).

From everything I've read you'd probably be better off trusting iMessage or WhatsApp over Telegram.


Signal has a Google Play Services dependency and through that makes meta-data visible to Google.


Almost all apps on Android are signaling push notifications through Google's play services, because keeping your own connections open keeps the phone from going in standby and thus it leaks battery. I doubt that Telegram doesn't use it.

And on push notifications, the app only receives a signal that there's fresh content to be requested. There shouldn't be any metadata leaked. Source?


Features / usability over perceived improvements to privacy / security.

If you had actually used both, it would be clear why people use Telegram over Signal.

Signal doesn't even have a desktop client for any OS!


> Signal doesn't even have a desktop client for any OS!

[1] https://whispersystems.org/blog/signal-desktop/


> Signal Desktop is a Chrome app

So yeah, the statement from parent still stands.


So this argument is just a technicality. Please understand a little more about the background:

There is basically one person writing the app[1], and given the company has just a few[2] people _volunteering_[3] for them, you cannot expect them to release a large amount of code across so many devices. They prioritized the highest volume first.

Open Whisper Systems primarily develops a strong encryption protocol (Moxie's efforts). If you didn't realize, this protocol was adopted by WhatsApp[4] and also Facebook Messenger[5]. So, the developers of those other applications needn't spend time/resources on the encryption, but can release Desktop clients for people like yourself to enjoy.

People who use Signal trust Moxie. People who dislike Signal _may_ care more about features than the security properties of the software (note, WhatsApp doesn't open-source their software[6], and Telegram instead bets people cannot break their encryption[7]).

Also, their app will supposedly run on any OS that Chrome runs. I'm sure that was the intention.

[1] https://github.com/WhisperSystems/Signal-Desktop/commits/mas...

[2] https://whispersystems.org/#team

[3] https://whispersystems.org/workworkwork/

[4] https://www.whatsapp.com/security/WhatsApp-Security-Whitepap...

[5] https://whispersystems.org/blog/facebook-messenger/

[6] https://www.whatsapp.com/opensource/

[7] https://telegram.org/blog/cryptocontest


The line between desktop and web apps is becoming more and more blurred these days, so this seems like an inconsequential argument.


It's not even a web app. It's a CHROME app. A web app would be accessible via any browser. But nice to see the Google propaganda working.


Who finances Telegram? Who pays for the servers?


> Pavel Durov, who shares our vision, supplied Telegram with a generous donation through his Digital Fortress fund, so we have quite enough money for the time being. If Telegram runs out, we'll invite our users to donate and add non-essential paid options to break even. But making profits will never be a goal for Telegram.

- https://telegram.org/faq#q-how-are-you-going-to-make-money-o...


Who funds their "crack our encryption" contest[1]? I imagine also the same pot?

[1] https://telegram.org/blog/cryptocontest


Yeah, I think the "pot" might just be Pavel's bank account. He also recently offered to fund $1 million of grants: https://telegram.org/blog/botprize. I assume he announced the Crypto Contest and hoped/assumed nobody would win.


Mostly? The Kremlin...


It's all in their FAQ.


You're right, that's the reason why I didn't install WhatsApp et similia


If you're in the contact list of anyone who uses WhatsApp they already have your info.


It's not owned by Facebook yet.


My problem with whatsapp is that there's no way to use it without giving access to my entire contact list to the app. And that's out of the question for me.


On iOS you can actually deny access when the OS prompt comes up and WhatsApp will still work. You just have to start conversations using a phone number instead of a name/contact. I use it this way, and it is a little inconvenient but I feel better not uploading my phone book.


While this is noble of you, I guess 99% of your (and mine) contacts won't do the same. So you're protecting your friends, while your own number is still shared with Facebook.

This is what annoys me the most. I can't control what people put in their address book about me (physical address, email, photo, phone number, maybe even more infos) and who they share my info with.


There's XPrivacy out there, which proxies apps' requests for various information like contacts or location. But you need a rooted Android phone to use it.


As a workaround, on an iPhone you could move your 'sensitive' contacts to another app, like "Contactshield".

Then you can safely share your 'normal' contacts with WhatsApp.


I thought with Android Marshmallow and iOS you can deny access to contacts. I guess if you're not on Marshmallow or higher, you're not going to get this benefit


A lot of apps these days will not run unless they get access to the data they request. What I would like to see is Android having the ability to give empty sets of information if so chosen instead of denying access, or to compartmentalize applications' access to shared resources more.


You can't get WhatsApp to do anything if you don't grant it access to your contacts. I ended up creating a new user profile on my phone based on a new Gmail account just to run WhatsApp...


Some Austrian lawyer recently argued that this is even illegal in the EU. Not necessarily for WhatsApp but for the user who is stupid enough to willingly upload data that does not belong to him.


The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.


So when you remove that tickbox "Share my account info" - your data still gets shared:

"The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities."

Never does it say, you won't get ads. But if you share, you will get "improved ads".

Am I reading this right?


I would just assume anything you do on the Facebook family of applications, is using your information to maximize revenue. Regardless of what tick boxes you check.


I don't have the Share my Account option on Android.


Perhaps you accepted the new terms more than 30 days ago and instead of showing a greyed-out checkbox, they simply hide it altogether.


More likely he hasn't received the relevant update yet.


Or maybe because Facebook app isn't installed? I don't have it on mine, so maybe they're not 'linked'


Neither do I. My app was updated last night. I don't use Facebook, but as I can't opt out I can't assure myself that there will be no sharing with their 'partners'. So I am out.


Same here, I went through all settings twice and checked for sw updates. No luck so far. I miss the days when all friends were on IRC...


I just got the notification today. Looks like I simply hadn't upgraded.

False alarm!


Linkability at its best. Been saying for years that FB is trying to help establish the single-sign-on for all to access the internet. That's why every major email and social outlet is demanding you input your phone number and secondary email alongside your existing account info. Eventually this will help the government know who is behind each IP address. No need to keep avoiding the phone number security prompt at the top of FB anymore, they already have it through their acquisition of WhatsApp, what a shame.


How much do you want to bet they will make sharing mandatory in 6-12 months? Opting-out is a fig leaf to head off bad press in the short term.


Are we supposed to congratulate WhatsApp for doing something that should be expected with 1.0? Furthermore, your default is incorrect; sharing info is opt-in.


> your default is incorrect; sharing info is opt-in.

Uh, I mean, that's the whole point of facebook.


So this was quite expected anyway. Though initially the acquisition seemed to be a defensive one where FB prevents Wechat kind of features coming from Whatsapp, the amount of data whatsapp has, is a treasure trove for all the advertisers and as a public company, FB just did what is expected by the shareholders.

But it's kinda scary that emperor Zuck has so much power over the people, like FB/Messenger/Whatsapp/Instagram are the top apps everyone uses. I am glad Snapchat didn't sell out.


So much power? You give him power. Just delete your facebook account and uninstall their apps!


And watch your friendships grow stale, lose touch with your family members, opt out of knowing about upcoming events...

The phrase "network effect" exists for a reason. Where people don't think about keeping in touch with others in any terms other than Facebook, refusing to play along with Facebook comes with serious consequences.


"And watch your friendships grow stale, lose touch with your family members, opt out of knowing about upcoming events..."

And how exactly do you think these things worked before Facebook?

"Friends" who don't want to make the effort to stay in touch outside of a dead-simple social app aren't friends, anyway.


"worked" is the key word here.

When the letters were the common way to contact people, people would contact you by letter. If you refused to communicate in different ways than with letters, people would communicate less with you than with others, because it would be a pain in the ass. They'd organize a party on short notice, and then realize that the letter won't reach you in time (or that they don't have envelopes and stamps anymore because they no longer send letters).

The same applies to this sort of app today, sadly.


Only more so. Back when people kept their address books in actual books, you wouldn't, for example, miss getting a wedding invitation, because you weren't sent one, because the people getting married forgot to think about anything except their Facebook contacts list when they made their invitation list. Because everyone's on Facebook.

I almost caved, the second time that happened. What stopped me was being prompted for my email account credentials, so Facebook could mine my more than decade-long correspondence for social graph data. I know enough about abusive relationships not to overlook an opening boundary test like that. So that was the end of my Facebook experiment. In any case, by that point the damage was probably done.

Someone else here said something about having his Facebook departure be a conversation starter. Doesn't always work that way. When I tell people about that email prompt, they just look at me funny and go "you know you can skip that, right?" Which, of course, I do know, but see above re: abusive relationships. Maybe I can talk my way out of taking a punch this time, but every time?

That metaphor doesn't seem to cut much ice with anyone, though. No idea why. Maybe it's a little over the top. Maybe people are just so accustomed to think about Facebook as part of the environment, and take it totally for granted, that it doesn't occur to them to regard what I'm saying as anything but incomprehensibly weird. Maybe I'm an obstreperous pain in the ass. I'm sure at least one of those is true. But who knows? I mean, I don't ask; I just steer the conversation somewhere more mutually enjoyable, because I go to bars to drink and enjoy talking with people, not to pretend to be Richard Stallman.


Yeah, it is too over the top for most people. I don't move in tech circles, and the few friends who I do speak to about this, tend to dismiss this as tin foil hattery.


I mean, yeah, that's easy to say and all, and it makes you feel special and everything. It's also horseshit.

The problem is not that your friends don't care enough about you to keep in touch by means other than Facebook. The problem is that Facebook has so completely insinuated itself into and throughout a billion people's interpersonal relationships that your friends don't even think about keeping in touch by means other than Facebook.

Put another way, we find ourselves in a situation where a single, rather secretive corporation mediates the interactions of a significant fraction of the species, and has already been known to manipulate the perception of its users in ways which might be to its benefit. When I was a kid, this would've been no more than fodder for third-rate dystopian sf which even fans of the genre mostly wouldn't take seriously. And yet, somehow, here we are.


It's your fault too, you know? Why give the fault to a corporation when we are giving them pieces of our lives?

Fights aren't easy, but this fight is important for our society and our children.

> Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

This is a fight, our fight. For freedom, free speech and privacy.

> I mean, yeah, that's easy to say and all, and it makes you feel special and everything. It's also horseshit.

I bet it makes you feel special writing that phrase (isn't it?).


It's nice to live in a world where everything is simple. I wish I did.


I wish it too. But it's your choice. Also don't write stuff like this....

> Put another way, we find ourselves in a situation where a single, rather secretive corporation mediates the interactions of a significant fraction of the species, and has already been known to manipulate the perception of its users in ways which might be to its benefit. When I was a kid, this would've been no more than fodder for third-rate dystopian sf which even fans of the genre mostly wouldn't take seriously. And yet, somehow, here we are.

...because you don't really care.


I think it's adorable how you just casually assume I have a Facebook account and I'm speaking in purely theoretical terms here.

It's not that I don't want to see Facebook killed with an axe. I'm just not so foolish as to imagine that browbeating people will make that more likely. Don't confuse the two.


I'm really sorry, I generalized. I read your other comments, thanks for standing against facebook.


Honorably said, sir. I thank you.


Please be careful about rationalisation of things. It's easy to build up an argument for why you need to have Facebook. We all know how dark the waters of Facebook are (with all the tech knowledge, monetising schemes and smelly dark patterns). Yet very few actually at least try to do something about it. It's part addiction, part fear and well I don't know what. I think the least everyone here should do is to think about the problem hard and try to be honest with yourself. I bet you believe in net neutrality and open-source. Well, Facebook is in direct opposition to that. It really is, we all know it. Even though they make open-source software they would love to see a world where Facebook is the net (look at India and Facebook net).

Who else should stop using Facebook than the people who actually understand how it works.

I am saying this because over a year ago I deleted FB. It was more for the fact that I started to measure how I use FB and I realized I was giving it quite a bit of my focus. It wasn't taking much of my time but it was a constant distraction. So I stopped. After 14 days I never felt the urge or need to use Facebook again. Seriously, it was like some spell. And the outcome? All the worries about not being able to reach foreign friends or see what my friends are up to. Well, the interesting people luckily found another way to contact me and since then all the important stuff was much more focused. Other people started to talk with me, they had a reason to talk with me in a pub because they got something new I didn't know about. And leaving FB became a theme for conversations because people wondered why I did it.

And it's not only me, there are 4 people I know around me who came to the same conclusion. None of us came back.

Btw when you try to actually delete your FB account, it's a minefield of dark patterns. First you need a special link, because you can only deactivate from settings. Then you will have to go through a pile of emotionally draining photos of friends with claims that they will miss you and you won't be able to see what they are doing with their lives. Then a few traps with agreeing about deletion with switched meanings of buttons. In the end you won't actually be deleted. You will be put in deactivated mode for 14 days; if your browser accidentally auto-logs in then you have to do it again. After 14 days you are sent an email and if you miss it and don't accept it in a certain time, you won't be deleted. Of course since 1. 1. 2014 it really doesn't matter because Facebook keeps your data even if you delete your account. (I deleted it just before 1. 1. 2014 and I still think they kept all the shit, because how would anyone know).


Yeah, hey, thanks, that's all great advice except I never had a Facebook account in the first place. I mean, I'm sure whoever you imagine yourself to be talking to would find all that super useful, though.


Good. It was worth it anyway. I was replying to rationalisations of the situation. That can be seen everywhere.


It was worthwhile, and well said. I'm sorry for snapping at you about it.


I'm trying to find more info about https://wire.com

They would seem to be doing all the right things, such as OTR and not rolling their own protocols, but I've only been able to find a couple of opinions and nothing concrete.

The fact that they've made effort to open source it and are letting people write their own clients for it is encouraging, but not proof that it's a solid system.


I discovered Wire a few months ago and have been impressed with its feature set. While Wire states that it is using axolotl ratchet, note that it is not the same as the Signal protocol used by Signal. Apparently Wire took the axolotl ratchet (the one Signal started with) and created a custom version for its own use. Moxie stated something of this sort in a comment recently on HN. There have also been some conflicts between Wire and OpenWhisperSystems (searching the web, in addition to reading up on Wire's site, will show you different sides of this).

To avoid confusion about axolotl ratchet and its usage, OpenWhisperSystems changed the name of the protocol used to Signal protocol in March. [1]

[1]: https://whispersystems.org/blog/signal-inside-and-out/


Thanks for the response. My sense from the information is that the protocols are extremely similar, the implementation is the primary difference.


Just made an account. Looks pretty good so far. A huge plus, imo, is that they don't require a phone number at all.

However, I am afraid I won't be able to convince anyone to use it :(


It must be one of the cleanest Android apps I've ever seen, let alone messenger apps. The settings are well done, it performs great and doesn't even run a service (at least the Play Store version). Think I'm going to try to bring some of the close friends/family to this.


I am reading the opt out agreement as far too specific. It says do not share info with Facebook for improved ads experience. MEANING SHARE info WITH FACEBOOK anyways, even if you are not interested in ads.

I don't want any of my info shared. Yet there is no way to opt out of it.


FTA

> The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.

So you can't not share.


If only there existed a peer to peer solution that doesn't require trusting a central host


A fundamental limitation of the peer to peer setup for messaging is the lack of a reliable way to send a message while your contact is offline. If your answer to that is to have intermediaries that are always available and can store and forward, you run into issues of needing a lot of these intermediaries in a mobile-centric (low power, intermittently online) world.


Bitmessage?


I had few enough people who I've communicated with via Whatsapp that I was able to simply delete my account. I hope that means they'll actually purge my data rather than sharing it with Facebook.

This is one of the problems of digital identity: privacy has a latent value. The company you choose to share data with today may choose to share with / merge with a third party in the future.


Having removed the app a while back but not formally deleted my account, seems like I have to re-install, dig up my account again, then opt out.

What a hassle.


I don't see the data sharing opt-out thingie with FB as the big news today.

The big news is that your eye-balls are officially for sale now. Marketing is specifically mentioned as a new form of communication towards the users. No banner ads (yet), but other formats.

It was good, while it lasted.

PS to WhatsApp: If you manage to launch a no-data-sale privacy option for x$/y, I signup in a heartbeat.


Guys, there's only one solution. Delete your accounts and uninstall the apps. That's it!

Here's the link to delete your account. https://www.facebook.com/help/delete_account


I deleted my WhatsApp account the moment I learned it was acquired by Facebook. Unfortunately, I have to use Facebook for certain purposes to reach certain people. So Facebook very likely has more information (including my phone number) from other Facebook users and WhatsApp users who have me in their contact lists.


What if I don't have that option in Whatsapp? Does it mean you can't opt-out after 30 days?


You're probably (like me) on version 2.16.9, released 8/15/16, and haven't received the new TOS update yet.


That's how it looks to me. I don't have the option.


Probably they didn't update the app yet?


I wonder, what are the odds of success if someone starts a paid social network, say for 5$/month. Ad-free, no-snooping, secure social network. E.g. Diaspora pod with good UI and more features. Would you be willing to pay for it?


I thought SSL encryption would not let 'anyone' else read your messages. So that means even if WhatsApp promises SSL encryption, they can read our messages? Is it technically possible? Forgive my ignorance.


from https://www.whatsapp.com/legal/

- Your messages are yours, and we can’t read them. We’ve built privacy, end-to-end encryption, and other security features into WhatsApp. We don’t store your messages once they’ve been delivered. When they are end-to-end encrypted, we and third parties can’t read them.

So they can share location, phone number, contact book, maybe chat group names if they're not encrypted, and maybe the people participating in those groups, the online/offline status, who and when you call, what else am I missing?


I just got the prompt to accept the new terms.

1) you did not have to scroll to opt out. 2) opting out brought up a toast saying "when you tap 'agree', your account info will be used to improve your Facebook ads and product experiences" 3) there was a " X not now" option in the top right corner.

I chose that.

Edit: no app update was required. I'm guessing in the future, they could push ads the same way


This seems like a potentially stupid question, but the link only shows how to do it on an android device. The terms sprung up on me in the iOS app (I have yet to update it) and thankfully I found the hidden toggle button. There does not seem to be an equivalent way to turn off the sharing of data on my iOS device, so if anyone has found a way, please tell me about it.


You can't. According to them, even if you opt out:

>The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.


If people want to use snazzy services but don't want to pay, and then outlaw collecting private information, presumably the owner of the snazzy service will find some more complicated or secret way to monetize its users?


It's interesting that Facebook Messenger still doesn't have ads. It even supports using it without a Facebook account (although you do need a phone number and it appears to be slightly limited)


I cannot wait on Matrix protocol, I just hope it will be used.


sooo, apparently there's only a limited time period (30d) where you are allowed to opt out of the data sharing...

>> After you agree to our updated Terms of Service and Privacy Policy, you will have an additional 30 days to make this choice by going to Settings > Account > Share my account info in the app. If you do not want your account information shared with Facebook to improve your Facebook ads and products experiences, you can uncheck the box or toggle the control.


There's already two threads on the front page about the WhatsApp TOS change, do we really need a third when this link is already in one of the top-voted comments?

https://news.ycombinator.com/item?id=12358205

https://news.ycombinator.com/item?id=12358751

Duplicate threads like this just dilute the conversation especially when the comments made here are already opinions voiced elsewhere.


Ironically, I just whatsapped all my "non-IT" friends on how to "not agree" by finding the hidden data sharing checkbox.


> The Facebook family of companies will still receive and use this information for other purposes...

Answer:

YOU DO NOT.


I wonder how Moxie feels about being used in what looks to be a pretty spectacular privacy bait-and-switch.


One question no-one is answering. Will this be pushed in the future, or have we accepted the terms earlier?!


My phone does not show 'share my account info' option... Please can you help me


So what does this change mean if you're using WhatsApp while not having a Facebook account?


That's not a serious question, right? Why you are even using anything Fb touches/owns/operates is the real issue


In Dutch we have a word for this, called "poppenkast".

Translated literally it means "puppet-show"...


Simple, just don't use WhatsApp.


I'm not sure how much help this would be, but also make sure to delete your WhatsApp account before you stop using it (instead of just deleting the app and abandoning the account).


> the discussions are large and come from three different perspectives

The discussions have ballooned, but having read the other two in the morning, this one just feels like a rehash of the same privacy concerns folks have raised. And for anyone reading about possible solutions to their concerns, they'd have to jump between 2-3 different threads now.

I'm glad there's at least one WhatsApp thread on the front page for everyone's sake, but personally I felt like the "Looking ahead for WhatsApp" discussion covered much of what's being said here. The difference is that the poster didn't have as good of a title and submitted it when much of the West Coast was still asleep.

Also, while this site doesn't have the resources to comb and diff each new thread to make sure it's not a dupe, I wish more users would point this out when it does happen. At the very least, thanks for pointing out the two existing threads, but we shouldn't be afraid of merging threads to make it easier for future users to reference (if they do).


Fair enough, but I don't see a clearly better solution. Do you?

Since this is a bit meta I've detached the subthread from https://news.ycombinator.com/item?id=12361031 and marked it off-topic.


Edited my comment to clarify some things, but a solution is that if someone points out a thread is a potential dupe, be more open to the possibility of merging that discussion?

Especially since the bulk of the other thread was already talking about privacy concerns and most users would go down that route.

Also, you already do a great job moderating here, but this is just one of those few situations where I'm in disagreement with you on this particular instance.


-->How do I choose not to share my account information with Facebook?

Answer: Don't use Facebook.


Not true. They still build shadow profiles of you.


That's the NSA funded wing of Facebook. (Don't tell anybody)



