And if so, why exactly? It says it’s end-to-end encrypted. The metadata isn’t. But what is metadata and is it bad that it’s not? Are there any other problematic things?
I think I have a few answers for these questions, but I was wondering if anyone else has good answers/explanations/links to share where I can inform myself more.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
Your address book is uploaded to Facebook servers when you use Whatsapp. And each time you interact, they know with who and link this information with other profiles and users of the Meta products.
Is Facebook bad for privacy?
Whatsapp is Facebook. Literally. Whatsapp sold themselves to Facebook.
So yes: it’s bad for privacy.
The biggest problem is that it uploads your entire contact list and thus social network to Facebook. That alone tells them a lot about who you are, and crucially, also leaks this information about your friends (whether they use it or not).
With contacts disabled it’s a pain to use (last time I tried you couldn’t add people or see names, but you could still write to people after they contacted you if you didn’t mind them just showing up as a phone number).
It still collects metadata - who you text, when, from which WiFi - which reveals a lot. But if both you and your contact use it properly (backups disabled or e2e encrypted), your messaging content doesn’t get leaked by default. They could ship a malicious version and if someone reports your content it gets leaked, of course, but overall, still much better than e.g. telegram which collects all of the above data AND doesn’t have useful E2EE (you can enable it but few do, and the crypto is questionable).
removed by mod
https://ibb.co/wLryDYd
This image somehow is such low quality on my device that I can’t read any of the text on it.
If you’re on Android, the E2E is meaningless as WhatsApp can read what you type, just as the Facebook app can, since they have keyboard access.
I don’t know that they do this, just saying it’s a leak point, and since it’s Meta/Facebook/Zuckerberg, well, let’s just say I’m a bit cynical.
Yes
Yes.
It’s owned by Meta, you better forget about privacy lol!
It’s not just that. Their app can easily have tracking components that look for the list of installed apps, how often you charge your phone, how often are you on a WiFi network, etc.
Also, the app and any tracking component it has can also freely communicate on the wifi network. That doesn’t only mean the internet, but the local, home network too, where they can find out (by MAC address, opened ports and response of the corresponding programs) what kind of devices you have, when do you have them powered on, what software you use on it (like do you use any bittorrent client? syncthing? kde connect? lots of other examples?), and if let’s say your smart tv publishes your private info on the network, it does not matter that you have blocked LG (just an example) domains in your local dns server, because facebook’s apps can just relay it through your phone and then their own servers.
If the app’s code has been obfuscated, exodus privacy and others won’t be able to detect the tracking components in it.
Are others different, like Signal and how do I know?
As a normal user I install both in exactly the same way, I have no way to verify that the code of the apk on the play store is exactly the same as the code published by Signal as open-source. How could I trust Signal more?
Signal’s encryption is sound, but there’s an uncomfortable fact that it uses google play services dependencies (like for maps and other things, I think). There are articles (1, 2) that discuss that it has functionality that may allow an other process (the google play services process) to read the signal app’s state or even directly it’s memory because of that, which can mean the contents of the screen or the in-memory cache of decrypted messages.
Security audits often only audit the app’s own source code, without the dependencies that it uses.
The google play services dependency could have a “flaw” today, or it could grow a new “feature” one day, allowing what I described above.
May or may not be connected, that Moxie (signal founder) is vehemently against any kinds of forks, including those that just get rid of non-free dependencies (like the google play services dependencies). The other comments of his are also telling.
Because of these, I have ruled for myself that I’ll not promote them as a better system, and I’ll not install Signal on my phone, because I think it gives a false sense of security, and for other things like still requiring an identity connected identifier (a phone number) for registration.
However if there were people whom I can only reach through Signal, there’s Molly. They maintain 2 active forks, one of which is rid of problematic dependencies, and I would probably use that. Molly-FOSS is not published on the official F-droid repository, but they have their own, so the F-droid app can still be used to install it and keep it updated.
It’s hard, unfortunately, and in the end you need to trust a service and the app you use for it.
F-droid apps are auditable, they are forbidden from having non-free (non-auditable) dependencies, and popular apps available in the official repository are usually fine.
With google play, again the truth is uncomfortable.
On Android, the app’s signing key (a cryptographic key) makes it possible to verify that the app that you are going to install has not been modified by third parties.
Several years ago Google has mandated that all app developers are required to hand in their signing keys, so that google can sign the apps instead of them, basically impersonating them. Unfortunately this also means that unless the app’s total source code is available (along with all the source code of it’s dependencies), it’s impossible to know if google has done modifications to the app that they make accessible on the google play store. This in itself is already a huge trust issue to me, but what is even worse is that they can just install custom modified versions for certain users on a case by case basis, with the same signing key that once meant that it was not modified by third parties like google, and no one will know it ever.
Just an example to show that the above is possible: the amazon web store similarly also requires the developer to hand over the app’s signing key, and they admit in the documentation that they add their own tracking code to every published app.
Thank you a lot, this is great information!
You can only know if you choose to read the code and compile from source. You can trust, in that your read the code and just install the app, or let others read the code for you. If reputable sources tell you it’s good, most of the time it’s good. How can you trust Signal more? Well you… shouldn’t. You could try to use a decompilation tool, don’t know if that works on Android’s apps though.
TL;DR: Yes it is, it’s terrible. What would you expect from a Facebook product? Use Signal instead.
Thank you, but I’m looking for actual arguments that would sway someone that is trying to come to a rational conclusion. “The reputation of the company is bad” is of course valid evidence, but it would be much more interesting to know what Facebook actually gains from having users on WhatsApp.
First, it is very likely that the WhatsApp encryption is compromised, it definitely shouldn’t be trusted, as it is completely proprietary and thus not transparent to users and independent auditors. Also, unlike Signal, WhatsApp doesn’t encrypt any metadata. The biggest source of WhatsApp user data for Facebook though are address books. When you grant WhatsApp permissions to access your contacts, that data is sent to Facebook servers unencrypted. That way, Facebook can see the names and phone numbers of all of your contacts. This is not just bad for you, it’s also bad for everyone whose phone number you saved in your address book, their data is sent to Facebook, even if they don’t use any Facebook services themselves. Also, when you have WhatsApp or any app installed on your phone, it by default has access to many things that you can’t control or restrict. For example, it can access some unique device identifiers and look at stuff like the list of apps you have installed on your phone or access sensors like the gyroscope and accelerometer which can absolutely be used to track you. It’s better to keep shady apps like those made by Facebook, Google, Amazon, Microsoft or other surveillance corporations off your devices. Use FOSS alternatives with a proven track record like Signal if they are available.
I understand they have access to all this information you listed, but what do they gain from that if I don’t use any (other) Facebook services? Normally, I understand that it allows for better ad targeting, but WhatsApp does not have ads, and if I don’t use any other Meta services that actually serve ads, how could this info being out be a problem for me?
Facebook has your address book, so they have the phone numbers and names of all of your friends, work colleagues, family members and other people you happen to know. They can see your entire social graph. This kind of metadata is extremely valuable. If you just have the phone number of someone in your phone book who at some point becomes a terrorist, you are now also under full investigation. I don’t know about you, I find this scary and dystopian, but unfortunately it’s real. If someone you know does something that’s wrong, you are now also a suspected criminal. Metadata is sometimes even more valuable than the actual data itself. To quote the former NSA director Michael Hayden: “We Kill People Based on Metadata”. Especially since the Snowden leaks we know that we should protect ourselves from corporate/government overreach and surveillance and the best way to do this is avoiding proprietary software. FOSS is superior in any way: It’s built by voluntary individuals who just want to help out other people and try to make the world a better place, it’s transparent to the user and can be verified, you have the freedom to do with it whatever you want. We really shouldn’t be supporting multi-billion dollar corporations lead by weirdos. Did you know that Mark Zuckerberg bought all the land around his house, so that none of his neighbors can see what he is doing for privacy reasons, while he probably caused the biggest invasion of privacy in the last decade? We shouldn’t be supporting such people. We really shouldn’t.
WhatsApp Moderators Can Read Your Messages - https://gizmodo.com/whatsapp-moderators-can-read-your-messages-1847629241
…if someone reports them
That means if they want to see your messages they do it anytime, not only when someone report it.
If a government want access to the messages they can access.
but how can they read them when its encrypted?
Unlike other messaging apps, they have access to encryption keys, when you change devices you only need to fill the phone number and all of your messages are available.
On other apps like Signal or matrix, you need to backup or export your keys to other devices, otherwise you can access previous messages.
It’s like you own an apartment and the doorman have keys to all apartments, if you lose the key the doorman can give you a copy, but also have access to your apartment when it pleases.
Don’t you need to have backed up your messages in Google drive to be able to restore them when changing devices? And up until the multi device update when someone changed their phone you’d get a text saying your encryption keys with them has changed.
And I remember talks in matrix about the need for a single password solution to appeal to masses.
That’s what they say.
MetaFacebook already lied before countless times, so who knows.(You can google Facebook lawsuits. The number of the results is scary.)
Are you really asking about privacy of a Facebook’s app?
Are you going to be flippant or help educate the person?
The answer is: Yes, WhatsApp is bad for privacy.
Whats the deal with IP address and Whatsapp? Like use a VPN ofc but still interested in what is known/felt about this matter
deleted by creator
Jynx
Not sure what you mean? It’s a meta app, they can easily fingerprint your devices without the need of an IP address, VPN doesn’t matter at all. If you access any Meta services from the same device, they know exactly who you are.