Hacker News
WhatsApp gives users an ultimatum: Share data with Facebook or stop using app (arstechnica.com)
2254 points by erwinmatijsen on Jan 6, 2021 | 1148 comments



It's harder for US folks to understand just how much of a monopoly WhatsApp has in Europe and the UK.

Pretty much all of our school and local community communication happens via WhatsApp. I'd change to Signal or Telegram in a heartbeat, but the inertia is so great it's not possible.

It pains me to say, but we're getting to the point where companies like Twitter, Facebook and Google need to be treated like utilities or something so that such moves as these can be scrutinised and controlled more effectively as Facebook could pretty much (within current law) introduce whatever policy they like and users would be faced with the option of accepting or being cut off from their local community.

Given the pandemic and the UK lockdown, this is not tolerable.


I'm also in the UK and I deleted WhatsApp 2 years ago when it became clear that Facebook intended to move in the direction of fuller integration (I deleted my Facebook account after 1 month of usage 10 years ago). However, I had to reinstall WhatsApp because all of my kid's sports activities and school updates are organised through WhatsApp groups and it is impossible to participate without WhatsApp. Much as I believe in the cause, I'm not going to go preach it to the volunteers who coach my kids' rugby team. The scary thing here is that the actual real-life "social network" has been privatised and monopolised, and now we can't participate in society in very important ways without going through Facebook.


My experience is similar.

I want to add that when I left WhatsApp (~2y ago) I deleted my account. WhatsApp kept accepting messages on my behalf. People didn't know I wasn't getting their messages. I'm surprised I don't see this mentioned to the point I wonder if I did something wrong at the time.

In the end, I reopened a WhatsApp account recently because everyone is using WhatsApp in France and I couldn't stand breaking everyone's efforts to bring us together during lockdown.


> People didn't know I wasn't getting their messages.

They saw 2 ticks, meaning delivered to your device? Or did they see one tick, meaning only delivered to the server?

If it's the latter, that's a reasonable choice for the server to make. The server has acknowledged receipt of the message, and failed to send it to your device.

If you wanted WhatsApp to advertise to your contacts that your account was inactive, you could have maybe sent them a message yourself?


> The server has acknowledged receipt of the message, and failed to send it to your device.

Doing this without explicitly telling the other party is a dark pattern.


I would wager that most people using WhatsApp know the difference between one tick (server receipt), two ticks (client receipt) and two blue ticks (client actually read it).


Marking "Server received message and is holding it for user" with the same icon as "server received message and determined there is no such user" is dumb and bad and wrong, and probably also a dark pattern in this case.


If you click on the message you get a Message Info screen which shows you exactly what state the message is in and the timestamps. It explicitly says "Sent"/"Delivered"/"Read" alongside the ticks and at what time it happened.


I would take that wager. I certainly know what it means, and I imagine many users do, but the majority? I doubt it.


I can confirm my mother has no idea what these ticks mean. She can't make the difference between WhatsApp and iMessage either. At the time I left, I told her so and she kept wondering why I was not getting some of her messages (the ones she was sending on WhatsApp, that is).


I didn't know that until just now.


I didn't know that until after having used such apps for some years -- never thought much about those small symbols.

@heipei: the curse of knowledge, I learned yesterday, via https://news.ycombinator.com/item?id=25658216


Were you a regular user? I’d wager most regular users know this. It’s a verb among my friends, like “she’s blue-ticking me”.

What’s more, if you tap on “info” after long pressing any message, the app explains it to you.


Most users don't search for extra info screens and extra information in apps. ESPECIALLY not the older generations. I'd argue that the majority of people may understand the blue tick, but that _very_ few understand the difference between a single check and a double check.

Even the ones who do understand a little about the checks probably don't bother thinking about the difference between "sent" and "delivered". They'd understand it if it was pointed out to them, they aren't stupid. But they don't care enough to realize it because they shouldn't _need_ to understand it most of the time.

And even so, the checkmarks are very subtle and easy to not notice if you don't expect to need to look at them. A user is more likely to say "well it didn't give me an error so it must have sent, I wonder why nindalf is ghosting me" rather than "huh, I wonder if WhatsApp actually _delivered_ the message to nindalf, let me check"


I use it multiple times a day. I'm in half a dozen groups.

I use it somewhat reluctantly which might reduce the degree to which I actively seek out understanding. I wish we'd all go back to vendor neutral channels of communication but I also appreciate the fact that it is less sucky than SMS.


I’ve been using WhatsApp a few times a day for the last year, and infrequently for several years prior, and I had no idea.


What is with HN and throwing around words like dArK pAtTeRn?

No it’s not a dark pattern. They’re being as transparent as possible. If you long press the message and click “info” they even explain what each tick means and when each event took place. It’s literally not possible to be more transparent than that.

And before the privacy brigade who’ve not used the app show up, this is configurable. You can opt out of sending and receiving read receipts. And since it’s a closed app with no other implementation, you can’t circumvent that either.


You're wasting your time. This is HN - any decision made by Facebook or a Facebook-owned company is automatically evil.


He deleted his account. It's absolutely not reasonable to accept my message without informing me the user I'm sending to is not on the platform anymore.


I can only guess that people sending messages to my cancelled WhatsApp account saw only one tick. That's still meaningless to less skilled users and there's no way to tell if the user has gone forever or if they're just offline for a bit.

Anyway, my point is that WhatsApp shouldn't silently accept messages for a nonexistent user no matter what weak signals you get. When you send a text message to a nonexistent number, you get an error. Same for an e-mail.

I can't help but think it's a way to deter users from leaving WhatsApp.


Did these marks even exist 2yrs ago? I know they didn't when I started using WhatsApp ages ago, but I don't recall when they were added...


They've been present for at least 5 years


> WhatsApp kept accepting messages on my behalf. People didn't know I wasn't getting their messages.

As an FYI to you and anyone reading this, you can convert your account to a business account using WhatsApp for Business. It has an auto-reply feature that you can enable with a custom message, to inform people you've moved to whatever platform you've decided to move to.


This is precisely the dilemma in a nutshell.

You have a choice but it's a bit like voluntary solitary confinement. Especially during a lockdown.


When I switched from Windows to Linux, sure there were some inconveniences but with enough technical knowledge and a bit of inconvenience I was able to get by.

But social media? What do I switch to?

> This is precisely the dilemma in a nutshell.

Exactly my problem too (car mechanic, plumber, school parent committee, loads of my friends …) – I need my car fixed, I need my plumbing fixed, I need to communicate with other parents. I hate that I have no choice but to use a Facebook product when I am not even on Facebook!


Just thinking out loud here, as I was considering something like this.

I can also not give up the WhatsApp account due to the social pressure. What if I would use a second phone, a cheap one, used only for the whatsapp (and some other essential but privacy invasive apps). I would not have that second phone always with me, but it would provide me access to the social network I need without feeling tracked or providing more data than needed.

I do understand that this doesn't fix exactly the issue presented here, but I already assumed that whatsapp data was already in Facebook's hands one way or another. But I would limit the amount of information that WhatsApp can track about me by having this application on a phone which does not really represent my full actions as I don't have it with me.

Edit: Corrected some typos.


Trouble is you are privileged enough to be able to afford two phones. For many families, even a $300 device is a significant expense. So if your approach was the only approach, only the rich would have privacy.


Thankfully his approach is not the only approach - just don't use WhatsApp! I never have despite the pleadings of my friends to use it.

If they can't be bothered to email or send an SMS to me or use Signal or video call via the multitude of alternative messaging services (Duo, FaceTime, Skype, Signal etc. etc.) I don't think they're that bothered about being my friend are they?

If their friendship hinges on me using a specific mobile app, that's a shallow friendship.


There's a "social capital" thing going on here. Your friends are usually willing to make some amount of effort to talk and hang out with you, depending on how close friends you are, but there are limits to that. Nobody wants to get together with someone who insists on doing everything their way every time. Most people don't care to spend what social capital they have getting their friends to use a different messaging app. You're only burning even more social capital if you try to lecture them about things they don't care about, such as Facebook having their personal information.

Particularly, this social capital is at its minimum when you're trying to develop new friendships. Good luck starting any when you refuse to use the app that everyone else in the area uses to communicate.


That just sounds like "everyone else is smoking, so I should start smoking too". Just because everyone else is doing it does not mean it is the right thing for you to do.

In this instance, if developing friendships relies on me sending my data to some unknown person the other side of the world so that they can build graphs on my activity and follow me around just because everyone else has decided that's what they want to do, then I would choose another path.

Wouldn't you? If not, please send me all your data and details of your activities, all the time. If you can trust that data to some guy you've never met in a datacenter, then why not send it to me. You've got my username - that's more than you'll ever know about the people looking at your data at Facebook.


> "everyone else is smoking, so I should start smoking too"

No, what they said is equivalent to "everybody is smoking but I'll annoy the hell out of them so they stop, and I'll refuse to meet them in person before they quit"


It's an individual-level realpolitik. You (the general you) are welcome to take such a stand if you care to, but the price is that your social opportunities may be severely constrained. There might be other things about you or your life that also constrain your social opportunities, things more important than who has your data, and if that's the case, then taking such a stand may leave you rather seriously isolated.

I would not "choose another path" because those things are more important to me. To be blunt, I'm not sending such data to any individual HN reader because that would have no relation at all to my practical ability to maintain friendships with people in real life.


You may have missed the point that in Europe, many many things are organised via WhatsApp. Kids football clubs, dance clubs, parents' evenings, school closures, social club outings, ...lots of things.

Other people are saying that in their countries, Health Services and bank transactions are coordinated via WhatsApp.

It's not just about messaging your friends, and for many people, "opting out" of WhatsApp is not a viable path.

[1] https://news.ycombinator.com/item?id=25669702

[2] https://news.ycombinator.com/item?id=25669600

[3] https://news.ycombinator.com/item?id=25671117

[4] https://news.ycombinator.com/item?id=25671855


I live in the UK. I understand that people arrange items via WhatsApp but it seems baffling to me. Why not just use email to notify people??

When you sign up to any service, they ask for an email address. They don't ask for a mobile number necessarily, and there is never a "my mobile number is on WhatsApp" checkbox. Why is the assumption of the organiser that you're on WhatsApp your concern? They have assumed you're on a certain platform, and it's their mistake.

It reminds me of the tidal wave of people suddenly abandoning their own websites and instead using "Find Us On Facebook". They might as well put "Use this keyword on AOL".

Facebook is not the internet, and WhatsApp is not the only communication method.


You can be as upset about the state of things as you want to be -- yes, it's wrong and broken and unfair -- but you can't change the state of things by just wishing hard enough. The GP's point stands, things are organized via WA, even though they shouldn't be, so your choices are exactly these:

  - Use WA and participate
  - Don't use WA, don't participate
  - Go stand in front of the home of whoever organizes the activity and have a little one-person picket parade with angrily-worded signs -- this is the same as #2 but might make you feel better


I am not upset about it at all - I think you are projecting that. I don't use it and it doesn't affect me. I was just presenting the alternative mechanism of using the established communication method of email for notification of events since an email account is requested for most things (tax returns, bank account, most accounts).


Perhaps it's baffling, and perhaps I agree, but one cannot deny the reality. They don't use email, they do use WhatsApp, and not using WhatsApp is effectively impossible for people in that situation.


Then the reality is insanity!

My mind is blown.


Why the use of the word “privilege”? We don’t know what balance of OP’s wealth is earned vs unearned (privilege).


We also don't know how much the phone was. It could have been a very cheap device. My main phone was £200 and the previous one was £120.

Looking on Amazon.com, a Huawei P Smart 2019 (32GB, 3GB) 6.21" FHD+ Display, Dual Camera, 3400 mAh Battery, 4G LTE GSM Dual SIM is $209.99.

I think some have assumed that he went out and bought an iPhone 12 Pro Max as a second phone, and we don't know that.


It could also be that he had the "privilege" to earn it (as not everyone has that privilege).


Seems a bit reductionist of the concept of privilege because everything becomes privilege as there is someone who has experienced worse with few options. For an extreme example, dying with cancer becomes a privilege compared to someone who loses their life immediately in an accident. Only one of those two has a chance to say goodbye as well as prepare their friends and family.


It’s not just reductionist, it’s a misuse of the word in a way that is becoming more fashionable. Buying phones does not come under the meaning of privilege, unless perhaps you’re in prison (I struggle to think of an example that might occur and isn’t patently absurd). The rest of us can walk into a shop, those things that are open to the public.

Hopefully this misuse is just a fad and we can go back to a more sensible use.


Or it could be they just worked really hard or prioritised or what do I know.

But I agree privilege is vastly overused.


Exactly. Privilege can indeed be earned through hard work (without implying that's the only way to gain/earn it), and one is free to use privilege in life. It's still privilege, and the troublesome part is when that goes unacknowledged.


Who does not have the privilege to earn money for a second phone and what would that privilege be?


Please describe what you mean by “privilege”. Privileged enough to have a second phone? What does that even mean? Am I also privileged to have a second laptop and a PS4? Should I feel ashamed because of this and why, exactly?


If you can afford to have a throwaway phone with a second phone line of service -- remember, WA must be tied to a phone number, and you don't want to give FB your real phone number, right? -- then you are probably doing better than the average person. Remember all those articles about how the average US resident can't afford a single $400 surprise bill? That's called privilege. Nobody is saying to "feel ashamed" about it, just remember that if you're suggesting a second phone as an acceptable solution to this problem.


That wasn’t me, I did not suggest that. Though your choice of wording is horrendous and your understanding of the term “privilege” is ridiculously wrong and borderline humiliating. It is not a privilege if you earned it by hard work. I spent years, decades of my life learning languages, educating myself in tech, and now you are saying that I am more privileged than an average person because I am earning more? I don’t think so.


On Android you could use Shelter [1]. Might not be as good as a second phone but it heavily limits the data you expose. You can also freeze the app if you don't use it actively.

The biggest annoyance is that Android only allows having exactly one of those "Work Profiles".

[1] https://f-droid.org/en/packages/net.typeblog.shelter/


>What if I would use a second phone, a cheap one, used only for the whatsapp (and some other essential but privacy invasive apps). I would not have that second phone always with me, but it would provide me access to the social network I need without feeling tracked or providing more data than needed.

This is what I'm doing currently: an old phone used exclusively for whatsapp (with an empty contact list); it always stays at home. I only use it to coordinate kid's stuff (school, social activities, etc), so there is no problem with me not having it with me the whole time.


You can limit what an app can gather anyway, if you wish. If you would go to such extremes to have a second device just for WhatsApp, there are ways to hide things from it on your one main device, too. I go for microg in order to cut Google's surveillance, and usually allow no permissions on untrusted apps, so all they can get is the IP. You can mitigate that too when needed, though probably with more effort than is practical (accessing the internet is something that can also be restricted from default Android permissions).


When this article went up, I realized that I'd allowed WA to access my Contacts, so I went in and revoked that permission. It immediately reformatted my whole conversation list as phone numbers instead of names. I can't rename the conversation, but I can "add to contacts"... which inexplicably shows me my OS contact editor, which they're not allowed to read. So I guess that as punishment for not letting them constantly vacuum up my contact list and send it all to FB, they make it harder to figure out who I'm talking to. Classic FB.


I have a second dirt-cheap used phone with a disposable SIM card just for WA. But you could make a WA<->Matrix<->Signal bridge (https://matrix.org/bridges/) using a temporary phone no.


Or even a VM if you don't want to have a physical phone.


I've recently switched to using Whatsapp in an emulator, which is kinda similar. I even almost got a virtual camera working so I can share my desktop screen via whatsapp call (would be super useful for parent tech support). Laptop cameras should work fine though.


I'd be very interested if you could add some info regarding what software you used to do this.


I used Bluestacks emulator (and Nox too, one has to be a clone of the other I guess) to run the app. For the virtual camera I used OBS with a plugin to emulate a webcam. This worked for the webcam feed in the browser, but in Windows > Camera it wasn't detecting anything. I got the same results when trying to use an old smartphone as a camera via DroidCam before I gave up.


I tried to run a branch of a charity without WhatsApp and Facebook for two years and it was impossible. I had to give in and sign up.

So, these things should be regulated and operated like utilities. Phone companies don't have the right to mine my contact list, and neither should Facebook.


> I'm not going to go preach it to the volunteers who coach my kids' rugby team.

Why not? I would.


And tell them what? Please all go install a different app? That only works if you can get everybody on board, it's unacceptable if a parent gets left out because he isn't there that day or cannot get it to work.

You would also have to explain to them that Facebook cannot read your messages, but they can see the meta data. And then you have to explain to them what meta data is.

I think your kid is not going to appreciate your efforts.


The point is that you can tell everybody why you don't like WA, and even come up with a really good way of explaining the problems to non-technical people. This might even work in some cases. The problem is that WA has an enormous head-start in Europe. So maybe you talk around your gym, but your kids' school can't justify switching. Guess what, you're still stuck picking between using WA and missing out on big chunks of your real life.


Wait for them to ask the why, tell them as succinctly as you can that fb is evil and there are alternatives.


How do you tell them succinctly in a way they can understand that the company that makes two of their favorite apps IG and WhatsApp is evil?


'they deliberately fine tune their product to make it more addictive'

'yes, and?'

'other companies have the same product (talking about chat) and don't contribute to the formation of monopolies'

'you're way out of line'

'i just don't trust them and i use a different service'

'ah? tell me more.'


If you think privacy is important, you have to do something about it.

It's a lesson in civics. To do nothing and say nothing while expecting someone else to fight the good fight is poor citizenship, but it is very good consumerism.

https://en.wikipedia.org/wiki/First_they_came_...


Wow I had a similar experience at university. I only joined Facebook because my course had a Facebook group where we all communicated. Now this same hook exists in WhatsApp. It’s pretty crazy


the issue is that people would probably not want to pay for an app like WhatsApp, and so the 'free' alternative takes hold, and whoever controls that gets the cost of running the infrastructure in advertisement fees.

If some company could set themselves up as a utility, and the mobile network operators were to pay that company to run the messaging app + infra, then it could be made to operate like a utility and nobody's data would have to be sold.


I could remember initially paying for a Whatsapp subscription a couple of years ago, I was happy to do so as I believed they were providing an essential service.

I think that model could've worked.


And wasn't it just $1 for a year?


This could work as a good argument to switch if executed well.

'your device owns you and is siphoning cash from you'


In the U.S., my experience with Whatsapp was that I created an account and never used it once to communicate with anyone, then I deleted it.

I've also withdrawn from social media.

The exception for now is HN, because it's more of a forum, even when bad information sometimes instates itself as reality for a large conversation, like a big gathering of fans talking about their team that will inevitably fail to win or perhaps a bad STD.

I learn what others are doing through direct and intentional communication, even if technology is used or if the information is second-hand. I don't text back or call back immediately, which my friends and family forgive, but it sometimes seems to hurt my relationships.

I still worry of dependence on large companies, big data companies gathering more information about me than I know myself, and the potential of out-of-control AIs. However, I attribute these in-part to my own paranoid thinking that use my memories of large company layoffs, privacy concerns raised in the tech community, and mostly fiction.

While I've come to the realization that the act of trying to be happy and successful is the very thing that makes me unhappy, and I just need to exist, maybe becoming better at whatever I'm naturally good at, while being here and now with those I'm with, giving my service to them... I still keep wasting time replying about things that don't matter.


WA is not particularly good, it's just that I don't know anyone who doesn't use it (in the Netherlands), even when you want to contact helpdesks it is sometimes the preferred way. I mean, we have this in many streets: [0]

Without kids I could see myself getting away with not using WA, but with kids you are really setting yourself up for a very hard time (and prepare to be judged by other (annoyed) parents and your kid will feel the consequences at some point, the kids will miss out on critical and fun information).

WA has almost become what email used to be. Except that it's a controlled platform and we are locked into a single provider, a provider that once promised a focus on privacy and an app free of commercials, forever...

[0] https://duckduckgo.com/?q=whatsapp+buurtpreventie&t=ffsb&iax...


It has completely replaced texting in NL and some parts of Europe too, and I mean that literally.


yep, here in the UK everyone I know uses whatsapp. Some people have telegram as well, but WA is the baseline. The only SMS texts I get are marketing and automatic notifications.


What does it do that's so great?


It's "good enough", and it used to be free when texting wasn't.

And it's better than SMS at Unicode.


And at sending/receiving pictures... MMS was even more expensive here.


It's more reliable than sms - I used not to receive some of the texts people would send me, which caused all kinds of misunderstandings. I ended up doing experiments with friends sitting beside me just to prove my point. The same thing happened to family members.

I'm not sure what the problem was, but WhatsApp solved it.


I don't actually use SMS but I don't think that most people get read/receipt confirmation. The little check-mark system in WA is a big step forward compared to plain texting. Of course, similar features exist in other chat applications, but if the comparison is just between WA and SMS, that's a big difference.


it just replaced texting back when phone contracts tried to charge lots of money for texts. The network effect does the rest.


At one point I had unlimited data (2011-ish?) for 5 eur/month and a text was 20 euro cents per 160 chars or so... So I guess providers wanted SMS to disappear here.


>Twitter, Facebook and Google need to be treated like utilities [...]

Our generation is reinventing the wheel here, our ancestors had exactly the same problems with the power, water, gas, telephone and rail networks (at some point in time, all those were unregulated and privately owned) and did exactly that. Critical infrastructure needs to be heavily regulated, if not outright publicly owned.


I think similarly to how Europe has forced banks to interoperate by making them write a protocol that can interoperate, governments need to force social media companies to write down a protocol and use it.

I like the analogy with utilities, but the issue is that we pay for electricity, but we don't pay for our usage of social media. As long as that's true, it is difficult to do what I'm suggesting above.


Exactly that. There needs to be a mandated federation protocol for instant messenger apps that have, let's say, > 10 million users in the EU.


I think India's Unified Payments Interface is a better analogy here. From what I understand (as an outsider, so based only on what I've read) it provides a universal API for mobile applications to interface with banks, essentially standardizing the federation of bank transfers. Therefore, your account at bank X can be used to pay an account at bank Y for some service that uses app Z.

https://en.wikipedia.org/wiki/Unified_Payments_Interface


Why would that be a better analogy than the European system that allows you to do the exact same thing?


I wrote a tweet thread about this which I will post here for convenience:

Consolidation is a debt. You gain market cap at the cost of introducing systemic weakness and reducing broader market innovation. Once a company becomes a fundamental service they need to be regulated like a utility

(I will illustrate with Facebook)

Facebook can get the license to operate it but they also need to open up their APIs so others can build on top. These should become web standards governed by w3c.

Facebook is an interesting case as this system would remove all the perverse incentives driving their business model (no more ads). It would also crash their stock. That value hasn’t disappeared though, it has been pushed out to the edge nodes of their network (specifically the companies building on top of their APIs). My thesis is that this model will increase the overall pot while reducing the share the largest players have.

The knock-on effect of this is that investors will see this as the final outcome and be less incentivised to invest. That may be a problem as we don’t want to stop the emergence of billion scale companies altogether. Therefore a mechanism for the people to buy out the company at a fair legally agreed market value should be in place. This will stop crazy upsides and protect the undesirable downsides. The asset then becomes publicly owned but privately operated according to regulations.

AI would fall under the same model. With open APIs and standards anyone can get the data they need to build new AI companies. Especially feasible if we move towards self-sovereign identities and crypto methods of exchange.

To facilitate more small tech innovation we need to introduce a UBI. It will allow more people to take risks with their time leading to more cottage innovation. In 100 years it will be a fundamental aspect of fiscal policy.

Additionally education needs to be refocused on making things. People are not equipped with the skills to build things. There is no better way to learn, grow and generate value. If we want a diversified small tech eco-system economy we need to focus on helping people develop the skills that make it possible.


I don't like the idea of government having full control of these services.

I believe that we need a fully decentralized system, much like e-mail, but realtime and E2EE. Sadly, it seems to me that we're taking the opposite direction. Just a few widely used messengers, all of them are centralized, some of them have E2EE, but who knows for how long - EU commission seems to like the idea of breaking in. No matter what their intentions are, I didn't sign up for that.


In essence I agree with you, but let's not forget that in most countries, the government has already complete (albeit strongly regulated) control and access to postal services and everything that is sent through them, and I think most citizens (me included) are okay with that as well.

Furthermore; I'd much rather have the government spying in my stuff than Facebook selling my data to the highest bidder; at least if that were my only two choices.


> and everything that is sent through them

Are you seriously comparing letters and private IM conversations? I don't know about you, but I received/sent maybe 5 letters in last 10 years, none of which were from/to another private entity.

> I'd much rather have the government spying

I consider this very short-sighted and dangerous, but that's your choice.

> at least if that were my only two choices

Those are not your only two choices, that's kinda my point. We actually don't have to choose between a greedy company or a state. The only decision people need to make is centralized or decentralized system.


I share most of your sentiments, I really do. In a perfect universe, we'd all be using fully e2e-encrypted messaging systems. But:

> The only decision people need to make is centralized or decentralized system.

They already have this choice; Matrix and others have existed for quite some time already. Yet it is evidently clear that your average citizen will flock to whatever messenger is the easiest to use and is already used by their friends/family. Security/privacy are second thoughts at best, if at all; and even if it were important, grasping the different implications of all the available options isn't exactly easy either.

And since we can probably agree that the vast majority of folks already "fail" to make the right choice in this regard, I'd much rather have a regulated, government-controlled messenger than some company like Facebook. The former is accountable to its citizens, the latter to its shareholders - if I have to pick my poison, the choice is clear.


> Are you seriously comparing letters and private IM conversations? I don't know about you, but I received/sent maybe 5 letters in last 10 years, none of which were from/to another private entity.

...because email and IM exist. They used to not exist and people sent paper letters to each other all. the. time.

Now there are places and people I need a particular digital post office company to communicate with - and the worst part is, it's because they don't really care and thus force me to risk giving up my data if I want or need (read - am forced to due to life circumstances) to talk with them.


I think this trust difference is a general division between Europe and US. Europeans generally trust their governments more than private companies, and vice versa in the US. I would assume both have valid reasons for this on their own side of the pond.

For what it's worth, I too would trust the government a whole lot more than Facebook.


That's a good observation, and I agree, though I wonder why.

It would seem to me that Americans have had more experiences with bad companies, and Europeans more experiences with bad governments over the past 300 years...


It seems most people have chosen the centralized system, whether we like it or not. So then, the next choice would indeed be „public or private“?


Amen.

Not to forget the things that were in co-operative ownership, either.


Sure, let's make the public alternative, but I am strongly against taking over businesses.


I am strongly for taking over businesses which are de facto monopolies.


If your public alternative can't win the users then "breaking the monopoly" will worsen the user experience. I don't want to live in that world - consider Telegram, a much better experience than WhatsApp, and it won over many users already. Evidently the monopoly is not as strong as is suggested. Telegram might not exist if there was a risk of losing the company. I don't want to be stuck with bad public software. In reality, when you destroy WhatsApp, people won't use the bad software, they will go to the next player and make it a "monopoly" because it most likely will be a better user experience.


At every step of the way, Facebook has leveraged its size and existing troves of data to undermine and buy out the competition. The goals of Facebook, Amazon, Microsoft and Google are the same - world domination. Same as any mega conglomerate of years past. The difference now is tech scale and the willingness of regulators to allow it to happen.


Then how come my entire family and most friends use Telegram now?


Network effect and evangelism — i.e. you.

How come the absolutely, humongously overwhelming majority of families and friend groups don't use Telegram, but WhatsApp?


Network externalities in communication networks make it so that you can create a 10x better application and still have 0 chance of competing.


I disagree. Facebook, Twitter and Google are ephemeral utilities. They will probably be replaced by another company.

Privatizing them will just let someone else come along and Embrace, extend, extinguish them.


> They will probably be replaced by another company

Nobody has a chance, but different reasons in each company:

* What we have seen with Google - For a search engine, the more traffic you get the better results you can give (you can A-B test different algorithms for different queries, and optimise results). For new entrants they need to be popular before they can be better, which is a catch-22. Additionally Google has significant revenue which is very profitable because of its monopoly position, and it can use this to reinvest in search technology to further widen the gap. It's going to take more than 2 people in a garage to beat modern Google at search!

* For a social network, Facebook buy out any potential competition when it's gaining traction to further solidify their monopoly. See WhatsApp, Instagram, Friend.ly etc.


> For a search engine, the more traffic you get the better results you can give

Lately I have been noticing the opposite trend. Google search relevance is going downhill for me. I'm not sure when that started but I noticed it in 2019-ish last two years. YouTube search is so bad (note: I have history disabled), I rely on Google to search YouTube.

Playing cat and mouse with SEO seems to have taken its toll. I find myself going to DDG and Bing a few times a week. Before it was only Google.

> For a social network, Facebook buy out any potential competition when it's gaining traction to further solidify their monopoly.

Maybe, but each of those competitors is essentially a fad, and Facebook forcing WhatsApp users to log in via Facebook seems to me more like a desperate move than anything else.

I agree those acquisitions are IMO problematic, but I am not sure if they are strengthening Facebook, or killing it with a thousand cuts.


Them going out of business in 60 years doesn't mean we have to sit on our hands now.


I don't think they will last 60 years as monopolies. Like the IBM of yesterday, they will shuffle around as shadows of their former selves.

MSFT is nowhere near the behemoth it was, with Windows 10 being a minority compared to Android.


Blame the carriers. Modern SMS could have been great, but the carriers didn't want to lose the however minimal revenue they had with SMS. (Not every country has unlimited SMS across all networks and across the world.)

Or blame MSN, the instant messenger, when Microsoft refused to admit defeat to the smartphone platform.

So WhatsApp took over in the EU (I believe iMessage or SMS is still popular in France), UK, SEA, Brazil, Hong Kong. Line in Japan and Taiwan, KakaoTalk in South Korea. Unsure about Australia and Canada. (They use WhatsApp but not to the extent of the countries listed above.)

And it is iMessage in the US. I have no idea why that thing even took off. I have tried it a dozen times over the years and every few months it has problems with message delivery, people in groups not receiving any messages, poor searching capabilities, etc.

Telegram has gained usage but for a different kind of reason. And I don't see it ever being used in the same manner as WhatsApp.

So most of my friends just clicked yes and shared their data. It is important to note that despite the increasing hostility against FB on HN and in tech circles, most people in the world seem to have no problem with it. I don't see WhatsApp going away any time soon.

Edit: How does this data sharing fit in with GDPR in EU?


> How does this data sharing fit in with GDPR in EU?

It actually doesn't fit at all. As long as "payment" for usage is based on agreement to share personal data it is illegally obtained consent. Either they are ignoring their lawyers or they should fire them.

EDPS Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, 14 March 2017, p. 7.

"There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give the market the blessing of legislation. One cannot monetize and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction."

https://edps.europa.eu/sites/edp/files/publication/17-03-14_...


I think iMessage took off, because you don't realise it's not SMS. Open the Messages app, type a message, if there's an iDevice in the other end, BOOM, iMessage.

Where iMessage fails is when the device in the other end isn't an Apple device, or perhaps the contact previously used an iPhone, then fallback to SMS is troublesome.

Most of my family members will send an "SMS"... except it's via iMessage, but nobody knows or cares.


I have this problem. I use an Android phone, but have a Mac and iPad. My mum has no idea how to send an SMS to me so will send me messages on iMessage that I don't see for weeks because I haven't used the iPad or Mac (been working on Windows for a while writing code).

Infuriating.


I'm in the opposite situation. A friend has iMessage on the computer but just SMS on the phone. There's no way to force send an SMS on iOS anymore. All the guides I've found just mention the "Resend failed message as SMS" but messages never fail, they're just queued on the computer.


Oh so no way to explicitly send a SMS from iMessage on an iPhone now?

That'll explain why my mum can never ever get in touch with me.


Carriers are now looking to RCS as the messenger alternative, but if they price it like MMS, they will kill it. To do it cheaper, they have to give a large chunk of the service to Google, which gives Google the data mining opportunities :(


MMS is free at this point, in many countries. The carriers in those countries will make more money by using RCS, because it will use cellular data (at least if I understand it correctly), which isn't free.

My point being that I don't think many carriers care about text messaging, or phone calls. They sell you a fixed cost plan for those. The only thing that can really affect your price is data usage. If Google wants to deal with the hassle of managing a messaging platform, great, that's money saved on running a service that isn't making money anyway.


Is RCS using Google infrastructure? I thought it stands for Rich Communication Services, the SIP/IMS based telco system?


GDPR still holds. The data can only be used in an aggregated form for advertising purposes within platform (facebook, insta, whatsapp) and not be sold to others. You have the right to have your data deleted upon request.


Ditched it about 2 years ago. And man, it's so hard! Literally everybody uses it here in the Netherlands as well.

I'm getting strange looks every day when people hear I don't use the platform. It's horrendous.

I also really fear for the moment where I've to tell a nice girl I met that I don't use the platform, and that we should use X other platform instead. I can imagine that to be a letdown or to be weird. That's insane to me.


I got used to the strange looks. I got the strange looks when people heard I didn't use Facebook. If you asked them to sign up to a website on the Internet that was popular in your circles just so you could be friends, they'd refuse, eg. "please sign up to basschat.co.uk because all my friends like bass guitars".

If their friendship relies on you installing an app on your phone, that's a very shallow friendship isn't it?


> If their friendship relies on you installing an app on your phone, that's a very shallow friendship isn't it?

This argument doesn't make sense. You can't just ignore practical aspects entirely and justify it with a cheeky "if they're truly your friends they'll accommodate ahah".

Sure if I want to send a private message to a friend I don't care whether its via SMS or whatsapp, but if I'm in a group chat with 5 of my friends I won't send a transcript of the conversation to the one person who doesn't participate.


Why not inform your friend of the outcome? Half of the group chats seem to be utter nonsense until a final outcome is made, particularly with arranging something.

Or would you not want your friend to attend?

The choice is: do I want my friend to be included in my activities?

The choice is not: do I want my friend to be included and also send all of his data to some people I've never met?


Your idea of friendship is rather strange. It appears to involve other people arranging your social life for you on your behalf, and then presenting the plans to you for your approval via the communication method of your choice.

Maybe it works for you, but not for most people.


Not at all. You have that wrong. It is quite a funny way of presenting how I'd do it though! That'd be insane!

I ring them up or SMS people.


As someone who lives in the Netherlands, I feel your pain. I don't think I can get my contacts to really switch to something else, and even if I could, new ones would use WhatsApp anyway.

I think your fear depends strongly on how open-minded/techie the girl is, though: I've used Signal to communicate with all of my Tinder contacts, but I will admit people remark on how it feels like a 'drug deal'.


> but the inertia is so great it's not possible.

It is possible, but difficult. You may lose access to some groups, but you can't have everything you want without some sacrifice.

Personally, I'm leaving WhatsApp. Yes, my family and friends will be a bit annoyed about the hassle of contacting me separately, but so be it.


That sort of behavior is very selfish, wouldn't you agree? You expect everyone to be annoyed and go through the hassle of contacting you, when you can't even keep one app installed to communicate with all of them.

And in a lot of countries you wouldn't lose access to "some groups" but you would lose access to ALL of them, from social, to every other group.


You could easily flip it around. Why should others expect me to sacrifice my privacy to socialise with them?

For me, ditching WhatsApp is altruistic, helping make it easier for others to socialise without giving up their privacy and security.


What hassle would that be? They could send you SMS or call you.

Would they really find that too difficult? The mind boggles.


WhatsApp means groups. A lot of groups. Both long-living and ephemeral.


1 on 1 can be done. But group communication? They will leave you out and it will be your burden to get the info using another channels.


That seems quite the choice to make: learn about group chats or send all your data to Facebook.

It seems quite one-sided.


So many children using it. Wonder what the EU law is on data privacy and under age kids? Can under-18s legally sign this snooped data over to FB?

Hope some lawyers can stop this in its tracks. Otherwise Signal or some other service will get our business


Don't know about kids but I think there is some requirement that people can meaningfully say no. Seems this is a breach of such a requirement.

https://ec.europa.eu/info/law/law-topic/data-protection/refo...


Sadly the law is written in a way that lets the optional part be disregarded if the business considers the data that's being shared necessary to run its business model... and advertising companies like Facebook will argue all data can help them sell ads better or for more money, hence all sharing of data shouldn't need to be optional. This has yet to be tested in court, but both Google and Facebook have taken this approach in their implementation of GDPR, leaving us wondering what the point was anyway... law without teeth :( The EU should have already slapped down Google hard for their lack of an opt out, but it's been years and still nothing. Seems the law makers aren't really on the side of privacy after all.


Last I checked WhatsApp minimum age was 16 (in the EU at least) to comply with the regulations.

Obviously that doesn't stop (many, many...) just using it anyway. But Facebook will happily turn a blind eye to this unless their hand is forced.


Here all the kids use it as soon as they get a phone. If they can't write yet they'll send emojis (!!). The minimum age is just a meaningless smoke screen.


Yes, usage by kids is a real problem. My child is one of only two in the class that doesn't use WhatsApp. All the others do. They have what they call a "class group", even though not everyone is there.

When I try to tell parents how much Facebook learns about their kids (their friends, networks, and by merging data from different sources: habits, school, frequented locations, etc), they just roll their eyes. The response is "well everybody is tracking us, who cares".

All this even though there is Signal, which works JUST FINE.


Children luckily are much more flexible and chop and change with the wind. It's the older folks once something is established it ends up becoming bedrock and super hard to change. Parents/Adults are busy if something 'works', there's a lot of resistance to changing it.


Yes, though I feel like people are finally (slowly) waking up to the problems here. Both the US and the EU are finally looking deeply into Facebook and other big tech.

I don't think politicians are going to solve the problem for us entirely, but a bunch of us have been working on technical solutions for decades and they aren't the entire answer either.

A little regulation combined with the right alternatives may go some way. I'm optimistic, though we have a very long road ahead.


Thanks for the positive outlook among many negative ones :) I hope we can find a good alternative in the market. Anyone know of alternatives that allow end to end encryption with group chat support so far?


In Norway WhatsApp is popular, but my dentist still uses SMS and email, and so do other businesses that I interact with. My son's school has its own app for communicating with parents, and teachers use Teams to present online lectures. My son uses Discord to talk to friends, but I think he is an exception.

What is really problematic is Facebook monopoly for organizing any social activities or events. There are simply no alternatives especially among 30-50 years old. Like the saying, “What parents were afraid video game would do to children, Facebook did to parents.”


I can cut out WhatsApp from professional use no problem.

There is no way to cut WhatsApp from casual/family use in Europe.

Schools, kindergartens, mechanics, contractors, plumbers everyone uses it.

The problem is that WhatsApp is the easiest method to share photos on mobile.

If you do not have WhatsApp your plumber can not send you a picture of pipes they fixed. How do you work around that?

Other parents are using WhatsApp for organizing out of school activities. Again, there is no way to go full Stallman here...


I'm in Europe, and I'm doing it to the best extent that I can: no permissions allowed to whatsapp, no profile picture, no read receipts, no notifications, sending a standard message to all personal groups that 'lads, I'm moving to signal, ciao'.

Beyond that, I will not entertain personal messages on whatsapp, only work related. Each new person will be greeted with "Do you mind awfully if we use Signal?" Does this come off as self-important? Sure. But it helps that I don't care too much if it does. I had the same attitude quitting FB and Twitter too, I just don't need people that much. I don't have a 100 friends anyway. I have like 15 that I really want to keep in touch with. Those 15 will understand.


What about when another new person suggests Telegram? I have like four different messaging apps on my phone: WhatsApp, Telegram, WeChat and Link. Don't need one more random app lol


I’d love to switch to telegram, but their default messages aren’t even end to end encrypted. And secure messages are not available for groups. So it’s not a great option for privacy actually.


Not only Europe and UK, LATAM is also pretty much governed by WA. I remember one time I had a visit of some folks from Canada, they were very surprised that we used it as our main chat/communication app. When I asked why, they said "we don't hear from it (referring to WA) that much, we all just use iMessage" I guess in their context/community most people own iPhones.


Exactly, the usage of iOS in some countries is high, and that’s where WhatsApp didn’t win as the most used chat.


Yep, in Australia I had basically never used WhatsApp. It's barely a thing. (However, Facebook Messenger dominates there, so it's not as if the privacy situation is any better, Facebook Messenger is just a better app/website to use).

Here in the UK I am literally required to be on WhatsApp to live in the building I currently live in. I have no choice in this matter. It's just the default messaging service for everyone.

If you join any kind of club? WhatsApp group. If you want to talk to someone about renting a room or apartment? WhatsApp chat. Live with housemates? WhatsApp group.

Plus the whole fact that if I deleted facebook, I would cut off contact with my friends and family (I can't expect like 25 people all to switch messaging services just for me). I would lose access to my thousand-dollar Oculus VR headset (I hate them so much for buying and linking facebook and Oculus, and hope a better competing standalone headset comes out).

And don't forget, you can't use an Oculus Quest with a blank facebook account you made just for that - they actually check that you're really using the account and force you to verify with photos and ID.

They are the absolute epitome of evil. Facebook, in many ways, but particularly in regard to Oculus, is a moustache-twirlingly, cartoonishly evil organization.

Could I just never buy an Oculus? Hopefully one day. But when not just your hobbies, but also your study and skillset and career prospects are right in that industry, you swallow your pride and make a damn facebook account.

I was also required to be in facebook groups for university classes back when I was a student. I HAD to be on facebook to get a degree. And for an amateur theatre group I joined.

Not to mention everything going on with misinformation about elections, vaccines, etcetera etcetera.

Some of this stuff is now moving to Discord, which is probably better than anything owned by facebook, but being better than facebook is a damn low bar, and Discord is still ultimately a for-profit corporation that would sell your soul if it made them a dollar.

This "just stop using it" attitude you always get on Hacker News and reddit about facebook and their various messaging platforms baffles me. Do you people not have lives? Jobs? Friends? Family? If you (in or out of a pandemic lockdown) want to do just about anything outside your house, or a whole bunch of things inside it, you need to use Facebook services.

It sucks and I'd love to stop supporting them but it's not like most of us have a realistic choice.


> This "just stop using it" attitude you always get on Hacker News and reddit about facebook and their various messaging platforms baffles me.

Unfortunately, seems that for many people on HN, HN is almost all their online social interaction, + tech people on signal/mastodon. Some don't seem to understand the concept of having family and friends who are not tech-savvy (or even hate tech). Or understand the concept of social capital.


Yeah. It's not that I don't believe those people, it's just that I don't think they should act like it's a real option for everybody.


> I can't expect like 25 people all to switch messaging services just for me

It’s not “switching”, they can start using another app and continue using whatsapp. I’ve done it with my family at least twice during the last 12 years, it was not that difficult.


When I lived in Russia my doctor messaged me via WhatsApp. I'm American so I was a little culture shocked, I don't know if this is standard procedure or anything but it illustrates how ubiquitous WhatsApp is.

I'm so anti-Facebook now that it's a part of the way I identify myself, and for all that I can't delete it. I maintain contact with a friend in Germany via Whatsapp or Facebook messenger, and in this case it would be possible to use email (which is not nearly as casual as firing off a message in your spare moments) or some other service but it doesn't solve the problem about friend groups.

I have friend groups around the world that my only way to participate in is Facebook. I believe moving abroad is in my future again, and Messenger is detestably the only real way to keep up with my friends back home. Leaving Facebook and Messenger is like leaving a bar I hate; I'm only here for the people and I wish we could go somewhere else.


I've lived in Germany for years and I do feel like, if we're going to stereotype people by nationality, they're one of the most privacy-sensitive groups you'll find. This is the country where, by law, if somebody picks up a (land-line) phone in the house, any other phone currently in use has to shut off. I'm not saying you can definitely convince that friend to get off WA / FB, but it's worth a shot.

(I don't know what to replace it with -- I mostly use Hangouts but it really feels like it's falling apart.)


For younger friends, I found that they can sometimes install a 2nd messenger, depending on how close you are. Of course, if they already use 2 or 3, you might need to use one that they have.

I would suggest to check if they use Telegram/Line/Kakao/Hangouts, or suggest it to them. They are all closed source, but at least is the lesser evil?


I am in Europe, Switzerland, and have plenty of friends in Austria. Yes, many of my social circle have WhatsApp but none is using it exclusively as it was some years ago.

People have the choice and use it. Not sure what is holding other circles back?

I haven't had WhatsApp in 4+ years and only rarely have to fall back to SMS


What alternative are your social circles using? SMS is the only alternative with a wide install base and the experience is inferior to WA, Telegram etc.


Telegram, Signal, Discord, some via Email depends on the people. Everyone has a second or third messaging app


Do you have kids? What do they use?


I don't. Guess they would communicate by dancing on TikTok judging from my knowledge about teens these days :)


Steganography or the dancing pigs problem? :-)

https://en.wikipedia.org/wiki/Dancing_pigs


Not possible? I think you mean that it's painful.

And it is, and I sympathize, but you and your family will not die or starve. It's possible.

I'm fed up and will remove fb and wa from my phone, at least. It will be painful


Also in Africa, most businesses live off WhatsApp.

You will find WhatsApp contacts for any kind of communication, ordering a taxi, food, whatever.

Move out of WhatsApp, and it is going to be quite boring out in the Savannah.


In France, SMS is still the most common, even though it is declining. I think it is historic: we had cheap unlimited SMS plans before internet data plans were common.

WhatsApp is popular but not a monopoly. Not really something to celebrate since its main "competitor" and #1 instant messenger app is Facebook Messenger. Skype and Discord are also significant, and I expect iMessage to be important too.


But with SMS group messaging is rather cumbersome no?


Yes, which is exactly why WhatsApp has replaced SMS: group messaging. People still use SMS for 1 to 1 conversation in France


Based on all the groups my wife is part of, it seems other people get absolutely nothing done in life since they appear to be sending pointless messages on a group constantly. Her phone is constantly buzzing, and 99.9% of it is utter nonsense.

It seems to me that the inability to easily message a group would be a bonus and not a loss!


Not just Europe + UK, LATAM is all WhatsApp.

Net neutrality not existing helps WhatsApp and other services here, one cell provider for example offers 1 year unlimited WhatsApp+Facebook including voice and video calls for a total (not monthly!) cost of 3USD on a prepaid chip. So you can't call, you can't write SMS, you can't use the internet but you can use WhatsApp for almost no cost. If you are on a budget this is a no brainer, for comparison - 5GB full internet access on the same chip is around 5$.

How are you going to break such a monopoly supported by providers? At this point it is something all providers do so if one starts offering it all other providers have a competitive advantage because everybody is already using WhatsApp. I am not sure if Facebook pays these providers, my guess is not - they are pushed into this by their competitors.

Net neutrality is very important to not let this happen. Similar deals exist for other popular services: Instagram, Youtube, TikTok, Spotify, Snapchat, Twitter, Netflix to name a few


>how much of a monopoly WhatsApp has in Europe and the UK

Everything you said applies to the Indian subcontinent, SE Asia and South America which form the bulk of the WhatsApp user base as well but with lesser or no scrutiny whatsoever when compared to EU/UK.


> I'd change to Signal or Telegram in a heartbeat, but the inertia is so great it's not possible.

It has to start somewhere. It is possible, but it takes will, and the acceptance that you will lose some contacts.


Most of my friends have migrated to Telegram now.


It's a little more nuanced than that. I don't question that WhatsApp is huge, in some countries and social circles, but it's by no means dominating across Europe.

Personally I'm not really sure who's using WhatsApp, I know two or three WhatsApp users. They all use it because they have friends in other countries, mostly the Middle East.

If RCS actually becomes a thing, then I don't see much of a future for apps like WhatsApp.


> If RCS actually becomes a thing

I have no reason to believe it will ever take off: It's been dead in the water since 2012 or even earlier. It doesn't support end-to-end encryption. Carriers would like to charge for it.


Assign everyone an IPv6 address, there's plenty. Then treat that as our internet phone number. Define a chat protocol that contains the very basics and everyone has to support that. Want to send a chat, you have their IPv6 address. Exchange using QR code. No server necessary for the basics. If a text fails, the sending device can keep trying or just give up.

This takes chat away from any single service.


This approach ignores all the aspects that made whatsapp / chat services popular in the first place. A short list:

  - Contact Discovery
  - Group chats
  - History / Log
  - Shared message order
  - Communication beyond text (emojis / reactions / inline images)
  - Ability to receive messages while offline
  - No need for technical skills

These aren't trivial features, they are prerequisites for any replacement, decentralized or otherwise. Just because we as developers like / tolerate things like IRC doesn't mean the rest of the world will accept it.


Everything you list could be supported at the client level with a decentralized IPv6 level protocol without a need for a centralized server middleman.


Sounds great! Let me know when you’ve built it so I can try it out :)


Unfortunately, IPv6 addresses have to be assigned by someone, and they typically change when moving around/changing provider. And you have to go through the firewall...

I prefer something you can generate yourself, like encryption keys. That's the approach taken by yggdrasil (and cjdns before): generate an encryption key, map the public part to an IP address (there's almost enough bits in v6). Plus, it can easily be end-to-end encrypted.

Another plus is that you can generate as many as desired.

As for the protocol, Matrix is experimenting a bit with going p2p.

https://yggdrasil-network.github.io/
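
The idea in the comment above (an address you generate yourself by hashing a public key, which the receiver can then check), as an added example that is not part of the thread or of either project's code. It is modelled on the cjdns rule (first 16 bytes of SHA-512 applied twice to the public key, accepted only when the first byte is 0xfc); Yggdrasil's derivation differs in detail, and the "public keys" here are constructed stand-in bytes, not real Curve25519 keys.

```python
import hashlib
import ipaddress

PREFIX_BYTE = 0xFC  # addresses must fall in fc00::/8 (cjdns-style rule)


def address_from_public_key(public_key: bytes) -> ipaddress.IPv6Address:
    """Derive the IPv6 address: first 16 bytes of SHA-512(SHA-512(key))."""
    if len(public_key) != 32:
        raise ValueError("expected a 32-byte public key")
    digest = hashlib.sha512(hashlib.sha512(public_key).digest()).digest()
    return ipaddress.IPv6Address(digest[:16])


def in_allowed_range(addr: ipaddress.IPv6Address) -> bool:
    """Only addresses whose first byte is 0xfc are accepted."""
    return addr.packed[0] == PREFIX_BYTE


def generate_identity(seed: bytes, max_tries: int = 100_000):
    """Search for a key whose derived address lands in fc00::/8.

    Assumption for this example: candidate 'public keys' are SHA-256(seed || counter)
    so the run is deterministic and needs no crypto library. A real node would
    generate fresh key pairs and keep the private half.
    Returns (public_key, address, number_of_candidates_tried).
    """
    for counter in range(max_tries):
        candidate = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        addr = address_from_public_key(candidate)
        if in_allowed_range(addr):
            return candidate, addr, counter + 1
    raise RuntimeError("no suitable key found")


def verify_peer(claimed_address: str, presented_key: bytes) -> bool:
    """Receiver-side check: does the claimed address belong to the presented key?

    Nobody assigns the address, so this comparison is the only binding between
    the two. A peer that cannot present a key hashing to the address it claims
    is rejected. (Proving possession of the matching private key is a separate
    step, done by the encrypted handshake, and is not shown here.)
    """
    try:
        claimed = ipaddress.IPv6Address(claimed_address)
    except ValueError:
        return False
    if len(presented_key) != 32 or not in_allowed_range(claimed):
        return False
    return claimed == address_from_public_key(presented_key)


if __name__ == "__main__":
    key_a, addr_a, tries = generate_identity(b"constructed-seed-alice")
    key_b, addr_b, _ = generate_identity(b"constructed-seed-bob")
    print(f"alice: {addr_a} (found after {tries} candidates)")
    print(f"bob:   {addr_b}")
    print("alice's key for alice's address:", verify_peer(str(addr_a), key_a))
    print("bob's key for alice's address:  ", verify_peer(str(addr_a), key_b))
```

Because one byte of the address is fixed, a suitable key turns up after roughly 256 candidates on average, and only the remaining 120 bits of the hash bind the address to the key.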


username checks out


As UK resident I fully echo this situation.

I have Telegram and Signal installed and was chatting with friends about moving over (finally) but it's painful especially right now.

With the right amount of incentive, force and numbers - a tipping point could be reached but I can't see it happening in the current situation.

With my cynical hat on I imagine FB know this and timed this policy change accordingly.


"Be the change you want to see in the world" -- I'm gonna have a go at switching as many people away as possible; friends, family, co-workers. It's all about critical mass so every step in that direction is a step toward your school and local community communications being on some alternative platform instead.


Why not make a local WhatsApp<->Signal bridge using Matrix (https://matrix.org/bridges/) and a disposable SIM card, and just use Signal app on your phone?


Is that easy to do? I thought WhatsApp didn’t allow api access.


Same case here in India. Sucks to have these apps despite knowing what they are doing just because your school or college groups are on these platforms. I tried educating my fellow mates about this but it seems unlikely that it will have any effect.


While WA is near ubiquitous in Germany, from my own experience many non-technical people in the UK prefer Telegram to WA. WA is the only way I can reach some of my contacts in Germany, but with my UK contacts I can avoid it altogether.


Just an obvious point - you don’t have to “change”. You can install both and use signal as much as you can. This costs you almost nothing, maybe just a little app switching. Not much to pay for a better world.


Same in Mexico and (AFAIK) most LATAM countries.

If I need anything to be delivered to the house I need to use Whatsapp (gas, water, food, etc).


no they don't need to be treated like anything, they are a completely new thing, so if you think that their dominant market position is an issue, they can be forced to implement a public API (open standard), therefore unlocking their userbase and allowing infinite competition


I hardly know anyone who uses Whatsapp, people mostly use messenger in swe, nor, fin, den.


faced with the option of accepting or being cut off from their local community.

It’s a deal!


I disagree, they're NOT public utilities, they're private companies that people chose to use (why is beyond me).

What could be considered instead, is building public utilities as a community.


Almost all public utilities have started as private companies of some kind. Broadcast, telecom and railway companies are the most recent examples. They started as private companies but then, due to limited spectrum, unification pressure, needing to include everyone including remote places and wasteful duplication got transformed into publicly owned or at least publicly licensed and regulated utilities (depending on which utility and country you are looking at).

So, while they are not yet public utilities, they should be turned into such.


That's not true, I live in West Europe and I never used Whatsapp in my life. There are always alternatives to get informed here.


It's hard for most of the world to remember that there isn't just the US, UK and Europe on this globe...


Just use something else....


You guys do have emails though, why isn’t that used instead?


I am in the EU, and this is what I have been presented with:

„ By tapping Agree, you accept the new terms, which take effect on February 8, 2021. After this date, you’ll need to accept the new terms to continue using WhatsApp. You can also visit the Help Center if you would prefer to delete your account and would like more information. To learn more about how WhatsApp processes your data, read our updated privacy policy“ (with an Agree button underneath).

I could close the window. But there is a hard deadline apparently: Feb 8th.

F* you Facebook. I’d rather stop using WhatsApp altogether.

Edit:

Will start using Signal app, and for the transition period I’ll keep an old smartphone with a throwaway SIM card and WhatsApp installed on it to keep updates from absolutely necessary groups I need to be part of.


As I understand it, even with a click-through agreement like this it is still illegal in the EU. Could be an interesting case on the way... I believe that WhatsApp's only real option in this case is to stop serving the EU, which I feel as an EU resident could only be a good thing!


I believe so too.

In addition, I vaguely remember something about the acquisition of WhatsApp by Facebook to be only approved under condition that exactly this kind of data sharing would not happen.

Although I have my doubts about it happening soon, because the immediate impact it would have on real everyday life could be rather disastrous initially (something Facebook no doubt is aware of), the EU should probably declare/certify Facebook as a rogue/criminal organization. I just can't see it any other way, with Facebook's blatant disregard for anything but its own greedy interests.

If Facebook keeps pushing their "luck" like this, it should simply have all its assets on EU soil frozen. If eventually ruled a criminal organization, confiscated too. It would be very sad and unfortunate for any EU citizens working for the company, who no doubt have no say in Facebook's criminal enterprise. But the current status quo is becoming completely unacceptable.

History has plenty of lessons, about criminal organizations rising to (hard to defeat levels of) power. In many cases more than anything because both societies and governments/authorities failed to respond appropriately in time, when they still had a fair chance containing those (with far less effort).

All that is even without opening the can of worms that is the access US government agencies have to all of Facebook's data.



Probably relevant: if I go to the terms/privacy policy via settings, I am greeted by the following preamble.

"If you don't live in the European Region, WhatsApp LLC provides WhatsApp to you under this Terms of Service and Privacy Policy."


It would be a good thing to lose a chat app that works very well and has E2E by default?


Yes, it would force people to use better alternatives such as Signal or Telegram.


Signal is run by someone who hates repeatable builds and open platforms. Telegram is to the russian government what whatsapp is to the US government.

That is to say, both options are bad. Of course it is conceptually better to spread your information over many separate information silos so that your data is harder to correlate. That should not be the bar we aspire to though.


All of these apps seem to hate open platforms and third party clients; Signal just as much as WhatsApp. I wouldn't even mind using WhatsApp if I could just open a browser window on any modern computer and log on like I can with Twitter. But no, I need to have a smartphone with either Android or IOS. They all want that magic unique personal identifier that is the mobile phone number to prevent you from having more than one persona, and they all want their closed apps as the sole way of using their service.

Of course, that requirement is exactly how they implement the user lock-in, so it's not going anywhere until legislation forces them to open up.


Signal is actually open source but I agree with the sentiment.

Services now just want some person info they can link to you and that actually scares me a little.


You're right about Signal having an open source client of course. It's a closed platform because of the 'no-forks-allowed' stipulations.


The main reason for not wishing that Signal is forked revolves around adding new features. It stops things being fragmented.

As both the client _and the server_ are open source though it's entirely possible to do things like Signal<->Matrix bridges.


I don't think it's the Russian government you should be concerned about when using Telegram. Sure, TG is far from a secure platform, but the Russians have spent considerable effort trying to shut it down so out of all the possibilities, I'd say TG being in Russian hands is among the smallest.


Ah. That's why Russian government was trying to block Telegram for over two years. Good to know.


They could have just been doing that to lend it legitimacy ... psyops is something they’re very big into these days


I've heard that before and the idea is reasonable but I must say if they've actually pulled off that stunt then it is amazing because I've seen nothing to suggest so despite being aware of the possibility for years.


I’d say it’s pretty much their MO these days


You mean directing people where they want by pretending they don't want you to while not taking action against those who do?

If so, do you have other notable examples or is it insider information? ;-)


I think it’s pretty well known ... have a look into this guy https://www.google.ie/amp/s/amp.theatlantic.com/amp/article/...

I know you’re not engaging in good faith but I’m adding this more for the benefit of onlookers


> I know you’re not engaging in good faith but I’m adding this more for the benefit of onlookers

That was uncalled for. Please adjust your troll-detector and I'll adjust my wittiness dispenser ;-)

I am serious even when I'm joking, but I have never heard anyone saying that in full seriousness and also it feels like we should have known something: even the Russian secret service isn't perfect, in fact they've done some really big mistakes the last few years (in addition to their deliberate "mistakes" that they seemingly do to show off.)


Yeah right Vladimir. Sure.


I actually have a really viking name for some reason and while I have tried to learn Russian my vocabulary is limited to around 20 or so :-)


>Telegram is to the russian government what whatsapp is to the US government.

Do you have a source for that? Telegram is built by the VKontakte guys who Putin famously fucked over.


And that's why we have Matrix.


that'll never happen - WhatsApp is almost WeChat for Europe, it's ubiquitous and the network effect is so strong you'll really struggle to get masses of people to switch away from it.

99% of people outside of the HN bubble will just look at the dialog, click OK and carry on as normal.


Instead of surrendering we - technically aware people - should think about possibilities to make them respect privacy or think about ways to change the situation.


Yes but not clicking through the shrink-wrap agreement isn't a real way to do it. Legislation that requires people be able to say no to data collection without loss of service would go a long way.


I have messaged a bunch of my EU friends with this article. Most of them were shocked.


I did the same. Mixed reactions, some shocked, some shrug and move on. And my friends are academically educated and relatively conscious of this issue I believe. Probably not the most representative sample...


I think this level of ignorance is pretty common today.


If WhatsApp can’t be legally compliant then they simply can’t provide the service. It’s up to them.


If you need to force people to use alternatives it's because they are not much better to begin with.

I've used the Signal app and it's a bug fest. Telegram is not even encrypted by default and there is no option for encrypted groups.


> If you need to force people to use alternatives it's because they are not much better to begin with.

This isn't necessarily true - that's basically the problem with monopolies and the point of anti-trust. The network effect really can entrench an inferior product.


That's not a useful definition of better though. WhatsApp, Messenger, etc. are better because they're reliable and the people I want to talk to use them.

MMS messages are hot garbage but they're still better than a lot of alternatives because everyone with a phone can receive them.


Main reason I use whats app is because everyone else I deal with uses whats app, not because it has specific features. I could probably list a different chat app and social networking site for every time I switched a school and when I started to study.


I do personally believe that for all its faults WhatsApp is the best. It’s a pity about that but I guess FB have to pay all those great developers somehow. It’s up to regulation to set the boundaries for what’s acceptable in business so let’s see what happens.


> It’s a pity about that but I guess FB have to pay all those great developers somehow.

They could just run it as a paid service again? They had a minimal annual charge before the Facebook acquisition and probably could have raised that, instead Facebook made it "free" which should have been a warning sign of things to come.


One of the reasons the founders left was that FB wanted to put ads and track users, and didn't even want to try to make a Business paid version like WhatsApp proposed.


> Telegram is not even encrypted by default and there is no option for encrypted groups.

Friendly reminder that encryption is more than E2E-encryption despite what certain people on HN think.

Telegram is encrypted point-to-point by default. Same as banks, modern mail etc.

Can we stop spreading technical misinformation now, please? There's plenty of other issues with Telegram and if we stop crying wolf over the neighbor's grand danois people might actually believe us when there is an actual wolf.


> E2E by default

Only if you trust Facebook with their proprietary software.


Who cares if it's "technically illegal" if there's no fines for it. I seriously doubt that the EU will grow teeth anytime soon (but I hope to be surprised!).


It’s not the EU you need to worry about, it’s the courts ... check out the whole Max Schrems Facebook thing and the Apple Tax stuff is yet ongoing ...


Yes, but both are examples of the EU not actually wanting to do the right thing, even if the courts say so. Privacy shield was shot down by Schrems in court, only to be replaced by the EU mumbling about "standard contract clauses, just do the same as before". No billions in penalties in sight.

Same for the Apple (and others') taxes in Ireland: While the Irish have been told by courts and the rest of Europe to collect the taxes they are owed, they just refuse to do so.


No you're out of date, the standard contract clauses thing was blown out of the water. It's a big problem for Facebook, not sure where it's at now.

Also your understanding of the Apple case is a little out of whack too. There's a lot of subtlety to it, but basically the court ruled in Apple's favour on a technicality and there is a revised appeal pending.


Google/Alphabet has received more than 8 billion Euro in fines by the EU. I wouldn't generally call them toothless.


What's the alternative? Has the FTC, FCC or any other US agency taken any action against the American big tech companies?

The US sees FAANG as its babies and will protect them at all costs. It's up to the rest of the world to rein them in.


In practice, everything that doesn't have a punishment is legal


So you are going to move from one centralized, walled garden, privacy hostile platform that hard requires Google/Apple ecosystems to get signed updates... to another with identical drawbacks.

I suggest something that lets you use any client/platform you want, uses the same crypto primitives, and lets you choose what server/country your data is hosted in and change your mind any time, e.g Matrix.

How many times do centralized services like VK, WhatsApp, Instagram, Apple, etc need to get co-opted into enforcing the will of private entities or governments before we learn our lesson?

The only network services this won't become true of at some point in the future are those with decentralized clients and servers obeying a common documented protocol.


Matrix is riddled with bugs. While I agree with you that signal isn't all that great (they do some really good stuff and then make some really weird trade-offs), I've recently compared Signal, Wire, Threema, Jami, Briar, Element/Matrix, and Keybase.

The most mature app is Signal. It has the best usability to privacy trade-off.

Threema is the better choice if you don't mind not having a usable desktop client. For me that's a total deal breaker. It costs a one-time 5 bucks and it's totally worth that, if only it had so much as a usable web client (you need to open your phone and navigate two menus to enable the web client every time your phone changes WiFi or anything).

Wire is the better choice if you can sacrifice a tiny bit of usability for better privacy. It's sluggish is all, and (like Signal and most other services) uses AWS. Full disclosure: I was involved in a paid audit of Wire so I know more about the encryption protocol than I do about the other clients'.

Element/Matrix is the better choice if you'd rather make a trade-off towards privacy. Presumably the clients will mature, and between two years ago and one year ago they've made good progress. It's going less fast today but I still see things getting slowly better, and the decentralization works very well and is fairly easy to set up.

If all you really want is a better privacy policy and want to ensure people stick around and don't uninstall it, Telegram is by far the usability winner and has a large network effect already. But it's a trade-off with the devil because there is zero encryption. They could ransom or sell our chat logs any time.

Briar and Jami have limitations that make them unusable for general-purpose use with your mom. Facebook and Google's messengers I didn't look at for obvious reasons. Keybase was never end to end encrypted to begin with and now Zoom bought them so they'll probably shut down soon (also, bugs).

Rocket.chat seems only aimed at business users.

You can also do OTR over any platform you like, and I still have to try this overlay encryption system on Android (I forgot its name).

Pick your poison...


>> I was involved in a paid audit of Wire so I know more about the encryption protocol than I do about the other clients

Seeing as you mentioned Threema in the same post, I think I ought to step in here.

The encryption protocol for Threema is open source, using standard algorithms, not something they invented.

You, like I did for $my_org, can write your own software to send messages to devices running Threema using the Threema API.

Message contents are, of course, encrypted before submission to the API. Threema provide a number of SDKs to help you, but you are under no obligation to use them, you can write your own API submission client from scratch.

P.S. Not saying Wire is bad here. Wire is good. I use it alongside Threema myself for $other_uses. But I'm saying don't write off Threema under a false understanding that their encryption protocols are closed source.


That's a good point. Threema using standard libsodium cryptoboxes makes this easier to reimplement than these Axolotl-like protocols. Still, Wire has a bot API so you don't need to reinvent the wheel to integrate in a chat. Not sure that's any harder than using libsodium.

Afaik Signal doesn't have an API or SDK, there only seem to be third party implementations for bots.


Signal will by design likely be more stable than Matrix in the short term because it is a centralized dictatorship.

China can move fast for this reason too.

You have to decide if the long term consequences of a fast moving dictatorship are worth giving up the freedom of a sometimes messy democracy.

The internet is too important to herd all our services into control of dictators, no matter how benevolent.

We survived the dialup days for all the UX hell of many providers without giving AOL exclusive control in spite of them having the best UX.

I hope we can do the same with something as critically important as worldwide internet communications, but the marketing of dictators and their ability to move quickly is sometimes too hard to resist until it all backfires spectacularly.


That's what they want you to believe for some reason. Moxie went so far as to talk in the biggest hall at the last chaos communication congress about how important it is that we don't use decentralized services and clients.

I'm not buying it. Look at Matrix and tell me it's holding them back.

What's holding them back, perhaps, is not having a shitton of money in the bank like Signal, and they're actively supportive of decentralization which costs developer resources. Signal (or Matrix, for that matter) could not spend dev time on decentralization and just let the open source community do its thing. But that's not what Signal is doing, they're instead actively hostile towards it.

Or look at Telegram, they have an open network and third party clients. There also are unofficial clients that some people use. But what does the 99% use? The official clients. Signal's argument is that people might use insecure, unofficial clients. In practice, that's not what your average mom will do. (And it's not as if the official Signal app was audited either.)

I'm also not buying the "China can move faster" thing. They can be more oppressive without consequences, but is that really better? Does that "centralized dictatorship" allow them to be "more stable"? It's easy to say, and easy to see how indeed an oppressive government's decree can change things from one day to the next, but on that scale I think you need to consider more things than I am qualified to do before you can really say whether that is a superior system in a given situation.

I guess we conclude the same thing in the end, though, as you say "The internet is too important to herd all our services into control of dictators, no matter how benevolent."


> I'm not buying it. Look at Matrix and tell me it's holding them back.

The main argument against federated protocols playing well with security is that they have a harder time evolving. The example always given is email. Once Matrix has reached 500M users and several server implementations with less than 20% market share each, how can you be sure that it will keep improving contrary to email protocols? WhatsApp switched to E2EE in a matter of months, but most of our emails are still plaintext on the servers.

I like and use Matrix as a replacement for IRC, but I don't think they will catch up in terms of security with Signal in most practical situations (meaning, I want to send a message to a non-technical person). Both because of the fossilization associated with federated protocols (see above), and simply because developing a federated protocol is way harder and less forgiving than a centralized one.

Your argument about the "99% use" means first that you don't need centralization if it's already centralized in practice, and second that it brings very little benefit (benefits only 1% of users). At that point, the (possibly low) costs of decentralization are not worth it.


Signal did not have a shit ton of money until a year or two ago. I like Matrix but its main issue is still UI/UX on clients (especially around key management) - which is slowly getting better but still too complex for normal non-techie users.


> Wire is the better choice if you can sacrifice a tiny bit of usability for better privacy.

Do you mean better privacy than Signal? I was under the impression that Signal was significantly ahead of Wire in this regard with features like private groups and private contact discovery.


Private contact discovery and other metadata protection claims are largely security theatre. SGX is entirely broken and those with physical (and sometimes even remote) access can dump keys at any time.

They pinky swear they always patch and never dump keys when they have the chance though.


It's a security theater not only because someone broke it, but also because you can always just look at which IPs talk to which IPs. Even Tor has issues with preventing traffic analysis, except with Signal you can observe (or trust) a single party (instead of the guard and exit nodes) to get the data.

It's more of a trust thing than something you can technically solve while still having features like real-time calling. Hence Facebook being objectionable despite having encryption.


They're both hosted on USA-based services, they both have proper encryption on the client and apply it also to calls and video calls. There is no significant difference to me in terms of privacy.

Usability is slightly different, yes, and you might also trust Signal more because they do better PR (they say outright that they're from the USA and get money from Facebook, while Wire has devs in Berlin and claims to be a German company, while taking money from USA investors... which imo comes down to the same thing), or you might trust Wire more because they were actually audited at all.


For a family that are all on the same server, Nextcloud Talk is also nice and "relatively easy" to set up (and 0 effort when you already use Nextcloud). I am still desperately waiting on Talk being able to use the federation features of Nextcloud (so you can chat to users on other servers). That would increase my usage a lot, my parents are on another server (which admittedly also runs from my basement) and I have colleagues with their own server...

I do use Signal and Telegram with some friends, I really find the difference between WA and Signal to be small. Telegram though is a lot nicer as a platform, it has some channels I'm part of and the desktop client is much better. But this comes with privacy/security trade-offs as mentioned in this thread.

I also use Element.io for some channels and groups. I find it surprisingly nice. I may set up a server myself soon.


As someone who doesn't use WhatsApp, thanks for mentioning WA and Signal are not very different and that Telegram has better UX. That matches what I thought, but I didn't know and I was a bit worried what I'd be signing my family up for when asking them to switch away from Telegram.


Yeah, Signal used to handle changing phones pretty poorly but that is sort of solved now (you can store your groups and phonebook in the cloud behind a pin). Other than that it is really nice. The desktop client is arguably better than WA's web solution, although I have run into non-syncing messages, but, you can use the desktop client with your phone off, which is a major + imho.

Honestly, Signal is just super high quality when you take into account how privacy focused it is, I could easily replace WA with Signal, apart from "the network effect".


> you can use the desktop client with your phone off, which is a major + imho

Indeed, if it has to go through my phone it's nigh unusable in my opinion. Wire and Element/Matrix handle this properly since they don't depend on a phone number in the first place (so no need to tie it to your phone), only Signal and Threema are somewhat of a pain in this regard since you need to link it, and only Threema absolutely requires your phone to be online all the time.


I can recommend the FluffyChat Matrix client, it's quite pleasant to use, although still not perfect :)

https://fluffychat.im/


Why is Telegram not on your list?


They lie about encryption. They call themselves an encrypted messenger when they're not, at least not in the way that people expect nowadays. I volunteered for their support team a few years ago but was rejected because the first test question was about their encryption and I refused to lie (I said regular chats are encrypted but only to the server, i.e. that Telegram can read your messages which was true then and is still true today, and that you need to use secret chats for encryption.)

I ended up adding a paragraph about it anyhow but that's why, when starting to write the post, I didn't add Telegram to the list. There is also rocket.chat further down that I didn't mention on top, fwiw.


it is?


I should maybe have put it in the list on top. I initially listed only the encrypted messengers, but later decided to add a paragraph about Telegram anyway.


I don't like Signal's stance on forks (which is that they are allowed but may not use the official Signal network) but it hardly has identical drawbacks. Signal is open source, can be downloaded as an official APK and can be run on LineageOS without Google Play (notifications do require some emulation of Play Services calls, but that can be provided using MicroG).


"hardly has drawbacks" My notes on Signal contain the following:

+ It usually just works

+ Reasonable desktop experience (needs to re-link once a month or so, but otherwise independent and not terrible UX), good mobile experience

- Metadata handled by Amazon

- Phone number is a hard requirement, and changing your phone number means re-connecting to everyone

- Funding comes from Facebook from what I recall, and even with large amounts of their $100M invested, their expenses are 8 times larger than their income.

+ At least it's a foundation and their finances are not a black box!

~ With a build from an untrusted third party, you can make it work on Androids where Google Play Services are intentionally firewalled off.

~ No audit of the clients. The protocol, sure, but most bugs aren't introduced on a protocol level.

These are only things they could solve, i.e. that others do better. That their contact discovery solution (where you upload your phone book) is broken isn't a downside because nobody else has that figured out either.


> - Metadata handled by Amazon

That's rather broad, which metadata are you thinking about? Especially given the sealed sender feature. Assuming you have access to everything at Amazon, what can you deduce about Signal users?

I can think of:

- IP address (you can tell that this IP address sent some Signal message)

- size of messages

- timestamps of messages (when they were received by an Amazon server)

IP address leaks a lot of information but there are still workarounds, and it seems reasonable if you're in a no-trust model (meaning Signal's servers wouldn't be any better than Amazon's). In any case, that's way less information than other mainstream messengers.

On the other hand, one distinguishing feature regarding metadata is groups: group membership is not known by anyone outside of the group if I understand correctly, contrary to WhatsApp (and others).


"Funding comes from Facebook from what I recall."

Not really. Original funding came from NGO sources such as the Open Tech Fund.


The author is a toxic dictator who hates the idea of ceding power so that they can have a constructive and open protocol for everyone. That means the app should never be used, by anyone. If you're going to use software like this, you may as well stay with whatsapp - at least that has a lot of users.


I see mention of the toxic dictator stuff and non-reproducible builds mentioned through this thread - do you have info on that you can point me to? I am asking because a guy at work wanted me to install Signal as voice call quality on Duo was appallingly bad. Thanks in advance.


You can read about the stance in question on a lot of github issues, one of which is this one: https://github.com/LibreSignal/LibreSignal/issues/37 (not actually the signal repo, but moxie talks about the need for iron control over the platform). You can extrapolate consequences pretty far from what is said there, consequences which are well understood by moxie (if nothing else, you can see that time was spent thinking about environmental factors). To me this attitude is baldly toxic because it makes the world worse (in that it reinforces the opinion that centralised is better, which is at the heart of so many problematic digital services).


Thanks. Reading that thread, I think he is saying that he wants to remain centralised and federating third-party servers and traffic isn't his plan.

I know in theory that sounds "bad" but it's their service I guess? In the real world, centralised services seem to be the norm, eg. the postal service. They don't let random third parties take the mail and also mandate that you use their postage stamps to use their network, and only accept mail at their post boxes and mail offices. They don't let people inject mail into the vans along their postal routes, and don't forward mail that is from another delivery company, eg. DPD, DHL, FedEx.

I am not sure how else it'd work?? Surely it'd be like expecting the postal system to deliver FedEx's parcels, whilst not paying the postal system anything at all. That's unfeasible and unsustainable.


There's e-mail for one. A great good everyone uses, which is definitely decentralised (much to the chagrin of a few large providers, which continuously act in bad faith to centralise it as much as they can). Signal could have been that, but for (mainly) mobile messaging. Because they went the jaded route as you do it's now just another way for one person to apply his dictatorial view to the masses. I agree with you that in a mountain of shit you won't really notice a little bit more shit, but that doesn't make it anything but shit. It could have been better, it is not. That's something that deserves a little lamenting.


I can only guess but it may relate to Moxie's at times somewhat brash behavior in Github issues and an ongoing debate over centralized vs decentralized protocols (with him advocating the former). He gave a talk addressing the (de-)centralization topic at the Chaos Communications Congress in 2019:

36C3 - The ecosystem is moving | https://www.youtube.com/watch?v=Nj3YFprqAr8


There is nothing wrong with the protocol, the client software or the server software; the problem is entirely with the OWS server TOS.


How would we know? The signal app as most people understand it cannot be built in a reproducible manner. This means that most people will be using something that may as well be compromised. The author does not care. It doesn't matter what the source code behind it is, as an entity signal is hostile to everything a good messaging app should be.


The Java classes making up the application proper have had reproducible builds since 2016 [1]. The Play Services Signal relies on don't, but there are open source alternatives.

[1]: https://signal.org/blog/reproducible-android/


If you can't produce the app as you download it, it's not reproducible. Saying part of it is is disingenuous.


Another key difference would be the business model. Signal being a non-profit[0] does not provide any guarantees for the app to not become 'hostile' in the future, but any such development motivated by personal profits would at least require a change of organization type, which I assume wouldn't go unnoticed.

[0] https://en.wikipedia.org/wiki/Signal_Foundation


It was well noticed when WhatsApp changed hands to Facebook, and yet the vast majority of users didn't move to anything else because of network effects.

Once users are in an ecosystem it takes years to convince them to change and only after they hit a high discomfort tipping point.

If Signal ran short on funding and got bought by Google or Facebook all the tracking would kick in and most users would stay.

We must stop herding people into walled gardens. It is unethical and always backfires.


Moxie highly discourages using the APK because it means turning on untrusted sources which is highly unsafe and bypasses signature verification.

It is one BGP attack or compromised CDN admin away from compromising the masses.

This is one of the few points I agree with moxie on.

The only safe way to install software on an Android device requires you bootstrap trust via a system supplied package manager that enforces signature verification.

Lineage grabs unsigned binary blobs from a separate account with little accountability ( https://GitHub.com/themuppets ) to limit the blast radius of illegally distributing them and does not ship a package manager at all.

They expect degoogled users to disable system signature verification to use an alternative app store like F-droid. Lineage is great if you want to turn an old device into a game system or something, but it should not be used on a device you need to be able to trust.

The only Google-free option to have a signed system-verified app supply chain on Android is to use a ROM that bundles F-droid as a system trusted app manager like CalyxOS, RattlesnakeOS, or my projects, aosp-build, and #!os.

While F-Droid is far from perfect it is the only alternative path and Moxie refuses to allow apps to be distributed there because he openly admits he wants the usage metrics that come from Google/Apple distribution.

In effect, you either use Apple/Google ecosystems to run verified binaries, or compile yourself every week or two.


> Moxie highly discourages using the APK because it means turning on untrusted sources which is highly unsafe and bypasses signature verification

That's nice, but why should Moxie decide whether the Google Play Store is a trusted source for me?


Right. They offer one option with signature verification and low privacy (Play store), and one option with higher privacy but low security (YOLO apk).

If neither of these work for you, you are not wanted on the Signal network.


> bypasses signature verification.

APKs do not bypass signature verification. Android still requires all apks to be signed, and only installs updates to apks that were signed by the same original key.

As for BGP attacks, the apk is distributed using TLS, so it needs more than that. That being said, CDN hacks are definitely an issue. But so is someone hacking their play store account or Google play itself.


Semantics, but worth clarifying.

You have to turn on untrusted sources to sideload an APK. It will verify a signature. The problem is the OS has no anchor to know if that signature is by the key of the party you expect, or that of a malicious adversary. Once you pin the wrong key it is like getting a bad HTTPS cert on first connection. All bets are off moving forward.


The OS has no anchor when you obtain it from the play store either. Google play can absolutely send you a hacked app with a different signing key if they want to. Signatures play no role in the first installation, they only play a role in subsequent installations.

If you have downloaded the apk using http, you can still verify the signature before installing through other means, e.g. by comparing it to your friend's installed APK, using multiple ways to download the apk, etc. Can you do this with Google play?


As much as I loathe Google I do have a fairly high expectation that the HSM rooted key pinning infra of Google Play itself is less vulnerable to MITM than the standalone signing key embedded in an APK hosted on a CDN somewhere.

You also can directly download APKs from Google Play using Aurora Store and compare them to the standalone APK in theory, though both points of verification are against the same entity so it only rules out MITM on a CDN etc.

Problem is, who has time to do this for every single update? How many would even do it for the initial install? Most technical sysadmins don't even verify ssh host fingerprints unless automated CA infra does it for them.

Even if someone does do this religiously, in practice I suspect they will put off valuable security patches until they can manually verify every new binary corresponds with the published source code to rule out supply chain attacks etc.

If two totally independent entities compiled and published signed binaries and their hashes matched (when signatures are stripped) then there is some automated consensus there are currently no obvious supply chain attacks in play to protect users at large who don't have the time or experience to compile and verify against the published apk by hand or manually compare fingerprints. F-droid could keep the Signal Foundation honest if they let them but instead they say "trust us, or compile your own binaries" as if no middle ground exists.

Meanwhile I can hand my wife a phone with F-Droid and Matrix and know she can update reasonably safely without any manual key verification steps by me or her. Even when the signing key of matrix.org on Google Play gets compromised the blast radius does not extend to F-droid.

The more reputable independent package managers building, signing, and distributing protocol compatible binaries the better. Makes it impractical for even a sophisticated adversary to gain control. Also lets users have the freedom to choose an easy automated install/update path for apps that respects their privacy by not requiring proprietary Google services.
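
The cross-check described in the comment above (independent builds whose hashes match once signatures are stripped), as an added example that is not part of any comment in this thread. The APK contents and the package name `org.example.chat` are constructed, and only JAR-style (v1) signature files are modelled.

```python
import hashlib
import io
import re
import zipfile

# JAR-style (v1) signature material lives in these META-INF entries. The v2/v3
# APK Signing Block sits outside the ZIP entries, so per-entry hashing skips it.
SIGNATURE_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def content_digests(apk_bytes):
    """Map entry name -> SHA-256 of its uncompressed bytes, signatures excluded."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or SIGNATURE_ENTRY.match(info.filename):
                continue
            if info.filename in digests:
                # Two entries with one name can make parsers disagree on content.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(apk_a, apk_b):
    """Report every entry that differs between two builds of the same source."""
    a, b = content_digests(apk_a), content_digests(apk_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "differing": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def builds_match(apk_a, apk_b):
    return not any(compare_builds(apk_a, apk_b).values())


def make_apk(entries):
    """Build a constructed, APK-shaped ZIP in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample payload shared by the honest builds.
COMMON = {
    "AndroidManifest.xml": b"<manifest package='org.example.chat'/>",
    "classes.dex": b"dex\n035\x00 constructed bytecode",
    "res/raw/notice.txt": b"constructed resource",
}
# Same payload, signed by two different parties (signature bytes are dummies).
UPSTREAM = make_apk({**COMMON,
                     "META-INF/MANIFEST.MF": b"manifest written by upstream signer",
                     "META-INF/UPSTREAM.SF": b"upstream signature file",
                     "META-INF/UPSTREAM.RSA": b"upstream certificate"})
REBUILD = make_apk({**COMMON,
                    "META-INF/MANIFEST.MF": b"manifest written by rebuilder",
                    "META-INF/REBUILDER.SF": b"rebuilder signature file",
                    "META-INF/REBUILDER.RSA": b"rebuilder certificate"})
# A build whose code differs from the published source, under the upstream key.
MODIFIED = make_apk({**COMMON,
                     "classes.dex": b"dex\n035\x00 constructed bytecode + extra",
                     "META-INF/MANIFEST.MF": b"manifest written by upstream signer",
                     "META-INF/UPSTREAM.SF": b"upstream signature file",
                     "META-INF/UPSTREAM.RSA": b"upstream certificate"})

if __name__ == "__main__":
    print("whole-file hashes equal:",
          hashlib.sha256(UPSTREAM).digest() == hashlib.sha256(REBUILD).digest())
    print("content equal with signatures stripped:", builds_match(UPSTREAM, REBUILD))
    print("upstream vs modified:", compare_builds(UPSTREAM, MODIFIED))
```

The whole-file hashes of the two honest builds differ because each signer adds its own files, which is why the comparison has to be made per entry with the signature files left out.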


> who has time to do this for every single update?

Again, you only have to do this for the first install. After that, the local OS takes over and rejects any apk signed with a different key. It's a TOFU system.


Fair. My SSH host key example stands.

Systems that expect humans to be key pinning anchors are always a bad plan.
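
The trust-on-first-use behaviour debated in the comments above, as an added example that is not part of any comment in this thread. It is a simplified model: `PinStore`, the package name and the certificate bytes are all constructed, and signing-key rotation is ignored.

```python
import hashlib


def fingerprint(cert_der):
    """SHA-256 fingerprint of a signing certificate, as hex."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Model of an installer that pins the signer seen at first install."""

    def __init__(self):
        self._pins = {}  # package name -> pinned signer fingerprint

    def install(self, package, cert_der, expected_fp=None):
        """Decide whether to accept a package signed by cert_der.

        expected_fp is an optional out-of-band anchor: a fingerprint obtained
        over a channel other than the download itself.
        """
        fp = fingerprint(cert_der)
        pinned = self._pins.get(package)
        if pinned is not None:
            # Update path: only the signer pinned at first install is accepted.
            if fp == pinned:
                return "update-accepted"
            return "update-rejected:signer-changed"
        # First install: with no anchor, any signer is accepted and pinned.
        if expected_fp is not None and fp != expected_fp:
            return "install-rejected:fingerprint-mismatch"
        self._pins[package] = fp
        return "installed:verified" if expected_fp else "installed:unverified"


PACKAGE = "org.example.chat"                  # constructed package name
GENUINE = b"constructed genuine certificate"  # stands in for the real signer
OTHER = b"constructed unexpected certificate" # stands in for any other signer


def first_install_with_anchor():
    """The anchor catches an unexpected signer before anything is pinned."""
    store = PinStore()
    return store.install(PACKAGE, OTHER, expected_fp=fingerprint(GENUINE))


def first_install_without_anchor():
    """Without an anchor the first signer seen wins, right or wrong."""
    store = PinStore()
    first = store.install(PACKAGE, OTHER)
    # The wrong key is now pinned, so the genuine publisher's update is refused.
    later = store.install(PACKAGE, GENUINE)
    return first, later


def normal_update_cycle():
    """Verified first install, then updates checked by the OS with no human step."""
    store = PinStore()
    first = store.install(PACKAGE, GENUINE, expected_fp=fingerprint(GENUINE))
    same = store.install(PACKAGE, GENUINE)
    swapped = store.install(PACKAGE, OTHER)
    return first, same, swapped


if __name__ == "__main__":
    print(first_install_with_anchor())
    print(first_install_without_anchor())
    print(normal_update_cycle())
```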


>and Moxie refuses to allow apps to be distributed there because he openly admits he wants the usage metrics that come from Google/Apple distribution.

So he admits he cares about usage metrics more than privacy, which makes trusting Signal a bit hard.


Directly installing APKs by hand is something that is only for people who know what they are doing. However, providing the APK for download is something that is helpful for 3rd party package managers, which can verify the hash.


> forks ... may not use the official Signal network

Is it technically prevented or just frowned upon? The former would be strange, because fixing a bug in your own private fork would also exclude you from the network.


There are forks of the Signal client that do use the OWS servers [1], but IIUC they are in violation of the OWS TOS. Certainly moxie has threatened to block forked clients, which is why F-droid won't host any of these forks [2].

[1]: https://github.com/tw-hx/Signal-Android

[2]: https://forum.f-droid.org/t/we-can-include-signal-in-f-droid...


I actually do not find this unreasonable; maintaining and providing backwards support for everyone's custom version with their own quirks would be a big technical burden.


Moxie openly admits he centralized because it is easier and that decentralizing is too hard. We should all just give up and pick the least bad centralized service.

With that thinking we would all be using AOL.

Making a robust flexible protocol that can support a bunch of different client and service implementations is hard, but that is how we ended up avoiding email and web browsing being controlled by a single entity.

Matrix is solving the hard problem of providing the core functionality of tools like Slack and Whatsapp without sacrificing user freedom or asking you to trust any one entity.

This is what ethical engineering looks like, and I don't mind tolerating occasional growing pains in exchange for freedom.


Then no support should be provided for these forks. Caveat emptor unless you use the official client.


Allowing modding and forks does not mean you have to provide support for them.


Exactly this. You don't have to prohibit homosexuality just because you don't want to deal with adding support to your database of married citizens / prohibit forks because you don't want to support them.

The argument makes no sense. I can't decide if Moxie is a double agent with street cred or honestly trying to do good here.


I am generally a pretty decent read of people and in my observations and interactions with him I genuinely believe he believes a benevolent dictator building a centralized system is the only way to bring non-profit-motivated secure messaging to the masses, and that if one accepts this seemingly irrefutable truth, then the best candidate for the job is himself.

He is charismatic, highly intelligent, and lives by his own moral compass, rejecting FOSS ethos and silicon valley capitalist ethos alike.

This makes him especially dangerous.


> I suggest something that lets you use any client/platform you want, uses the same crypto primitives, and lets you choose what server/country your data is hosted in and change your mind any time, e.g Matrix.

I'll bite.

Who's paying for my johnchristopher@whatever.tld and for the data (avatar pictures, transferred files, chat logs) associated with it?

Will the Matrix foundation let me use their services forever and for free?

Will there be discussion on HN in ten years about getting your own custom domain and own federated server? For one account only? Like we have for mail regularly?


You can think of it like email.

Maybe you started on AOL and later realized AOL is terrible. You could export your address book and move to a client/server you trust more and notify all your contacts from the new location.

This is the same story on Matrix and what I mean when I say it is a freedom respecting decentralized service.

You are also free to run your own DNS to a dedicated EMS instance then later point to your own self hosted server later much like the freedom you have using your own domain and MX records on Google Apps allowing you to later move to a new email provider without having to update your social graph to change your address.

On Signal, there is no such option. You use their clients and servers forever, or GTFO.


> Maybe you started on AOL and later realized AOL is terrible. You could export your address book and move to a client/server you trust more and notify all your contacts from the new location.

The whole point is in avoiding starting with an AOL like service. So far only big matrix providers are reliable and performant enough to be usable. This is @gmail.com all over again but with @matrix.org tld.

Except you won't be able to carry your messages from a tld to another when you decide to rely on another domain name (your own or someone else's).

How long before Matrix foundation sends messages telling users they are going to delete their rooms and messages if they don't log in once a year? Or that they are now restricting your account to matrix.org rooms to "save operating costs"?

The whole tech stack is free but operating costs are not.


> So far only big matrix providers are reliable and performant enough to be usable.

I've been running a Matrix homeserver on a 1/1 VM for years without any issues. There is no downside to choosing a small server, you can still federate with everyone else. That's the entire point.


Same here. Except joining rooms on federated instances needs something beefier than my $5/month VPS SSD. And much more storage for data (pet peeve of mine: 4K avatar pics that are not resized and stored as is on my end of the federation).


Following the e-mail analogy: Inevitably, there will be contacts of yours who didn't get or read your notification, or contacts of yours who aren't in your contacts list.


As I wrote in another comment, portable identities are a matrix spec change I'm quite excited about: https://github.com/matrix-org/matrix-doc/blob/neilalexander/...

Start on a server, but your real identity is attached to a cryptographic key, not an e-mail-like identifier. That would allow you to move around, and maybe one day get rid of domain names altogether (using something like yggdrasil or tor to host and connect servers, for instance).


True. It is up to you to point your own domain day one with either email or matrix if you wish to avoid this discomfort.

Signal offers no such choice.

Even if you don't do this, you can still reach contacts on the old server and muddle through.

If you switch from walled garden to walled garden like WhatsApp to signal there is no migration path at all.


> The only network services this won't become true of at some point in the future are those with decentralized clients and servers obeying a common documented protocol.

You mean like SMS?


I didn't say all decentralized services are good. Just that decentralization is a prerequisite for something to avoid complete control by a single party long term.

A better example would be HTTP/HTML/JS. Sure it is not perfect and protocol updates are hard and slow due to endless implementations but we got a working decentralized internet out of the deal that is very hard for any single party to take over now, so I call that worth it over a single party enforcing proprietary protocols like AOL having a total monopoly.


> I suggest something that lets you use any client/platform you want

I lost about half of my contacts when migrating to Signal, do you really think I can make them install some random app that may or may not work?

They already complain that Signal isn't as polished as Whatsapp.


Those that won't respect your ethics are not your friends.

I lost many of my contacts moving to Matrix but earned a lot of new high value ones that share my worldview to continue building a decentralized censorship resistant internet.


> Those that won't respect your ethics are not your friends.

This is kind of an unreasonable, one-sided stance. You expect everyone to simply follow you and your preferences with no regard for their preferences. Maybe you not respecting them and their worldview makes you the bad friend, not the other way around.

> I lost many of my contacts moving to Matrix but earned a lot of new high value ones that share my worldview

I don’t know if isolating yourself from anyone that doesn’t think and act the exact same way is a good thing.


If someone believes something is legitimately toxic to themselves or society, like being around smoke, consuming certain substances, eating meat, using walled garden internet services etc... They should not be peer pressured into giving up those views.

I for one avoid Google products for personal communications. A lot of long term friends decided they only want to socialize online with Google products fully knowing it excludes me, in spite of easily accessible alternatives like Matrix and Jitsi.

They are not using Google products because it makes the world better, they are using it because they don't like change, and changing to maintain a friendship with me was not worth trying to use less privacy hostile communication mediums.

Fair enough.

I for one would not exclusively socialize at a Brazilian steakhouse if I had a vegan friend in a given social circle.

I will go to great lengths to accommodate people that are acting on authentic ethical convictions but if someone is only doing something that conflicts with my ethical convictions because they can't be bothered to try something new, then they obviously don't value me, and I'll invest more time with people who do.

You should live your convictions and find people that either share them, or at least respect you enough to accommodate them.

I don't expect others to think or act like me, but I would expect that my legitimate desire to maintain privacy in personal communication to be respected by anyone worth my time.

Plenty of friends that don't share my views put up with using some open tools to keep in touch with me. I likewise accommodate some of their preferences that don't make any sense to me. Everyone has a mix of deal breakers and things they can be flexible on in any type of human relationship.


I would also add that Matrix, unlike any of the other networks discussed, offers the ability to bridge to all other networks being discussed so if you so desire you can have your open network cake and communicate with people on walled garden networks too.

Not worth the trouble for me and I don't even want to have accounts in these platforms or let them collect my conversations, but the path at least exists.


> Those that won't respect your ethics are not your friends.

Yeah right. I am not RMS, with lock-downs, curfews, social distancing etc I'm already isolated enough so I'm not losing my remaining contacts for some moral high-ground.


> So you are going to move from one centralized, walled garden, privacy hostile platform that hard requires Google/Apple ecosystems to get signed updates... to another with identical drawbacks.

Ideally we'd have a polished, decentralized app. Signal is a compromise. I don't think the drawbacks are identical:

Facebook's business model depends on violating the privacy of the users. The Signal Foundation has no such need.

The client is open source. I see no reason to call Signal "privacy hostile".


* There is no OS verified path to install Signal or updates without being in Google/Apple proprietary ecosystems and submitting some usage metrics to them.

* You can't use signal on minority market share platforms even if they offer higher assurances of freedom, privacy, and security (RISC-V, OpenPOWER, etc.)

* Getting a phone number requires KYC in over 200 countries and carriers will happily sell you out as extensively documented and demonstrated by journalists buying owner info and GPS coordinates for any given phone numbers. Any service that hard requires a phone number is not prioritizing privacy.

* All metadata and TCP/IP metadata flows to a SPOF where signal employees, the ISP, or another entity inline could use network heuristics to deanonymize users, or dump the weak keys in SGX and get actual contact lists directly.

* If you want to use a privacy respecting signature verifying app store solution like F-Droid you are SOL. Moxie threatened to fight F-Droid or any other parties compiling/signing binaries from source code or doing forks or alternative implementations. He wishes to have complete control and the ability to rapidly push updates to all users quickly, be they benign or malicious. If someone coerces the signing key out of them, all signal conversations globally could be decrypted likely before anyone noticed.

I call all of this behaviour very privacy hostile. Published source code is moot if you are not allowed to use it or empower third parties like f-droid to hold it accountable.


Signal provides a SHA256 checksum on their download page at https://signal.org/android/apk/

Signal works on platforms such as GrapheneOS without the Google ecosystem.

You're right regarding the phone number. I consider it a necessary compromise. Look at the spam problem that email has.


Our quest to fully convert to Signal has hit a major wall, Android tablets are not supported as linked devices.

Supporting tablets would allow us to chat and send files across devices, without resorting to apps like Messenger.


Depending on your exact needs either Telegram or (preferably IMO) Matrix might be a solution.

(Yes, I think this is correct: For anyone who is currently on WhatsApp or anything Facebook for that matter even Telegram is a huge improvement in most ways.)


I get your point, but moving people to Signal has been an accomplishment on its own, you get to say "we should move to this new private app" only so many times, before your friends and family grab their torches.


The good thing is that matrix can be bridged to Signal[1], to allow for a smoother transition period.

This is also true with Whatsapp[2], but against their terms of service, so you risk getting banned, and built on reverse-engineering, plus you need an android VM of some sort.

I've been personally moving my family to Signal, since that provides the best UX and easier transition from Whatsapp. Once I'm comfortable enough with it, we'll likely transition to matrix.

What Matrix is missing is in my view:

- Client with simple UI, polished UX, and not just a smoking pot of features: FluffyChat[3] is mostly there.

- Server of which I can guarantee the uptime. Dendrite should lower the resource usage for a ~5-100 accounts server, and decentralised identities[4] would allow falling back to another server (such as a friend's).

We're mostly there, so I'm starting to prepare the switch, starting with my more technical friends, by setting a bridge up. Hopefully we can finally break that dependency on phone numbers (ideally, domain names as well with [4]) and move on to key-based IDs.

[1] https://github.com/tulir/mautrix-signal

[1] Older bridge, unmaintained: https://github.com/matrix-hacks/matrix-puppet-signal

[2] https://matrix.org/docs/guides/whatsapp-bridging-mautrix-wha...

[3] https://web.fluffychat.im/en/

[4] https://github.com/matrix-org/matrix-doc/blob/neilalexander/...


If you want people to be privacy minded this is what you have to prepare them for, though. Signal could get bought out by a privacy-hostile company next year, or they could go out of business.


Or get a visit from the NSA.


Well if you just remove the app and let them know where they can find you. They basically have no choice.


Telegram is not better than WhatsApp in the very important aspect that it is not end-to-end encrypted. You can balance up the risks of Facebook inserting malicious code into their client against the risks of your data being accessible at rest on Telegram's servers, but it's not at all clear Telegram is in a better spot there.


e2e encryption is mostly moot considering neither the client-application nor -device are really trustworthy.

then there is the problem with push-notifications passing through either google or apple as well as device-backups which both hand over your metadata and probably message content.

imo telegram is in a better spot simply because it is not affiliated with the facebook/google ecosystem but in the end it does not make much of a difference due to aforementioned systematic deficiencies.

imo good reasons to cash in on the platform compatibility and convenience of telegram's cloud-messaging architecture.


Can you run the web interface to signal in the tablet’s web browser? I thought basically no one used android tablets anyway


Signal has no web client.

> I thought basically no one used android tablets anyway

Tens of millions of Android tablets are sold every quarter.


Perhaps people should be filling their throw away simcards with random people from the phone book.

I am mostly using Signal and will let my WhatsApp expire.

I also think matrix is great and would recommend setting up an account by installing element. I think growth in matrix will more fully undermine FB's position as well as Slack/etc.


It was always a clear business transaction: access to a messaging service for access to meta data (and now message data).

I wonder how Out of curiosity:

Does anyone know how the new Whatsapp TOS differ from the Gmail TOS in regard to user data and privacy? How does the Facebook group use data differently than, say Facebook or Microsoft?


> It was always a clear business transaction: access to a messaging service for access to meta data (and now message data).

Nah it wasn’t, I paid for WhatsApp originally and then there was a subscription model for a while.

I much prefer both those models, Facebook is just greedy.


So what should self sentient person do, just lie down and accept the erosions of our blood won freedoms? No thanks. I have right now all my company talking to thousands of customers explaining this mess to them and helping those who need to switch to Signal. So yeah, fuck you FB!


Signal is no better. You fell into one marketing trap with WhatsApp and have now fallen for another.

Signal is another private entity with complete control of the servers and end client binaries. The fact they happen to open source the code is kind of moot since no services are allowed to write alternative implementations, no one can run their own servers or prove what code is running on Signals servers, nor can anyone even distribute reproducibly built binaries from said source code for accountability (e.g. f-droid).

There are so many better options. I suggest Element/Matrix which can even bridge to WhatsApp and Signal as needed thanks to community contributed bridges.


Thank you for the constructive answer.

I thought Signal was open source, and the distributed binaries matched the source, and that it was allowed to run your own servers. Are the servers even open source?

Is there literature regarding the technical/conceptional bits of Element/Matrix? What is the tradeoff there?


> I thought Signal was open source, and the distributed binaries matched the source

This is sort of true. The source is published and you can build your own binary. But given that you can't distribute Signal outside of official stores and can't pin the version in those official stores (unless you turn off updates on your phone entirely), it's not actually practical to run an audited version, let alone to make your own changes to the code.

> and that it was allowed to run your own servers. Are the servers even open source?

EDIT: apparently there is now (purported) server source available, not that that means much when there's no way to even know which code a given server is running, let alone run a server with different code. They claim that their E2E encryption means control of their servers doesn't matter, but their protocol analyses don't actually think about what an attacker might be able to do at the server level, IME.

> Is there literature regarding the technical/conceptional bits of Element/Matrix? What is the tradeoff there?

It uses either the same ratchet protocol as Signal or a very similar one. E2E for group chats is more complicated but I don't think you're giving up anything.


I largely agree with you but I don't want to see misinformation spread even when it supports my view.

The signal server source code is open source now in theory, you are just not permitted to run your own server and have it join the Signal network. We have to take their word for it that they are running the code they publish.


> servers are closed-source. Th

They are open source. Please see github.


I started a high level doc a couple years ago to compare the major tradeoffs in most popular messengers here:

https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHal...

We also only assume the published Signal binaries match the published source code. Moxie and team have exclusive control of the signing keys and Moxie said he will fight any third parties like F-droid doing from-source signed binaries outside the Google/apple ecosystems in spite of the accountability and removed SPOF it would offer.

If you choose to use a non Google/Apple platform or a freedom-respecting architecture like RISC-V or OpenPOWER you don't get to be on the Signal network.

This eliminates me from being able to use Signal. Talked to moxie at length about this but in the end he repeatedly admits he has no problem cutting off the few to enforce his vision for the many. He also frequently implies he sees himself as the only entity worthy of running the world's communications systems.

He is a smart guy and means well, but he is naive. Benevolent dictators are always replaced by less benevolent ones eventually. There is nothing stopping what happened to WhatsApp happening to Signal. You also have to trust the pinky swear offered by the Signal Foundation that they won't dump the keys from their SGX enclaves using any of a myriad of design flaws, and that they, their ISP, datacenters, and any three letter orgs tapping them will all throw away all the TCP/IP level metadata that centrally flows to their systems.

With Matrix OTOH, if those that host a given set of binaries/servers go evil or we simply want control of our metadata for sensitive channels, we can just use one of the alternative independent clients or a fork, switch to our own server or one run in a country or by an entity we trust more. We also still will be able to reach our social graph, just like switching an email provider.

Democratic control is messy, but I will take it over a benevolent dictator any day.

As for documentation, matrix.org documents the API and design choices of Matrix extensively and they welcome people making alternative clients and bridges to other networks because they believe the only safe and sustainable network services are open ones.


You should consider publishing your table here instead:

https://en.wikipedia.org/wiki/Comparison_of_cross-platform_i...


Element is really slow on mobile, Signal and WA show my list of conversations in fewer than 5 seconds. Element needs ~10 seconds just to load UI, then 10 more seconds to sync list of active conversations, then I enter into a conversation and it needs between 2 seconds and 2 days to synchronize e2e keys. I can literally leave the conversation open, phone in charger for night and it still can't sync message. How do I explain to my parents that their message from 2 days ago "call me when you're free" didn't arrive because Element couldn't read it? They changed name 3 times already, changing APP ID, forcing me to reinstall it on all devices, update all my bookmarks in browser, having to sync all keys between all devices, not only on my devices, but also my family members who were using it. Their initial-setup of the app is a really bad experience. Sometimes I can NOT have two devices online at the same time to login and send message from new third device. It's cool on browser, I had nothing bad experience on mobile + web.

Signal is simply best because it works as SMS client AND encrypted messages client. Best UI/UX, one app to rule them all, consistent behaviour, not owned by FAAMG.


Thanks for your insights, I’ll definitely look into Element/Matrix. I didn’t know Signal was just another scheme to collect private data. But I always knew that WhatsApp == FB yet I couldn’t do much due to network effects. Decentralizing the web has never been so important as now.


Signal is not another scheme to collect private data and anyone who makes such a claim has their own agenda to push (as you can see from the other comments in this thread made by this person.) Do a bit more research, get a wide variety of opinions, and then decide which factors are most important to you.


It’s the same as WhatsApp to some extent - always promised that they wouldn’t give up your data while they gained traction and then get acquired by Facebook and get forced to.


No, it is not the same. Signal is a registered 501.3(c) non-profit with a public board and cannot just decide to sell themselves and your metadata at some future point. Signal is also making ongoing improvements to protocols and apps to limit the amount of metadata that must be collected or that can be usefully held.


That’s interesting, I didn’t know that. Thanks for correcting me.


> I didn’t know Signal was just another scheme to collect private data

I think that's quite a misstatement, but it is indeed a centralized service.


I don't think they -intentionally- exist to harvest user data. They just create a situation where they can be taken over by an entity that wishes to easily at any point, or maybe they are already tapped by an entity that has dumped their SGX keys and/or is tapping their network traffic to bulk harvest the metadata they helpfully centralize.

The founder of VK had good intentions and was willing to protect his users too. The Russian government replaced him with someone more ethically flexible.

The founders of WhatsApp clearly never intended it to go in the direction it did post acquisition, but it was not their call.

Gathering all users to a single choke point on a single client on a single server infra is irresponsible and unsustainable. We have been here before.


May I recommend Delta Chat?

It's an email client (with clever, seamless encryption based on gpg) with a WhatsApp style interface. There's a desktop client too.

I've only ever managed to get one person to use it, but goodness it'd be nice to get rid of WhatsApp.

Edit: URL https://delta.chat/


Note that gpg provides worse security from an encryption standpoint than signal/WhatsApp


Frankly, I don't even care if it uses end-to-end encryption at all if it's encrypted to my own server.

Of course, email goes between servers and then you definitely want to ensure the encryption is solid (it often isn't, so PGP is definitely good). I'm just saying that Wire/Signal/Threema/etc. having better encryption is in my opinion only important when you use Wire's/Signal's/Threema's servers. If you can and do host your own, especially if you host it at home, then in practice there is no difference.

Since most people don't do that, Signal/Wire/Threema/Matrix are of course the better options than PGP+email, but PGP+email is still an improvement over the status quo.


Care to explain?


No perfect forward security. It's a feature, not a bug.


It doesn’t feel like a feature to me. And neither does the lack of deniability. They both feel like things that leak information that doesn’t need to be leaked.


Perfect forward secrecy requires two-way real-time communication, in order to construct a session key that can't be computed from just the private keys and the encrypted message. Therefore the way that PGP's lack of perfect forward secrecy is a feature is that it allows an encrypted message to be generated in a way that doesn't require two-way real-time communication, and can therefore be sent by email.

The trade-off is that you then don't have perfect forward secrecy.


Why does signal still work when the other party is offline?


Seems somewhat like threat model will determine the need for deniability etc. I don't consider myself to need it, and mine seems like a common enough case - compatible with a normal WhatsApp user's use case.


WhatsApp and Signal have forward secrecy, so if your private key is leaked it means that past conversations can't be decrypted. In reality it does not offer a lot of protection if you don't disable keeping logs (because losing your phone and malware are the only realistic ways of your private key being leaked). In addition the way that they have forward secrecy implemented it means that you have to decrypt every message posted in groupchats while you were offline sequentially until the last one, which can take hours in an active (even if small) group if you are gone for a week. The other thing is that both of these apps to my knowledge do not warn you if a new key is added (I might be wrong here) so an active attacker can pretty much nullify the encryption, this is not an issue with openpgp.
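The comment above describes forward secrecy and the need to work through missed messages in order. As an added example (not part of the thread, and not Signal's or WhatsApp's code), here is a simplified hash-chain ratchet; the names `Chain`, `kdf_step` and `xor_stream` and the toy cipher are assumptions made for illustration.

```python
import hashlib
import hmac


def kdf_step(chain_key):
    """One ratchet step: derive a message key and the next chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def xor_stream(key, data):
    """Toy cipher for illustration only: SHA-256 counter keystream XOR.
    The same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class Chain:
    """Holds only the current chain key; earlier ones are overwritten."""

    def __init__(self, initial_chain_key):
        self.chain_key = initial_chain_key
        self.index = 0  # number of message keys derived so far

    def step(self):
        self.chain_key, message_key = kdf_step(self.chain_key)
        self.index += 1
        return message_key


def encrypt_next(chain, plaintext):
    key = chain.step()
    return chain.index, xor_stream(key, plaintext)


def decrypt(chain, index, ciphertext):
    """Advance the chain up to `index`; return (plaintext, steps taken)."""
    if index <= chain.index:
        raise ValueError("key for message %d was already discarded" % index)
    steps = 0
    while chain.index < index:
        key = chain.step()
        steps += 1
    return xor_stream(key, ciphertext), steps


def demo():
    # Constructed shared secret standing in for the result of a key agreement.
    shared = hashlib.sha256(b"constructed shared secret").digest()
    sender, receiver = Chain(shared), Chain(shared)

    # Receiver is offline while five messages pile up.
    backlog = [encrypt_next(sender, b"message %d" % n) for n in range(1, 6)]

    # Catching up: one ratchet step per missed message, in order.
    plaintexts, total_steps = [], 0
    for index, ciphertext in backlog:
        text, steps = decrypt(receiver, index, ciphertext)
        plaintexts.append(text)
        total_steps += steps

    # The receiver's current state is now copied by someone else.
    stolen = Chain(receiver.chain_key)
    stolen.index = receiver.index

    # Past: keys derivable from the stolen state never decrypt message 1.
    probe = Chain(stolen.chain_key)
    past_recovered = any(
        xor_stream(probe.step(), backlog[0][1]) == b"message 1"
        for _ in range(1000)
    )

    # Future: the stolen state does decrypt the next message on this chain.
    index6, ciphertext6 = encrypt_next(sender, b"message 6")
    future_text, _ = decrypt(stolen, index6, ciphertext6)

    return {
        "plaintexts": plaintexts,
        "steps_to_catch_up": total_steps,
        "past_recovered_from_stolen_state": past_recovered,
        "future_readable_from_stolen_state": future_text == b"message 6",
    }


if __name__ == "__main__":
    print(demo())
```

A pure hash chain protects only earlier messages; recovering secrecy after a state compromise needs fresh key agreement, which this sketch leaves out.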


To add to this: the point of the disappearing messages in signal is to enhance the value of the forward secrecy by not having the record of the messages (so long as both devices are using correct clients and no one is screenshotting messages).

The other feature is deniability: having an encrypted message and its decryption doesn’t give you any more information than a screenshot of the message in signal. There isn’t a way for the encrypted message to prove that it was legitimate as the previous keys are revealed in a way that means anyone sniffing the traffic could make a message encrypted with that key.


Afaik, the messages should be deniable as long as they are not signed, not sure how delta chat handles it though. Regarding deniability I personally would consider it as an anti-feature because the one receiving the message can't prove to the wider world that they received it from a certain person and similarly someone who is falsely accused of posting a certain message can't go and say "show the signatures of the messages or you are lying".

By the way, do you know if the one receiving the messages can force messages that are marked as "disappearing" to be kept?


It is true that messages would be deniable if they weren’t authenticated. The design of signal’s protocol is such that messages are authenticated but deniable: it is possible for the recipient to determine that the message was genuine (the information you want to send) but it is not possible for a third party to prove that a message was authentic (the information you don’t want to leak).

See also, this article about doing the same for email: https://blog.cryptographyengineering.com/2020/11/16/ok-googl...


> The design of signal’s protocol is such that messages are authenticated but deniable: it is possible for the recipient to determine that the message was genuine

Via the use of MACs, yes. I never said otherwise. What I said before still holds, as the recipient you can't prove to others that you indeed received a message by a certain someone rather than forged it yourself to incriminate them.

> See also, this article about doing the same for email: https://blog.cryptographyengineering.com/2020/11/16/ok-googl...

The "Marisa" person in the comments is a friend of mine from IRC and I agree 100% with what she said.
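The exchange above turns on messages being authenticated by a MAC under a key both parties hold. As an added example (not part of the thread, and not Signal's protocol), the sketch below shows why such a tag convinces the recipient but proves nothing to a third party; the toy Diffie-Hellman group (modulus 2^521 - 1, generator 3) and all function names are assumptions chosen for brevity, not security.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption for illustration, not secure):
# 2**521 - 1 is a Mersenne prime.
P = 2**521 - 1
G = 3


def keypair():
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def shared_mac_key(my_private, their_public):
    """Both sides derive the same MAC key from the DH shared value."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()


def make_tag(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def check_tag(key, message, tag):
    return hmac.compare_digest(make_tag(key, message), tag)


def third_party_view(disclosed_key, transcript):
    """What an outsider can check once the recipient hands over the key:
    only whether each tag is valid, not who computed it."""
    return [check_tag(disclosed_key, msg, tag) for msg, tag in transcript]


def demo():
    alice_private, alice_public = keypair()
    bob_private, bob_public = keypair()

    alice_key = shared_mac_key(alice_private, bob_public)
    bob_key = shared_mac_key(bob_private, alice_public)

    # Alice really sends this (constructed sample text).
    genuine = b"see you at 8"
    genuine_tag = make_tag(alice_key, genuine)

    # Bob can tell it came from Alice: only the two of them hold the key,
    # and he knows he did not write it himself.
    bob_accepts = check_tag(bob_key, genuine, genuine_tag)
    bob_rejects_tampered = not check_tag(bob_key, b"see you at 9", genuine_tag)

    # Bob writes a message Alice never sent and tags it with the same key.
    forged = b"constructed text Alice never sent"
    forged_tag = make_tag(bob_key, forged)

    # To an outsider both entries verify identically.
    outsider = third_party_view(
        bob_key, [(genuine, genuine_tag), (forged, forged_tag)]
    )

    return {
        "keys_match": alice_key == bob_key,
        "bob_accepts_genuine": bob_accepts,
        "bob_rejects_tampered": bob_rejects_tampered,
        "outsider_results": outsider,
    }


if __name__ == "__main__":
    print(demo())
```

With a digital signature the second entry could not be produced without the sender's private key, which is the non-repudiation property one side of the thread wants and the other side wants to avoid.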


In the EU, there are different terms that you should agree to: https://www.whatsapp.com/legal/updates/terms-of-service-eea

As far as I understand, because of GDPR, the sharing of data between Facebook companies is limited. This is different from the US terms.


Anybody interested in SIM cards?

UK/IE/RO/MD/UA/RU/etc - cheap and fast delivery :D


> Will start using Signal app

I can't do this because everyone else I know uses Whatsapp.


Well, do you know whether they use Signal as well? You might be surprised.

Whatsapp helpfully gives you a transition period during which you can try out both ;)


I'd love to give up WhatsApp, but network effects are key here. I tried moving my extended family off WhatsApp onto Signal a couple of years ago and it failed miserably because the app wasn't nearly as easy to use, and they had all their friends on Whatsapp. Has anyone here had any success moving a large group of people onto something like Signal or Telegram? If so, do you have any tips?


I've used Signal for years, and for most of that time only had about three people who also used it in my contacts.

My wife recently got her entire extended family to use Signal. She has always refused to use WhatsApp. They all love Signal now, and use it all the time. However, this was during a family crisis.

During the Covid lockdowns, many companies I know used Signal as their preferred non corporate communication platform over WhatsApp... But again, that was a crisis.

It seems to be difficult to dislodge people from their preferred platforms without some kind of external driver to adopt it.


I am moving to Signal too. Group by Group. May not happen overnight, but in a few weeks.


How well do Signal groups work these days? I tried moving friend groups to signal some years ago and even managed to do that for some large ones but the group chat just didn't really work. Keys changed and somehow the group got into a state where some people got messages and others didn't and the only way to fix it seemed to be creating a new group which, for large groups, isn't really an option and everyone ended up going back to whatsapp.

I'd love to use signal with more people but that, and the ux around changing phones means I can't really recommend it to anyone but the most technical of my friends.


Signal, that's another one that requires your phone number?

Yeah, thanks but no thanks.


Don't they all? But good news is that they have pushed code to allow for usernames (or not even that). It isn't open to the public (or beta) yet, but it looks like the feature is going to be released fairly soon.


> Don't they all?

That's my point. I hate systems that require a phone number, as they usually mean that I have a substandard experience when I'm not on my phone and I can't sign my children up so that we have a general chat tool.

The only option ends up being massively over the top team style chats like Rocketchat, Mattermost, Discord, or Slack. So we end up back on Hangouts.

A bit shit for general family conversation.

[Edit] If they do allow signing up/in with a username then I'll probably be all over it. That would be awesome news.


I'm curious why you value your phone number over your data.

I'm unsure if they will allow signups without phone numbers, but they don't store that information. Signal doesn't have it. [0][1] It is very possible they go around this though.

[0] https://signal.org/blog/looking-back-as-the-world-moves-forw...

[1] (time-stamped to only the important part) https://www.youtube.com/watch?t=894&v=Nj3YFprqAr8&feature=yo...


Reasons:

> they usually mean that I have a substandard experience when I'm not on my phone

> I can't sign my children up so that we have a general chat tool.

This isn't a privacy thing, this is a general tool that is fundamentally broken if I'm not on my phone.

I'm not always on my phone, and my kids don't have phone numbers.

They are unusable.


I think these are fair points. I'll mention that I predominately use the desktop client and it works well since I frequently leave my phone somewhere else. But doesn't seem like a right fit for you until usernames and multiple device signup. Both are in the works though so maybe good for you in the future but not now.


If you don't have your phone with you, you can't sign in. Some services, like Whatsapp, will not work if your phone is turned off/broken


> I predominately use the desktop client and it works well since I frequently leave my phone somewhere else.

In my experience the desktop client is slow, buggy, and takes eons to start up. There's also no web version, making it awkward to use on computers other than your own.

I would be more willing to switch over to Signal if it wasn't so lacking in this regard.


> Don't they all?

No. Threema does not require a phone number (it uses one for the registration verification, but your account is not linked to that number).


So can I use 1 number to create 2 users?



Threema doesn't.



Er, The third link doesn't even support your argument and the first two links are written by the same author.

-

Signal IS much better.

It's a nonprofit, not a commercial company.

There are arguments for and against centralized systems and forks of apps. The lead dev of Signal is concerned about interoperability; but still leaves users the option of doing things the way they would like with the open source code; it's just not 'supported™'


In the third link, look at the replies. Matrix is much better than Signal, because it solves all the problems listed in my links.


How did the Covid lockdowns and family crisis in your examples affect the choice between Whatsapp and Signal?


If the only way to reach you is to either install Signal or wait until tomorrow when they see you in person, people wait until tomorrow.

If the only way to reach you is to either install Signal or wait a year until the lockdowns are over, people install Signal.


For my wife, she had to travel abroad and the family had to stay in contact with her. Since she absolutely wouldn't use WhatsApp, they all installed Signal, and discovered it's actually really usable now.

I can only speak for why one company adopted Signal over WhatsApp, but the main reason was that the company did not want their communication metadata tracked by Facebook. They were regarded as equivalent in terms of E2E encryption and functionality.

EDIT: They also did not trust Facebook entirely not to break the E2E in some way (eg cloud backups or whatever), and the message contents had to remain secure. It wasn't a huge concern, but all else being equal, Signal was the better choice.


So the solution is more crises.


but can you do video calls on Signal?


Yes, and in groups! This is a new feature though.


In Europe the WhatsApp alternatives are generally framed as tools for pedophiles and organized crime. Even installing them on your phone may alert LEO that you're suspect. This move by Facebook is highly troubling.

edit: mass downvote! here are the links.

this link talks specifically about signal protocol being used by organized crime https://www.volkskrant.nl/nieuws-achtergrond/waarom-criminel...

https://www.securityweek.com/telegram-rivaling-tor-home-crim...

https://nakedsecurity.sophos.com/2019/05/03/criminals-are-hi...

https://www.independent.co.uk/life-style/gadgets-and-tech/ne...



Source?

My friends and family have mostly been using Signal for over a year and we never had such worry. I also know lawyers, lawmakers, doctors and CEOs who are also using Signal for important communications.



That's absolute nonsense


Do you have a source for that claim? I am in Europe and have never heard that. The closest I know of is right wing groups using Telegram for their Anti-Covid agitation.


updated GP


Sorry, I have now spent almost an hour reading 7 articles of yours and, from my point of view, none supports your claim. Framing implies for me that some other person publicly claims something although that is not really the case (i.e. Telegram is not popular with criminals), else, it is just reporting.

Neither could I find anything matching your second point that installing any of these messengers might make law enforcement suspect you to be a criminal.


Sure the network effect is strong but let’s not forget how WhatsApp got here in the first place: people installing a strange new app, often shared by their friends via a text message invite link. I remember sitting in a circle with a group of friends one night 10+ years ago while each of us installed WhatsApp and had our first conversations on the app. It was a time when BBM was dominant and cross-platform messaging was new. Fast forward to today and already many of my groups are switching to Telegram or Signal.

The move can be made faster now because groups are so prevalent on WhatsApp.


Whatsapp had to compete with SMS, so when I was introduced to WhatsApp I thought it was a godsend and immediately adopted it. Also advertised it to all my friends. Switching now might be harder because there is a lot less to gain, besides some non-tangible “privacy”. What is this thing called “privacy”?


Even my mother, in her 70s, who somehow always manages to have a new virus or piece of crapware on her laptop every time I visit, knows about the importance of this thing called "privacy" and had no trouble grasping the idea that everything she shares on FB is recorded and used for advertising.

It's not a hard concept, and it's not just tech people who care about it. It doesn't require any knowledge of tech to understand.

On the other hand, she knows how to use FB messenger and my efforts to get her to switch to email/telegram have just caused confusion so far.


Am I off the mark in guessing your mother, in her 70’s has some strong opinions about one Senator Joe McCarthy or Hoover? Has she ever spoken much about living through that period-assuming your family are American?

My apologies for the imposition if that’s not the case.


I'm going to guess the downvotes are from people who don't know the history of people like McCarthy or Hoover's FBI and why someone who has lived through that era might be sensitive to and have opinions about topics of privacy[0][1]?

[0] https://www.techrepublic.com/article/j-edgar-hoover-would-ha...

[1] https://journals.openedition.org/diacronie/4823


Not American, no idea who Joe McCarthy is, and I doubt my mother does either.


J. Edgar Hoover was a cross dressing homosexual who collected blackmail on political opponents while he was himself being blackmailed by organized crime.

https://www.mojeek.com/search?q=j+edgar+hoover+blackmail


Most of the search results on that page are pretty sketchy, the top result is a tripod site and one is literally a school paper.


https://www.washingtonpost.com/opinions/five-myths-about-j-e...

They call everything "a myth" and then cite strong circumstantial and testimonial evidence that those "myths" are true, only to dismiss everything with hand waving about how "we'll never know" what his extremely private and mysterious sex life was like. Give me a break.


I was nodding along with your comment, wondering why it had been downvoted until I reached your last statement and couldn't tell if you were being serious or not.


The parent poster is likely mimicking the people asking why are you asking me to move to another app when this app does everything fine?

To be honest, I'm not well versed in the debate of privacy, but invariably in discussing user tracking by BigCo's a lot of my friends just say "I don't care if they have my data, I've got nothing to hide."


I've been thinking about this a bit recently, and the saying should be extended to "I've got nothing to hide, now." Things change and either you'll do something which you'll want to hide, or society/politics/community will change so that you'll have something to hide.

An example in the first case is that you'll want to buy a secret gift for someone, but because of the tracking the surprise will be spoiled because they'll be seeing ads for it on their systems.


Are they not right though? People don't really care about "privacy", they just want it to work, and work with their friends. You or I can harangue all we want but it doesn't change the fact that people don't care in aggregate.


The next time someone says to me "I have nothing to hide" I'm thinking of asking their salary because in my experience when people say that they actually mean they are not afraid of jail but would rather not have a lot of details being made public like who they vote for, their sexual preferences, their wealth or their personal opinion of a lot of their colleagues. Most of these details are easily inferred from their online behavior, not to mention personal chats. Part of the problem is that no one is going to say "I have something to hide". I'm not going to continue this rant because HN is not the audience that needs it but to summarize: defending privacy is an uphill battle and people are not right.


I think (and hope) he’s just relaying the difficulty of communicating the concept and value of techno-privacy to his friends and relatives - as opposed to the immediate and self-evident differential between whatsapp and sms texts.


Indeed, I was playing the devil's advocate. I definitely care about privacy and I am quite an ardent supporter of projects that try to solve this issue. I just learned that if privacy comes at a large expense (losing their social graph or unfriendly UX), people will not care for it. So I guess we need to do better so we can have both privacy and good UX.


I'd hoped so! Some things are lost in text and you know what they say about assuming.


Facebook is a private company. Freedom of speech doesn't mean they are obligated to give you a megaphone for asking your mom how she is doing. They can and do ban people for any and no reason, cutting you off from your social network at a moment's notice.


I remember paying a dollar to use WhatsApp for a year. I wish it remained independent and subscription-supported.


Telegram is getting really popular in India for bigger groups such as those in building societies and for parents in schools as they allow for more members. For one to one communication I don't see a change happening soon.


> cross-platform messaging was new.

when was cross-platform messaging ever new?

... IRC, AIM, etc ...


Neither was effectively available on phones ever.

This is in relation to iMessage vs BBM vs whatever was popular on Android at the time.

(And they got onboarding, group functionality and UI better than anyone for a very long time)


From the opposite point of view, in the last hour I’ve been added to 3 different group chats on Signal that were all previously WhatsApp chats (in which I did not participate, in spite of many of those friends repeatedly asking me to).

That’s added at least 20 or 30 friends/acquaintances into my signal contact list that I’m 99% sure downloaded signal for the first time this morning.


Why not just use SMS/iMessage groups ?


You can't do group chats in the same way using SMS messages. People who receive an SMS have no idea who else the message was sent to, so they can't even "reply all".


The person you're replying to probably meant MMS which can be used for group texting as you're describing.


The fragmented and quirky MMS implementations in the wild render MMS functionally useless, especially compared to what feature set an app can have. I've seen MMS implementations that send replies to only the sender of the original (so some replies, from better implementations, end up in the MMS group, and some end up only sent back to the sender, resulting in confusion); I've seen MMS implementations that allow you to "like" a message, and this is implemented by just sending "I liked this." as a message back to the other clients — which can't interpret it as anything other than just a normal message — resulting in confusion.

Did you know that MMS can transmit slideshows[1]? I didn't, until my father somehow sent me one. The UI that Android has for that is — naturally — a complete afterthought. (No way to pause the slideshow, no way to navigate the slides, nothing. Just one run through the animation at Warp 8.)

[1]: https://en.wikipedia.org/wiki/Multimedia_Messaging_Service


MMS is not a common technology in Europe.


Many European providers are still charging for each MMS. Something like 40cent/MMS.


Ah, I hadn't heard about that before. That's either not available or not common knowledge in the UK.


MMS are available in UK but not popular, because they were heavily overpriced and fundamentally underwhelming when they were introduced 15 years ago. They are also metered like SMS - one of the big wins when switching from SMS to internet-based systems was to stop worrying about yet another limit.


I've lived in several places and nobody really uses SMS unless it's for 1) someone you don't really know or 2) notifications of some sort...

My impression is the US/Canada are one of the only places where SMS is still frequently used for casual text communication and I'm horrified that Apple's iMessage is the one to somewhat challenge that.


SMS is not encrypted, iMessage is Apple only


good point.


In many countries, few people have iPhones, and SMS are costly.


SMS prices (or 'lack of price') was something that really surprised me after I moved to Canada, as well as phone voicemail.

In Brazil we hurry to turn off the call if it goes into voicemail, as we pay to leave a message AND nobody listens to them because it costs a lot to listen (or at least used to).


As someone whose mobile data plan is faster than home wi-fi and who does not pay for receiving calls and SMSes, the "fixed landline data first" approach in Android really pisses me off.


Signal is encrypted.


That's why I was there already, along with a few of those friends who used to be part of various WhatsApp groups as well - and they've convinced large groups of pissed off WhatsApp users to download and use Signal today.

I don't know how many of the new Signal users will stay (there's already discussion in one of the new Signal groups about "Why aren't we using Telegram instead?")

Same as much of this thread - these people are not concerned much at all about encryption details, they're largely a pissed off mob of people departing WhatsApp. And some of them are already saying "there's no web client! I can't use this!!!"

I suspect I may well end up back being "the guy who's not part of most group chats" if/when they decide Signal isn't for them... And I'm OK with that.


International SMS is quite expensive and sometimes unreliable.

iMessage is only for Apple devices.


I contact the majority of my friends with telegram, the UX is similar enough and people get on board quite quickly- the difficult part is convincing someone to install /another/ messaging app- if they have network effects too then it's a hard sell.

But once most people have both it gets easier.

Signal (UX wise) is not really super great for my family, I burned a lot of my "technical expert advisor" capital and reputation by pushing that too hard.


Signal has improved a lot. I burnt a lot of the same thing, but it's finally sticking when I ask people to first install it within the last year or so.


"Signal has gotten better" is the new "Linux on the desktop". When I move to a new phone with Signal, is there already an (easy) mechanism to take along all my messages from my old phone? Last time I checked, there wasn't, and this is a core requirement, even if most people don't quite realize it when they start using Signal.


There is a mechanism that works very well and reliably. It involves manually copying an exported backup from the old phone to the new one, and entering a 16 digit (IIRC) passcode. Whether you consider that easy or not depends on you. For me it was a 5 minute procedure.


Right, I used that procedure once, it's completely inadequate. It relies on having access to the old phone, knowing how to get files off it (and onto a new phone; both of which probably assume you know how to navigate the filesystem), and you basically need to follow documentation to do it, it's completely undiscoverable (maybe that last part has changed).

All of which is completely unacceptable in 2021 for a product meant for a large audience. Messaging is integral to people's lives, to the point where people keep 10+ year old phones because they have messages on them from people that passed away and they can't figure out how to move the messages across or to a new system. As much as it pains me to say, there just aren't any production quality alternatives to WhatsApp that can take over. And don't even get me started on Element/Matrix...


this also highlights that somehow it's ok to not be able to easily extract files out of your phone. it's maddening.


You have a point, but one should point out here that WhatsApp makes this easy only if you stick with the same type of phone... if you switch between Android and iOS you're completely SOL with WhatsApp. With Signal on the other hand you can use the (admittedly non-trivial) procedure mentioned in sibling in either case.


Another vote for Telegram here. I tried to get at least the core group of family/friends on Signal or Wire and to their credit they tried but it never stuck. They loved Telegram so much that we now have the entire extended family/friends on it.


Interesting that you had such a different result with Telegram. I'd prefer to use Signal for privacy reasons, but like you I burnt a lot of social capital trying to get my extended family to use it!


It will be a hard sell for me to switch, that's for sure. I am already using Whatsapp for Western contacts, Kakaotalk for Korean contacts, and WeChat for China contacts. I don't have any Japan contacts currently, or else I'm sure I will have to install Line. I installed Signal on my laptop for one heavy-privacy-proponent friend, and had Telegram for a while for another friend's group business chat, but I never really used either.


Telegram has no end-to-end encryption for group chats at all.

And normal chats are not end-to-end encrypted by default. Are you using end-to-end encrypted chats with your contacts?


Another bonus of telegram (as compared to WhatsApp) is you can access the messages even when your phone runs out of battery.


This is the case in telegram by default when messages aren't E2E encrypted so they (I assume) sit on a server somewhere.


I had success at least moving my parents and sister to chat with me on Telegram. I was having weird issues with Telegram video call (very low sound on my parent's phones), so I still had to call them on Whatsapp. Also, didn't find any audio call option on Telegram, only video call.


Congrats! Genuine question: Why don't you use phone calls for audio-only calls? In my experience the quality is better and degrades better. Is it because of bundle quotas? In my country most plans include unlimited voice but not sure what's the "world norm".


Well a 6 minute conversation cost me $21 on Xmas day from USA to Europe.


You can use a web browser aimed at the Skype website to setup a calling card equivalent system to dial out internationally over plain old telephone service for 2 cents per minute. You don't even need an app installed.

Don't get the subscription, pay as you go with Skype credit.


Yeah, and considering every time I call my parents it's 20 to 60 minutes long... I would go broke


Does Android not have the equivalent to FaceTime audio? I get that for x-platform you have to use one of the apps being discussed. I use FT Audio with my sister, who's in UK, all the time (I'm in Chicago). Completely free and excellent sound quality.


Google surprisingly has a raft of telephony options.

You can use Google Duo to make voice or video calls for (other than data costs) free, Google hangouts also has voice-only plus video options and of course Google voice integrates with the classic telephone network and has cheap international rates.

Google Fi has free calling from the US to over 50 countries and otherwise their plans start at one cent a minute depending on destination. https://fi.google.com/about/unlimited-calling/

Most of my friends from Asia tell me WhatsApp was and is popular because it carried voice over data, bypassing the PSTN which apparently has very high per-minute rates.

If you want to go slightly higher tech there are telepresence appliances like 8x8, Amazon or Google IOT devices or you can just use sip phones and call between the devices free of charge using your own pbx software or a free service like Callcentric's IP Freedom plan.

There are a million options that either let you opt out of Facebook's data collection and trade it for Google's, or just opt out entirely.


Google was pushing Hangouts heavily for a while, and I think that's still bundled with Android but is now on the way out. It did the job last I checked.


Try Google voice. https://voice.google.com/rates

I call my family for 1 cent per minute.


US only.


No, nothing native for Android


Android (at least used to) has native support for SIP through their phone application. I used it quite a bit 5 years ago or so, but moved over to...well, I can't remember. A 3rd party app that gave better visibility over what was happening with the service. I don't use VOIP too much any more, Signal is fine.


Because making a cellphone call to an overseas cellphone number costs way too much vs free?

Edit: sometimes I also start with an audio call, but midway there's something I want to show them, so we switch to video by just pressing 1 button.


This is changing rapidly. Many people I know are moving to Signal. Also, don’t delete WhatsApp right away. Do a “silent” move: whenever people send you a WhatsApp, answer on iMessage if they’re Apple users and actively push the Android friends over to Signal. Works well in my case.


I like the simple idea of replying on another service, thanks for that.


I'm taking this approach now too. There's a free text status message as well that's suitable for the purpose.

App is going in February though.


Fortunately I don't live in a place where WhatsApp is completely pervasive. I personally had luck saying "if you want to contact me use Signal, iMessage or at the very least SMS" and when people asked why, I would cite Cambridge Analytica.


How do you use iMessage if you got android phone? I hate this thing, would rather give my data to facebook than use it because it creates class separation between poor and rich. I have seen it with my kids who wanted iphone because they couldn't communicate with all the iphone kids who used iMessage. That's in itself much worse to me than some privacy which I already gave up on.


Absolutely agree. iMessage is even more cancerous in its social implications than WA.

I have had smart, educated people say "I got an iphone so I wouldn't be left out of group chats". Because downloading an app is too much work. I'm not sure how asking people to take 5 seconds to do something to improve their life and society became such a taboo.


Which turned out to be a bunch of hyped up marketing talk. Why does every person in SV I know seem to love the narrative that we’re being mind controlled by micro-targeted FB ads, which to be fair is what I used to believe.

Everyone on HN switches between “ads don’t work and targeting is BS” to “ads are manipulating our entire country by taking our data”


Not everyone on HN is the same person. So, different people can believe each without any contradiction.


Even individuals are capable of holding contradicting opinions.

> There are lots of contradictions in people’s strongly held beliefs. Someone might preach self-sufficiency in politics, but coddle their children. An individual might oppose abortion on the grounds that human life is sacred and may still support the death penalty for convicted murders. A person might argue for the freedom of individual expression in the arts but want hateful speech to be regulated.

from https://www.fastcompany.com/3067169/how-your-brain-makes-you...


I think they are both true, but the second is worded differently than I would.

I think ads can work, but don't in many cases (based on recent stories that cancelling certain kinds of ad spend has no effect on outcomes). In some cases, like Uber advertising to get users, this seems entirely plausible.

So I largely think ads themselves are kind of harmless. But ad-backed business models are dangerous, because they optimize for "engagement", which tends to promote content that is divisive over more thoughtful, nuanced content. Sadly, it also seems to require gathering huge amounts of information about users in a centralized spot, which seems risky for a variety of reasons.

The whole thing reminds me of a call I got about 10 years ago to participate in a survey about smoking, and one of the questions they asked was "Do you believe nicotine causes cancer?" I paused because my understanding is that nicotine itself doesn't cause cancer, but the common delivery mechanisms at the time (smoking, dipping) do increase the risk of cancer. They forced me to answer yes/no, so I said "no", but obviously a decade later, I still remember it. Do ads cause harm? Probably not much, taken on their own. But everything _around_ them seems to.


Whether ad targeting works or not, Cambridge Analytica did show that Facebook was willing to abuse the data people are trusting them with.


I simply stopped using anything except decentralized ethical services that offer freedom, privacy, and high security like Matrix.

I refuse to help walled gardens get bigger. It has cost me a lot of contacts, but so be it. There is always a choice.

If you had a friend you respected that was vegan for ethical or environmental convictions would you insist on continuing to exclusively have social gatherings at BBQ restaurants with no menu options for them? Would you take them seriously if they caved to avoid being excluded from the group?

When I deleted all walled garden messengers by Google, Facebook etc they knew I wasn't kidding. Anyone that refuses to make small allowances for you living your convictions is not your friend.

The people that need to talk to me use matrix now or found other ways to reach out like e-mail or in person. Those that don't respect my ethics don't get free advice from me anymore.


I managed to get a part of my family to Threema. Just the part of "you are paying for the product, thus you are not the product yourselves" was reasonable enough.

In my friends circle we are all on telegram (after trying wire which is just buggy as hell), but I think this is mainly due to its multi device story and the fact that it is not WhatsApp.


I shifted my family to Threema last year. Paid for it myself in the case of my younger siblings :D But it‘s working really well.


I don't know how you make your loved ones stop using specific software, and generally speaking I wouldn't want to. But if people want to contact me, well, they have to use a mechanism I also use.

I know what you're asking, but I don't think there's a fix unless you somehow have tremendous influence with them. So you either put up with being coerced by your group, or you don't.

This is probably easier if you never used the services in the first place. My mom will occasionally whine that she has to open Imessage to talk to me, and that's about the extent of it. But of course, I am missing whatever they get up to on FB without me. And that's OK with me, but I know it isn't with everyone.


I managed to get almost everyone I know on Telegram in the last few years, to the point I get a WhatsApp message less than once a week. On the other hand, I usually get hundreds of messages daily on Telegram. It's not hard if there's already interest among the people you talk with and you find the right way to get them on board.


Don't you think that Telegram has the same monetization problems (it burns "a few hundred million dollars a year" while the owner left Russia with $300m in his bank account a few years ago) and they already announced their monetization plans https://techcrunch.com/2020/12/23/telegram-to-launch-an-ad-p... Where would you move next?


What's wrong with their monetization plans?


And that is an improvement over WhatsApp when Telegram doesn't even encrypt group chats?


Signal - moved my immediate family to it, and now have a few friends on there as well.

It had some rockiness maybe about 3 years ago, but with their new group implementation and some other small tweaks I find it just as easy to use as whatsapp, albeit a little uglier.

#1 complaint is the coloring - incoming messages should be high contrast, outgoing should have the background color. For some reason signal does the opposite and it's hideous.


For info, the colors (and whole style) in Signal are the same as iMessage.


?? It's not for me on android :(


Telegram is fantastic! Frankly I think it has a better ux than Whatsapp, especially considering the desktop apps.


Telegram isn't serious about privacy. They made my number searchable and notified people who have me in their Google contact list even though I didn't grant Telegram access to my contact list (before the time when Android would enforce this with permissions) and didn't allow them to use my number for anything.

Then it turned out that they have a setting where one can opt out, but what good is that if you already were opted in automatically.

In "Last Seen & Online" I had a deleted account in the exceptions of those who can always see my status, even though I never added one.

Telegram may be better than WhatsApp, but it is far from fantastic.


I'm fairly certain I enabled all possible privacy options when I installed telegram. I went to specific lengths to do so. I still get "xyz has joined telegram!" when a new friend joins up from my contact list.

Yep: just checked. Nothing more I can do to increase privacy settings. Zero confidence in it after that


You're right but I prefer it over WhatsApp/Facebook and I started using it when about 3/4 of my network moved to Telegram (to support their move away from WhatsApp/Facebook).


Those are fair problems that I wasn't aware of.


Consider Threema instead. It recently went open source and it has top-notch, Signal-quality crypto and you don't need to provide a phone number or email.


Telegram lacks end-to-end encrypted group chats and normal chats are not end-to-end encrypted by default, you have to switch to a "secure" chat every time you start a new chat.


I personally moved to Element/Matrix with a large community. It works quite well.


> I'd love to give up WhatsApp, but network effects are key here.

Be the change you want to see in the world.


You should try it again now, Signal is very user friendly these days. I've moved most of my very non-tech-savvy family and friends onto it without too much drama.


I moved almost all my friends and family to Telegram. I think the secret, once I managed to get them to install it, was to create common groups instead of many one-to-one chats.

Then they got hooked up, mostly thanks to the huge amount of high quality stickers.


I just stopped sending stuff to friends and family who want to keep using whatsapp.

So I just use email.


I also use email (and Threema), but it annoys me a lot when I then get those "(no subject)"-Emails with multi-megabyte VID-20201225-WA0005.mp4 attachments.

I just wish they would keep all their WhatsApp stuff away from me.


IMO telegram has the best feature and usability parity as Whatsapp..

As for converting people who are not that interested, I can tell you from experience talking about privacy generally doesn't sell it.


It bears repeating: Telegram is not e2e encrypted. Messages you write on telegram will be stored on some Russian servers forever.


What are you talking about? Telegram encryption is based on 2048-bit RSA encryption, 256-bit symmetric AES encryption, and Diffie–Hellman secure key exchange

For end2end you can just use the secret chat function.. https://core.telegram.org/api/end-to-end

Feel free to check their source out - https://telegram.org/apps#source-code

So I'm not sure what 'bears repeating'.


The "secret chat" function should be default. Why isn't it? Also, it's not available at all for group chats.


People still use facebook/instagram/gmail. If you tell them whatsapp is linked to facebook, it changes nothing to them...


I had success moving my friend group onto Signal, but that was a group of young-ish, privacy interested, anti-Facebookers, so it wasn't much of a hard sell.


I managed to get most of my family to use telegram. I just stopped using whatsapp and convinced a few of them to do so also, the rest came because they couldn't speak to us otherwise.

The key was being stubborn and banking on them eventually wanting to talk to me.


> The key was being stubborn and banking on them eventually wanting to talk to me.

This. Same for me. I just put a message like this in the family whatsapp groups and then deleted the app/account: 'Hey everyone, I'm not going to be on WhatsApp anymore - you can call, text, signal, telegram or email me. Talk to you later!'. It was that simple. It took a little while but now my family is on Telegram. I know they still use WhatsApp but it's honestly not my problem or issue that they use the app - I just don't want to.


My family is on Threema, but I advocated for it heavily and it's still an island and they all use WhatsApp in parallel. But at least family photos get shared on Threema now.


Probably depends on you. Do people want stuff from you? If yes chances are good.

Don't expect people to uninstall Whatsapp. Having multiple messengers is fine.


WhatsApp is a masterclass in network effects. You can no longer decide whether or not you want to use it. Because your employer uses it, you have no choice but to use it. The only thing that will disrupt this is if security concerns make companies come out and explicitly ask employees not to use WhatsApp and I don't see that happening any time soon.


If your employer insists on installing and using a specific application on a phone, ask them for a phone to use it on. Don't feel the need to install it onto your personal device.


I'm wondering if someone can develop a product that addresses the networking effect problem. I.e. a service that allows groups to move their member lists seamlessly between networks and to be able to also see at a glance, which networks (e.g. WhatsApp, Signal, FB Messenger, Slack) the members are on. Perhaps a network of network memberships?



Such implicit locks are quite a common hindrance to letting the best product succeed.

We are all running what most would consider an outdated and poorly designed c.p.u. architecture by modern standards, simply because most software is not compiled to run on other architectures, and it won't be until those architectures see significant adoption.


This is the wrong way to look at things, switch is never binary. Yes I have whatsapp, but I also have discord, messenger, hangouts, etc. You need to find an angle to attract users for something different and then keep them for everything else.


This is a genuine question, what is it that prohibits your group from using text messages and phone calls? I do not use any apps for communication, and can’t think of why I would have a need.


Not OP but in a similar situation.

The main lock-ins for WhatsApp with my friends/family/colleagues are:

1. Group chats. SMS group chat doesn't exist (or it's next to unknown) in Australia.

2. Sharing images and videos. SMS destroys images/videos/gifs (if they even send).

3. International. Messaging friends/colleagues when they're overseas is easy.

4. Videochat (however, it's usually FaceTime with an older relative).

I attempted a shift to Telegram with a few close friends and family members. Eventually, we started to drop back to the "normal" comms route because our extended network was on WhatsApp/iMessage and juggling several methods was irritating (e.g. you message a friend on Telegram and get no response -- they then message you later that day on WhatsApp -- it's irritating to move the conversation back to Telegram).


I don't use any of the private and popular messaging apps on my phone and do rely on SMS and phone calls to stay in touch. But there are limitations:

- SMS is not encrypted.

- SMS supports text only. MMS is not well supported, and often not free.

- SMS is sometimes not as "instant" as it can be delayed.

- Delivery reports and read receipts are not user-friendly, and may be unreliable, too.

- Group SMS support depends on your default SMS app.

RCS or Rich Communication Service on 4g and 5g looks to fix this, but support and compatibility between networks is still lacking. Privacy laws also need a reevaluation as even cellular providers are looking to data harvesting to make more money and RCS may also lack encryption support.


FYI, Google has a working end-to-end encryption with RCS.

https://www.theverge.com/2020/11/19/21574451/android-rcs-enc...


Thanks for sharing this, good to know. But in the context of this discussion, it is kind of bad news. Those who avoid WhatsApp (and other messengers) do so because they don't want to be trapped within it - SMS and RCS promise us more mobility and privacy because it is a standardised technology that works with all cellular service providers. Using a Google app for RCS, instead of WhatsApp, will just trap you within Google ecosystem, instead of Facebook.


To list a few benefits:

- e2e encryption

- many extra chat features (reactions, stickers, replies, polls, etc). It might seem unnecessary but imo they do genuinely increase functionality and ease of communication

- scalable to large groups (maybe sms is as well, I've never tried more than 3-4 people)

- don't need a phone, can message from a computer instead

- messages sync across multiple devices

- video calling for groups with some apps


Most phone companies on their lower tier plans make you pick 1-2 of free calls, texts or a data allowance. High end plans aren't nearly so popular because most people don't get high end phones and of the people that do, many buy direct from Apple so don't have a contract associated with it, instead just using a prepay or sim only plan. So it's really only the high end android phones which get bought on contract which is a much smaller market than iPhones or the actual big market segment here: €100-200 androids

Nobody picks free texts. This leaves 15c/message as a discouragement for using SMS.


For impromptu groups when you don't want to give your number?


Unfortunately, I'm on the same stand as you. I managed to move my direct family and one group of friends into Telegram, but the rest didn't follow and many have been pestering me to go back.

I was thinking about going back, actually, but using a separate phone number (dual SIM FTW) and a work profile sandbox with heavily restricted permissions. I might still give it a shot, see if that's enough to quell FB's insatiable hunger for personal data.


I moved family and friends quite successfully over once I’d had a child and told them that I didn’t want any photos sharing on facebooks platforms.


It’s a shame the technology and usages are still moving quickly enough that there’s no obvious standardization that’ll last the next five years.

Social technologies would benefit from some regulation along the lines of “you must be able to use other apps to send to/receive from your app” for at least a minimal feature set, but it would be super hard to nail down what that regulation should exactly be.


> Has anyone here had any success moving a large group of people onto something like Signal or Telegram? If so, do you have any tips?

I just dropped the link in the title into all the group chats I'm in, said I'm headed to signal and removed myself from the groups.

I was not the first person to do that in these groups. Will it cause a critical mass exodus? Idk. I won't know, I won't be back.


It's not only about friends. Here in Mexico many small businesses operate with Whatsapp (eg: food delivery, gas delivery, plumber, etc).


My response to anyone is "I'm sorry, but I don't use WhatsApp or Instagram, and I rarely use Facebook because I don't trust them. You can reach me through X, Y, or Z."

If someone refuses to make an actual call, text me, email me, or use Signal, then clearly they don't respect me enough for me to need to communicate with them.


When I had roommates, one only wanted to use services A, B, ... and another one C, D, ... with no intersection between the 2 sets. So we had 2 group chats on two different services and we had to transfer messages from one to the other.

I don't know whom was not respecting whom, but I didn't feel really respected either, despite respecting each guy wishes.


Sadly, no. 6 people was my max and those were my family members. And my mom still complains Whatsapp was easier.


I had better luck because most of the people I know aren't deeply invested in their apps. I just told everyone to add me on signal and over the years more people have started using it, and suggest signal or a phone call when it's time to have a conversation.


You can try locking down the app, it's not ideal but it is better than nothing:

https://news.ycombinator.com/item?id=25664130


How's signal different? It's also in the same position as whatsapp was a few years ago. For the time being it may be better, but surely it is not a long-term alternative?


My thoughts as well. If the product is free, who is paying the devs? Who is paying for infra? I'm exclusively on Threema since it's not free, and the yearly external code reviews are stellar. The only thing that bugged me was that it was not open source, which changed by the end of 2020. Multi device coming this year, which was the last thing missing for my use case.


> signal

Amongst many, many other factors, it's a nonprofit foundation, not a commercial company.

Long term, it has backing from people (like the original founders of Whatsapp) who want to see an open solution flourish. Plus people can donate.

Also, both the client and server are open source.


You don't have to pick a messaging app for life.


If the new messaging app doesn't have an option to import previous chats from the old platform, changing platforms does come with a price.


I moved my entire family onto it easily. But they are fairly conservative and so it simply was a matter of explaining the situation about big tech lying and they were sold.


I managed to get people on Telegram by showing Stickers and public groups you can join without sharing your number.

Signal is much harder to sell to non-tech users IMHO.


I have used WhatsApp and Telegram and Signal. For me the network effects are the opposite - just driving me back to using text messages.


Yes, I've moved all my friends and family to Telegram and it's been great. I communicate with them daily since many months.


I hope you're fine with Telegram sharing your location data.


Not turning that on is pretty easy.


It's still sharing data. Sorry.


Source? I assume you are referring to the thing that went around yesterday? Then no, there is a big difference between the option to share data to get a feature (even though I'd agree the feature isn't well-designed) and what WhatsApp is doing here.


What percentage of those messages are end-to-end encrypted?


Only secret chats, and seems people using WhatsApp, tiktok or FB do not care


Zero, but I guess we're not particularly worried about it?


Wait til WhatsApp gets ads. The only reason Facebook hasn't introduced them yet is because they are terrified we will leave.


I've moved some group chats to discord and have had pretty good luck with it so far.


I've had success and you're right that it is about network effects. So you gotta take into account who you can convince first. But also consider that Signal hasn't been fully featured until about last month. So it isn't a good idea to just try to convert random non-techy people. For them you'd need to use current events that highlight how important privacy is (which there have been quite a few this year). But also focus on generating a critical mass. Now it isn't hard for me to convert people because we'll be planning things and 4/5 people have Signal so you just strong arm the fifth person and then they start using it more because they realize a fair amount of their friends are already there. It takes time though and let's be real about that Signal hasn't been fully featured. Until recently it has been more a geeky app.

So tldr target the people you want to convert to develop a critical mass.


It’s just not worth it.


One thing that is strange with signal is that you are required to have a phone number to signup?

That's one reason why I prefer Matrix/Element...


Don't use apps at all. Works fine.


If you're in Europe with a typical circle of friends, your advice is basically equivalent to "don't communicate with people, works fine".


Network effects as an emergent principle have been discovered to violate the promises of capitalist economics. We have a right to come together and set the limits and terms by which a few can extract from the many.


Why must there be extraction at all? Even trade seems like it would be better for the majority of parties involved, including having the effect of not having a bunch of pissed off people down the line.


"As part of the Facebook family of companies, WhatsApp receives information from, and shares information with, this family of companies. We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings. This includes helping improve infrastructure and delivery systems, understanding how our Services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities. Facebook and the other companies in the Facebook family also may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads. However, your WhatsApp messages will not be shared onto Facebook for others to see. In fact, Facebook will not use your WhatsApp messages for any purpose other than to assist us in operating and providing our Services."

Definition of Services: "all of our apps, services, features, software, and website (together, “Services”) unless specified otherwise."

Ads are the bulk of Facebook's "Services" but it's remarkable how they avoid saying it.


Looks like end to end encryption feature is bullshit marketing trick if they for example process my message before my device encrypts it to send it to other devices...


The encryption is also stripped when you back up your WhatsApp messages to Google Drive, along with a sweetheart zero-tier deal with Google to remove any possible downside that might make somebody think twice: https://faq.whatsapp.com/android/chats/about-google-drive-ba...

> WhatsApp backups no longer count against your Google Drive storage quota.

> Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive.


Well, let's be fair. The threat model for end-to-end encryption assumes that endpoint devices or the software itself used for communication are not compromised. Or subverted.

It's common knowledge that group chats are not E2E - there is one encryption context from a user to the servers, and another context from the server to each member of the group chat. Bog standard transport layer security, in other words.

However, even if you never used group chats and had E2E on with all your contacts, the traffic analysis ("metadata use") is enough to build associations and clusters. FB doesn't need to know the message contents (although they make use of them when available). You have frequent chats with people who play certain kinds of sports? Fine, for marketing purposes you'll be grouped with people who like those sports. Or if majority of your friends have pets - guess which cohorts you end up as well.

Oh, and if I remember correctly, WA definitely processes your messages locally before sending them: it uses a list of image hashes to prevent sending eg. child exploitation material onwards.


The sentiment of your message almost makes it look like you are trying to say Whatsapp is no worse at E2E than the others?

This is not the case. Signal for example has open source which allows to verify that it does not use the message texts for commercial purposes so we can with good reason assume that the messages are at least E2E encrypted properly within the app and at least Signal servers.

Yes, of course if you have root access to the device itself, or otherwise hack it, you can compromise any messenger. But that's not even in the same league as having basically a message spying built-in, turned on, always on, inside your damn messenger app itself.

Whatsapp calling their app "E2E" in their marketing is a spit in the direction of the users that have the technical knowledge to understand how it really works. It is inaccurate in all the ways that matter. It is accurate only in one technical way that is completely irrelevant in the real world, just put there so they could use the phrase in the marketing while not caring about the true intent behind E2E.


> The sentiment of your message almost makes it look like you are trying to say Whatsapp is no worse at E2E than the others?

That was not my intention.

I'm trying to say that E2E implies a very specific threat model, and that WhatsApp are in fact in position to subvert theirs in pretty straightforward ways. Their group messages have never been E2E, which means that if they were to force a client update where all communications are always group chats and UI hid this fact, the users would be none the wiser. They could also use their client-side content filtering to build keyword histograms and upload those periodically to their servers, without breaking their E2E.

In fact, I was trying to point out that they do not necessarily need to inspect or store message contents. WhatsApp is owned by a marketing analytics giant. With all the noise about E2E and metadata, people forget (or ignore) that traditionally intelligence about communications has been primarily about traffic analysis ("metadata"). Tapping into the communications has been of course a valuable goal, but knowing the communication patterns, frequencies, memberships and direction/timing of communications within groups has been enough to build valuable intelligence.

Sure. Access to content allows to do keyword and semantic/NLP based targeting. But the aggregation of marketing cohorts and their various relationships is likely a much more valuable asset. These relationships are also known as the social graph. And E2E, as implemented in WhatsApp, does not protect against it. They know who you communicated with, when, and where you were at the time.

Signal on the other hand have done a lot of work to enable not only E2E protected, but also properly untrackable group communications.

> But that's not even in the same league as having basically a message spying built-in, turned on, always on, inside your damn messenger app itself.

You hit the nail on the head. If you can't trust the client, practically any and all E2E promises are worthless. We agree on this one.

You also touch upon a wider problem across the messaging technology space. The term end-to-end encryption has been hijacked as a high-value keyword by every snake-oil salesman. It confers a high level of trust, precisely because when implemented correctly, it provides guaranteed message content confidentiality. But even in this thread, we see that the term E2E is routinely used to imply an even higher standard: that of anonymous communication.

Anonymity, confidentiality and integrity are all aspects of communications security. End-to-end can guarantee the last two, assuming the endpoints remain secure or at least trusted. Getting the first one included is going to require a lot of hard work, and in the case of WhatsApp, would go directly against their owner's motives.


> I'm trying to say that E2E implies a very specific threat model, and that WhatsApp are in fact in position to subvert theirs in pretty straightforward ways.

I disagree. For me, E2E implies that the company itself cannot read my messages. It's not true for Whatsapp, but it's true for Signal/Matrix.


If WA did things like silently degrading/removing E2EE, wouldn't it be discoverable by an independent security researcher?

WA seems large enough that the security community would put in that effort periodically.


Well, yes. Obviously. One would hope.

But if they were to do so, it could be done so that there likely wouldn't be anything in the visible application or its behaviour to highlight the change to a regular user. Unless you somehow see that the key ratcheting is in use and can confirm the two-sided key state out of band with your peer, you can't tell without disassembling the client.

However, this feels like derailing quite far from the original topic. The contract and assumption of E2E protection unavoidably relies on trusting the client(s) and the devices they run on.


huh? it's listed: "and showing relevant offers and ads"


Oh, you're right. It took quite a bit of digging around to get to this part, and I seem to have accidentally copied the part I was looking for, though I searched for "advertisements".


Sure but the fate of WhatsApp messages is unclear for me just by reading this excerpt. Do they use them for ads?


Yes they (would) do.


As others have mentioned, increasingly small businesses (like my outdoor exercise class) and loose communities (like my child's school year parents' group) rely on WhatsApp. Persuading these loose connections to move away from WhatsApp for one's own benefit is almost impossible.

Sacrificing access to these social amenities on the altar of incremental privacy invasion and power transfer to an unaccountable basically malign organisation is hard to stomach. And rather inconsequential taken in isolation.

What technical and legislative means might be effective in limiting the network effect around group chats? For example requiring in law that groups be accessible to an open federated hub and spoke messaging protocol to allow messages to flow from syndicated groups established on other systems (like matrix or signal or whatever) to WhatsApp groups.

What technical and legal prior art is there here? I would be interested to hear some ideas.


I feel like the internet, and the digital activities that happen on it, are this generation’s railroads, power, and telecommunications in the 18th and 19th century. They started as wild free-for-alls and evolved into regulated and stable markets with consumer protections, standardization, right to access, etc., usually after corrupt and unethical monopolies got out of hand and showed the importance of the service as a basic utility needed for a functioning country, and the need to protect it.


I guess that's part of the plan, give it for free and make it indispensable and then reap the rewards. Feels like a drug operation. :(


It might be enough to use many different messaging apps in parallel. This enables competition and a smooth transition between them. For example, I tend to slowly move from WhatsApp to Telegram as more new groups I join are created in Telegram while old groups in WhatsApp tend to get abandoned. Also, I often access these groups through Opera via their API and not the native apps. This is a natural development in a market where people use multiple apps in parallel: aggregators emerge and with that, the power shifts to them. That’s a good thing as it makes it easier to transition from one solution to the other.

What could be done legally to help this development is requiring services to offer open APIs to reduce the lock-in.


Having different apps is probably a step forward indeed. But (as far as I understand) just having WhatsApp installed on my phone allows them to keep an eye on my contact list. That sounds quite despicable to me.


Which Opera API are you talking about?

Isn't it just a wrapper for https://web.whatsapp.com/ ? I wouldn't call that an "API"


Isn't Signal better than Telegram?


Better in which terms? UX/Usability? Privacy/anonymity? Reliability? Reliability on never losing contacts/data? User-proof? As in: non-tech people will have it working well without tinkering, and they will not lose their data because they didn't do X procedure?


If I would join your group only to realize I would get no info without a WhatsApp acc, I would not come back.


That's easy to say when you live in a country where it's not a social norm (I assume you do)


Such a sham that WhatsApp's privacy policy page still says:

We joined Facebook in 2014. WhatsApp is now part of the Facebook family of companies. Our Privacy Policy explains how we work together to improve our services and offerings, like fighting spam across apps, making product suggestions, and showing relevant offers and ads on Facebook. Nothing you share on WhatsApp, including your messages, photos, and account information, will be shared onto Facebook or any of our other family of apps for others to see, and nothing you post on those apps will be shared on WhatsApp for others to see.

This is hypocrisy!!

Edit: The word "onto" in the privacy policy is so dubious. They said we aren't sharing anything onto Facebook. Probably it didn't mean they weren't snooping our data.


IMO it reads they will not be sharing any WhatsApp messages on your Facebook profile publicly (for others to see).

But says it will be used (shared) internally to target ads and product suggestions.

Very weasely indeed.


Can someone help and dumb this down a little bit for me so that I can then explain to some of my friends who couldn't care too much about this change in policy?

For example: What should be my response to questions like:

. "What kind of data can now be shared with FB versus what was shared earlier (if any)?"

. "WhatsApp chats are end to end encrypted so how can my data be shared with FB?"

. "As an individual, how different is WhatsApp sharing my data with FB for ad/tracking purposes versus what other networks such as Google do to serve ads? Let's say I'm interested in ice-cream and I chat with someone about it and a couple of days later, I get ads about ice-cream, but I choose to ignore those ads, then how am I impacted/affected?"


The article says Whatsapp will now share:

    * User phone numbers
    * Other people’s phone numbers stored in address books
    * Profile names
    * Profile pictures and
    * Status message including when a user was last online
    * Diagnostic data collected from app logs

and already was getting:

    * Purchases
    * Financial information
    * Location
    * Contacts
    * User content
    * Identifiers
    * Usage data and
    * Diagnostics


Doesn't this mean that anybody agreeing to those terms needs to ask permission from each and everybody in their address book?

And if they don't, can I sue them (at least in the EU) or ask my contact to be removed before they agree to the terms?


Technically it is Facebook in violation of GDPR, considering that all the data in the address book is easily considered personal data for a commercial entity, and so Facebook should ask the permission of each owner of those numbers before collecting them.


https://faq.whatsapp.com/general/contacts/about-contact-uplo...

Based on this they do not store information of users who have not signed up and only store a cryptographic hash. The hash isn't created on the device, so the servers definitely get it.


There are just 10^9 phone numbers in Spain. Say 0.01 sec/hash (which is A LOT), you have 10^8 seconds. You can decrypt all the hashes in 0.3 years...

"Cryptographic hash" is as bullshit as "MD5 encrypted passwords".


Or you know just create a rainbow table of all the phone numbers in the world and match the hashes against that. Would probably be faster.


If I'm being optimistic, the hashes of a user's contacts are salted with the user's own phone number, so the space could be 10^18.


Just a small detail about cryptographic hash:

https://gdpr-info.eu/art-4-gdpr/

"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

A cryptographic hash of a phone number still uniquely identifies a natural person and is, by GDPR, still under the definition of personal data. The GDPR authors knew what they were doing - or they were lucky, although other parts of GDPR also suggest that they had some technical think-tank behind it.

Anyway, hashing doesn't solve anything, whatever "obfuscation" is used/invented; as long as the information points to a "natural person" it is considered personal data.
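The enumeration argument made in the comments above (a hash of a phone number can be reversed by hashing every possible number), as an added example that is not part of the original thread and not WhatsApp code. The number range, the use of SHA-256 and the salt layout are assumptions for illustration; the page does not say which hash or salt is actually used.

```python
import hashlib

# Constructed number space: a made-up prefix plus a 5-digit subscriber part,
# i.e. 100,000 possible numbers. Real national plans are larger (one comment
# above uses 10^9) but are still small enough to enumerate.
PREFIX = "+00555"   # constructed, not a real numbering range
DIGITS = 5


def all_numbers():
    """Yield every number in the constructed range."""
    for n in range(10 ** DIGITS):
        yield f"{PREFIX}{n:0{DIGITS}d}"


def h(number, salt=""):
    """SHA-256 over salt + number, standing in for 'a cryptographic hash'."""
    return hashlib.sha256((salt + number).encode()).hexdigest()


def build_table(salt=""):
    """One pass over the whole space gives a hash -> number lookup table."""
    return {h(n, salt): n for n in all_numbers()}


def recover(hashes, table):
    """Map each uploaded hash back to a number, or None if not in the table."""
    return [table.get(x) for x in hashes]


def enumeration_years(space, seconds_per_hash):
    """Time to hash every number once, in years."""
    return space * seconds_per_hash / (365 * 24 * 3600)


if __name__ == "__main__":
    contacts = [PREFIX + "01234", PREFIX + "99999"]      # constructed
    uploader = PREFIX + "00042"                          # constructed

    # Unsalted: one table reverses every upload from every user.
    table = build_table()
    print("unsalted:", recover([h(c) for c in contacts], table))

    # Salted with the uploader's own number: the shared table misses, but the
    # salt is known to whoever receives the upload, so a table for that one
    # uploader costs another pass over the same space, not space squared.
    salted = [h(c, uploader) for c in contacts]
    print("shared table:", recover(salted, table))
    print("per-uploader table:", recover(salted, build_table(uploader)))

    # The estimate with the figures quoted in the thread.
    print("years for 10^9 numbers at 0.01 s/hash:",
          round(enumeration_years(10 ** 9, 0.01), 2))
```

Because the input space is small and public, the hash works as a pseudonym for the number, which is why the GDPR definition quoted above still applies to it.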


Their infra is generating those encryption certificates, so WhatsApp can very well decode the message and store it for further processing.

They will most likely share metadata about you with Facebook to sell that data to push more ads into your face.

They may very well also sell data to insurance companies, making it harder for you to get insurance.

Options are limited only by who would like to pay for info about you.

It's rather a question about “How much you value your privacy?”

P.S. People using Facebook from the go “do not care about their privacy”, so I don't know how much more it will affect you.


> Their infra is generating those encryption certificates, so WhatsApp can very well decode the message and store it for further processing.

This is incorrect. The sender's device generates the key with which it encrypts outgoing messages. WhatsApp's infra cannot see the content of any messages sent.

(Source: ex-WhatsApp employee)


The issue I have with that statement is that it cannot be proven. There is no source code of WhatsApp, so this could have been changed anytime.

I mean, it's certainly possible to have an administrative backdoor that just shares the local keys. Even when that wasn't the case when you worked there, and even if we believe that you are telling the truth: we still cannot be certain that this won't change on February 8th.

I mean, WhatsApp was remotely exploitable for more than 5 years before it was discovered (just to make a point).


Yes, of course this can't be proven. I'm reasonably confident what I stated still holds but I can't be certain. If that's enough of a turn off for you then your best bet is to not use the service.


Encryption is useless if the remote party can silently rekey and be re-authenticated as legitimate silently.

WhatsApp could almost certainly perform active MITM.


There is no need to rekey or do anything similar. Chats are available locally on the device, WhatsApp may simply implement a side channel to access those (they could already have one to satisfy agencies btw)


There's a configuration option you can enable which shows a message whenever the remote party changes their key (usually meaning they bought a new phone, in my limited experience), so it's not that silent. Yes, it's unfortunate that on WhatsApp this option defaults to disabled (to not confuse the newbies?), while on Signal (which uses the same protocol) this option defaults to enabled.


3 years ago, my friend, an Indian fact-checker, showed me a screenshot of a WhatsApp screen, showing a warning from WhatsApp that a message contains a dangerous link.

This (the warning) is only possible if WhatsApp can read your messages

I'm guessing that they read your message on the app. So their claim (end-to-end encryption) is indeed true and correct.

But their app can and indeed has been reading your messages, for the past, at least, 3 years

Which I personally don't mind, when it's done fully automatically (no humans involved) and only for this kind of uses (to warn users of dangers)


WhatsApp (the app) can obviously read the messages. It can hash the links and check them the same way that browsers do. It doesn't have to happen server-side.


While true, you're being very generous.


It's how Google's safe browsing API works, so it's not unlikely.
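How a client can warn about a link without sending the message or the URL to a server, as the comments above describe: a simplified sketch of the hash-prefix lookup used by Safe Browsing-style lists. This is an added example, not WhatsApp's or Google's code; the list entries, class names and the reduced URL canonicalisation are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 hash kept in the client's local list

# Constructed list entries; placeholder hosts, not real indicators.
LISTED = ["malware.example/payload", "phish.example/"]


def expressions(url):
    """Simplified host/path expressions for a URL (scheme and query dropped).

    Real implementations canonicalise far more carefully and also try
    parent domains and path prefixes; two expressions are enough here.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return {host + path, host + "/"}


def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()


class ListServer:
    """Stand-in for the list provider; records everything it is sent."""

    def __init__(self, listed):
        self._full = {full_hash(e) for e in listed}
        self.seen = []

    def prefixes(self):
        """Short prefixes the client downloads ahead of time."""
        return {fh[:PREFIX_LEN] for fh in self._full}

    def full_hashes_for(self, prefix):
        """Only called after a local prefix hit; the server sees the prefix."""
        self.seen.append(prefix)
        return {fh for fh in self._full if fh.startswith(prefix)}


class Client:
    def __init__(self, server):
        self.server = server
        self.local = server.prefixes()   # fetched once, then checked offline

    def is_dangerous(self, url):
        for expr in expressions(url):
            fh = full_hash(expr)
            if fh[:PREFIX_LEN] not in self.local:
                continue                 # no network traffic for this link
            # Prefix hit: confirm against full hashes for that prefix only.
            if fh in self.server.full_hashes_for(fh[:PREFIX_LEN]):
                return True
        return False


if __name__ == "__main__":
    server = ListServer(LISTED)
    client = Client(server)
    for link in ("https://news.example/article?id=1",
                 "http://phish.example/login"):
        print(link, "->", client.is_dangerous(link))
    print("prefixes the server saw:", [p.hex() for p in server.seen])
```

The decrypted message never leaves the device in this scheme; the provider learns a 4-byte prefix, and only for links that already match the local list.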


Link previews are generated server-side, I think.

The app sends a request to a Facebook API for every link that you send/receive. Usually this returns the little image + text snippet that you see in the app, but obviously this could also return a message that the link is considered dangerous.

As a site owner you can probably see a request from a Facebook bot when a link to your site is shared on WhatsApp. (not sure how long they cache this)


Not buying this. There must be a backdoor for lawful access or the governments would have been after WhatsApp a long time ago.


It doesn't matter. The WhatsApp client sees the plaintext (duh). Nothing is stopping the ad arm of FB from processing this.


Clearly. As with any encryption, at some point it needs to be decrypted for human consumption, and since someone else wrote/maintains the code to do this it's not impossible something naughty/distasteful will happen with the content. I'm just correcting the notion that the encryption is all orchestrated centrally and that viewing the messages in transit is trivial.


Appreciate your response. As a layman, if the service I'm using does not have access to any of the content of my messages, how would you (Whatsapp) be sharing my data? If whatsapp cannot read texts, images, location etc., then what gets shared with FB?


As https://www.whatsapp.com/legal/privacy-policy says, it's things like contact, status, profile pic, name, and so on.


How can you guarantee this? And how about received messages? How can you retrieve all your old messages/conversations when you install the app on a new device? Don't they come from WhatsApp servers? Just curious, not doubting that you are actually an ex-WhatsApp employee.


> How can you guarantee this?

I mean, I can't guarantee it. As others have said, it's not impossible that things have changed since I left or will change in the future. But I doubt it — e2e encryption is a big selling point for WA and something that is dear to the company's heart.

> And how about received messages?

It's the same deal — the sender encrypts the message with the recipient's public key, and the recipient decrypts it with their private key (which was generated locally and never goes over the network).

> How can you retrieve all your old messages/conversations when you install the app on a new device? Don't they come from WhatsApp servers?

No, you can only get old messages from your old device or from a backup that went to the cloud somewhere (e.g. iCloud or Google backup). The messages on your phone are stored locally in a DB, so if you copy that DB to a new phone it'll have the new messages. WhatsApp doesn't store messages — they are only present on WA infra until acknowledged as received by the destination.


Thank you for your response. I think I fully agree with the last line - those who do not care about privacy won't really be affected by this.

I have a question to ask. How would this work? Even if for a second we assume that they're able to read all our texts etc., how can they curate that information with insurance companies? What data might the insurance companies be interested in? I would not (and I'm assuming a lot of people would not) specifically enter my age/health issues/Blood Pressure information on Whatsapp.

> They may very well sell also data to insurance companies making it harder for you to get insurance.


Let's say they record your position every 15 minutes. (Position can be achieved via Wi-Fi AP names, cell towers, GPS). Let's say you commute everyday to work on a highway and your average speed is 100 Km/h with sometimes a top speed of 150 Km/h. Let's say your position shows that you're every workday near a pub from 17:50 to 19:00. Let's say you're never seen near a gym. Let's say you're sometimes near a medical center specialized in prostatic care. [To be continued]


So it won't impact people who don't have an FB account?


I'm not sure it matters. You still have to agree to the policy first. Whether you have an FB account at the moment might change for you in the future right? So FB couldn't be handling all those cases as well. This is a strategic move I think will cover all users.


I think everybody has a (shadow) FB account. FB collects your data and connects it to other data even if you never registered.


How, apart from whatsapp, would it collect your data? The only social account(s) I have are on reddit.



> "Whatsapp chats are end to end encrypted so how can my data be shared with FB?"

I would stress to them the difference between the encrypted contents of a chat and the metadata ("it's data about data!") of that chat.

Hopefully they will get it if you give an example of how just sending a message lets them profile you based on metadata like the exact time, geographic location, and recipient of the message, all without needing to see the contents. Encrypted messages sent from Truist Park at 2PM on a Sunday? Probably about baseball, etc etc.

Probably too high-level and wordy to share with a non-tech crowd but this is one of my favorite blog posts on this topic, from the immediately-post-Snowden era: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...


The part that creeps me out the most is WhatsApp’s aggressiveness towards getting your Contacts. Other apps want them but WhatsApp hardly works without the permission.

Why hasn’t Apple introduced a private/segmented Contacts permission like they have Photos, Location, etc.?


This has been due for a very long time.

An ability to give untrustworthy software access to a sandboxed blank copy of Contacts would've been very useful.

As a side note, Telegram is the same as WhatsApp. You can't start a chat on a fresh install unless you give it access to the contacts. There's no way to manually add in-app contacts. Given how "pro-privacy" they are supposed to be, this was rather disconcerting to see.


You can, just deny the request and add contacts in Telegram. At least on Android, I denied contact list access and am manually adding relevant ones to Telegram.


That's not possible in the iOS version. Tapping on + pops up a request to grant Contacts access.


One can add new contacts to Telegram via the desktop app.


But you can start a new chat in WhatsApp via https://api.whatsapp.com/send?phone=XXXXXXX

Does not work for me in Firefox, but in Chrome on Android, I can start a new chat without access to the contacts. I agree that it is weird though!


Easier to remember: https://wa.me/<number>

Where `<number>` contains the international prefix without the `+` sign. Has worked for me in Firefox and everywhere else I've tried. This is a fb-owned domain btw.