If you think there is no problem, you are wrong. The blog post does not show all the information leaks that this implies. Example: I can modify the script to monitor all the numbers I've in my phone, so that based on the online/offline status in a few weeks I can be able to guess who is having conversations together, discovering cheatings, work affairs, ...
EDIT: Practical example. After collecting enough data about user X I create a table about the probability of this user being online in a given few-minutes time ranges. Then I check the online frequency of that user compared to the online statuses of another user Y. If the difference compared to the expected probability is significant, then I can suspect the two are chatting.
Another thing I can use is that activation delay of the online status, since often X sends a message to Y and this results in, a few seconds after, Y to be online, and then the contrary.
[then an HN user said she/he was not sure this was serious because maybe the users casually had similar patterns, so I replied:]
If you check the model I described in my comment, it should filter the "bus problem", since it will detect a chat only if, compared to the standard "bus time" probability of the user A chatting, it is chatting more if in the same range also B is chatting. If you add to this that people on Whatsapp usually do not talk to the exact minutes, it is definitely possible to create a robust system for guessing with good probability if two often have conversations. Also note that the phone numbers in input are not random, are the ones of a connected circle of persons. Add to this the fact that we can split the ranges even, potentially, by few minutes, and you can even detect interesting stuff for people having continuous chats with multiple persons like teenagers. Another thing that is possible probably is also "groups detection", since at new messages a set of users will activate at the same time.
[And the attack can be refined a lot with more powerful mathematical approaches]
The main objective, however, was not to stalk innocent users but to catch an anonymous IRC troll who was using an identless shell server in order to hide their real account name. Every time the troll wrote to IRC, the activity logger program showed typing activity from a certain user. After a few message exchanges during quiet night hours I was able to reliably pinpoint them.
It confuses my friends though, who write me more at night times than usually, luckily though I've a DnD mode that saves me from waking up. (confuses gf too)
Even if you don’t set away states, one can simply monitor every channel you’re in, every message you send, and then quickly determine what timezone you’re in, when you sleep, when you’re on vacation, etc.
Here’s an example graph of a user, every dot is a message: https://i.imgur.com/DrgVvVw.png and here one from a user with more regular sleep patterns: https://i.imgur.com/a1xdSqR.png (notice the timezone transition when daylight savings time starts? And notice how the user takes about 2 weeks to adjust?)
Anyhow, I'd disable showing online status, typing status, or automatically changing status based on activity.
This was a decade and a half ago, probably longer. The principle remains the same. No, no I don't want you to know when I'm in front of my computer, typing, or otherwise. If I want to appear online, I'll manually do so.
There's no way to disable that.
This is much more interesting because pretty much everyone only participates in discussions when posts are on the front page - it would be tough to schedule/delay a post and stay relevant. Also, the lock-in after 1 hour (or a reply) preventing deletion is huge.
Some HN participants are now kind of "whales" in the startup community - at the very least, this info could be used to schedule cold-pitch emails! (And this is across the entire archive of past users, not just current users. These habits need not necessarily change much.)
Timestamp metadata is all over the place - GitHub activity graph, blog post comments, etc. -- merging timestamps for the same person across their accounts on all the different services offers amazing insights.
The only way to "disable" this is to schedule things or provide garbage data (only when user input is given precedence - like with this tool: https://www.laurencegellert.com/software/github-graph-builde...).
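A self-audit of the timestamp leak and of the scheduling mitigation discussed in the comments above, as an added example that is not part of the original thread: it measures how visible an offline window is in your own public timestamps, before and after random publishing delays. The function names, the 8-hour window, the delay values and the sample data are assumptions constructed for illustration.

```python
import random
from datetime import datetime, timedelta, timezone

def hour_histogram(stamps):
    """Count timestamps per UTC hour of day."""
    hist = [0] * 24
    for ts in stamps:
        hist[ts.astimezone(timezone.utc).hour] += 1
    return hist

def quiet_window(stamps, width=8):
    """Return (start_hour_utc, share) for the quietest circular window.

    share is the fraction of all timestamps inside that window; a value
    near 0 means the window stands out as a likely offline/sleep period.
    """
    hist = hour_histogram(stamps)
    total = sum(hist)
    if total == 0:
        raise ValueError("no timestamps to audit")
    def load(start):
        return sum(hist[(start + i) % 24] for i in range(width))
    best = min(range(24), key=load)
    return best, load(best) / total

def delayed(stamps, max_delay_hours, seed=1):
    """Model scheduled publishing: delay each item by a random amount."""
    rng = random.Random(seed)  # fixed seed so the audit is repeatable
    return [ts + timedelta(seconds=rng.uniform(0, max_delay_hours * 3600))
            for ts in stamps]

def sample_activity(days=28):
    """Constructed data: one post per hour, 08:15 to 23:15 UTC, every day."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return [start + timedelta(days=d, hours=h, minutes=15)
            for d in range(days) for h in range(8, 24)]

if __name__ == "__main__":
    posts = sample_activity()
    for label, data in [("as posted", posts),
                        ("delay up to 2 h", delayed(posts, 2)),
                        ("delay up to 24 h", delayed(posts, 24))]:
        start, share = quiet_window(data)
        print(f"{label:>17}: quietest 8 h starts {start:02d}:00 UTC, "
              f"holds {share:.1%} of posts")
```

On this constructed data a delay of up to 2 hours still leaves a nearly empty 8-hour window, while a delay of up to 24 hours spreads posts across the whole day.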
* Entirely made up number.
That's the one and simple trick.
Only few people have sleep patterns like me (first, erratic graph), and I have them because I often spend my nights working on projects, trying to build new products, and once I've started one, it's hard to stop.
PS: It's not so much the images themselves but what they mean i.e. this analysis :)
There is a real need for a "tor delay" metadata-disruption-as-a-service, where random strangers invoke one another's web callbacks and report back the result in exchange for Bitcoin (Strangers on a Train -style). Someone put it on the block chain and start an ICO!
As I understand random strangers are logged on to tor and invoke each others' callbacks and give back results. Since all of them are anonymized, this is not at all similar to an exit node.
The only purpose of this is to make tor packet traffic patterns hard to follow :)
This could be a service, but not sure if this can be filtered out by the snooper. These will be one off requests from random nodes and will not affect your tor traffic pattern much because I posit the signal to noise ratio of your main activity will be pretty high. Hmm, :thinking: perhaps if we jack up this random traffic, would that hide your main traffic maybe.
Anyone who knows such analyses want to chime in? :)
Moreover if people are using Whatsapp all the time, it is again much more difficult to do.
But I agree with you, there are many situations where these could work
If you have so much money (spit balling here), you could buy google itself I think
There are easier ways to get data on people like their social profiles, and other online breadcrumbs like yelp reviews, any digital footprint really.
Another way is to buy databases of people. People have databases of HNIs, etc that you can purchase. This of course doesn't lend itself to much analysis but if the main purpose was to market to them or something like that, then databases work best :)
Fun fact, years ago I accidentally found out that my girlfriend at the time cheated on me on Snapchat, without me actually exploiting anything. She told me to join it with her, telling me that is going to be fun. Snapchat kept track of users' activity and gamified it to incentivize you by scoring your activity then. Each person has a public activity score when you tap on their profile. One day, I noticed that her Snapchat had more than twice the score that I had. So I clicked on her profile and there it is some strange dude having a score higher than me, it turned out that was her """"ex"""" (I actually never asked her even for his name before, I found out only after that). I never consciously looked for anything, I trusted her 100%, the score was just there on my screen.
Thanks Snapchat for their stupid gamification efforts, otherwise I would have wasted more time on her. But since that accident, I never trust proprietary shit that has money to make, ads to sell, governments to please, and incentives to grow, even if it says its selling point is to protect your privacy, like Snapchat. It's not about the "end to end encryption" or "finer privacy control" or "only allow when app is in foreground" or "restricted sharing" or "MIT open sauce license" or "export your data" or "only listening to hotwords" or "open APIs," it's about the intent. If the intent was to expand and make money, then all those techs won't be the magic pill that suddenly cures the ill intent. Anyway, privacy my ass, man.
This was back in spring-summer 2015.
Found it to be on "ghost mode (only me)." I never touched this setting before.
The real question isn't that what it sets by default, the question is why that chat app needs to know and log your location in the first place? Why does it not only get it and send it when you choose to share? What kind of enhancement does it give to your fucking """experience""" when it logs your location like that?
Shameless plug, I wrote a plugin for Chrome and Firefox to do just that.
(Facebook is the opposite of WhatsApp – you can disable your online/offline status, but not your idle time.)
Related question, does WhatsApp send the heartbeat only when I open the app, or every x minutes as long as it has a network connection?
It's certainly a more popular app outside of the USA. They initially gained traction because they were willing to make apps for things other than iphones and androids - which gave them a huge following in the developing world where people may still use 10+ year old candy bars.
SMS took off faster in Europe than in the US, but we've had bundled packages for so long that the individual cost per text wasn't such an issue, and now on many plans they're unlimited.
I guess the differing cost structure depending on who you're texting and from where may have spurred the adoption of WhatsApp, whereas in the US, even if you WERE paying per text, it was the same across a territory of many thousands of miles and hundreds of millions of people. And, the same way that many folks in the US do not even have a passport, they tend also not to have a reason to text internationally. The size and homogeneity of the country benefits the adoptions of some technologies, but hinders the adoption of others.
I think the reason is that a typical cell phone plan in Europe was like 5€ per month, plus 0.07 cents per text (or call minute). Whereas typical American plan was $50 month, but unlimited free text and calls. So people who text a lot didn't want to pay even for the tiny amounts for individual text messages, and migrated to using apps.
The all-inclusive fixed price monthly plans are only now getting more popular in Europe.
But yes not every 2 minutes
Also the group messages are great. My housemates and I all talk via a WhatsApp group. It makes it far easier to hold a coherent group conversation when some of us aren't at home. SMS would be a ballache.
Oh and GIFs, voice messages, and videos can be sent in messages. Free calling too. I can call my friends in Australia for nothing, and it's not a bullshit experience like Skype.
I almost never send true blue SMS any longer.
* SMS don't have read receipt.
* SMS depends on cellular connectivity.
* SMS and MMS have very limited media transfer support.
* SMS don't have feature similar to groups.
I feel like this is a pro.
Yes, they do. iPhones don't seem to do that, but old GSM phones did it (like my first phone, Ericsson T20, which got released in 2000). Androids have read reports in the default message app, if I'm not mistaken.
Delivered vs read is only accurate if you have an eye tracker.
Obviously WeChat is not secure in any way, though ;)
And here the problem begins, a lot of software engineers seem to conflate this disinterest to stupidity and think this gives them a right to do whatever they want with other people's data.
There is a fundamental lack of understanding and respect of other people's rights and privacy and an easy dehumanization that is disconnected from human society and the evolution of fundamental rights like the right to privacy. Regulation will catch up and eventually address this as more people become aware but is a troubling reflection of a large part of the software ecosystem.
I suppose you could use that limit to set up enough WhatsApp accounts on proxies to effectively have access to all registered #s?
Is that the idea? Seems doable if you're not too risk averse, have no family and live in a country with weak extradition laws. Kidding, there's nothing illegal about any of this stuff or FB, Google and lots of other companies would not be in business.
FB would have a civil claim against you -- they paid several billion dollars for the legal right to all that user data!
Creating an app with the sole purpose of backdooring WhatsApp on a user's phone seems like it'd open you up to a lot of lawsuits. Ethically it's a mite more questionable, but the original article is still unethical in that you're monitoring people without consent.
Like I said above, I'd do this just so that they'd crack down on it. It's still a "means justify the ends" argument, however, so you have to be quite comfortable with moral relativism.
Now, I just need to train people into calling me only between x:00 and x:05. But I don't get many calls anymore, everybody texts...
when you send a message from the Messenger app there is an option to send your location with it
the mobile app for Facebook Messenger defaults to sending a location with all messages
One thing I loved about ICQ-esque IM services was that you could clearly see whether a contact was online or not. I still feel weird starting a conversation on WhatsApp because of the lack of clear visual cues of the contact's status.
Very well written.
Is Facebook still spitting out similar crap? I checked the console and there is a reassuring looking message there, but I am not up to date.