Hacker News new | past | comments | ask | show | jobs | submit login
WhatsApp gives users an ultimatum: Share data with Facebook or stop using app (arstechnica.com)
2254 points by erwinmatijsen 11 days ago | hide | past | favorite | 1146 comments

It's harder for US folks to understand just how much of a monopoly WhatsApp has in Europe and the UK.

Pretty much all of our school and local community communication happens via WhatsApp. I'd change to Signal or Telegram in a heartbeat, but the inertia is so great it's not possible.

It pains me to say, but we're getting to the point where companies like Twitter, Facebook and Google need to be treated like utilities or something so that such moves as these can be scrutinised and controlled more effectively as Facebook could pretty much (within current law) introduce whatever policy they like and users would be faced with the option of accepting or being cut off from their local community.

Given the pandemic and the UK lockdown, this is not tolerable.

I'm also in the UK and I deleted WhatsApp 2 years ago when it became clear that Facebook intended to move in the direction of fuller integration (I deleted my Facebook account after 1 month of usage 10 years ago). However, I had to reinstall WhatsApp because all of my kid's sports activities and school updates are organised through WhatsApp groups and it is impossible to participate without WhatsApp. Much as I believe in the cause, I'm not going to go preach it to the volunteers who coach my kids' rugby team. The scary thing here is that the actual real-life "social network" has been privatised and monopolised, and now we can't participate in society in very important ways without going through Facebook.

My experience is similar.

I want to add that when I left WhatsApp (~2y ago) I deleted my account. WhatsApp kept accepting messages on my behalf. People didn't know I wasn't getting their messages. I'm surprised I don't see this mentioned to the point I wonder if I did something wrong at the time.

In the end, I reopened a WhatsApp account recently because everyone is using WhatsApp in France and I couldn't stand breaking everyone's efforts to bring us together during lockdown.

> People didn't know I wasn't getting their messages.

They saw 2 ticks, meaning delivered to your device? Or did they see one tick, meaning only delivered to the server?

If it's the latter, that's a reasonable choice for the server to make. The server has acknowledged receipt of the message, and failed to send it to your device.

If you wanted WhatsApp to advertise to your contacts that your account was inactive, you could have maybe sent them a message yourself?

> The server has acknowledged receipt of the message, and failed to send it to your device.

Doing this without explicitly telling the other party is a dark pattern.

I would wager that most people using WhatsApp know the difference between one tick (server receipt), two ticks (client receipt) and two blue ticks (client actually read it).

Marking "Server received message and is holding it for user" with the same icon as "server received message and determined there is no such user" is dumb and bad and wrong, and probably also a dark pattern in this case.

If you click on the message you get a Message Info screen which shows you exactly what the state the message is and the timestamps. It explicitly says "Sent"/"Delivered"/"Read" alongside the ticks and at what time it happened.

I would take that wager. I certainly know what it means, and I imagine many users do, but the majority? I doubt it.

I can confirm my mother has no idea what these ticks mean. She can't make the difference between WhatsApp and iMessage either. At the time I left, I told her so and she kept wondering why I was not getting some of her messages (the ones she was sending on WhatsApp, that is).

I didn't know that until just now.

I didn't know that until after having used such apps for some year -- never thought much about those small symbols

@heipei: the curse of knowledge, i learned yesterday, via https://news.ycombinator.com/item?id=25658216

Were you a regular user? I’d wager most regular users know this. It’s a verb among my friends, like “she’s blue-ticking me”.

What’s more, if you tap on “info” after long pressing any message, the app explains it to you.

Most users don't search for extra info screens and extra information in apps. ESPECIALLY not the older generations. I'd argue that the majority of people may understand the blue tick, but that _very_ few understand the difference between a single check and a double check.

Even the ones who do understand a little about the checks probably don't bother thinking about the difference between "sent" and "delivered". They'd understand it if it was pointed out to them, they aren't stupid. But they don't care enough to realize it because they shouldn't _need_ to understand it most of the time.

And even so, the checkmarks are very subtle and easy to not notice if you don't expect to need to look at them. A user is more likely to say "well it didn't give me an error so it must have sent, I wonder why nindalf is ghosting me" rather than "huh, I wonder if WhatsApp actually _delivered_ the message to nindalf, let me check"

I use it multiple times a day. I'm in half a dozen groups.

I use it somewhat reluctantly which might reduce the degree to which I actively seek out understanding. I wish we'd all go back to vendor neutral channels of communication but I also apprecitate the fact that it is less sucky than SMS.

I’ve been using WhatsApp a few times a day for the last year, a d infrequently for several years prior, and I had no idea.

What is with HN and throwing around words like dArK pAtTeRn?

No it’s not a dark pattern. They’re being as transparent as possible. If you long press the message and click “info” they even explain what each tick means and when each event took place. It’s literally not possible to be more transparent than that.

And before the privacy brigade who’ve not used the app show up, this is configurable. You can opt out of sending and receiving read receipts. And since it’s a closed app with no other implementation, you can’t circumvent that either.

You're wasting your time. This is HN - any decision made by by Facebook or a Facebook-owned company is automatically evil.

he deleted his account. it's absolutely not reasonable to accept my message without informing me the user I'm sending to is not on the platform anymore

I can only guess that people sending messages to my cancelled WhatsApp account saw only one tick. That's still meaningless to less skilled users and there's no way to tell if the user has gone forever or if they're just offline for a bit.

Anyway, my point is that WhatsApp shouldn't silently accept messages for a non existent user no matter what weak signals you get. When you send a text message to a non existent number, you get an error. Same for an e-mail.

I can't help but think it's a way to deter users from leaving WhatsApp.

Did these marks even exist 2yrs ago? I know they didn't when I started using WhatsApp ages ago, but I don't recall when they were added...

They've been present for at least 5 years

> WhatsApp kept accepting messages on my behalf. People didn't know I wasn't getting their messages.

As an FYI to you and anyone reading this, you can convert your account to a business account using WhatsApp for Business. It has an auto-reply feature that you can enable with a custom message, to inform people you've moved to whatever platform you've decided to move to.

This is precisely the dilemma in a nutshell.

You have a choice but it's a bit like voluntary solitary confinement. Especially during a lockdown.

When I switched from Windows to Linux, sure there were some inconveniences but with enough technical knowledge and a bit of inconvenience I was able to get by.

But social media? What do I switch to?

> This is precisely the dilemma in a nutshell.

Exactly my problem too (car mechanic, plumber, school parent committee, loads of my friends …) – I need my car fixed, I need my plumbing fixed, I need to communicate with other parents. I hate that I have no choice but to use a Facebook product when I am not even on Facebook!

Just thinking out loud here, as I was considering something like this.

I can also not give up the WhatsApp account due to the social pressure. What if I would use a second phone, a cheap one, used only for the whatsapp (and some other essential but privacy invasive apps). I would not have that second phone always with me, but it would provide me access to the social network I need without feeling tracked or providing more data than needed.

I do understand that this doesn't fix exactly the issue presented here, but I already assumed that whatsapp data was already in Facebook's hands one way or another. But I would limit the amount of information that WhatsApp can track about me by having this application on a phone which does not really represent my full actions as i don't have it with me.

Edit: Corrected some typos.

Trouble is you are privileged enough to be able to afford two phones. For many families, even a $300 device is a significant expense. So if your approach was the only approach, only the rich would have privacy.

Thankfully his approach is not the only approach - just don't use WhatsApp! I never have despite the pleadings of my friends to use it.

If they can't be bothered to email or send an SMS to me or use Signal or video call via the multitude of alternative messaging services (Duo, FaceTime, Skype, Signal etc. etc.) I don't think they're that bothered about being my friend are they?

If their friendship hinges on me using a specific mobile app, that's a shallow friendship.

There's a "social capital" thing going on here. Your friends are usually willing to make some amount of effort to talk and hang out with you, depending on how close friends you are, but there are limits to that. Nobody wants to get together with someone who insists on doing everything their way every time. Most people don't care to spend what social capital they have getting their friends to use a different messaging app. You're only burning even more social capital if you try to lecture them about things they don't care about, such as Facebook having their personal information.

Particularly, this social capital is at its minimum when you're trying to develop new friendships. Good luck starting any when you refuse to use the app that everyone else in the area uses to communicate.

That just sounds like "everyone else is smoking, so I should start smoking too". Just because everyone else is doing it does not mean it is the right thing for you to do.

In this instance, if developing friendships relies on me sending my data to some unknown person the other side of the world so that they can build graphs on my activity and follow me around just because everyone else has decided that's what they want to do, then I would choose another path.

Wouldn't you? If not, please send me all your data and details of your activities, all the time. If you can trust that data to some guy you've never met in a datacenter, then why not send it to me. You've got my username - that's more than you'll ever know about the people looking at your data at Facebook.

> "everyone else is smoking, so I should start smoking too"

No, what they said is equivalent to "everybody is smoking but I'll annoy the hell out of them so they stop, and I'll refuse to meet them in person before they quit"

It's an individual-level realpolitik. You (the general you) are welcome to take such a stand if you care to, but the price is that your social opportunities may be severely constrained. There might be other things about you or your life that also constrain your social opportunities, things more important than who has your data, and if that's the case, then taking such a stand may leave you rather seriously isolated.

I would not "choose another path" because those things are more important to me. To be blunt, I'm not sending such data to any individual HN reader because that would have no relation at all to my practical ability to maintain friendships with people in real life.

You may have missed the point that in Europe, many many things are organised via WhatsApp. Kids football clubs, dance clubs, parents' evenings, school closures, social club outings, ...lots of things.

Other people are saying that in their countries, Health Services and bank transactions are coordinated via WhatsApp.

It's not just about messaging your friends, and for many people, "opting out" of WhatsApp is not a viable path.

[1] https://news.ycombinator.com/item?id=25669702

[2] https://news.ycombinator.com/item?id=25669600

[3] https://news.ycombinator.com/item?id=25671117

[4] https://news.ycombinator.com/item?id=25671855

I live in the UK. I understand that people arrange items via WhatsApp but it seems baffling to me. Why not just use email to notify people??

When you sign up to any service, they ask for an email address. They don't ask for a mobile number necessarily, and there is never a "my mobile number is on WhatsApp" checkbox. Why is the assumption of the organiser that you're on WhatsApp your concern? They have assumed you're on a certain platform, and it's their mistake.

It reminds me of the tidal wave of people suddenly abandoning their own websites and instead using "Find Us On Facebook". They might as well put "Use this keyword on AOL".

Facebook is not the internet, and WhatsApp is not the only communication method.

You can be as upset about the state of things as you want to be -- yes, it's wrong and broken and unfair -- but you can't change the state of things by just wishing hard enough. The GP's point stands, things are organized via WA, even though they shouldn't be, so your choices are exactly these:

  - Use WA and participate
  - Don't use WA, don't participate
  - Go stand in front of the home of whoever organizes the activity and have a little one-person picket parade with angrily-worded signs -- this is the same as #2 but might make you feel better

I am not upset about it at all - I think you are projecting that. I don't use it and it doesn't affect me. I was just presenting the alternative mechanism of using the established communication method of email for notification of events since an email account is requested for most things (tax returns, bank account, most accounts).

Perhaps it's baffling, and perhaps I agree, but one cannot deny the reality. They don't use email, they do use WhatsApp, and not using WhatsApp is effectively impossible for people in that situation.

Then the reality is insanity!

My mind is blown.

Why the use of the word “privilege”? We don’t know what balance of OP’s wealth is earned vs unearned (privilege).

We also don't know how much the phone was. It could have been a very cheap device. My main phone was £200 and the previous one was £120.

Looking on Amazon.com, a Huawei P Smart 2019 (32GB, 3GB) 6.21" FHD+ Display, Dual Camera, 3400 mAh Battery, 4G LTE GSM Dual SIM is $209.99.

I think some have assumed that he went out and bought an iPhone 12 Pro Max as a second phone, and we don't know that.

It could also be that he had the "privilege" to earn it (as not everyone has that privilege).

Seems a bit reductionist of the concept of privilege because everything becomes privilege as there is someone who has experienced worse with few options. For an extreme example, dying with cancer becomes a privilege compared to someone who loses their life immediately in an accident. Only one of those two has a chance to say goodbye as well as prepare their friends and family.

It’s not just reductionist, it’s a misuse of the word in a way that is becoming more fashionable. Buying phones does not come under the meaning of privilege, unless perhaps you’re in prison (I struggle to think of an example that might occur and isn’t patently absurd). The rest of us can walk into a shop, those things that are open to the public.

Hopefully this misuse is just a fad and we can go back to a more sensible use.

Or it could be they just worked really hard or prioritised or what do I know.

But I agree privilege is vastly overused.

Exactly. Privilege can indeed be earned through hard work (without implying that's the only way to gain/earn it), and one is free to use privilege in life. It's still privilege, and the troublesome part is when that goes unacknowledged.

Who does not have the privilege to earn money for a second phone and what would that privilege be?

Please describe what you mean by “privilege”. Privileged enough to have a second phone? What does that even mean? Am I also privileged to have a second laptop and a PS4? Should I feel ashamed because of this and why, exactly?

If you can afford to have a throwaway phone with a second phone line of service -- remember, WA must be tied to a phone number, and you don't want to give FB your real phone number, right? -- then you are probably doing better than the average person. Remember all those articles about how the average US resident can't afford a single $400 surprise bill? That's called privilege. Nobody is saying to "feel ashamed" about it, just remember that if you're suggesting a second phone as an acceptable solution to this problem.

That wasn’t me, I did not suggest that. Though your choice of wording is horrendous and your understanding of the term “privilege” is ridiculously wrong and borderline humiliating. It is not a privilege if you earned it by hard work. I spent years, decades of my life learning languages, educating myself in tech, and now you are saying that I am more privileged than an average person because I am earning more? I don’t think so.

On Android you could use Shelter [1]. Might no be as good as as second phone but it heavily limits the data you expose. You can also freeze the app if you don't use it actively.

The biggest annoyance is that Android only allows having exactly one of those "Work Profiles".

[1] https://f-droid.org/en/packages/net.typeblog.shelter/

>What if I would use a second phone, a cheap one, used only for the whatsapp (and some other essential but privacy invasive apps). I would not have that second phone always with me, but it would provide me access to the social network I need without feeling tracked or providing more data than needed.

This is what I'm doing currently: an old phone used exclusively for whatsapp (with an empty contact list); it always stays at home. I only use it to coordinate kid's stuff (school, social activities, etc), so there is no problem with me not having it with me the whole time.

You can limit what an app can gather anyway, if you wish. If you would go to such extremes to have a second device just for WhatsApp, there are ways to hide things from it on your one main device, too. I go for microg in order to cut Google's surveillance, and usually allow no permissions on untrusted apps, so all they can get is the IP. You can mitigate that too when needed, though probably with more effort than is practical (accessing the internet is something that can also be restricted from default Android permissions).

When this article went up, I realized that I'd allowed WA to access my Contacts, so I went in and revoked that permission. It immediately reformatted my whole conversation list as phone numbers instead of names. I can't rename the conversation, but I can "add to contacts"... which inexplicably shows me my OS contact editor, which they're not allowed to read. So I guess that as punishment for not letting them constantly vacuum up my contact list and send it all to FB, they make it harder to figure out who I'm talking to. Classic FB.

I have a second dirt-cheap used phone with a disposable SIM card just for WA. But you could make a WA<->Matrix<->Signal bridge (https://matrix.org/bridges/) using a temporary phone no.

Or even a VM if you don't want to have a physical phone.

I've recently switched to using Whatsapp in an emulator, which is kinda similar. I even almost got a virtual camera working so I can share my desktop screen via whatsapp call (would be super useful for parent tech support). Laptop cameras should work fine though.

I'd be very interested if you could add some info regarding what software you used to do this.

I used Bluestacks emulator (and Nox too, one has to be a clone of the other I guess) to run the app. For the virtual camera I used OBS with a plugin to emulate a webcam. This worked for the webcam feed in the browser, but in Windows > Camera it wasn't detecting anything. I got the same results when trying to use an old smartphone as a camera via DroidCam before I gave up.

I tried to run a branch of a charity without WhatsApp and Facebook for two years and it was impossible. I had to give in and sign up.

So, these things should be regulated and operated like utilities. Phone companies don't have the right to mine my contact list, and neither should Facebook.

> I'm not going to go preach it to the volunteers who coach my kids' rugby team.

Why not? I would.

And tell them what? Please all go install a different app? That only works if you can get everybody on board, it's unacceptable if a parent gets left out because he isn't there that day or cannot get it to work.

You would also have to explain to them that Facebook cannot read your messages, but they can see the meta data. And then you have to explain to them what meta data is.

I think your kid is not going to appreciate your efforts.

The point is that you can tell everybody why you don't like WA, and even come up with a really good way of explaining the problems to non-technical people. This might even work in some cases. The problem is that WA has an enormous head-start in Europe. So maybe you talk around your gym, but your kids' school can't justify switching. Guess what, you're still stuck picking between using WA and missing out on big chunks of your real life.

Wait for them to ask the why, tell them as succinctly as you can that fb is evil and there are alternatives.

How do you tell them succinctly in a way they can understand that the company that makes two of their favorite apps IG and WhatsApp is evil?

'they deliberately fine tune their product to make it more addictive'

'yes, and?'

'other companies have the same product (talking about chat) and don't contribute to the formation of monopolies'

'you're way out of line'

'i just don't trust them and i use a different service'

'ah? tell me more.'

If you think privacy is important, you have to do something about it.

It's a lesson in civics. To do nothing and say nothing while expecting someone else to fight the good fight is poor citizenship, but it is very good consumerism.


Wow I had a similar experience at university. I only joined Facebook because my course had a Facebook group where we all communicated. Now this same hook exists in WhatsApp. It’s pretty crazy

the issue is that people would probably not want to pay for an app like WhatsApp, and so the 'free' alternative takes hold, and whoever controls that gets the cost of running the infrastructure in advertisement fees.

If some company could set themselves up as a utility, and the mobile network operators were to pay that company to run the messaging app + infra, then it could be made to operate like a utility and nobodies data would have to be sold.

I could remember initially paying for a Whatsapp subscription a couple of years ago, I was happy to do so as I believed they were providing an essential service.

I think that model could've worked.

And wasn't it just $1 for a year?

This could work as a good argument to switch if executed well.

'your device owns you and is siphoning cash from you'

In the U.S., my experience with Whatsapp was that I created an account and never used it once to communicate with anyone, then I deleted it.

I've also withdrawn from social media.

The exception for now is HN, because it's more of a forum, even when bad information sometimes instates itself as reality for a large conversation, like a big gathering of fans talking about their team that will inevitably fail to win or perhaps a bad STD.

I learn what others are doing through direct and intentional communication, even if technology is used or if the information is second-hand. I don't text back or call back immediately, which my friends and family forgive, but it sometimes seems to hurt my relationships.

I still worry of dependence on large companies, big data companies gathering more information about me than I know myself, and the potential of out-of-control AIs. However, I attribute these in-part to my own paranoid thinking that use my memories of large company layoffs, privacy concerns raised in the tech community, and mostly fiction.

While I've come to the realization that the act to trying to be happy and successful is the very thing that makes me unhappy, and I just need to exist, maybe becoming better at whatever I'm naturally good at, while being here and now with those I'm with, giving my service to them... I still keep wasting time replying about things that don't matter.

WA is not particularly good, it's just that I don't know anyone who doesn't use it (in the Netherlands), even when you want to contact helpdesks it is sometimes the preferred way. I mean, we have this in many streets: [0]

Without kids I could see myself getting away with not using WA, but with kids you are really setting yourself up for a very hard time (and prepare to be judged by other (annoyed) parents and your kid will feel the consequences at some point, the kids will miss out on critical and fun information).

WA has almost become what email used to be. Except that it's a controlled platform and we are locked into a single provider, a provider that once promised a focus on privacy and an app free of commercials, forever...

[0] https://duckduckgo.com/?q=whatsapp+buurtpreventie&t=ffsb&iax...

It has completely replace texting in NL and some parts of Europe too, and I mean that literally.

yep, here in the UK everyone I know uses whatsapp. Some people have telegram as well, but WA is the baseline. The only SMS texts I get are marketing and automatic notifications.

What does it do that's so great?

It's "good enough", and it used to be free when texting wasn't.

And it's better than SMS at Unicode.

And at sending/receiving pictures... MMS was even more expensive here.

It's more reliable than sms - I used not to receive some of the texts people would send me, which caused all kinds of misunderstandings. I ended up doing experiments with friends sitting beside me just to prove my point. The same thing happened to family members.

I'm not sure what the problem was, but WhatsApp solved it.

I don't actually use SMS but I don't think that most people get read/receipt confirmation. The little check-mark system in WA is a big step forward compared to plain texting. Of course, similar features exist in other chat applications, but if the comparison is just between WA and SMS, that's a big difference.

it just replaced texting back when phone contracts tried to charge lots of money for texts. The network effect does the rest.

At one point I had unlimited data (2011-ish?) for 5 eur/month and a text was 20 euro cents per 160 chars or so... So I guess providers wanted SMS to disappear here.

>Twitter, Facebook and Google need to be treated like utilities [...]

Our generation is reinventing the wheel here, our ancestors had exactly the same problems with the power, water, gas, telephone and rail networks (at some point in time, all those were unregulated and privately owned) and did exactly that. Critical infrastructure needs to be heavily, regulated if not outright publicly owned.

I think similarly to how europe has forced Banks to interoperate by making them write a protocol that can interoperate, governments need to force social media companies to write down a protocol and use it.

I like the analogy with utilities, but the issue is that we pay for electricity, but we don't pay for our usage of social media. As long as that's true we can difficulty do what I'm suggesting above

Exactly that. There needs to be a mandated federation protocol for instant messenger apps that have lets say > 10 million user in the EU.

I think India's Unified Payments Interface is a better analogy here. From what I understand (as an outsider, so based only on what I've read) it provides a universal API for mobile applications to interface with banks, essentially standardizing the federation of bank transfers. Therefore, your account at bank X can be used to pay an account at bank Y for some service that uses app Z.


I wrote a tweet thread about this which I will post here for convenience:

Consolidation is a debt. You gain market cap at the cost of introducing systemic weakness and reducing broader market innovation. Once a company becomes a fundamental service they need to be regulated like a utility

(I will illustrate with Facebook)

Facebook can get the license to operate it but they also need to open up their API’s so others can build on top. These should become web standards governed by w3c.

Facebook is an interesting case as this system would remove all the perverse incentives driving their business model (no more ads). It would also crash their stock. That value hasn’t disappeared though, it has been pushed out to the edge nodes of their network (specifically the companies building on top of their API’s). My thesis is that this model will increase the overall pot while reducing the share the largest players have.

The knock-on effect of this is that investors will see this as the final outcome and be less incentivised to invest. That may be a problem as we don’t want to stop the emergence of billion scale companies altogether. Therefore a mechanism for the people to buy out the company at a fair legally agreed market value should be in place. This will stop crazy upsides and protect the undesirable downsides. The asset then becomes publicly owned but privately operated according to regulations.

AI would fall under the same model. With open API’s and standards anyone can get the data they need to build new AI companies. Especially feasible if we move towards self-sovereign identities and crypto methods of exchange.

To facilitate more small tech innovation we need to introduce a UBI. It will allow more people take risks with their time leading to more cottage innovation. In 100 years it will be a fundamental aspect of fiscal policy.

Additionally education needs to be refocused on making things. People are not equipped with the skills to build things. There is no better way to learn, grow and generate value. If we want a diversified small tech eco-system economy we need to focus on helping people develop the skills that make it possible.

I don't like the idea of government having full control of these services.

I believe that we need fully decentralized system, much like the e-mail, but realtime and E2EE. Sadly, it seems to me that we're taking the opposite direction. Just few widely used messengers, all of them are centralized, some of them have E2EE, but who knows for how long - EU commission seems to like the idea of breaking in. No matter what their intentions are, I didn't sign up for that.

In essence I agree with you, but let's not forget that in most countries, the government has already complete (albeit strongly regulated) control and access to postal services and everything that is sent through them, and I think most citizens (me included) are okay with that as well.

Furthermore; I'd much rather have the government spying in my stuff than Facebook selling my data to the highest bidder; at least if that were my only two choices.

> and everything that is sent through them

Are you seriously comparing letters and private IM conversations? I don't know about you, but I received/sent maybe 5 letters in last 10 years, none of which were from/to another private entity.

> I'd much rather have the government spying

I consider this very short sighted and dangerours, but that's your choice.

> at least if that were my only two choices

Those are not your only two choices, that's kinda my point. We actually don't have to choose between a greedy company or a state. The only decision people need to make is centralized or decentralized system.

I share most of your sentiments, I really do. In a perfect universe, we'd all be using fully e2e-encrypted messaging systems. But:

> The only decision people need to make is centralized or decentralized system.

They already have this choice; Matrix and others exist for quite some time already. Yet it is evidently clear that your average citizen will flock to whatever messenger is the easiest to use and is already used by their friends/family. Security/privacy are second thoughts at best, if at all; and even if it were important, grasping the different implications of all the available options isn't exactly easy either.

And since we can probably agree that the vast majority of folks already "fail" to make the right choice in this regard, I'd much rather have a regulated, government-controlled messenger than some company like Facebook. The former is accountable to its citizens, the latter to its shareholders - if I have to pick my poison, the choice is clear.

> Are you seriously comparing letters and private IM conversations? I don't know about you, but I received/sent maybe 5 letters in last 10 years, none of which were from/to another private entity.

...because email and IM exist. they used to not exist and people sent paper letters to each other all. the. time.

now there are places and people I need a particular digital post office company to communicate with - and the worst part is, it's because they don't really care and thus force me to risk giving up my data if i want or need (read - am forced to due to life circumstances) to talk with them.

I think this trust difference is a general division between Europe and US. Europeans generally trust their governments more than private companies, and vice versa in the US. I would assume both have valid reasons for this on their own side of the pond.

For what it's worth, I too would trust the government a whole lot more than Facebook.

That‘s a good observation, and I agree, though I wonder why.

It would seem to me that Americans have had more experiences with bad companies, and Europeans more experiences with bad governments over the past 300 years...

It seems most people have chosen the centralized system, whether we like it or not. So then, the next choice would indeed be „public or private“?


Not to forget the things that were in co-operative ownership, either.

Sure, let's make the public alternative, but I am strongly against taking over businesses.

I am strongly for taking over businesses which are de facto monopolies.

If your public alternative can't win the users then "breaking the monopoly" will worsen the user experience. I don't want to live in that world - consider Telegram, a much better experience than WhatsApp, and it won over many users already. Evidently the monopoly is not as strong as is suggested. Telegram might not exist if there was a risk of losing the company. I don't want to be stuck with bad public software. In reality, when you destroy WhatsApp, people won't use the bad software, they will go to the next player and make it a "monopoly" because it most likely will be a better user experience.

At every step of the way, Facebook has leveraged its size and existing troves of data to undermine and buy out the competition. The goals of Facebook, Amazon, Microsoft and Google are the same - world domination. Same as any mega conglomerate of years past. The difference now is tech scale and the willingness of regulators to allow it to happen.

Then how come my entire family and most friends use Telegram now?

Network externalities in communication networks make it so that you can create a 10x better application and still have 0 chance of competing.

I disagree. Facebook, Twitter and Google are ephemeral utilities. They will probably be replaced by another company.

Privatizing them will just let someone else come along and Embrace, extend, extinguish them.

> They will probably be replaced by another company

Nobody has a chance, but different reasons in each company:

* What we have seen with Google - For a search engine, the more traffic you get the better results you can give (you can A-B test different algorithms for different queries, and optimise results). For new entrants they need to be popular before they can be better, which is a catch-22. Additionally Google has significant revenue which is very profitable because of it's monopoly position, and it can use this to reinvest in search technology to further widen the gap. It's going to take more than 2 people in a garage to beat modern Google at search!

* For a social network, Facebook buy out any potential competition when it's gaining traction to further solidify their monopoly. See WhatsApp, Instagram, Friend.ly e.t.c.

> For a search engine, the more traffic you get the better results you can give

Lately I have been noticing the opposite trend. Google search relevance is going downhil for me. I'm not sure when that started but I noticed it in 2019-ish last two years. Youtube search is so bad (note: I have history disabled), I rely on Google to search YouTube.

Playing cat and mouse with SEO seems to have taken its toll. I find myself going to DDG and Bing a few times a week. Before it was only Google.

> For a social network, Facebook buy out any potential competition when it's gaining traction to further solidify their monopoly.

Maybe, but each of those competitors is essentially a fad, and Facebook forcing WhatsApp users to login via Facebook, to me seems more like desperate move, than anything else.

I agree those acquisitions are IMO problematic, but I am not sure if they are strengthening Facebook, or killing it with a thousand cuts.

Them going out of business in 60 years doesn't mean we have to sit on our hands now.

I don't think they will last 60 years as monopolies. Like IBM if yesterday they will shuffle around shadow of their former selves.

MSFT is nowhere the behemoth it was, with Windows 10 being minority compared to Android.

Blame Carrier. Modern SMS could have been great, but Carrier didn't want to lose the however minimal revenue they had with SMS. ( Not every countries has unlimited SMS across all Network and across the world )

Or Blame MSN, the Instant Messenger, when Microsoft refuse to admit defeat to the Smartphone platform.

So WhatsApp took over in EU ( I believe iMessages or SMS is still popular in France ), UK, SEA, Brazil, Hong Kong. Line in Japan and Taiwan, KakaoTalk in South Korea. Unsure about Australia and Canada. ( They use WhatsApp but not to the extent of countries listed above. )

And it is iMessages in US. I have no idea why that thing even took off. I have tried it dozen times over the years and every few months it has problem with message delivery, people in group not receiving any messages. Poor Searching capabilities etc....

Telegram has gain usage but for different kind of reason. And I dont see it ever being used in the same manner as WhatsApp.

So most of friends just clicked yes and share their Data. It is important to note despite the increasing hostility against FB on HN, and in Tech Circle, most people in the world seems to have no problem with it. I dont see WhatsApp going away any time soon.

Edit: How does this data sharing fit in with GDPR in EU?

> How does this data sharing fit in with GDPR in EU?

It actually doesn't fit at all. As long as "payment" for usage is based on agreement to share personal data it is illegally obtained consent. Either they are ignoring their lawyers or they should fire them.

EDPS Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, 14 March 2017, p. 7.

"There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give the market the blessing of legislation. One cannot monetize and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction."


I think iMessage took off, because you don't realise it's not SMS. Open the Messages app, type a message, if there's an iDevice in the other end, BOOM, iMessage.

Where iMessage fails is when the device in the other end isn't an Apple device, or perhaps the contact previously used an iPhone, then fallback to SMS is troublesome.

Most of my familymembers will send an "SMS"... except it's via iMessage, but nobody knows or cares.

I have this problem. I use an Android phone, but have a Mac and iPad. My mum has no idea how to send an SMS to me so will send me messages on iMessage that I don't see for weeks because I haven't used the iPad or Mac (been working on Windows for a while writing code).


I'm in the opposite situation. A friend has iMessage on the computer but just SMS on the phone. There's no way to force send an SMS on iOS anymore. All the guides I've found just mention the "Resend failed message as SMS" but messages never fail, they're just queued on the computer.

Oh so no way to explicitly send a SMS from iMessage on an iPhone now?

That'll explain why my mum can never ever get in touch with me.

Carriers now looking to RCS as the messenger alternative, but if they price it like MMS, they will kill it. To do it cheaper, they have to give a large chunk of the service to Google, which gives Google the data mining opportunities :(

MMS is free at this point, in many countries. The carriers in those countries will make more money by using RCS, because it will use cellular data (at least if I understand it correctly), which isn't free.

My point being that I don't think many carriers care about text messaging, or phone calls. They sell you a fixed cost plan for those. The only thing that can really affect your price is data usage. If Google wants to deal with the hassle of managing a messaging platform, great, that's money save on running a service that isn't making money anyway.

Is RCS using Google infrastructure? I thought it stands for Rich Communication Services, the SIP/IMS based telco system?

GDPR still holds. The data can only be used in an aggregated from for advertising purposes within platform (facebook, insta, whatsapp) and not be sold to others. You have the right to have your data deleted upon request.

Ditched it about 2 years ago. And man, it's so hard! Literally everybody uses it here in the Netherlands as well.

I'm getting strange looks every day when people hear I don't use the platform. It's horrendous.

I also really fear for the moment where I've to tell a nice girl I met that I don't use the platform, and that we should use X other platform instead. I can imagine that to be a letdown or to be weird. That's insane to me.

I got used to the strange looks. I got the strange looks when people heard I didn't use Facebook. If you asked them to sign up to a website on the Internet that was popular in your circles just so you could be friends, they'd refuse, eg. "please sign up to basschat.co.uk because all my friends like bass guitars".

If their friendship relies on you installing an app on your phone, that's a very shallow friendship isn't it?

> If their friendship relies on you installing an app on your phone, that's a very shallow friendship isn't it?

This argument doesn't make sense. You can't just ignore practical aspects entirely and justify it with a cheeky "if they're truely your friends they'll accomodate ahah".

Sure if I want to send a private message to a friend I don't care whether its via SMS or whatsapp, but if I'm in a group chat with 5 of my friends I won't send a transcript of the conversation to the one person who doesn't participate.

Why not inform your friend of the outcome? Half of the group chats seem to be utter nonsense until a final outcome is made, particularly with arranging something.

Or would you not want your friend to attend?

The choice is: do I want my friend to be included in my activities?

The choice is not: do I want my friend to be included and also send all of his data to some people I've never met?

Your idea of friendship is rather strange. It appears to involve other people arranging your social life for you on your behalf, and then presenting the plans to you for your approval via the communication method of your choice.

Maybe it works for you, but not for most people.

Not at all. You have that wrong. It is quite a funny way of presenting how I'd do it though! That'd be insane!

I ring them up or SMS people.

As someone who lives in the Netherlands, I feel your pain. I don't think I can get my contacts to really switch to something else, and even if I could, new ones would use WhatsApp anyway.

I think your fear depends strongly on how open-minded/techie the girl is, though: I've used Signal to communicate with all of my Tinder contacts, but I will admit people remark on how it feels like a 'drug deal'.

> but the inertia is so great it's not possible.

It is possible, but difficult. You may lose access to some groups, but you can't have everything you want without some sacrifice.

Personally, I'm leaving WhatsApp. Yes, my family and friends will be a bit annoyed about the hassle of contacting me separately, but so be it.

That sort of behavior is very selfish, wouldn't you agree? You expect everyone to be annoyed and go through the hassle of contacting you, when you can't even keep one app installed to communicate with all of them.

And in a lot of countries you wouldn't lose access to "some groups" but you would lose access to ALL of them, from social, to every other group.

You could easily flip it around. Why should others expect me to sacrifice my privacy to socialise with them?

For me, ditching WhatsApp is altruistic, helping make it easier for others to socialise without giving up their privacy and security.

What hassle would that be? They could send you SMS or call you.

Would they really find that too difficult? The mind boggles.

WhatsApp means groups. A lot of groups. Both long-living and ephemeral.

1 on 1 can be done. But group communication? They will leave you out and it will be your burden to get the info using another channels.

That seems quite the choice to make: learn about group chats or send all your data to Facebook.

It seems quite one-sided.

So many children using it. Wonder what the EU law is on data privacy and under age kids? Can under-18s legally sign this snooped data over to FB?

Hope some lawyers can stop this in its tracks. Otherwise Signal or some other service will get our business

Don't know about kids but I think there is some requirement that people can meaningfully say no. Seems this is a breach of such a requirement.


Sadly the law is written in a way that let’s the optional part be disregarded if the business considers the data that’s being shared necessary to run its business model... and advertising companies like Facebook will argue all data can help them sell ads better or for more money, hence all sharing of data shouldn’t need to be optional. This has yet to be tested in court, but both google and Facebook have taken this approach in their implementation of gdpr, leaving us wondering what the point was anyway... law without teeth :( the eu should have already slapped down google hard for their lack of an opt out, but it’s been years and still nothing. Seems the law makers aren’t really on the side of privacy after all.

Last I checked WhatsApp minimum age was 16 (in the EU at least) to comply with the regulations.

Obviously that doesn't stop (many, many...) just using it anyway. But Facebook will happily turn a blind eye to this unless their hand is forced.

Here all the kids use it as soon as they get a phone. If they can't write yet they'll send emojis (!!). The minimum age is just a meaningless smoke screen.

Yes, usage by kids is a real problem. My child is one of only two in the class that doesn't use WhatsApp. All the others do. They have what they call a "class group", even though not everyone is there.

When I try to tell parents how much Facebook learns about their kids (their friends, networks, and by merging data from different sources: habits, school, frequented locations, etc), they just roll their eyes. The response is "well everybody is tracking us, who cares".

All this even though there is Signal, which works JUST FINE.

Children luckily are much more flexible and chop and change with the wind. It's the older folks once something is established it ends up becoming bedrock and super hard to change. Parents/Adults are busy if something 'works', there's a lot of resistance to changing it.

Yes, though I feel like people are finally (slowly) waking up to the problems here. Both the US and the EU are finally looking deeply into Facebook and other big tech.

I don't think politicians are going to solve the problem for us entirely, but a bunch of us have been working on technical solutions for decades and they aren't the entire answer either.

A little regulation combined with the right alternatives may go some way. I'm optimistic, though we have a very long road ahead.

Thanks for the positive outlook among many negative ones :) I hope we can find a good alternative in the market. Anyone know of alternatives that allow end to end encryption with group chat support so far?

In Norway WhatsUp is popular, but my dentist still use SMS and email, and so other businesses that I interact with. My son’s school has own app for communicating with parents and teachers use Teams to present online lectures. My son uses Discord to talk to friends, but I think he is an exception.

What is really problematic is Facebook monopoly for organizing any social activities or events. There are simply no alternatives especially among 30-50 years old. Like the saying, “What parents were afraid video game would do to children, Facebook did to parents.”

I can cut out WhatsApp from professional use no problem.

There is no way to cut WhatsApp from casual/family use in Europe.

Schools, kindergartens, mechanics, contractors, plumbers everyone uses it.

The problem is that WhatsApp is the easiest method to share photos on mobile.

If you do not have WhatsApp your plumber can not send you a picture of pipes they fixed. How do you work around that?

Other parents are using WhatsApp for organizing out of school activities. Again, there is no way to go full Stallman here...

I'm in Europe, and I'm doing it to the best extent that I can: no permissions allowed to whatsapp, no profile picture, no read receipts, no notifications, sending a standard message to all personal groups that 'lads, I'm moving to signal, ciao'.

Beyond that, I will not entertain personal messages on whatsapp, only work related. Each new person will be greeted with "Do you mind awfully if we use Signal?" Does this come off as self-important? Sure. But it helps that I don't care too much if it does. I had the same attitude quitting FB and Twitter too, I just don't need people that much. I don't have a 100 friends anyway. I have like 15 that I really want to keep in touch with. Those 15 will understand.

What when other new person suggests Telegram? I have like four different messaging apps on my phone: WhatsApp, Telegram, Wechat and Link. Don’t need one more random app lol

I’d love to switch to telegram, but their default messages aren’t even end to end encrypted. And secure messages are not available for groups. So it’s not a great option for privacy actually.

Not only Europe and UK, LATAM is also pretty much governed by WA. I remember one time I had a visit of some folks from Canada, they were very surprised that we used it as our main chat/communication app. When I asked why, they said "we don't hear from it (referring to WA) that much, we all just use iMessage" I guess in their context/community most people own iPhones.

Exactly, the usage of iOS in some countries is high, and that’s where WhatsApp didn’t win as the most used chat.

Yep, in Australia I had basically never used WhatsApp. It's barely a thing. (However, Facebook Messenger dominates there, so it's not as if the privacy situation is any better, Facebook Messenger is just a better app/website to use).

Here in the UK I am literally required to be on WhatsApp to live in the building I currently live in. I have no choice in this matter. It's just the default messaging service for everyone.

If you join any kind of club? WhatsApp group. If you want to talk to someone about renting a room or apartment? WhatsApp chat. Live with housemates? WhatsApp group.

Plus the whole fact that if I deleted facebook, I would cut off contact with my friends and family (I can't expect like 25 people all to switch messaging services just for me). I would lose access to my thousand-dollar Oculus VR headset (I hate them so much for buying and linking facebook and Oculus, and hope a better competing standalone headset comes out).

And don't forget, you can't use an Oculus Quest with a blank facebook account you made just for that - they actually check that you're really using the account and force you to verify with photos and ID.

They are the absolute epitome of evil. Facebook, in many ways, but particularly in regard to Oculus, is a moustache-twirlingly, cartoonishly evil organization.

Could I just never buy an Oculus? Hopefully one day. But when not just your hobbies, but also your study and skillset and career prospects are right in that industry, you swallow your pride and make a damn facebook account.

I was also required to be in facebook groups for university classes back when I was a student. I HAD to be on facebook to get a degree. And for an amateur theatre group I joined.

Not to mention everything going on with misinformation about elections, vaccines, etcetera etcetera.

Some of this stuff is now moving to Discord, which is probably better than anything owned by facebook, but being better than facebook is a damn low bar, and Discord is still ultimately a for-profit corporation that would sell your soul if it made them a dollar.

This "just stop using it" attitude you always get on Hacker News and reddit about facebook and their various messaging platforms baffles me. Do you people not have lives? Jobs? Friends? Family? If you (in or out of a pandemic lockdown) want to do just about anything outside your house, or a whole bunch of things inside it, you need to use Facebook services.

It sucks and I've love to stop supporting them but it's not like most of us have a realistic choice.

> This "just stop using it" attitude you always get on Hacker News and reddit about facebook and their various messaging platforms baffles me.

Unfortunately, seems that for many people on HN, HN is almost all their online social interaction, + tech people on signal/mastodon. Some don't seem to understand the concept of having family and friends who are not tech-savy (or even hate tech). Or understand the concept of social capital.

Yeah. It's not that I don't believe those people, it's just that I don't think they should act like it's a real option for everybody.

> I can't expect like 25 people all to switch messaging services just for me

It’s not “switching”, they can start using another app and continue using whatsapp. I’ve done it with my family at least twice during the last 12 years, it was not that difficult.

When I lived in Russia my doctor messaged me via WhatsApp. I'm American so I was a little culture shocked, I don't know if this is standard procedure or anything but it illustrates how ubiquitous WhatsApp is.

I'm so anti-Facebook now that it's a part of the way I identify myself, and for all that I can't delete it. I maintain contact with a friend in Germany via Whatsapp or Facebook messenger, and in this case it would be possible to use email (which is not nearly as casual as firing off a message in your spare moments) or some other service but it doesn't solve the problem about friend groups.

I have friend groups around the world that my only way to participate in is Facebook. I believe moving abroad is in my future again, and Messenger is detestably the only real way to keep up with my friends back home. Leaving Facebook and Messenger is like leaving a bar I hate; I'm only here for the people and I wish we could go somewhere else.

I've lived in Germany for years and I do feel like, if we're going to stereotype people by nationality, they're one of the most privacy-sensitive groups you'll find. This is the country where, by law, if somebody picks up a (land-line) phone in the house, any other phone currently in use has to shut off. I'm not saying you can definitely convince that friend to get off WA / FB, but it's worth a shot.

(I don't know what to replace it with -- I mostly use Hangouts but it really feels like it's falling apart.)

For younger friends, I found that they can sometimes install a 2nd messenger, depending on how close you are. Of course, if they already use 2 or 3, you might need to use one that they have.

I would suggest to check if they use Telegram/Line/Kakao/Hangouts, or suggest it to them. They are all closed source, but at least is the lesser evil?

I am in europe, switzerland and plenty of friends in austria. Yes many of my social circle have whatsapp but none is using it exclusively as it was some years ago.

People have the choice and use it. Not sure what is holding other circles back?

I havent had whatsapp in 4+ years and only rarely have to fall back to SMS

What is the alternative are your social circles using? SMS is the only alternative with a wide install base and the experience is inferior to WA,Telegram etc.

Telegram, Signal, Discord, some via Email depends on the people. Everyone has a second or third messaging app

Do you have kids? What do they use?

I dont. Guess they would communicate by dancing on tiktok judging from my knowlege about teens these days :)

Steganography or the dancing pigs problem? :-)


Not possible? I think you mean that it's painful.

And it is, and I sympathize, but you and your family will not die or starve. It's possible.

I'm fed up an will remove fb and wa from my phone, at least. It will be painful

Also in Africa, most business live out from WhatsApp.

You will find WhatsApp contacts for any kind of communication, ordering a taxi, food, whatever.

Move out of WhatsApp, and it is going to be quite boring out in the Savannah.

In France, SMS is still the most common, even though it is declining. I think it is historic: we had cheap unlimited SMS plans before internet data plans were common.

WhatsApp is popular but not a monopoly. Not really something to celebrate since its main "competitor" and #1 instant messenger app is Facebook Messenger. Skype and Discord are also significant, and I expect iMessage to be important too.

But with SMS group messaging is rather cumbersome no?

Yes, which is exactly why WhatsApp has replaced SMS : group messaging. People still use SMS for 1 to 1 conversation in France

Based on all the groups my wife is part of, it seems other people get absolutely nothing done in life since they appear to be sending pointless messages on a group constantly. Her phone is constantly buzzing, and 99.9% of it is utter nonsense.

It seems to me that the inability to easily message a group would be a bonus and not a loss!

Not just Europe + UK, LATAM is all WhatsApp.

Net neutrality not existing helps WhatsApp and other services here, one cell provider for example offers 1 year unlimited WhatsApp+Facebook including voice and video calls for a total (not monthly!) cost of 3USD on a prepaid chip. So you can't call, you can't write SMS, you can't use the internet but you can use WhatsApp for almost no cost. If you are on a budget this is a no brainer, for comparison - 5GB full internet access on the same chip is around 5$.

How are you going to break such a monopoly supported by providers? At this point it is something all providers do so if one starts offering it all other providers have a competitive advantage because everybody is already using WhatsApp. I am not sure if Facebook pays these providers, my guess is not - they are pushed into this by their competitors.

Net neutrality is very important to not let this happen. Similar deals exist for other popular services: Instagram, Youtube, TikTok, Spotify, Snapchat, Twitter, Netflix to name a few

>how much of a monopoly WhatsApp has in Europe and the UK

Everything you said applies to the Indian subcontinent, SE Asia and South America which form the bulk of the WhatsApp user base as well but with lesser or no scrutiny whatsoever when compared to EU/UK.

> I'd change to Signal or Telegram in a heartbeat, but the inertia is so great it's not possible.

It has to start somewhere. It is possible, but it takes will, and the acceptance that you will lose some contacts.

Most of my friends have migrated to Telegram now.

It's a little more nuanced than that. I don't question that WhatsApp is huge, in some countries and social circles, but it's by no means dominating across Europe.

Personally I'm not really sure who's using WhatsApp, I know two or three WhatsApp users. They all use it because they have friends other countries, mostly the middle east.

If RCS actually becomes a thing, then I don't see much of a future for apps like WhatsApp.

> If RCS actually becomes a thing

I have no reason to believe it will ever take off: It's been dead in the water since 2012 or even earlier. It doesn't support end-to-end encryption. Carriers would like to charge for it.

Assign everyone an IP V6, there's plenty. Then treat that as our internet phone number. Define a chat protocol that contains the very basics and everyone has to support that. Want to send a chat, you have their IP V6. Exchange using QR code. No server necessary for the basics. If a text fails sending device can keep trying or just give up.

This takes chat away from any single service.

This approach ignores all the aspects that made whatsapp / chat services popular in the first place. A short list:

  - Contact Discovery
  - Group chats
  - History / Log
  - Shared message order
  - Communication beyond text (emojis / reactions / inline images) 
  - Ability to receive messages while offline 
  - No need for technical skills
These aren't trivial features, they are prerequisites for any replacement, decentralized or otherwise. Just because we as developers like / tolerate things like IRC doesn't mean the rest of the world will accept it.

Everything you list could be supported at the client level with a decentralized IP6 level protocol without a need for a centralized server middleman.

Sounds great! Let me know when you’ve built it so I can try it out :)

Unfortunately, IPv6 addresses have to be assigned by someone, and they typically change when moving around/changing provider. And you have to go trough the firewall...

I prefer something you can generate yourself, like encryption keys. That's the approach taken by yggdrasil (and cjdns before): generate an encryption key, map the public part to an IP address (there's almost enough bits in v6). Plus, it can easily be end-to-end encrypted.

Another plus is that you can generate as many as desired.

As for the protocol, Matrix is experimenting a bit with going p2p.


username checks out

As UK resident I fully echo this situation.

I have Telegram and Signal installed and was chatting with friends above moving over (finally) but its painful especially right now.

With right amount of incentive, force and numbers - tipping point could be reached but I cant see it happening in the current situation.

With my cynical hat on I imagine FB know this and timed this policy change accordingly.

"Be the change you want to see in the world" -- I'm gonna have a go at switching as many people away as possible; friends, family, co-workers. It's all about critical mass so every step in that direction is a step toward your school and local community communications being on some alternative platform instead.

Same case here in India, Sucks to have these apps despite knowing what they are doing just because your School or College groups are on these platforms. I tried educating my fellow mates about this but seems unlikely that it will have any effect.

Why not make a local WhatsApp<->Signal bridge using Matrix (https://matrix.org/bridges/) and a disposable SIM card, and just use Signal app on your phone?

Is that easy to do? I thought WhatsApp didn’t allow api access.

Just an obvious point - you don’t have to “change”. You can install both and use signal as much as you can. This costs you almost nothing, maybe just a little app switching. Not much to pay for a better world.

While WA is near ubiquitous in Germany, from my own experience many non-technical people in the UK prefer Telegram to WA. WA is the only way I can reach some of my contacts in Germany, but with my UK contacts I can avoid it altogether.

Same in Mexico and (AFAIK) most LATAM countries.

If I need anything to be delivered to the house I need to use Whatsapp (gas, water, food, etc).

no they don't need to be treated like anything, they are completely new thing, so if you think that their dominant market position is an issue, they can be forced to implement public api(open standart), therefore unlocking their userbase and allowing infinite competition

I hardly know anyone who uses Whatsapp, people mostly use messenger in swe, nor, fin, den.

faced with the option of accepting or being cut off from their local community.

It’s a deal!

I disagree, they're NOT public utilities, they're private companies that people chose to use (why is beyond me).

What could be considered instead, is building public utilities as a community.

Almost all public utilities have started as private companies of some kind. Broadcast, telecom and railway companies are the most recent examples. They started as private companies but then, due to limited spectrum, unification pressure, needing to include everyone including remote places and wasteful duplication got transformed into publically owned or at least publically licensed and regulated utilities (depending on which utility and country you are looking at).

So, while they are not yet public utilities, they should be turned into such.

That's not true, I live in West Europe and I never used Whatsapp in my life. There are always alternatives to get informed here.

It's hard for most of to world remember that there isn't just US, UK and Europe in this globe...

Just use something else....

You guys do have emails though, why isn’t that used instead?

I am in the EU, and this is what I have been presented with:

„ By tapping Agree, you accept the new terms, which take effect on February 8, 2021. After this date, you’ll need to accept the new terms to continue using WhatsApp. You can also visit the Help Center if you would prefer to delete your account and would like more information. To learn more about how WhatsApp processes your data, read our updated privacy policy“ (with an Agree button underneath).

I could close the window. But there is a hard deadline apparently: Feb 8th.

F* you Facebook. I‘d rather stop using Whatsapp altogether.


Will start using Signal app, and for the transition period I‘ll keep an old smartphone with a throwaway Sim card and WhatsApp installed on it to keep updates from absolutely necessary groups I need to be part of.

As I understand it even with click thru agreement like this it is still illegal in the EU. Could be an interesting case on the way... I believe that WhatsApp only real option in this case is to stop serving the EU, which I feel as an EU residents could only be a good thing!

I believe so too.

In addition, I vaguely remember something about the acquisition of WhatsApp by Facebook to be only approved under condition that exactly this kind of data sharing would not happen.

Although I have my doubts about it happening soon, because the immediate impact it would have on real everyday life could by rather disastrous initially (something Facebook no doubt is aware of), the EU should probably declare/certify Facebook as a rogue/criminal organization. I just can't see it any other way, with Facebook's blatant disregard for anything but its own greedy interests.

If Facebook keeps pushing their "luck" like this, it should simply have all its assets on EU soil frozen. If eventually rules a criminal organization, confiscated too. It would be very sad and unfortunate for any EU citizens working for the company, who no doubt have no say in Facebook's criminal enterprise. But the current status quo is becoming completely unacceptable.

History has plenty of lessons, about criminal organizations rising to (hard to defeat levels of) power. In many cases more than anything because both societies and governments/authorities failed to respond appropriately in time, when they still had a fair chance containing those (with far less effort).

All that is even without opening the can of worms that is the access US government agencies have to all of Facebook's data.

Probably relevant: if I go to the terms/privacy policy via settings, I am greeted by the following preamble.

"If you don't live in the European Region, WhatsApp LLC provides WhatsApp to you under this Terms of Service and Privacy Policy."

It would be a good thing to lose a chat app that works very well and has E2E by default?

Yes, it would force people to use better alternatives such as Signal or Telegram.

Signal is run by someone who hates repeatable builds and open platforms. Telegram is to the russian government what whatsapp is to the US government.

That is to say, both options are bad. Of course it is conceptually better to spread your information over many separate information silos so that your data is harder to correlate. That should not be the bar we aspire to though.

All of these apps seem to hate open platforms and third party clients; Signal just as much as WhatsApp. I wouldn't even mind using WhatsApp if I could just open a browser window on any modern computer and log on like I can with Twitter. But no, I need to have a smartphone with either Android or IOS. They all want that magic unique personal identifier that is the mobile phone number to prevent you from having more than one persona, and they all want their closed apps as the sole way of using their service.

Of course, that requirement is exactly how they implement the user lock-in, so it's not going anywhere until legislation forces them to open up.

Signal is actually open source but I agree with the sentiment.

Services now just want some person info they can link to you and that actually scares me a little.

You're right about Signal having an open source client of course. It's a closed platform because of the 'no-forks-allowed' stipulations.

The main reason for not wishing that Signal is forked revolves around adding new features. It stops things being fragmented.

As both the client _and the server_ is open source though it's entirely possible to do things like Signal<->Matrix bridges.

I don't think it's the Russian government you should be concerned about when using Telegram. Sure, TG is far from a secure platform, but the Russians have spent considerable effort trying to shut it down so out of all the possibilities, I'd say TG being in Russian hands is among the smallest.

Ah. That's why Russian government was trying to block Telegram for over two years. Good to know.

They could have just been doing that to lend it legitimacy ... psyops is something they’re very big into these days

I've heard that before and the idea is reasonable but I must say if they've actually pulled of that stunt then it is amazing because I've seen nothing to suggest so despite being aware of the possibility for years.

I’d say it’s pretty much their MO these days

You mean directing people were they want by pretending they don't want you to while not taking action against those who do?

If so, do you have other notable examples or is it insider information? ;-)

I think it’s pretty well known ... have a look into this guy https://www.google.ie/amp/s/amp.theatlantic.com/amp/article/...

I know you’re not engaging in good faith but I’m adding this more for the benefit of onlookers

> I know you’re not engaging in good faith but I’m adding this more for the benefit of onlookers

That was uncalled for. Please adjust your troll-detector and I'll adjust my wittyness dispenser ;-)

I am serious even when I'm joking, but I have never heard anyone saying that in full seriousness and also it feels like we should have known something: even the Russian secret service isn't perfect, in fact they've done some really big mistakes the last few years (in addition to their deliberate "mistakes" that they seemingly do to show off.)

Yeah right Vladimir. Sure.

I actually have a really viking name for some reason and while I have tried to learn Russian my vocabulary is limited to around 20 or so :-)

>Telegram is to the russian government what whatsapp is to the US government.

Do you have a source for that. Telegram is built by the VKontakt guys who Putin famously fucked over.

And that's why we have Matrix.

that'll never happen - WhatsApp is almost WeChat for Europe, it's ubiquitous and the network effect is so strong you'll really struggle to get masses of people to switch away fom it.

99% of people outside of the HN bubble will just look at the dialog, click OK and carry on as normal.

Instead of surrendering we - technically aware people - should think about possibilities to make them respect privacy or think about ways to change the situation.

Yes but not clicking through the shrink-wrap agreement isn't a real way to do it. Legislation that requires people be able to say no to data collection without loss of service would go a long way.

I have messaged a bunch of my EU friends with this article. Most of them were shocked.

I did the same. Mixed reactions, some shocked, some shrug and move on. And my friends are academically educated and relatively conscious of this issue I believe. Probably not the most representative sample...

I think this level ignorance is pretty common today.

If WhatsApp can’t be legally compliant then they simply can’t provide the service. It’s up to them.

If you need to force people to use alternatives it's because they are not much better to begin with.

I've used the Signal app and it's a bug fest. Telegram is not even encrypted by default and there is no option for encrypted groups.

> If you need to force people to use alternatives it's because they are not much better to begin with.

This isn't necessarily true - that's basically the problem with monopolies and the point of anti-trust. The network effect really can entrench an inferior product.

That's not a useful definition of better though. WhatsApp, Messenger, etc. are better because they're reliable and the people I want to talk to use them.

MMS messages are hot garbage but they're still better than a lot of alternatives because everyone with a phone can receive them.

Main reason I use whats app is because everyone else I deal with uses whats app, not because it has specific features. I could probably list a different chat app and social networking site for every time I switched a school and when I started to study.

I do personally believe that for all its faults WhatsApp is the best. It’s a pity about that but I guess FB have to pay all those great developers somehow. It’s up to regulation to set the boundaries for what’s acceptable in business so let’s see what happens.

> It’s a pity about that but I guess FB have to pay all those great developers somehow.

They could just run it as a paid service again? They had a minimal annual charge before the Facebook acquisition and probably could have raised that, instead Facebook made it "free" which should have been a warning sign of things to come.

One of the reasons the founders left was that FB wanted to put ads and track users, and didn't even want to try to make a Business paid version like WhatsApp proposed.

> Telegram is not even encrypted by default and there is no option for encrypted groups.

Friendly reminder that encryption is more than E2E-encryption despite what certain people on HN thinks.

Telegram is encrypted point-to-point by default. Same as banks, modern mail etc.

Can we stop spreading technical misinformation now, please? There's plenty of other issues with Telegram and if we stop crying wolf over the neighbors grand danois people might actually believe us when there is an actual wolf.

> E2E by default

Only if you trust Facebook with their proprietary software.

Who cares if it's "technically illegal" if there's no fines for it. I seriously doubt that the EU will grow teeth anytime soon (but I hope to be surprised!).

It’s not the EU you need to worry about it’s the courts ... check out the whole Max Schrems Facebook thing and the Apple Tax stuff is yet ongoing ...

Yes, but both are examples of the EU not actually wanting to do the right thing, even if the courts say so. Privacy shield was shot down by Schrems in court, only to be replaced by the EU mumbling about "standard contract clauses, just do the same as before". No billions in penalties in sight.

Same for the Apple (and others') taxes in Ireland: While the Irish have been told by courts and the rest of Europe to collect the taxes they are owed, they just refuse to do so.

No you're out of date, the standard contract clauses thing was blown out of the water. It's a big problem for Facebook, not sure where it's at now.

Also your understanding of the Apple case is a little out of whack too. There's a lot of subtlety to it, but basically the court ruled in Apple's favour on a technicality and there is a revised appeal pending.

Google/Alphabet has received more than 8 billion Euro in fines by the EU. I wouldn't generally call them toothless.

What's the alternative? Has the FTC, FCC or any other US agency taken any action against the American big tech companies?

The US sees FAANG as its babies and will protect them at all costs. Its up to the rest of the world to rein them in.

In practice, everything that doesn't have a punishment is legal

So you are going to move from one centralized, walled garden, privacy hostile platform that hard requires Google/Apple ecosystems to get signed updates... to another with identical drawbacks.

I suggest something that lets you use any client/platform you want, uses the same crypto primitives, and lets you choose what server/country your data is hosted in and change your mind any time, e.g Matrix.

How many times do centralized services like VK, WhatsApp, Instagram, Apple, etc need to get co-opted into enforcing the will of private entities or governments before we learn our lesson?

The only network services this won't become true of at some point in the future are those with decentralized clients and servers obeying a common documented protocol.

Matrix is riddled with bugs. While I agree with you that signal isn't all that great (they do some really good stuff and then make some really weird trade-offs), I've recently compared Signal, Wire, Threema, Jami, Briar, Element/Matrix, and Keybase.

The most mature app is Signal. It has the best usability to privacy trade-off.

Threema is the better choice if you don't mind not having a usable desktop client. For me that's a total deal breaker. It costs a one-time 5 bucks and it's totally worth that, if only it had so much as a usable web client (you need to open your phone and navigate two menus to enable the web client every time your phone changes WiFi or anything).

Wire is the better choice if you can sacrifice a tiny bit of usability for better privacy. It's sluggish is all, and (like Signal and most other services) uses AWS. Full disclosure: I was involved in a paid audit of Wire so I know more about the encryption protocol than I do about the other clients'.

Element/Matrix is the better choice if you'd rather make a trade-off towards privacy. Presumably the clients will mature, and between two years ago and one year ago they've made good progress. It's going less fast today but I still see things getting slowly better, and the decentralization works very well and fairly easy to setup.

If all you really want is a better privacy policy and want to ensure people stick around and don't uninstall it, Telegram is by far the usability winner and has a large network effect already. But it's a trade-off with the devil because there is zero encryption. They could ransom or sell our chat logs any time.

Briar and Jami have limitations that make it unusable for general purposes use with your mom. Facebook and Google's messengers I didn't look at for obvious reasons. Keybase was never end to end encrypted to begin with and now Zoom bought them so they'll probably shut down soon (also, bugs).

Rocket.chat seems only aimed at business users.

You can also do OTR over any platform you like, and I still have to try this overlay encryption system on Android (I forgot its name).

Pick your poison...

>> I was involved in a paid audit of Wire so I know more about the encryption protocol than I do about the other clients

Seeing as you mentioned Threema in the same post, I think I ought to step in here.

The encryption protocol for Threema is open source, using standard algorithms, not something they invented.

You, like I did for $my_org, can write your own software to send messages to devices running Threema using the Threema API.

Message contents are, of course, encrypted before submission to the API. Threema provide a number of SDKs to help you, but you are under no obligation to use it, you can write your own API submission client from scratch.

P.S. Not saying Wire is bad here. Wire is good. I use it alongside Threema myself for $other_uses. But I'm saying don't write off Threema under a false understanding that their encryption protocols are closed source.

That's a good point. Threema using standard libsodium cryptoboxes makes this easier to reimplement than these Axolotl-like protocols. Still, Wire has a bot API so you don't need to reinvent the wheel to integrate in a chat. Not sure that's any harder than using libsodium.

Afaik Signal doesn't have an API or SDK, there only seem to be third party implementations for bots.

Signal will by design likely be more stable than Matrix in the short term because it is a centralized dictatorship.

China can move fast for this reason too.

You have to decide if the long term consequences of a fast moving dictatorship are worth giving up the freedom of a sometimes messy democracy.

The internet is too important to herd all our services into control of dictators, no matter how benevolent.

We survived the dialup days for all the UX hell of many providers without giving AOL exclusive control in spite of them having the best UX.

I hope we can do the same with something as critically important as worldwide internet communications, but the marketing of dictators and their ability to move quickly is sometimes too hard to resist until it all backfires spectacularly.

That's what they want you to believe for some reason. Moxie went so far as to talk in the biggest hall at the last chaos communication congress about how important it is that we don't use decentralized services and clients.

I'm not buying it. Look at Matrix and tell me it's holding them back.

What's holding them back, perhaps, is not having a shitton of money in the bank like Signal, and they're actively supportive of decentralization which costs developer resources. Signal (or Matrix, for that matter) could not spend dev time on decentralization and just let the open source community do its thing. But that's not what Signal is doing, they're instead actively hostile towards it.

Or look at Telegram, they have an open network and third party clients. There also are unofficial clients that some people use. But what does the 99% use? The official clients. Signal's argument is that people might use insecure, unofficial clients. In practice, that's not what your average mom will do. (And it's not as if the official Signal app was audited either.)

I'm also not buying the "China can move faster" thing. They can be more oppressive without consequences, but is that really better? Does that "centralized dictatorship" allow them to be "more stable"? It's easy to say, and easy to see how indeed an oppressive government's decree can change things from one day to the next, but on that scale I think you need to consider more things than I am qualified to do before you can really say whether that is a superior system in a given situation.

I guess we conclude the same thing in the end, though, as you say "The internet is too important to herd all our services into control of dictators, no matter how benevolent."

> I'm not buying it. Look at Matrix and tell me it's holding them back.

The main argument against federated protocols playing well with security is that they have a harder time evolving. The example always given is email. Once Matrix has reached 500M users and several server implementations with less than 20% market share each, how can you be sure that it will keep improving contrary to email protocols? WhatsApp switched to E2EE in a matter of months, but most of our emails are still plaintext on the servers.

I like and use Matrix as a replacement for IRC, but I don't think they will catch up in terms of security with Signal in most practical situations (meaning, I want to send a message to a non-technical person). Both because of the fossilization associated with federated protocol (see above), and simply because developing a federated protocol is way harder and less forgiving than a centralized one.

Your argument about the "99% use" means that first that you don't need centralization if it's already centralized in practice, and second that it brings very little benefit (benefits only 1% of users). At that point, the (possibly low) costs of decentralization are not worth it.

Signal did not have a shit ton of money until a year or two ago. I like Matrix but it's main issue is still UI/UX on clients (especially around key management) - which is slowly getting better but still too complex for normal non-techie users.

> Wire is the better choice if you can sacrifice a tiny bit of usability for better privacy.

Do you mean better privacy than Signal? I was under the impression that Signal was significantly ahead of Wire in this regard with features like private groups and private contact discovery.

Private contact discovery and other metadata protection claims are largely security theatre. SGX is entirely broken and those with physical (and sometimes even remote) access can dump keys at any time.

They pinky swear they always patch and never dump keys when they have the chance though.

It's a security theater not only because someone broke it, but also because you can always just look at which IPs talk to which IPs. Even Tor has issues with preventing traffic analysis, except with Signal you can observe (or trust) a single party (instead of the guard and exit nodes) to get the data.

It's more of a trust thing than something you can technically solve while still having features like real-time calling. Hence Facebook being objectionable despite having encryption.

They're both hosted on USA-based services, they both have proper encryption on the client and apply it also to calls and video calls. There is no significant difference to me in terms of privacy.

Usability is slightly different, yes, and you might also trust Signal more because they do better PR (they say outright that they're from the USA and get money from Facebook, while Wire has devs in Berlin and claims to be a German company, while taking money from USA investors... which imo comes down to the same thing), or you might trust Wire more because they were actually audited at all.

For a family that are all on the same server, Nextcloud Talk is also nice and "relatively easy" to set up (and 0 effort when you already use Nextcloud). I am still desperately waiting on Talk being able to use the federation features of Nextcloud (so you can chat to users on other servers). That would increase my usage a lot, my parents are on another server (which admittedly also runs from my basement) and I have colleagues with their own server...

I do use Signal and Telegram with some friends, I really find the difference between WA and Signal to be small. Telegram though is a lot nicer as a platform, it has some channels I'm part of and the desktop client is much better. But this comes with privacy/security trade-offs as mentioned in this thread.

I also use Element.io for some channels and groups. I find it surprisingly nice. I may set up a server myself soon.

As someone who doesn't use WhatsApp, thanks for mentioning WA and Signal are not very different and that Telegram has better UX. That matches what I thought, but I didn't know and I was a bit worried what I'd be signing my family up for when asking them to switch away from Telegram.

Yeah, Signal used to handle changing phones pretty poorly but that is sort of solved now (you can store your groups and phonebook in the cloud behind a pin). Other than that it is really nice. The desktop client is arguably better than WA's web solution, although I have run into non-syncing messages, but, you can use the desktop client with your phone off, which is a major + imho.

Honestly, Signal is just super high quality when you take into account how privacy focused it is, I could easily replace WA with Signal, apart from "the network effect".

> you can use the desktop client with your phone off, which is a major + imho

Indeed, if it has to go through my phone it's nigh unusable in my opinion. Wire and Element/Matrix handle this properly since they don't depend on a phone number in the first place (so no need to tie it to your phone), only Signal and Threema are somewhat of a pain in this regard since you need to link it, and only Threema absolutely requires your phone to be online all the time.

I can recommend the FluffyChat Matrix client, it's quite pleasant to use, although still not perfect :)


Why is Telegram not on your list?

They lie about encryption. They call themselves an encrypted messenger when they're not, at least not in the way that people expect nowadays. I volunteered for their support team a few years ago but was rejected because the first test question was about their encryption and I refused to lie (I said regular chats are encrypted but only to the server, i.e. that Telegram can read your messages which was true then and is still true today, and that you need to use secret chats for encryption.)

I ended up adding a paragraph about it anyhow but that's why, when starting to write the post, I didn't add Telegram to the list. There is also rocket.chat further down that I didn't mention on top, fwiw.

it is?

I should maybe have put it in the list on top. I initially listed only the encrypted messengers, but later decided to add a paragraph about Telegram anyway.

I don't like Signal's stance on forks (which is that they are allowed but may not use the official Signal network) but it hardly has identical drawbacks. Signal is open source, can be downloaded as an official APK and can be run on LineageOS without Google Play (notifications do require some emulation of Play Services calls, but that can be provided using MicroG).

"hardly has drawbacks" My notes on Signal contain the following:

+ It usually just works

+ Reasonable desktop experience (needs to re-link once a month or so, but otherwise independent and not terrible UX), good mobile experience

- Metadata handled by Amazon

- Phone number is a hard requirement, and changing your phone number means re-connecting to everyone

- Funding comes from Facebook from what I recall, and even with large amounts of their $100M invested, their expenses are 8 times larger than their income.

+ At least it's a foundation and their finances are not a black box!

~ With a build from an untrusted third party, you can make it work on Androids where Google Play Services are intentionally firewalled off.

~ No audit of the clients. The protocol, sure, but most bugs aren't introduced on a protocol level.

These are only things they could solve, i.e. that others do better. That their contact discovery solution (where you upload your phone book) is broken isn't a downside because nobody else has that figured out either.

> - Metadata handled by Amazon

That's rather broad, which metadata are you thinking about? Especially given the sealed sender feature. Assuming you have access to everything at Amazon, what can you deduce about Signal users?

I can think of:

- IP address (you can tell that this IP address sent some Signal message)

- size of messages

- timestamps of messages (when they were received by an Amazon server)

IP address leaks a lot of information but there are still workarounds, and it seems reasonable if you're in a no-trust model (meaning Signal's servers wouldn't be any better than Amazon's). In any case, that's way less information than other mainstream messengers.

On the other hand, one distinguishing feature regarding metadata is groups: group membership is not known by anyone outside of the group if I understand correctly, contrary to WhatsApp (and others).

"Funding comes from Facebook from what I recall."

Not really. Original funding came from NGO sources such as the Open Tech Fund.

The author is a toxic dictator who hates the idea of ceding power so that they can have a constructive and open protocol for everyone. That means the app should never be used, by anyone. If you're going to use software like this, you may as well stay with whatsapp - at least that has a lot of users.

I see mention of the toxic dictator stuff and non-reproducible builds mentioned through this thread - do you have info on that you can point me to? I am asking because a guy at work wanted me to install Signal as voice call quality on Duo was appallingly bad. Thanks in advance.

You can read about the stance in question on a lot of github issues, one of which is this one: https://github.com/LibreSignal/LibreSignal/issues/37 (not actually the signal repo, but moxie talks about the need for iron control over the platform). You can extrapolate consequences pretty far from what is said there, consequences which are well understood by moxie (if nothing else, you can see that time was spent thinking about environmental factors). To me this attitude is baldly toxic because it makes the world worse (in that it reinforces the opinion that centralised is better, which is at the heart of so many problematic digital services).

Thanks. Reading that thread, I think he is saying that he wants to remain centralised and federating third-party servers and traffic isn't his plan.

I know in theory that sounds "bad" but it's their service I guess? In the real world, centralised services seem to be the norm, eg. the postal service. They don't let random third parties take the mail and also mandate that you use their postage stamps to use their network, and only accept mail at their post boxes and mail offices. They don't let people inject mail into the vans along their postal routes, and don't forward mail that is from another delivery company, eg. DPD, DHL, FedEx.

I am not sure how else it'd work?? Surely it'd be like expecting the postal system to deliver FedEx's parcels, whilst not paying the postal system anything at all. That's unfeasible and unsustainable.

There's e-mail for one. A great good everyone uses, which is definitely decentralised (much to the chagrin of a few large providers, which continuously act in bad faith to centralise it as much as they can). Signal could have been that, but for (mainly) mobile messaging. Because they went the jaded route as you do it's now just another way for one person to apply his dictatorial view to the masses. I agree with you that in a mountain of shit you won't really notice a little bit more shit, but that doesn't make it anything but shit. It could have been better, it is not. That's something that deserves a little lamenting.

I can only guess but it may relate to Moxie's at times somewhat brash behavior in Github issues and an ongoing debate over centralized vs decentralized protocols (with him advocating the former). He gave a talk addressing the (de-)centralization topic at the Chaos Communications Congress in 2019:

36C3 - The ecosystem is moving | https://www.youtube.com/watch?v=Nj3YFprqAr8

There is nothing wrong with the protocol, the client software or the server software; the problem is entirely with the OWS server TOS.

How would we know? The signal app as most people understand it cannot be built in a reproducible manner. This means that most people will be using something that may as well be compromised. The author does not care. It doesn't matter what the source code behind it is, as an entity signal is hostile to everything a good messaging app should be.

The Java classes making up the application proper have had reproducible builds since 2016 [1]. The Play Services Signal relies on don't, but there are open source alternatives.

[1]: https://signal.org/blog/reproducible-android/

If you can't produce the app as you download it, it's not reproducible. Saying part of it is is disingenuous.

Another key difference would be the business model. Signal being a non-profit[0] does not provide any guarantees for the app to not become 'hostile' in the future, but any such development motivated by personal profits would at least require a change of organization type, which I assume wouldn't go unnoticed.

[0] https://en.wikipedia.org/wiki/Signal_Foundation

It was well noticed when WhatsApp changed hands to Facebook, and yet the vast majority of users didn't move to anything else because of network effects.

Once users are in an ecosystem it takes years to convince them to change and only after they hit a high discomfort tipping point.

If Signal ran short on funding and got bought by Google or Facebook all the tracking would kick in and most users would stay.

We must stop herding people into walled gardens. It is unethical and always backfires.

Moxie highly discourages using the APK because it means turning on untrusted sources which is highly unsafe and bypasses signature verification.

It is one BGP attack or compromised CDN admin way from compromising the masses.

This is one of the few points I agree with moxie on.

The only safe way to install software on an Android device requires you bootstrap trust via a system supplied package manager that enforces signature verification.

Lineage grabs unsigned binary blobs from a separate account with little accountability ( https://GitHub.com/themuppets ) to limit the blast radius of illegally distributing them and does not ship a package manager at all.

They expect degoogled users to do disable system signature verification to use an alternative app store like F-droid. Lineage is great if you want to turn an old device into a game system or something, but it should not be used on a device you need to be able to trust.

The only Google-free option to have a signed system-verified app supply chain on Android is use a ROM that bundles F-droid as a system trusted app manager like CalyxOS, RattlesnakeOS, or my projects, aosp-build, and #!os.

While F-Droid is far from perfect it is the only alternative path and Moxie refuses to allow apps to be distributed there because he openly admits he wants the usage metrics that come from Google/Apple distribution.

In effect, you either use Apple/Google ecosystems to run verified binaries, or compile yourself every week or two.

Moxie highly discourages using the APK because it means turning on untrusted sources which is highly unsafe and bypasses signature verification

That's nice, but why should Moxie decide whether the Google Play Store is a trusted source for me?

Right. They offer one option with signature verification and low privacy (Play store), and one option with higher privacy but low security (YOLO apk).

If neither of these work for you, you are not wanted on the Signal network.

> bypasses signature verification.

APKs do not bypass signature verification. Android still requires all apks to be signed, and only installs updates to apks that were signed by the same original key.

As for BGP attacks, the apk is distributed using TLS, so it needs more than that. That being said, CDN hacks are definitely an issue. But so is someone hacking their play store account or Google play itself.

Semantics, but worth clarifying.

You have to turn on untrusted sources to sideload an APK. It will verify a signature. The problem is the OS has no anchor to know if that signature is by the key of the party you expect, or that of a malicious adversary. Once you pin the wrong key it is like getting a bad HTTPs cert on first connection. All bets are off moving forward.

The OS has no anchor when you obtain it from the play store either. Google play can absolutely send you a hacked app with a different signing key if they want to. Signatures play no role in the first installation, they only play a role in subsequent installations.

If you have downloaded the apk using http, you can still verify the signature before installing through other means, e.g. by comparing it to your friend's installed APK, using multiple ways to download the apk, etc. Can you do this with Google play?

As much as I loathe Google I do have a fairly high expectation that the HSM rooted key pinning infra of Google Play itself is less vulnerable to MITM than the standalone signing key embedded in an APK hosted on a CDN somewhere.

You also can directly download APKs from Google Play using Aurora Store and compare them to the standalone APK in theory, though both points of verification are against the same entity so it only rules out MITM on a CDN etc.

Problem is, who has time to do this for every single update? How many would even do it for the initial install? Most technical sysadmins don't even verify ssh host fingerprints unless automated CA infra does it for them.

Even if someone does do this religiously, in practice I suspect they will put off valuable security patches until they can manually verify every new binary corresponds with the published source code to rule out supply chain attacks etc.

If two totally independent entities compiled and published signed binaries and their hashes matched (when signatures are stripped) then there is some automated consensus there are currently no obvious supply chain attacks in play to protect users at large who don't have the time or experience to compile and verify against the published apk by hand or manually compare fingerprints. F-droid could keep the Signal Foundation honest if they let them but instead they say "trust us, or compile your own binaries" as if no middle ground exists.

Meanwhile I can hand my wife a phone with F-Droid and Matrix and know she can update reasonably safely without any manual key verification steps by me or her. Even when the signing key of matrix.org on Google Play gets compromised the blast radius does not extend to F-droid.

The more reputable independent package managers building, signing, and distributing protocol compatible binaries the better. Makes it impractical for even a sophisticated adversary to gain control. Also lets users to have the freedom to choose an easy automated install)update path for apps that respects their privacy by not requiring proprietary Google services.

> who has time to do this for every single update?

Again, you only have to do this for the first install. After that, the local OS takes over and rejects any apk signed with a different key. It's a TOFU system.

Fair. My SSH host key example stands.

Systems that expect humans to be key pinning anchors are always a bad plan.

>and Moxie refuses to allow apps to be distributed there because he openly admits he wants the usage metrics that come from Google/Apple distribution.

So he admits he cares about usage metrics more than privacy. which makes trusting signal a bit hard

Directly installing APKs by hand is something that is only for people who know what they are doing. However, providing the APK for download is something that is helpful for 3rd party package managers, which can verify the hash.

> forks ... may not use the official Signal network

Is it technically prevented or just frowned upon? The former would be strange, because fixing a bug in your own private fork would also exclude you from the network.

There are forks of the Signal client that do use the OWS servers [1], but IIUC they are in violation of the OWS TOS. Certainly moxie has threatened to block forked clients, which is why F-droid won't host any of these forks [2].

[1]: https://github.com/tw-hx/Signal-Android

[2]: https://forum.f-droid.org/t/we-can-include-signal-in-f-droid...

I actually do not find this unreasonable, maintaining and providing backwards support everyone's custom version with their own quirks would be a big technical burden.

Moxie openly admits he centralized because it is easier and that decentralizing is too hard. We should all just give up and pick the least bad centralized service.

With that thinking we would all be using AOL.

Making a robust flexible protocol that can support a bunch of different client and service implementations is hard, but that is how we ended up avoiding email and web browsing being controlled by a single entity.

Matrix is solving the hard problem of providing the core functionality of tools like Slack and Whatsapp without sacrificing user freedom or asking you to trust any one entity.

This is what ethical engineering looks like, and I don't mind tolerating occasional growing pains in exchange for freedom.

Then no support should be provided for these forks. Caveat emptor unless you use the official client.

Allowing modding and forks does not mean you have to provide support for them.

Exactly this. You don't have to prohibit homosexuality just because you don't want to deal with adding support to your database of married citizens / prohibit forks because you don't want to support them.

The argument makes no sense. I can't decide if Moxie is a double agent with street cred or honestly trying to do good here.

I am generally a pretty decent read of people and in my observations and interactions with him I genuinely believe he believes a benevolent dictator building a centralized system is the only way to bring non-profit-motivated secure messaging to the masses, and that if one accepts this seemingly irrefutable truth, then the best candidate for the job is himself.

He is charismatic, highly intelligent, and lives by his own moral compass, rejecting FOSS ethos and silicon valley capitalist ethos alike.

This makes him especially dangerous.

> I suggest something that lets you use any client/platform you want, uses the same crypto primitives, and lets you choose what server/country your data is hosted in and change your mind any time, e.g Matrix.

I'll bite.

Who's paying for my johnchristopher@whatever.tld and for the data (avatar pictures, transfered files, chat logs) associated with it ?

Will the Matrix foundation let me use their services forever and for free ?

Will there be discussion on HN in ten years about getting your own custom domain and own federated server ? For one account only ? Like we have for mail regularly ?

You can think of it like email.

Maybe you started on AOL and later realized AOL is terrible. You could export your address book and move to a client/server you trust more and notify all your contacts from the new location.

This is the same story on Matrix and what I mean when I say it is a freedom respecting decentralized service.

You are also free to run your own DNS to a dedicated EMS instance then later point to your own self hosted server later much like the freedom you have using your own domain and MX records on Google Apps allowing you to later move to a new email provider without having to update your social graph to change your address.

On Signal, there is no such option. You use their clients and servers forever, or GTFO.

> Maybe you started on AOL and later realized AOL is terrible. You could export your address book and move to a client/server you trust more and notify all your contacts from the new location.

The whole point is in avoiding starting with an AOL like service. So far only big matrix provider are reliable and performant enough to be usable. This is @gmail.com all over again but with @matrix.org tld.

Except you won't be able to carry your messages from a tld to another when you decide to rely on another domain name (your own or someone else's).

How long before Matrix foundation send messages telling users they are going to delete their rooms and messages if they don't log in once a year ? Or that they are now restricted your account to matrix.org rooms to "save operating costs" ?

The whole tech stack is free but operating costs are not.

> So far only big matrix provider are reliable and performant enough to be usable.

I've been running a Matrix homeserver on a 1/1 VM for years without any issues. There is no downside to choosing a small server, you can still federate with everyone else. That's the entire point.

Same here. Except joining rooms on federated instance need something beefier than my $5/month VPS SSD. And much more storage for data (pet peeve of mine: 4K avatars pics that are not resized and stored as is on my end of the federation).

Following the e-mail analogy: Inevitably, there will be contacts of yours who didn't get or read your notification, or contacts of yours who aren't in your contacts list.

As I wrote in another comment, portable identities are a matrix spec change I'm quite excited about: https://github.com/matrix-org/matrix-doc/blob/neilalexander/...

Start on a server, but your real identity is attached to a cryptographic key, not an e-mail-like identifier. That would allow you to move around, and maybe one day get rid of domain names altogether (using something like yggdrasil or tor to host and connect servers, for instance).

True. It is up to you to point your own domain day one with either email or matrix if you wish to avoid this discomfort.

Signal offers no such choice.

Even if you don't do this, you can still reach contacts on the old server and middle through.

If you switch from walled garden to walled garden like WhatsApp to signal there is no migration path at all.

> The only network services this won't become true of at some point in the future are those with decentralized clients and servers obeying a common documented protocol.

You mean like SMS?

I didn't say all decentralized services are good. Just that decentralization is a prerequisite for something to avoid complete control by a single party long term.

A better example would be HTTP/HTML/JS. Sure it is not perfect and protocol updates are hard and slow due to endless implementations but we got a working decentralized internet out of the deal that is very hard for any single party to take over now, so I call that worth it over a single party enforcing proprietary protocols like AOL having a total monopoly.

> I suggest something that lets you use any client/platform you want

I lost about half of my contacts when migrating to Signal, do you really think I can make them install some random app that may or may not work?

They already complain that Signal isn't as polished as Whatsapp.

Those that won't respect your ethics are not your friends.

I lost many of my contacts moving to Matrix but earned a lot of new high value ones that share my worldview to continue building a decentralized censorship resistant internet.

> Those that won't respect your ethics are not your friends.

This is kind of an unreasonable, one sided, stance. You exact everyone to simply follow you and your preferences with no regard for their preferences. Maybe you not respecting them and their worldview makes you the bad friend, not the other way around.

> I lost many of my contacts moving to Matrix but earned a lot of new high value ones that share my worldview

I don’t know if isolating yourself from anyone that doesn’t’ think and act the exact same way is a good thing.

If someone believe something is legitimately toxic to themselves or society, like being around smoke, consuming certain substances, eating meat, using walled garden internet services etc... They should not be peer pressured into giving up those views.

I for one avoid Google products for personal communications. A lot of long term friends decided they only want to socialize online with Google products fully knowing it excludes me, in spite of easily accessible alternatives like Matrix and Jitsi.

They are not using Google products because it makes the world better, they are using it because they don't like change, and changing to maintain a friendship with me was not worth trying to use less privacy hostile communication mediums.

Fair enough.

I for one would not exclusively socialize at a Brazilian steakhouse if I had a vegan friend in a given social circle.

I will go to great lengths to accommodate people that are acting on authentic ethical convictions but if someone is only doing something that conflicts with my ethical convictions because they can't be bothered to try something new, then they obviously don't value me, and I'll invest more time with people who do.

You should live your convictions and find people that either share them, or at least respect you enough to accommodate them.

I don't expect others to think or act like me, but I would expect that my legitimate desire to maintain privacy in personal communication to be respected by anyone worth my time.

Plenty of friends that don't share my views put up with using some open tools to keep in touch with me. I likewise accommodate some of their preferences that don't make any sense to me. Everyone has a mix of deal breakers and things they can be flexible on in any type of human relationship.

I would also add that Matrix, unlike any of the other networks discussed, offers the ability to bridge to all other networks being discussed so if you so desire you can have your open network cake and communicate with people on walled garden networks too.

Not worth the trouble for me and I don't even want to have accounts in these platforms or let them collect my conversations, but the path at least exists.

> Those that won't respect your ethics are not your friends.

Yeah right. I am not RMS, with lock-downs, curfews, social distancing etc I'm already isolated enough so I'm not losing my remaining contacts for some moral high-ground.

> So you are going to move from one centralized, walled garden, privacy hostile platform that hard requires Google/Apple ecosystems to get signed updates... to another with identical drawbacks.

Ideally we'd have a polished, decentralized app. Signal is a compromise. I don't think the drawbacks are identical:

Facebook's business model depends on violatings the privacy of the users. The Signal Foundation has no such need.

The client is open source. I see no reason to call Signal "privacy hostile".

* There is no OS verified path to install Signal or updates without being in Google/Apple proprietary ecosystems and submitting some usage metrics to them.

* You can't use signal on minority market share platforms even if they offer higher assurances of freedom, privacy, and security (RISC-V, OpenPOWER, etc.)

* Getting a phone number requires KYC in over 200 countries and carriers will happily sell you out as extensively documented and demonstrated by journalists buying owner info and GPS coordinates for any given phone numbers. Any service that hard requires a phone number is not prioritizing privacy.

* All metadata and TCP/IP metadata flows to a SPOF where signal employees, the ISP, or another entity inline could use network heuristics to deanonymize users, of dump the weak keys in SGX and get actual contact lists directly.

* If you want to use a privacy respecting signature verifying app store solution like F-Droid you are SOL. Moxie threatened to fight F-Droid or any other parties compiling/signing binaries from source code or doing forks or alternative implementations. He wishes to have complete control and the ability to rapidly push updates to all users quickly, be they benign or malicious. If someone coerces the signing key out of them, all signal conversations globally could be decrypted likely before anyone noticed.

I call all of this behaviour very privacy hostile. Published source code is moot if you are not allowed to use it or empower third parties like f-droid to hold it accountable.

Signal provides a SHA256 checksum on their download page at https://signal.org/android/apk/

Signal works on platforms such as GrapheneOS without the Google ecosystem.

You're right regarding the phone number. I consider it a necessary compromise. Look at the spam problem that email has.

Our quest to fully convert to Signal has hit a major wall, Android tablets are not supported as linked devices.

Supporting tablets would allow us to chat and send files across devices, without resorting to apps like Messenger.

Depending on your exact needs either Telegram or (preferably IMO) Matrix might be a solution.

(Yes, I think this is correct: For anyone who are currently on WhatsApp or anything Facebook for that matter even Telegram is a huge improvement in most ways.)

I get your point, but moving people to Signal has been an accomplishment on its own, you get to say "we should move to this new private app" only so many times, before your friends and family grab their torches.

The good thing is that matrix can be bridged to Signal[1], to allow for a smoother transition period.

This is also true with Whatsapp[2], but against their terms of service, so you risk getting banned, and built on reverse-engineering, plus you need an android VM of some sort.

I've been personally moving my family to Signal, since that provides the best UX and easier transition from Whatsapp. Once I'm comfortable enough with it, we'll likely transition to matrix.

What Matrix is missing is in my view:

- Client with simple UI, polished UX, and not just a smoking pot of features: FluffyChat[3] is mostly there.

- Server of which I can guarantee the uptime. Dendrite should lower the resource usage for a ~5-100 accounts server, and decentralised identities[4] would allow falling back to another server (such as a friend's).

We're mostly there, so I'm starting to prepare the switch, starting with my more technical friends, by setting a bridge up. Hopefully we can finally break that dependency on phone numbers (ideally, domain names as well with [4]) and move on to bey-based IDs.

[1] https://github.com/tulir/mautrix-signal

[1] Older bridge, unmaintained: https://github.com/matrix-hacks/matrix-puppet-signal


[3] https://web.fluffychat.im/en/

[4] https://github.com/matrix-org/matrix-doc/blob/neilalexander/...

If you want people to be privacy minded this is what you have to prepare them for, though. Signal could get bought out by a privacy-hostile company next year, or they could go out of business.

Or get a visit from the NSA.

Well if you just remove the app and let them know where they can find you. They basically have no choice.

Telegram is not better than WhatsApp in the very important aspect that it is not end-to-end encrypted. You can balance up the risks of facebook inserting malicious code into their client against the risks of your data being accessable at rest on Telegram's servers, but it's not at all clear Telegram is in a better spot there.

e2e encryption is mostly moot considering neither the client-application nor -device are really trustworthy.

then there is the problem with push-notifications passing throu either google or apple as well as device-backups which both hand over your metadata and probably message content.

imo telegram is in a better spot simply because it is not affilliated with the facebook/google ecosystem but in the end it does not make much of a difference due to aforementioned systematic deficiencies.

imo good reasons to cash in on the platform compatibility and convenience of telegrams cloud-messaging architecture.

Can you run the web interface to signal in the tablet’s web browser? I thought basically no one used android tablets anyway

Signal has no web client.

> I thought basically no one used android tablets anyway

Tens of millions of Android tablets are sold every quarter.

Perhaps people should be filling their throw away simcards with random people from the phone book.

I am mostly using Signal and will let my WhatsApp expire.

I also think matrix is great and would recommend setting up an account by installing element. I think growth in matrix will more fully undermine FB's position as well as Slack/etc.

It was always a clear business transaction: acess to a messenging service for access to meta data (and now message data).

I wonder how Out of curiosity:

Does anyone know how the new Whatsapp TOS differ from the Gmail TOS in regard to user data and privacy. How does the Facebook group use data differently than, say Facebook or Microsoft?

> It was always a clear business transaction: acess to a messenging service for access to meta data (and now message data).

Nah it wasn’t, I paid for WhatsApp originally and then there was a subscription model for a while.

I much prefer both those models, Facebook is just greedy.

So what should self sentient person do, just lie down and accept the erosions of our blood won freedoms? No thanks. I have right now all my company talking to thousands of customers explaining this mess to them and helping those who need to switch to Signal. So yeah, fuck you FB!

Signal is no better. You fell into one marketing trap with WhatsApp and have now fallen for another.

Signal is another private entity with complete control of the servers and end client binaries. The fact they happen to open source the code is kind of moot since no services are allowed to write alternative implementations, no one can run their own servers or prove what code is running on Signals servers, nor can anyone even distribute reproducibly built binaries from said source code for accountability (e.g. f-droid).

There are so many better options. I suggest Element/Matrix which can even bridge to WhatsApp and Signal as needed thanks to community contributed bridges.

Thank you for the constructive answer.

I thought Signal was open source, and the distributed binaries matched the source, and that is was allowed to run your own servers. Are the servers even open source?

Are there lirerature regarding the technical/conceptional bits Element/Matrix? What is the tradeoff there?

> I thought Signal was open source, and the distributed binaries matched the source

This is sort of true. The source is published and you can build your own binary. But given that you can't distribute Signal outside of official stores and can't pin the version in those official stores (unless you turn off updates on your phone entirely), it's not actually practical to run an audited version, yet alone to make your own changes to the code.

> and that is was allowed to run your own servers. Are the servers even open source?

EDIT: apparently there is now (purported) server source available, not that that means much when there's no way to even know which code a given server is running, yet alone run a server with different code. They claim that their E2E encryption means control of their servers doesn't matter, but their protocol analyses doesn't actually think about what an attacker might be able to do at the server level, IME.

> Are there lirerature regarding the technical/conceptional bits Element/Matrix? What is the tradeoff there?

It uses either the same ratchet protocol as Signal or a very similar one. E2E for group chats is more complicated but I don't think you're giving up anything.

I largely agree with you but I don't want to see misinformation spread even when it supports my view.

The signal server source code is open source now in theory, you are just not permitted to run your own server and have it join the Signal network. We have to take their word for it that they are running the code they publish.

> servers are closed-source. Th

They are open source. Please see github.

I started a high level doc a couple years ago to compare the major tradeoffs in most popular messengers here:


We also only assume the published Signal binaries match the published source code. Moxie and team have exclusive control of the signing keys and Moxie said he will fight any third parties like F-droid doing from-source signed binaries outside the Google/apple ecosystems in spite of the accountability and removed SPOF it would offer.

If you choose to use a non Google/Apple platform or a freedom-respecting architecture like RISC-V or OpenPOWER you don't get to be on the Signal network.

This eliminates me from being able to use Signal. Talked to moxie at length about this but in the end he repeatedly admits he has no problem cutting off the few to enforce his vision for the many. He also frequently implies he sees himself as the only entity worthy of running the world's communications systems.

He is a smart guy and means well, but he is naive. Benevolent dictators are always replaced by less benevolent ones eventually. There is nothing stopping what happened to WhatsApp happening to Signal. You also have to trust the pinky swear offered by the Signal Foundation that they won't dump the keys from their SGX enclaves using any of a myriad of design flaws, and that they, their ISP, datacenters, and any three letter orgs tapping them will all throw away all the TVP/IP level metadata that centrally flows to their systems.

With Matrix OTOH, if those that host a given set of binaries/servers go evil or we simply want control of our metadata for sensitive channels, we can just use one of the alternative independent clients or a fork, switch to our own server or one run in a country or by an entity we trust more. We also still will be able to reach our social graph, just like switching an email provider.

Democratic control is messy, but I will take it over a benevolent dictator any day.

As for documentation, matrix.org documents the API and design choices of Matrix extensively and they welcome people making alternative clients and bridges to other networks because they believe the only safe and sustainable network services are open ones.

You should consider publishing your table here instead:


Element is really slow on mobile, Signal and WA show my list of conversations in fewer than 5 seconds. Element needs ~10 seconds just to load UI, then 10 more seconds to sync list of active conversations, then I enter into a conversation and it needs between 2 seconds and 2 days to synchronize e2e keys. I can literally leave the conversation open, phone in charger for night and it still can't sync message. How do I explain to my parents that their message from 2 days ago "call me when you're free" didn't arrive because Element couldn't read it? They changed name 3 times already, changing APP ID, forcing me to reinstall it on all devices, update all my bookmarks in browser, having to sync all keys between all devices, not only on my devices, but also my family members who were using it. Their initial-setup of the app is really bad experience. Sometime I can NOT have two devices online at the same time to login and send message from new third device. It's cool on browser, I had nothing bad experience on mobile + web.

Signal is simply best because it works as SMS client AND encrypted messages client. Best UI/UX, one app to rule them all, consistent behaviour, not owned by FAAMG.

Thanks for your insights, I’ll definitely look into Element/Mattix. I didn’t know Signal was just another scheme to collect private data. But I always knew that WhatsApp == FB yet I couldn’t do much due to network effects. Decentralizing the web has never been so important as now.

Signal is not another scheme to collect private data and anyone who makes such a claim has their own agenda to push (as you can see from the other comments in this thread made by this person.) Do a bit more research, get a wide variety of opinions, and then decide which factors are most important to you.

It’s the same as WhatsApp in some extent - always promised that they wouldn’t give up your data while they gained traction and then get acquired by Facebook and get forced to.

No, it is not the same. Signal is a registered 501.3(c) non-profit with a public board and cannot just decide to sell themselves and your metadata at some future point. Signal is also making ongoing improvements to protocols and apps to limit the amount of metadata that must be collected or that can be usefully held.

That’s interesting, I didn’t know that. Thanks for correcting me.

> I didn’t know Signal was just another scheme to collect private data

I think that's quite a misstatement, but it is indeed a centralized service.

I don't think they -intentionally- exist to harvest user data. They just create a situation where they can be taken over by an entity that wishes to easily at any point, or maybe they are already tapped by an entity that has dumped their SGX keys and/or is tapping their network traffic to bulk harvest the metadata they helpfully centralize.

The founder of VK had good intentions and was willing to protect his users too. The Russian government replaced him with someone more ethically flexible.

The foundsrs of WhatsApp clearly never intended it to go in the direction it did post acquisition, but it was not their call.

Gathering all users to a single choke point on a single client on a single server infra is irresponsible and unsustainable. We have been here before.

May I recommend Delta Chat?

It's an email client (with clever, seamless encryption based on gpg) with a WhatsApp style interface. There's a desktop client too.

I've only ever managed to get one person to use it, but goodness it'd be nice to get rid of WhatsApp.

Edit: URL https://delta.chat/

Note that gpg provides worse security from an encryption standpoint than signal/WhatsApp

Frankly, I don't even care if it uses end-to-end encryption at all if it's encrypted to my own server.

Of course, email goes between servers and then you definitely want to ensure the encryption is solid (it often isn't, so PGP is definitely good). I'm just saying that Wire/Signal/Threema/etc. having better encryption is in my opinion only important when you use Wire's/Signal's/Threema's servers. If you can and do host your own, especially if you host it at home, then in practice there is no difference.

Since most people don't do that, Signal/Wire/Threema/Matrix are of course the better options than PGP+email, but PGP+email is still an improvement over the status quo.

Care to explain?

No perfect forward security. It's a feature, not a bug.

It doesn’t feel like a feature to me. And neither does the lack of deniability. They both feel like things that leak information that doesn’t need to be leaked.

Perfect forward secrecy requires two-way real-time communication, in order to construct a session key that can't be computed from just the private keys and the encrypted message. Therefore the way that PGP's lack of perfect forward secrecy is a feature is that it allows an encrypted message to be generated in a way that doesn't require two-way real-time communication, and can therefore be sent by email.

The trade-off is that you then don't have perfect forward secrecy.

Why does signal still work when the other party is offline?

Seems somewhat like threat model will determine the need for deniability etc. I don't consider myself to need it, and mine seems like a common enough case - compatible with a normal WhatsApp user's use case.

whatsapp and signal have forward secrecy, so if your private key is leaked it means that past conversations can't be decrypted. In reality it does not offer a lot of protection if you don't disable keeping logs (because losing your phone and malware are the only realistic ways of your private key being leaked). In addition the way that they have forward secrecy implemented it means that you have to decrypt every message posted in groupchats while you were offline sequently until the last one, which can take hours in an active (even if small) group if you are gone for a week. The other thing is that both of these apps to my knowledge do not warn you if a new key is added (I might be wrong here) so an active attacker can pretty much nullify the encryption, this is not an issue with openpgp.

To add to this: the point of the disappearing messages in signal is to enhance the value of the forward secrecy by not having the record of the messages (so long as both devices are using correct clients and no one is screenshotting messages.

The other feature is deniability: having an encrypted message and it’s decryption doesn’t give you any more information than a screenshot of the message in signal. There isn’t a way for the encrypted message to prove that it was legitimate as the previous keys are revealed in a way that means anyone sniffing the traffic could make a message encrypted with that key.

Afaik, the messages should be deniable as long as they are not signed, not sure how delta chat handles it though. Regarding deniability I personally would consider it as an anti-feature because the one receiving the message can't prove to the wider world that they received it from a certain person and similarly someone who is falsely accused of posting a certain message can't go and say "show the signatures of the messages or you are lying".

By the way, do you know if the one receiving the messages can force messages that are marked as "disappearing" to be kept?

It is true that messages would be deniable if they weren’t authenticated. The design of signal’s protocol is such that messages are authenticated but deniable: it is possible for the recipient to determine that the message was genuine (the information you want to send) but it is not possible for a third party to prove that a message was authentic (the information you don’t want to leak).

See also, this article about doing the same for email: https://blog.cryptographyengineering.com/2020/11/16/ok-googl...

> The design of signal’s protocol is such that messages are authenticated but deniable: it is possible for the recipient to determine that the message was genuine

Via the use of MACs, yes. I never said otherwise. What I said before still holds, as the recipient you can't prove to others that you indeed received a message by a certain someone rather than forged it yourself to incriminate them.

> See also, this article about doing the same for email: https://blog.cryptographyengineering.com/2020/11/16/ok-googl...

The "Marisa" person in the comments is a friend of mine from IRC and I agree 100% with what she said.

In the EU, there are different terms that you should agree to: https://www.whatsapp.com/legal/updates/terms-of-service-eea

As far as I understand, because of GDPR, the sharing of data between Facebook companies is limited. This is different from the US terms.

Anybody interested in SIM cards?

UK/IE/RO/MD/UA/RU/etc - cheap and fast delivery :D

> Will start using Signal app

I can't do this because everyone else I know uses Whatsapp.

Well, do you know whether they use Signal as well? You might be surprised.

Whatsapp helpfully gives you a transition period during which you can try out both ;)

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact