EDIT: Practical example. After collecting enough data about user X I create a table about the probability of this user being online in given few-minute time ranges. Then I check the online frequency of that user compared to the online statuses of another user Y. If the difference compared to the expected probability is significant, then I can suspect the two are chatting.
Another thing I can use is the activation delay of the online status, since often X sends a message to Y and this results in Y being online a few seconds after, and then the contrary.
Let's say one of your contacts chats a lot because it's a chatty person. They're online far more than another person. What if that other person only chats on the bus on the way to and from work at roughly the same time every day to tell their wife they're on the way home. This activity will overlap with the chatty person's activity all the time.
By your rationale, they are having a conversation, maybe cheating, and maybe having a work affair.
I think the more contacts a user has that are active, the higher the probability that your model predicts they are having a "conversation" with another user. You'll probably find that your thresholds are really hard to fine-tune: maybe we say A chats with B if abs(A.activeTime - B.activeTime) < threshold, but that threshold is going to be super hard to find* and even harder to validate.
Sure, there is some information here (the picture probably being the most concretely weird) but the fact that you can just go to the App and check a box for privacy means that this seems like not a huge issue.
Yes, WhatsApp made the software, but it's your responsibility to apply your own privacy settings.
We are worried about the NSA collecting metadata, but you dismiss this as an end user problem. Famously this is why Facebook has its settings to be opt-out instead of opt-in, because a high percentage of users never changes the default.
I do get Caveat Emptor but a lot of people do not understand the meaningful implications of privacy.
Edit: On the other hand it would perhaps be better to have it on 'Contacts only' as the default, but you could still monitor your colleagues as they probably have you in their contacts anyway.
I think this shows how some seemingly trivial data points on an individual level can allow one to build something way more than the sum of parts at a mass surveillance level.
And select no contacts on that screen. This is on the Android app, I'm not familiar with the web version.
Edit: Discovered that one can share this information only with "My Contacts". I am surprised I haven't seen this before, or maybe the "if you do not share, you cannot see" info box misled me into not restricting this information to my contacts.
If you think two people talking with each other outside of "state secrets type shenanigans" is a big deal, you're wrong.
There are much easier, much more accurate ways to discover "cheating" than online times for WhatsApp...
I figure five eyes already had this information. I think they would have tools to decrypt all communications from any app, by using rooted phones that scan their own memory for common crypto libraries and then extract the keys.
On the initial run it would not know where to look, and the phone would be set up to go through a proxy that blocks all non-decryptable communications, to avoid detection. A profile would be extracted to quickly and silently extract the keys from the phone's memory and subsequently send them to the decrypting proxy.
Then on the second run, the phone would be wiped/reset and the decrypting/blocking proxy would attempt to decrypt the communications that are now extracted from the phone in real-time. The wipe functions to avoid detection (it makes it look like the phone is simply crashing). Perhaps the wipe would include changing some device IDs and the source IP.
Rinse, repeat until only decryptable signals leave the phone.
(Something similar could be done with stubbing the encryption code in memory and then "moving" it to the proxy.)
Either based on virtualization tools or on memory inspection. Or perhaps ring -1 based.
The kind of tool I wish every techy had, so they could easily discover what their apps are really doing.
I've seen footage, I stay noided, I've seen footage, I stay-
Edit: If you know of similar or related tooling, please let me know! I want this software.
LineageOS (previously CyanogenMod) had a Privacy Blocker or something like that, with which you could block specific apps' access to major APIs like Media Access, Phone ID Access, etc. It's been a while since I last used that, don't know if it still exists, but it sure helped my paranoia. It was fun seeing apps trying to access all sorts of stuff on my phone just to see them being denied access.
Nice Death Grips reference btw.
I have "Status privacy" and "Last seen" set to no one, I assumed that included "If I am online right now".
The initial website display comes from a QR code you scan on your phone, which the website then gets authorized by. Could they not then limit queries to that account?
I could be way off the mark, but it seems to me like the worst of this could be mitigated quite easily without much loss in functionality for users?
> All of the information sent back is the following:
Why would you post information in a status update if you don't want it to be public? Why would you use a picture you want to keep a secret?
First of all, the privacy issues from WhatsApp have been discussed many times before. Yes, the default option "public" is bad, and just like making your profile picture on Facebook "public" means anyone can scrape it. The fact that it's a mobile app doesn't make it different from a website.
Secondly, people in the comments talk about the fact that you cannot control your presence in WhatsApp, and yes that is indeed a serious privacy problem which has been discussed before, but this article mentions nothing about that.
Third, WhatsApp monitors their network for non-user clients (to prevent spam and non-official clients). You may be able to request profile pictures of 500 people, but what about 1 million? Iterating over such a large set will likely cause a ban of your WhatsApp account, which means you need to spend another 10 bucks on a SIM card which will make it unfeasible to exploit.
4 years of experience with chat-bots on the WhatsApp network. I got a lot of SIM cards banned from WhatsApp by experimenting how far I could go. Not only sending messages, but also scraping.
Such limitations can be bypassed. For example one can use a botnet of hacked Android phones or buy thousands of SIM cards in bulk or maybe even some virtual phone numbers.
I'd think most people are pretty aware of how public the WhatsApp info is.
Sadly not shocked enough to even change the privacy settings. Or - beware - deleting WA.
I wonder if Trump uses WhatsApp on a personal phone?
I'm totally shocked... maybe I will make a story or picture on my public Instagram about that issue ;)
This functionality is pretty much what made WhatsApp so easily accessible for anyone in the first place.
> We collect information about your online and status message changes on our Services, such as whether you are online (your “online status”), when you last used our Services (your “last seen status”), and when you last updated your status message.
> Your phone number, profile name and photo, online status and status message, last seen status, and receipts may be available to anyone who uses our Services, although you can configure your Services settings to manage certain information available to other users.
"B-but people don't read those!" - well then maybe that's something to worry about instead of complaining about an API which is the nature of the product.
When you're added to a group with a person in it who's not in your contacts, their messages have the name linked to their account in the corner.
Or is it sent by the client itself?
Made me laugh.
With modern Android's anti-spam features, I can even dodge spam calls to my phone, so this is not a problem for me.
With those modern anti-spam features, you leak all call details to those providers. Read up on their ToS.
I'd like to know more about the anti-spam features. Right now, my anti-spam tactic is if an incoming call doesn't start Google Voice saying "to accept press one", it is likely something I don't care for.