Hacker News new | past | comments | ask | show | jobs | submit login
WhatsApp issued takedown against alternative clients a week before acquisition (raw.github.com)
208 points by martinml on Feb 20, 2014 | hide | past | web | favorite | 66 comments

I wouldn't read too much into this. As part of their purchase agreement WhatsApp likely needed to say that they had been diligent in maintaining and defending their copyrights and trademark. That's pretty standard in a financing, so I'd imagine it's a standard part of M&A deals. It probably turned up during due diligence that they had some "cleanup" to take care of in order to not be lying when they made that representation.

It's pretty disgusting to dismiss this level of abuse of the DMCA (these aren't even legitimate copyright issues!) and legal bullying under the guise of standard operating procedure. It's over-the-top wrong.

I own one of the affected repositories, and submitted the original link to HN the moment I got an email notification about it from Github [1]. It's a shame we didn't get the discussion going earlier.

IANAL, but what the hell does a security POC (and an unofficial API derived from it) have to do copyrights? On what grounds did a repo get chosen for takedown? Is it the "whatsapp" in the name? What about a simple "x.whatsapp.net" connection string in the code? Is that infringement?

Either way, shitty move by WhatsApp.

[1] - https://news.ycombinator.com/item?id=7230041

You're aware that you have rights under DMCA too? File a counter-notification[1] explaining why you think the takedown isn't valid and Github will likely put the repo back online. And if WhatsApp doesn't like it, they can sue you.

[1] http://www.chillingeffects.org/dmca/counter512.pdf

With $19B in pocket they can totally ruin his life with a lawsuit.

Assuming you're filing a counter-notice in an instance where you have a good faith belief that the original takedown notice is in error, and that you can support that belief, it's rather unlikely that the counter-notice alone will make the supposed copyright holder more disposed towards litigation. Especially if they knowingly misrepresented matters in the takedown, opening themselves up to damages and attorney's fees.

In any case, they can already sue you regardless of whether a takedown notice is issued in the first place. :)

It's a pretty big leap from a vague and threatening letter to a life-ruining lawsuit... but IANAL and that's certainly possible.

There's still a mandatory 10(?) day delay before the content can be reinstated.

Hey, I never said it was a fair and just process, but the designers of the DMCA at least did consider that the takedown process might be abused.

They should have solved that issue then, not just consider it.

large money crush imagination and suck all the life out of creativity, of all people zuck should've entertained huge ecosystem of various clients that suit other people's needs...

Interesting. Trademark law is probably pretty strong against repositories named "WhatsApp" or something very similar. Using the logo without permission as well.

Describing a project as "working with WhatsApp" would probably not be an actionable trademark infringement. Code that works with the WhatsApp API is almost certainly not "infringing", unless there's some "encryption" going on.

Unfortunately the DMCA takedown rules are such that Internet providers such as Github have basically no direct recourse and refusing to comply is not an option. Additionally, complainants don't have to prove much of anything to issue a takedown notice to a service provider. This is a seriously broken part of copyright law, IMO.

That said, this complaint doesn't appear to me to be explicit enough to meet with GitHub's takedown policy (https://help.github.com/articles/dmca-takedown-policy), which requires "Identify the copyrighted work you believe has been infringed. The specificity of your identification may depend on the nature of the work you believe has been infringed, but may include things like a link to a web page or a specific post (as opposed to a link to a general site URL)." But the complaint itself, besides mentioning trademarks and the WhatsApp name, only says "unauthorized use of WhatsApp APIs, software, and/or services". But the existence of code that can use the WhatsApp API is not the same as actually using WhatsApp's services in an unauthorized manner, so I think this is ripe for some pushback.

WhatsApp can easily enough restrict API access to its own clients if it chooses to do so, which is a far better solution than trying to shut down what's apparently an easy library to write.

How would you propose they do that ? - there's nothing magical they can do that will identify official clients that third parties couldn't replicate.

Surely that is their problem?

And surely taking action against parties who exploit that fact is their solution.

How does an security PoC and API library fall under the DMCA? See this comment: https://news.ycombinator.com/item?id=7273662

From what I recall, the DMCA is about copyright and trademark infringement.

The DMCA is also about "anti-circumvention". It makes it illegal to remove DRM that protects copyrighted content, or to create tools that do so.

That said, this takedown looks pretty bogus to my (untrained) eye.

> Interesting. Trademark law is probably pretty strong against repositories named "WhatsApp" or something very similar. Using the logo without permission as well.

They probably fall under nominative use, which is an affirmative fair use defense. Describing an API or implementation of XYZ as a "Webclient for XYZ" should be fine.

Agreed. It's not as if there aren't a zillion other Github repositories using trademarks in their names. Consumers of open source will generally understand the distinction between official libraries and third-party-developed libraries, and if trademark law is reasonable (IANAL), it should accept even "whatsapp" repos as fair use since no "reasonable person" would be confused. But it requires someone willing to fight Facebook, I guess.

Renaming them al "wazaa" should be fine too.

No law is reasonable.

Wireshark dissector plugin? taken down? I haven't really followed wireshark goings-on in a while, but wow... just wow... I don't think i've seen this before:


My apologies for the bile, but I can't help but call out my reactions to this news...

1. facebook (you: I expected this from, you we're already #1 on this s#17list) 2. whatsapp (sell-out!) 3. github (highly disappointed watching you just lay down and immediately comply shutting down these repositories)

I'm considering moving all my code off of github over this...

With the poor, let's say terrible, security posture WhatsApp always had, this is really not the way to communicate the message that they care and want their software to be scrutinized. Open implementations are a great help to any reverse engineer trying to figure out the mess that is their protocol.

This is exactly what triggers full disclosure.

"this is really not the way to communicate the message that they ... want their software to be scrutinized"

To be fair, isn't the case for most proprietary software - even for the most security-concerned closed-source companies?

No one at WhatsApp has ever warrented that their software is open source, that they want to produce open source or that they share open source values.

"isn't the case for most proprietary software - even for the most security-concerned closed-source companies"

Frequently, and it is an attitude I really dislike.

A serious dedicated attacker can replicate the reversing work quite fast, but this kind of things make it really hard to dedicate a couple of hors to assessing the quality of a protocol.

Moreover, they demonstrated not to be security-concerned, so this comes to me as covering tracks, even if it isn't.

As I understand it they've contributed a lot back to the erlang platform itself. It's their particular system that they want to keep proprietary.

You know what was pathetic? With all its security and authentication loopholes people still used it. I gave it up for time but friends still won't listen and then I had to come back. Now, Facebook is sth I can't tolerate. At least earlier I didn't run the visible risk of my very intimate messages falling into advertisers' hands.

You are technology-aware somehow. Billions of people are not. Us, the IT bunch, must understand this. People buy apps that make fart sounds or only show a damn GIF of a naked someone. People send emails (yes, they somehow manage to do so), and call you after to notify you. Wake up.

I own 3 of the affected repos:

Yowsup https://github.com/tgalal/yowsup MIT License

It is a library that implements WhatsApp's protocol. It is built on community effort of reverse engineering WhatsApp's protocol. I created this in first place to bring WhatsApp on an unsupported platform (Nokia N9/ meego platform)

Wazapp https://github.com/tgalal/wazapp GPLv2 License

This is a UI frontend to Yowsup for Nokia N9. Nokia N9 is the only smartphone produced by Nokia which never got WhatsApp support. I created this client because I wanted to use WhatsApp on my Nokia N9. The code is totally decoupled from Yowsup, and does not use WhatsApp in its name. You can see its icon here http://everythingn9.com/wp-content/uploads/2012/05/wazapp.pn... which for me looks different enough from official client's icon.

OpenWA https://github.com/tgalal/OpenWhatsappBB10 GPLv3 License

This is also a frontend to Yowsup, but for Blackberry 10. It is a little bit similar case as Wazapp. I created this for BB10 when WhatsApp initially said they're not supporting that platform. Again, this is decoupled from Yowsup, has same icon as Wazapp. Its name though on Github is OpenWhatsappB10, as a project name. However, the real app name is OpenWA. Perhaps a rename of the repository would be sufficient ?

I was toying around with your (quite excellent) Yowsup library a little while ago and the one question I always had was this: Since WhatsApp doesn't have an official library, wasn't Yowsup always in the cross-hairs?

I mean, it was only a matter of time before they clamped down and claimed that you were violating section 3.A.iii of the ToS by reverse-engineering the WhatsApp protocol, right?

Don't get me wrong, I would have loved it if Yowsup was allowed as an (unofficial) API - or something like that. However, as a newbie to the world of programming & software development in general, I am trying to understand what was wrong about the DMCA notice. What, in your opinion, should they have done instead?

That is not a DMCA takedown request. It is merely a takedown request. The person to whom it was sent has no obligation to comply.

The copyright part is.

Also, I wouldn't describe the DMCA safe harbor as an obligation to comply. More of a benefit to complying that doesn't apply to trademark (with the default in both cases being susceptibility to hypothetical lawsuits).

It is a markdown version posted by github for the original DMCA takedown notice sent to github


If you visit any of the links in the request they state "Repository unavailable due to DMCA takedown"

Interesting to see how the priorities beginning to shift once somebody gets ready to make a deal with the devil.

> This continues to cause significant harm to WhatsApp.

$16bn says otherwise.

Maybe libraries/clients would impact WhatsApp's ability to rework their backend to use FB infra now that they've been acquired?

But they are third party libraries; WhatsApp has no obligation for backwards compatibility.

Yes, but... With a sufficiently widespread third party library they risk a backlash with their userbase. Social networks depend so much on the network effect to bring in users that cutting out a large chunk of users all at once because the protocol changed could cause more users to drop out.

Thinking about it, I wonder how much AIM and MSN Messenger's fights against third party clients messed up their user bases.

Their userbase uses the Whatsapp app that comes bundled with their phones on many intl carriers. I don't think they care about the 0.0001% of their userbase that uses third party clients.

Presently, correct. But that's the risk of allowing third-party clients with an unpublished protocol spec. Right now they can break anything they want. If they don't limit third-party clients, their hands could become tied by too many people using it.

EDIT: Note: I'm not a fan of proprietary protocols. I'm just describing what I see as the position of a company that wants to monetize a network like this. If the network and client is the revenue source, then third party clients work against you. Allowing the third party clients to gain too large a share of your user base means that breaking compatibility could have significant network effects against you as those users move to another platform and bring their friends and family along.

I don't think there ever was a serious risk for that for WhatsApp: multi-device support isn't just missing, they are actively making it a pain. There's no way to obtain your password, the password changes regularily, logging in with a second client kicks the old connection, etc.

So people would be forced to make a choice: use it on your phone, or on your computer. Aside from the group of people who don't have a smartphone, most people would chose phone.

MSN made a ton of protocol changes even after there were a lot of third party clients. Trillian, for example, was very popular. Trillian had updates out for MSN changes typically within a day or two.

Thus my question:

I wonder how much AIM and MSN Messenger's fights against third party clients messed up their user bases.

Then one can build a client that mimics one very used bundled client. (so they can't just say "update or you can't log in anymore").

I know that you can't used the outdated version on Android for much longer without being cut off access.

No, it really doesn't.

IANAL, but these claims can't last. To the extent those projects are using WhatsApp's trademarks or copyrighted logos, they can stop infringing by renaming and removing the logos. There might be a "hacking" claim against users who use that software to access WhatsApp's servers, but not copyright (assuming WhatsApp doesn't claim copyright over messages sent through the aervice), of unknown validity, and probably not enforceable against a site which merely hosts code to do so. I think.

It looks like Github has pulled a bunch of the repos, including the ones that don't even have "WhatsApp" in their names.

Is this because they had something like "compatible with WhatsApp" in their descriptions?

If I were repository owners and/or paying customer of Github, I would not be OK with this.

I have a repo called whatsapp analyzer. Guess it was looked over.

People really liked this one: https://github.com/davidgfnet/whatsapp-purple

Starred 419 times.

> unauthorized use of WhatsApp APIs

Does that actually have anything to do with copyright or trademark, or are they just very takedown-happy lawyers?

I don't think that has been decided yet. It was the main issue during the Oracle v. Google trial, but if I remember correctly, the judge declined to rule on whether APIs could be copyrighted or not.

I've enjoyed looking through that Github repository. Lots of snarky comments in the commit log about requests from Sony.

Interesting, so what would happen if I were to upload a copy of these repos under a new name? (not that I was going to)

666 github stars for the repo :)

wtf. i had no idea this could be done to open source code.

I'm not going to comment on the validity of this specific case, but "open source" doesn't automatically mean "protected from copyright law infringement".

From what I understand, companies _have_ to do stuff like this. By not protecting a copyright or trademark you are, in effect, giving it up.

Calling your API "node.whatsapp" is using their trademark, and they do have the right and responsibility to protect it.

It doesn't make them wrong; just a jerk :)

They have to do it to protect trademark, but not copyright. I'm not sure there's any real copyright claim to be made here. The DMCA does have provisions against reverse engineering etc. It's not clear to me from this notice exactly what's believed to be infringing other than the Trademark claim, which is pretty straightforward (and easily gotten around).

> The DMCA does have provisions against reverse engineering

Here in the EU reverse engineering is allowed and even if you sign a contract saying you won't reverse engineer something you've still got the right to do it.

How would the DMCA comply with this, would anyone be able to shut down legally reverse engineered code on GitHub?

GitHub is located and hosted in the US, so US rules apply when it comes to takedowns, etc.

I always wondered, if a company doesn't really want to protect their trademark (too much hassle), but has to, can't they just grant people a (temporary, revokable) right to use the trademark pro forma?

I remember seeing a company (something Linux-related) that had a very strict trademark policy, and they did sue people who used their logo or their name, or event something different but similar. But their web site had a form where you could just enter your email address and name, and it would say oki-doki, you may now use our trademark as you like, until we say otherwise.

You could do that, but probably not in WhatsApp's case, assuming that aggressive trademark protection was a condition of the acquisition deal.

all you message are belong to us

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact