lol. whatsapp
I'd been putting off moving all our family WhatsApp groups to Telegram.
Now I can actually justify the time it will take.
I no longer have an oculus HMD, but Oculus no longer has any profit from me.
I am thankful that I made the decision early on to use Steam for purchases.
The only surprise is that this was not done sooner.
WhatsApp is somewhat more essential for a lot of people, and contains more sensitive information, so this is not good.
At least with FB and Insta, you can just keep rubbish information stored in there.
But doesn’t this violate GDPR? Correct me if I’m wrong but I thought asking the user to share data or leave service was illegal under it.
Also the same under iOS 14, again I have almost zero knowledge regarding the app store policies but I thought it had the same condition that an app should be functional without the user accepting data sharing policies.
Signal works pretty well for anyone who isn't my family.
I'm puzzled where Denmark went "wrong". I see other EU users say that WhatsApp is absolutely dominant in their countries, and yet everybody I know uses iMessage, which may not be surprising if you look at graphs like this https://gs.statcounter.com/os-market-share/mobile/denmark
For "social circles", coordinating sports activities and more, people use Facebook or Facebook Messenger, which is just as bad as WhatsApp.
Schools here use Microsoft Teams for remote teaching classes, and Office365 for schoolwork, and there's not a single Google account to be found anywhere. O365 may be just as bad, but the contract is negotiated on a government level, and bound by the GDPR and other local laws, so I assume my kids' personal data are relatively secure.
Because of regulations, WhatsApp may neither move data out of India nor transfer to a third party.
Was that time-limited, is it not running afoul of that, or does Facebook just risk it?
Turning off access to contacts in ios immediately makes your profile picture invisible to others.
Meaning: we can't all revoke access and try to identify contacts by profile pic.
Fuck you FB.
I guess it's time to say goodbye to my fb account.
So long whatsapp. I never needed you. :bird emoji:
Theoretically you might be able to get something out of the local or cloud backups, but they're encrypted so they're probably difficult to get a hold of. The key is stored in the private application data, but there must be some way to get it back/regenerate it because you can restore a backup without copying any secrets from the previous phone.
[1]: „Backuptrans iPhone WhatsApp Transfer for Mac“
Moving to a different walled garden is not a solution.
I mean, we should help our friends to migrate to new solutions. If we don't we lose.
I created a new burner FB account (I don't use FB) to go with my Quest 2.
I used a fake name and a gmail burner account.
However I've had to enter my credit card details to make payments so they have my real name, bank details and address information. They also know what I'm watching, what I'm buying etc.
So my question is - do they call me out at some point and tell me to add a real name or prove my ID. Or do they let me carry on under my burner account because they can still profit from me both from my spend on apps/games and by selling my real data?
(The only way to win is to not play the game...)
Also what happened to the "if you're not the customer you're the product" mentality? Do people expect some entities to pay for servers and teams of Android and iOS developers to create a chat app without getting paid and out of pure goodwill?
Please bear with me if this doesn't belong here. Normally I wouldn't dare posting on HN (don't want it to become mainstream and have idiots like me gush out their opinions) but I really dunno who else to ask this.
I would suggest reading through their blog posts if you're curious about all the work they're putting into ensuring that they collect as little data about their users as possible. They truly are innovating in a field where nobody else seems to care about ensuring privacy first.
This does come at a cost to how quickly user-facing features arrive compared to their competitors, but this is because they think through where you may leak data and engineer a way around it before allowing a feature to go through. That said, at this point it's pretty much at feature parity with WhatsApp, so moving over to it would be a great time to do so.
It's open source and very secure: https://www.securemessagingapps.com/
I don't see how that's tenable with anything that requires a hosted server to relay information.
Someone will need to pay for it going forward and if the users money runs out, what then?
On a related note, as a regular Signal user (and I've had a modicum of success converting some friends to it), I worry how they intend to stay afloat with "grants and donations" for the next 95 years.
Well, there’s an IM service already deployed to all mobile systems and it’s called SMS.
All that’s needed is some sanity in the pricing, some modernization of support for multimedia and cross-device sharing/archiving.
This whole industry exists for 1 sole reason: telco ineptitude
> Message delivery is "best effort", so there are no guarantees that a message will actually be delivered to its recipient, but delay or complete loss of a message is uncommon, typically affecting less than 5 percent of messages
Maybe 5g will fix something, I'm not current on the spec.
https://tweakers.net/nieuws/176412/whatsapp-verplicht-datade...
I've settled for just talking to the people I can convince on different messengers and now have ~5 messenger apps on my phone.
I use LineageOS for privacy reasons, and intercept various things I consider to be privacy violations.
I very much disagree with these ways of operating, for systems that monopolize human-to-human communication.
All because "the users don't know better, so it's good to filter the information they get access to" or because "information overload is somehow more likely to push people to the extremes than siloing and letting people live in filter bubbles" and other similarly paternalistic justifications. It's interesting how facebook trying to get the information is bad, but using that information, among other things, to filter what its users see or not is apparently good.
Usually people have it installed alongside WhatsApp, I am the only one without it I think.
Just started the process of notifying my connections that I'll be uninstalling WhatsApp. If not Signal, then just Phone, iMessage, SMS and email work well..
Hopefully this will drive larger adoption of Signal..
None of my friends can see it (I checked for two close friends).
Can one of you guys try the same and confirm Whatsapp does not block such status?
Nowadays most people I know have Signal installed alongside WhatsApp, I even migrated my mother.
Actually maybe I can put it in my bio and keep the account floating ? Hmm
https://www.whatsapp.com/legal/privacy-policy-eea
I especially like how their email template asks you to fill out a bunch of unnecessary fields and implies that the request might be denied if you don't.
I think most WhatsApp users would just give up at that point.
I think both of these addresses work:
- DPO-inquiries@support.whatsapp.com
- Objection.eu@support.whatsapp.com
However, I don't really know how to best formulate such a request.
(By the way, the server might refuse to receive your mail if they don't recognize your domain.)
If I had money I would do a foundation thing to kickstart something like that.
Is that a dumb idea ?
edit: maybe the latency between the app and the block service would be too high to be reliable/tolerable.
edit2: there used to be a lot of applications that relied on dropbox to store things but I have a feeling SSG captured the dev mindshare (or maybe Dropbox restricted the API).
edit3: I just corrected `id` to `idea`, my brain does that when I am tired :D
Someone else with more info could explain better?
“Today, Facebook does not use your WhatsApp account information to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook.“
"Today, I've not murdered you yet! Look at that accomplishment I've made!"
Whatever WhatsApp/Facebook do to “take care” of the “customers” is just like pig farmers taking care of pigs.
https://news.ycombinator.com/item?id=25669600
That's a neat trick, but not as neat as Signal's "sure, here's all the data we have - the time and ip address of their last use."
(I'm sure a bunch of the "better UX, UI, and features" people like in Telegram rely on them storing more data on their servers, so that comes down to a privacy/convenience tradeoff, which as others have pointed out almost always comes down on the convenience side for 99.99% of people...)
How to report:
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
We invented social media.
Who can't?
https://arstechnica.com/tech-policy/2016/10/fbi-demands-sign...
Can't find any downside, really - except that few people are on it.
>https://www.latimes.com/business/la-xpm-2014-feb-24-la-fi-tn...
>The WhatsApp acquisition has raised concerns among some users that WhatsApp would become, well, more like Facebook. Zuckerberg took the opportunity to quiet those concerns, saying WhatsApp would continue to operate independently from Facebook.
>“We are absolutely not going to change plans around WhatsApp and the way it uses user data. WhatsApp is going to operate completely autonomously,” Zuckerberg said. “They might use people and infrastructure to grow, but the vision is to keep the service exactly the same. They do not keep the content you send, and we’re not going to change that.”
Except default E2E (which WhatsApp, Signal, Wire, Threema etc. do provide).
Jumping out of the Facebook frypan into the Salesforce fire doesn't seem to be a particularly winning move...
(Which also raises the question, whichever alternative you choose, you probably need to evaluate the risk of Facebook (or some equally evil corp) acquiring them down the track. I wonder how likely Discord/Telegram/Signal are to be able to resist Facebook-sized acquisition offers?)
WhatsApp uses "privacy shield"[0] to allow it to flow data from the EU to the US.
However, privacy shield was rejected by the European Court of Justice on 16 July 2020 (Schrems II) [1] so we're back to "standard contractual clauses" [2].
There's currently no alternative to Privacy Shield.
[0] https://www.whatsapp.com/legal/privacy-shield/?lang=en
[1] https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield#L...
[2] https://ec.europa.eu/info/law/law-topic/data-protection/inte...
Let's keep in mind however that these are advanced use cases, and that for 99% of the users these are just apps supposed to deliver text and media from A to B. In 2021 it's not hard to build an app like these, even with E2E encryption and 2FA. Social lock-in obviously plays a role, but I'm really appalled by the scarcity of alternatives that enables companies like Facebook to bully us into reading our private messages for advertising purpose and easily get away with it.
Although the privacy-related changes were somewhat expected, the timing and aggressive timeline will likely play out in Facebook's favor.
While giving users a 1 month grace period to either comply (share their data) or delete their account already seems like a pretty aggressive window that limits the ability for users to fully assess options or migrate existing groups/chats to alternative platforms, the short timeline combined with the on-going pandemic, and the fact that WhatsApp has become one of the primary means of communication for many around the world will likely lead to a very limited drop in users leaving the platform as a result of this policy change.
Beyond February, once users have already shared their data, there is likely minimal incentive for groups or individuals to overcome the network effects and move to another platform in the short term.
Also, a preparation for antitrust action - once the data is shared and integrated, even if they are forced to separate WhatsApp, they have all the metadata (which takes 3-5 years to become stale) and now they will have it “legally” (sadly, this extortion is indeed legal. It shouldn’t be)
Isn't WhatsApp still purportedly end-to-end encrypted? What data is "on the table" when it comes to sharing - just contact lists and phone numbers?
It is, and same is claimed in their privacy policy and ToS. According to the original article it will include, what is already being collected:
- User phone numbers
- Other people’s phone numbers stored in address books
- Profile names
- Profile pictures
- Status message including when a user was last online
- Diagnostic data collected from app logs

Along with possibly:
- Purchases
- Financial information
- Location
- Contacts
- User content
- Identifiers
- Usage data
- Diagnostics

A little more than contact lists and phone numbers.
Does anybody have this picture? I can’t find it
This is not just a founders problem - investors are equally compliant since they keep on throwing their money as long as they see that sweet exponential curve.
Once they get tired of seeing their money being lit on fire; they give the founders one option; monetize what you have or shut down.
Since users are now used to your service being free, the only thing you can do is to look at what you have; User data.
At first, you just sell this info to your “trusted” partners because you want to be able to sleep at night, but as the revenue keeps on growing, your investors realize you have a money printing machine at your hands.
At this point you’ve lost your compass and forgot why you even founded the thing, being stuck at a big table discussing with investors and lawyers how to find loopholes in the new iteration of the GDPR laws, ending the meeting with deciding to funnel a big chunk of cash to lobby the law out of existence.
At this point, everybody loses except for the stock owners. Or maybe you find it hard to sleep at night, because even though you now have infinite amounts of cash, you lost a part of yourself that day when you threw your entire user base under the bus.
What we need more urgently is better open source alternatives that allow us to port out of these walled-garden apps easily; that is the only way I can see my contacts and data from WhatsApp and other apps migrating out.
So the company with the deepest pockets controls our daily communication channels and as consumers we feel powerless due to the network effect.
One way to overcome this would be to make it mandatory that communication services must allow federation. Sure, it would not be a perfect solution, but it would be a lot better than the current situation and should be acceptable by all parties involved.
People I talk to and my IP address but what else?
Wish Apple would let us choose which contacts to give specific apps access to, like they did for photos.
In the meantime, you can try minimizing what WhatsApp sees about you by turning off access to contacts, using the desktop or web app, and just talking to people via
I switched to Telegram and never looked back.
I know some crypto fans who really try to push for folks to use Signal, but there's too much inertia. WhatsApp isn't really on the radar.
It's wild to read how much of a monopoly it enjoys elsewhere.
I use Signal with tech friends, and Telegram with family/non-tech friends. I feel like the latter using Telegram is still better than them using WhatsApp, so I’ll take what I can get.
Yeah, Matrix is great. I was probably among the first people to install Riot, but the grim reality is nobody (well, one geek-friend of mine and his wife) uses Matrix. Look, even I was surprised when you mentioned "Element": thought it must be some new messenger I didn't hear about...
But I'd surely rather like people to promote Element here, not Signal.
I demoed it recently as a Slack alternative and it's not very user friendly. Our groups ended up just using Signal.
I don't know of any other competitors who do the same. As Signal messages are end-to-end encrypted, even if their servers were compromised, your messages would still be secure. As they use a rotating key, unlike manually using PGP, even if one of the keys was intercepted, they would not be able to decrypt any of your other messages. Using PGP, if someone steals your private key, all your messages are now vulnerable.
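To illustrate the "rotating key" point in the comment above, here is an added example (not part of the thread and not Signal's code) of a one-way symmetric key chain compared with a single static key. All names, the root secret, the messages and the toy HMAC-based cipher are constructed for the demonstration; it shows only that a stolen chain state cannot open earlier messages, while Signal's Double Ratchet additionally mixes in fresh Diffie-Hellman outputs, which this sketch does not model.

```python
import hashlib
import hmac

# Constructed sample data: a shared root secret and five messages.
ROOT = hashlib.sha256(b"constructed shared secret").digest()
MESSAGES = [b"msg-%d" % i for i in range(5)]


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation: HMAC-SHA256 keyed with `key` over a fixed label."""
    return hmac.new(key, label, hashlib.sha256).digest()


def ratchet_step(chain_key: bytes):
    """Return (message_key, next_chain_key); neither output reveals chain_key."""
    return kdf(chain_key, b"\x01"), kdf(chain_key, b"\x02")


def _keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher built from HMAC; a stand-in for a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += kdf(key, b"stream" + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:length])


def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from message_key."""
    stream = _keystream(kdf(message_key, b"enc"), len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(kdf(message_key, b"mac"), ct, hashlib.sha256).digest()
    return ct + tag


def open_message(message_key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(kdf(message_key, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(kdf(message_key, b"enc"), len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def send_ratcheted(root: bytes, messages):
    """Seal each message under a fresh key.

    Returns (blobs, states) where states[i] is the chain key held just
    before message i is sent, i.e. what a device compromise at that
    moment would expose.
    """
    chain, blobs, states = root, [], []
    for m in messages:
        states.append(chain)
        message_key, chain = ratchet_step(chain)
        blobs.append(seal(message_key, m))
    return blobs, states


def readable_with_keys(keys, blobs):
    """Indices of blobs that at least one of the given keys can open."""
    return [i for i, blob in enumerate(blobs)
            if any(open_message(k, blob) is not None for k in keys)]


def readable_with_chain_state(stolen_chain: bytes, blobs):
    """What a holder of one stolen chain key can read by ratcheting forward."""
    keys, chain = [], stolen_chain
    for _ in range(len(blobs)):
        message_key, chain = ratchet_step(chain)
        keys.append(message_key)
    return readable_with_keys(keys, blobs)


def readable_with_static_key(key: bytes, blobs):
    """What a holder of a single long-lived key can read."""
    return readable_with_keys([key], blobs)


if __name__ == "__main__":
    blobs, states = send_ratcheted(ROOT, MESSAGES)
    print("chain state stolen before message 3 opens:",
          readable_with_chain_state(states[3], blobs))
    static_blobs = [seal(ROOT, m) for m in MESSAGES]
    print("static key stolen at any time opens:",
          readable_with_static_key(ROOT, static_blobs))
```
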
Note that this isn't just theoretical - there are governments using Matrix, but not necessarily federating with other instances.
(1) claims that Facebook promised WhatsApp would not be monetised, and that Facebook and WhatsApp's data would not be combined. This information was also provided to European antitrust regulators
(2) missed out on $850 stock option grants vesting by quitting early over disputes with Facebook about monetisation strategy
(3) promoted #deletefacebook on WhatsApp following the Cambridge Analytica scandal
(4) Donated $50m to the not-for-profit alternative, Signal.
Textual messaging is a low-data-use (accessible to the cheapest phones with the smallest data packages) entrypoint to capture a person's social network so you can have other opportunities to capture them again and again with other services in the future. Facebook saw India as an especially huge burgeoning market at that time (hence Internet-dot-org / Free Basics), and afaik WhatsApp is ubiquitous there.
Also, I'd be happy to pay for WhatsApp but then they need to isolate themselves from Facebook/third parties and slow down with the feature creep. It works great for what it is. If they mutate the thing further, it's going to become a gross/convoluted app that tries to cater to all use cases.
GDPR allows processing of data under various legal bases. They use consent (opt-in) only for things like accessing your camera. For sharing data with other Facebook services, they rely on a "legitimate interest" (opt-out) instead. In theory, you might be able to object to processing under a legitimate interest, but they make it rather cumbersome. Which processing activities they perform under which legal basis is actually well-explained in the privacy policy, if you manage to find the correct section (it has a rather labyrinthine structure).
One can dream, right?
Anyway we have so many ways to communicate with one another that if someone wants to reach me he can, probably it will be less a big deal than what most of us think.
If all of your tech savvy friends disappear from WhatsApp in a matter of a couple of weeks maybe some other people might follow... I kind of hope in a domino effect right now, let’s see how it plays out!
I am a heavy advocate of privacy and the main driving factor for these conversations in my friend/family circle. Trying to get people to a different platform for 2 years now (they did and came back), so now I wonder if I am just wasting time really for an apocalypse that was never going to happen.
I think in Europe we are more aware of these issues because shady organisations in the past have been able to get their hands on government files and use them for nefarious purposes.
IBM's custom designed punch cards and the absolute openness of census records (church books are rarely encrypted) was the only reason the third Reich was ever able to census all European Jews and then systematically deport them in any reasonable time frame.
That is obviously very different from new WhatsApp TOS, but this incredibly prevalent opinion of "Well, nothing really bad regarding privacy and tech did actually happen, right?" irks me a lot.
_______
>WhatsApp, according to the App Store, reserves the right to collect:
Purchases
Financial information
Location
Contacts
User content
Identifiers
Usage data and
Diagnostics
So does anyone know if there's a way to revert the agreement?
Forget whether or not they can, legally; if I recall correctly they explicitly promised not to.
People who work for those without integrity are baffling to me.
Edit: Just did a comparison of all the data collected by Whatsapp, Signal and Telegram
- Telegram - https://apps.apple.com/gb/app/telegram-messenger/id686449807
- WhatsApp - https://apps.apple.com/us/app/whatsapp-messenger/id310633997
- Signal - https://apps.apple.com/us/app/signal-private-messenger/id874...

WhatsApp collects a stupid amount of data. It's time for me to shift.
Even for me, my kids' school sends updates on WhatsApp. Bank also sends its updates on WhatsApp etc. But I have avoided using WhatsApp for these purposes. And so far I have survived. Because almost all businesses don't rely exclusively on WhatsApp. At least in my case. They send emails, SMS messages etc. It's not as clean as WhatsApp. But everything has its pros and cons.
If we really want to move, then I think we can move. It will be a little harder to start with. But then something better will hopefully come across. Tech has always filled gaps which come up.
https://medium.com/@kloudtrader/reducing-whatsapp-digital-fo...
Not sure if it still applies to the latest version of Android and WhatsApp but it might help. However it only mitigates certain real-time tracking and contact discovery, not to mention switching profiles is somewhat of a hassle.
Users: whatever.
I like Whatsapp, and this change seems in line with what Whatsapp always has been. Of course I'm always wary of advancements, ready to uninstall it if really bad news arrive, but in general Whatsapp has been respectful of its users, especially those that are privacy concerned.
They hired a lead developer from Signal to implement E2E encryption, its functionality is almost completely transparent, which reduces the need to inspect source code to understand functionality. The most severe of privacy criticisms have amounted to "Facebook knows who you message and at what times you message", which is a very good position for a 2B user platform to be in, since it doesn't read message contents.
I have tried Signal, but I cannot recommend it to family (yet), since I don't find what they do with metadata harmful, it's just a price to pay for the otherwise free app, like advertisement. Anyone who has recommended Signal so far sounded like an inflexible Stallman fundamentalist. I reserve my voice for other more serious incidents, if there is a successful warrant for message contents or if there is ad targeting based on message contents, then I will start sounding the horns, but for now: Meh.
Can you explain more? Without the ability to see the source code, how can you confirm that e2e encryption is actually being used correctly?
On the other hand, as a tech-savvy person I have no expectation about what happens to the data that I enter into the app beyond expecting it not to be immediately published for everyone to see unless that's what the app explicitly does.
I know data I entered might be viewed by unspecified number of people all over the world during normal operation, and that this data might be published at some point in the future. I'm hoping none of the unknown people that can view my data knows me personally or uses this data against me.
There's no end-to-end encryption hosted service I currently trust to do what they say. If I were to transfer information that I don't want under any circumstances to go public I'd have to research what WikiLeaks is now using for communication.
That's the contract I'm operating under. I think it's a good balance because it's aligned with physical reality.
I have not used Telegram though, so that’s not a preference based on usability, just on trust.
Also, FYI, Telegram is going to introduce some paid features soon, but it's not completely clear what they'll be. There was just some talk that it's about time they monetize it, but I'm not sure if they announced what exactly becomes paid and what doesn't.
2. Technical lingo like "verify other session" and some buggy emoji shenanigans confuse people. The only passable device linking, based on scanning a QR code, is between Element Desktop and Element Mobile, but...
3. Element on iOS is absolutely awful. The worst interface I've ever seen. Extremely busy and convoluted. Rows of horizontally scrollable icons, duplicated as lists? Chat views where spacing is all off? It doesn't work for small group chats and doesn't work for large public chatrooms.
4. Element on iOS won't play GIFs. Element on Chrome/Electron only uploads the first frame of a pasted GIF. This was actually a deal breaker for my social circle.
Frankly, just compare the user experience of Keybase and Element. Keybase got it right.
Also I've previously had the Android app crash and throw Java stack traces, but that was an older version.
That's how e2ee works. You have to send all the old messages to other new client on your other device.
- forward secrecy
- self-destruction
- forced destruction
as Telegram does. E.g. WhatsApp seems to only have an option for 7 day self-destruction, which may be too long for some use cases, and no instant destruction. Neither of the two is superior privacy-wise all things considered, but stating that always-on e2ee is the most important thing is probably naive. And then you have tg bots, ui/keyboards, stickers, etc. which for a regular user outweigh the security area entirely.
Also your virtual bet is lost because every time my circle discusses ‘hot’ topics in Telegram (company issues, lawyer/audit-related chats, recreational drug use, etc), we go secret and warn users who do otherwise. We can’t check whether that is common or not, because those who have to be ‘secret’ may resist admitting this activity.
Pretty much all of our school and local community communication happens via WhatsApp. I'd change to Signal or Telegram in a heartbeat, but the inertia is so great it's not possible.
It pains me to say, but we're getting to the point where companies like Twitter, Facebook and Google need to be treated like utilities or something so that such moves as these can be scrutinised and controlled more effectively as Facebook could pretty much (within current law) introduce whatever policy they like and users would be faced with the option of accepting or being cut off from their local community.
Given the pandemic and the UK lockdown, this is not tolerable.
I want to add that when I left WhatsApp (~2y ago) I deleted my account. WhatsApp kept accepting messages on my behalf. People didn't know I wasn't getting their messages. I'm surprised I don't see this mentioned to the point I wonder if I did something wrong at the time.
In the end, I reopened a WhatsApp account recently because everyone is using WhatsApp in France and I couldn't stand breaking everyone's efforts to bring us together during lockdown.
You have a choice but it's a bit like voluntary solitary confinement. Especially during a lockdown.
So, these things should be regulated and operated like utilities. Phone companies don't have the right to mine my contact list, and neither should Facebook.
Why not? I would.
It's a lesson in civics. To do nothing and say nothing while expecting someone else to fight the good fight is poor citizenship, but it is very good consumerism.
If some company could set themselves up as a utility, and the mobile network operators were to pay that company to run the messaging app + infra, then it could be made to operate like a utility and nobody's data would have to be sold.
I've also withdrawn from social media.
The exception for now is HN, because it's more of a forum, even when bad information sometimes instates itself as reality for a large conversation, like a big gathering of fans talking about their team that will inevitably fail to win or perhaps a bad STD.
I learn what others are doing through direct and intentional communication, even if technology is used or if the information is second-hand. I don't text back or call back immediately, which my friends and family forgive, but it sometimes seems to hurt my relationships.
I still worry of dependence on large companies, big data companies gathering more information about me than I know myself, and the potential of out-of-control AIs. However, I attribute these in-part to my own paranoid thinking that use my memories of large company layoffs, privacy concerns raised in the tech community, and mostly fiction.
While I've come to the realization that the act to trying to be happy and successful is the very thing that makes me unhappy, and I just need to exist, maybe becoming better at whatever I'm naturally good at, while being here and now with those I'm with, giving my service to them... I still keep wasting time replying about things that don't matter.
Our generation is reinventing the wheel here, our ancestors had exactly the same problems with the power, water, gas, telephone and rail networks (at some point in time, all those were unregulated and privately owned) and did exactly that. Critical infrastructure needs to be heavily regulated, if not outright publicly owned.
I like the analogy with utilities, but the issue is that we pay for electricity, but we don't pay for our usage of social media. As long as that's true we can hardly do what I'm suggesting above.
Consolidation is a debt. You gain market cap at the cost of introducing systemic weakness and reducing broader market innovation. Once a company becomes a fundamental service they need to be regulated like a utility
(I will illustrate with Facebook)
Facebook can get the license to operate it but they also need to open up their API’s so others can build on top. These should become web standards governed by w3c.
Facebook is an interesting case as this system would remove all the perverse incentives driving their business model (no more ads). It would also crash their stock. That value hasn’t disappeared though, it has been pushed out to the edge nodes of their network (specifically the companies building on top of their API’s). My thesis is that this model will increase the overall pot while reducing the share the largest players have.
The knock-on effect of this is that investors will see this as the final outcome and be less incentivised to invest. That may be a problem as we don’t want to stop the emergence of billion scale companies altogether. Therefore a mechanism for the people to buy out the company at a fair legally agreed market value should be in place. This will stop crazy upsides and protect the undesirable downsides. The asset then becomes publicly owned but privately operated according to regulations.
AI would fall under the same model. With open API’s and standards anyone can get the data they need to build new AI companies. Especially feasible if we move towards self-sovereign identities and crypto methods of exchange.
To facilitate more small tech innovation we need to introduce a UBI. It will allow more people take risks with their time leading to more cottage innovation. In 100 years it will be a fundamental aspect of fiscal policy.
Additionally education needs to be refocused on making things. People are not equipped with the skills to build things. There is no better way to learn, grow and generate value. If we want a diversified small tech eco-system economy we need to focus on helping people develop the skills that make it possible.
I believe that we need fully decentralized system, much like the e-mail, but realtime and E2EE. Sadly, it seems to me that we're taking the opposite direction. Just few widely used messengers, all of them are centralized, some of them have E2EE, but who knows for how long - EU commission seems to like the idea of breaking in. No matter what their intentions are, I didn't sign up for that.
Not to forget the things that were in co-operative ownership, either.
Privatizing them will just let someone else come along and Embrace, extend, extinguish them.
Or Blame MSN, the Instant Messenger, when Microsoft refuse to admit defeat to the Smartphone platform.
So WhatsApp took over in EU (I believe iMessage or SMS is still popular in France), UK, SEA, Brazil, Hong Kong. Line in Japan and Taiwan, KakaoTalk in South Korea. Unsure about Australia and Canada. (They use WhatsApp but not to the extent of countries listed above.)
And it is iMessage in US. I have no idea why that thing even took off. I have tried it a dozen times over the years and every few months it has problems with message delivery, people in groups not receiving any messages, poor searching capabilities, etc.
Telegram has gained usage but for a different kind of reason. And I don't see it ever being used in the same manner as WhatsApp.
So most of my friends just clicked yes and shared their data. It is important to note that despite the increasing hostility against FB on HN, and in tech circles, most people in the world seem to have no problem with it. I don't see WhatsApp going away any time soon.
Edit: How does this data sharing fit in with GDPR in EU?
It actually doesn't fit at all. As long as "payment" for usage is based on agreement to share personal data it is illegally obtained consent. Either they are ignoring their lawyers or they should fire them.
EDPS Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, 14 March 2017, p. 7.
"There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give the market the blessing of legislation. One cannot monetize and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction."
https://edps.europa.eu/sites/edp/files/publication/17-03-14_...
Where iMessage fails is when the device in the other end isn't an Apple device, or perhaps the contact previously used an iPhone, then fallback to SMS is troublesome.
Most of my family members will send an "SMS"... except it's via iMessage, but nobody knows or cares.
I'm getting strange looks every day when people hear I don't use the platform. It's horrendous.
I also really fear for the moment where I've to tell a nice girl I met that I don't use the platform, and that we should use X other platform instead. I can imagine that to be a letdown or to be weird. That's insane to me.
If their friendship relies on you installing an app on your phone, that's a very shallow friendship isn't it?
I think your fear depends strongly on how open-minded/techie the girl is, though: I've used Signal to communicate with all of my Tinder contacts, but I will admit people remark on how it feels like a 'drug deal'.
It is possible, but difficult. You may lose access to some groups, but you can't have everything you want without some sacrifice.
Personally, I'm leaving WhatsApp. Yes, my family and friends will be a bit annoyed about the hassle of contacting me separately, but so be it.
And in a lot of countries you wouldn't lose access to "some groups" but you would lose access to ALL of them, from social, to every other group.
Would they really find that too difficult? The mind boggles.
Hope some lawyers can stop this in its tracks. Otherwise Signal or some other service will get our business
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Obviously that doesn't stop (many, many...) just using it anyway. But Facebook will happily turn a blind eye to this unless their hand is forced.
When I try to tell parents how much Facebook learns about their kids (their friends, networks, and by merging data from different sources: habits, school, frequented locations, etc), they just roll their eyes. The response is "well everybody is tracking us, who cares".
All this even though there is Signal, which works JUST FINE.
I don't think politicians are going to solve the problem for us entirely, but a bunch of us have been working on technical solutions for decades and they aren't the entire answer either.
A little regulation combined with the right alternatives may go some way. I'm optimistic, though we have a very long road ahead.
What is really problematic is Facebook monopoly for organizing any social activities or events. There are simply no alternatives especially among 30-50 years old. Like the saying, “What parents were afraid video game would do to children, Facebook did to parents.”
There is no way to cut WhatsApp from casual/family use in Europe.
Schools, kindergartens, mechanics, contractors, plumbers everyone uses it.
The problem is that WhatsApp is the easiest method to share photos on mobile.
If you do not have WhatsApp your plumber can not send you a picture of pipes they fixed. How do you work around that?
Other parents are using WhatsApp for organizing out of school activities. Again, there is no way to go full Stallman here...
Beyond that, I will not entertain personal messages on whatsapp, only work related. Each new person will be greeted with "Do you mind awfully if we use Signal?" Does this come off as self-important? Sure. But it helps that I don't care too much if it does. I had the same attitude quitting FB and Twitter too, I just don't need people that much. I don't have a 100 friends anyway. I have like 15 that I really want to keep in touch with. Those 15 will understand.
Here in the UK I am literally required to be on WhatsApp to live in the building I currently live in. I have no choice in this matter. It's just the default messaging service for everyone.
If you join any kind of club? WhatsApp group. If you want to talk to someone about renting a room or apartment? WhatsApp chat. Live with housemates? WhatsApp group.
Plus the whole fact that if I deleted facebook, I would cut off contact with my friends and family (I can't expect like 25 people all to switch messaging services just for me). I would lose access to my thousand-dollar Oculus VR headset (I hate them so much for buying and linking facebook and Oculus, and hope a better competing standalone headset comes out).
And don't forget, you can't use an Oculus Quest with a blank facebook account you made just for that - they actually check that you're really using the account and force you to verify with photos and ID.
They are the absolute epitome of evil. Facebook, in many ways, but particularly in regard to Oculus, is a moustache-twirlingly, cartoonishly evil organization.
Could I just never buy an Oculus? Hopefully one day. But when not just your hobbies, but also your study and skillset and career prospects are right in that industry, you swallow your pride and make a damn facebook account.
I was also required to be in facebook groups for university classes back when I was a student. I HAD to be on facebook to get a degree. And for an amateur theatre group I joined.
Not to mention everything going on with misinformation about elections, vaccines, etcetera etcetera.
Some of this stuff is now moving to Discord, which is probably better than anything owned by facebook, but being better than facebook is a damn low bar, and Discord is still ultimately a for-profit corporation that would sell your soul if it made them a dollar.
This "just stop using it" attitude you always get on Hacker News and reddit about facebook and their various messaging platforms baffles me. Do you people not have lives? Jobs? Friends? Family? If you (in or out of a pandemic lockdown) want to do just about anything outside your house, or a whole bunch of things inside it, you need to use Facebook services.
It sucks and I'd love to stop supporting them but it's not like most of us have a realistic choice.
Unfortunately, it seems that for many people on HN, HN is almost all their online social interaction, + tech people on Signal/Mastodon. Some don't seem to understand the concept of having family and friends who are not tech-savvy (or even hate tech). Or understand the concept of social capital.
It’s not “switching”, they can start using another app and continue using whatsapp. I’ve done it with my family at least twice during the last 12 years, it was not that difficult.
I'm so anti-Facebook now that it's a part of the way I identify myself, and for all that I can't delete it. I maintain contact with a friend in Germany via Whatsapp or Facebook messenger, and in this case it would be possible to use email (which is not nearly as casual as firing off a message in your spare moments) or some other service but it doesn't solve the problem about friend groups.
I have friend groups around the world that my only way to participate in is Facebook. I believe moving abroad is in my future again, and Messenger is detestably the only real way to keep up with my friends back home. Leaving Facebook and Messenger is like leaving a bar I hate; I'm only here for the people and I wish we could go somewhere else.
(I don't know what to replace it with -- I mostly use Hangouts but it really feels like it's falling apart.)
I would suggest to check if they use Telegram/Line/Kakao/Hangouts, or suggest it to them. They are all closed source, but at least is the lesser evil?
People have the choice and use it. Not sure what is holding other circles back?
I haven't had WhatsApp in 4+ years and only rarely have to fall back to SMS.
And it is, and I sympathize, but you and your family will not die or starve. It's possible.
I'm fed up and will remove FB and WA from my phone, at least. It will be painful.
You will find WhatsApp contacts for any kind of communication, ordering a taxi, food, whatever.
Move out of WhatsApp, and it is going to be quite boring out in the Savannah.
WhatsApp is popular but not a monopoly. Not really something to celebrate since its main "competitor" and #1 instant messenger app is Facebook Messenger. Skype and Discord are also significant, and I expect iMessage to be important too.
"By tapping Agree, you accept the new terms, which take effect on February 8, 2021. After this date, you'll need to accept the new terms to continue using WhatsApp. You can also visit the Help Center if you would prefer to delete your account and would like more information. To learn more about how WhatsApp processes your data, read our updated privacy policy" (with an Agree button underneath).
I could close the window. But there is a hard deadline apparently: Feb 8th.
F* you Facebook. I'd rather stop using WhatsApp altogether.
Edit:
Will start using Signal app, and for the transition period I'll keep an old smartphone with a throwaway SIM card and WhatsApp installed on it to keep updates from absolutely necessary groups I need to be part of.
Definition of Services: "all of our apps, services, features, software, and website (together, “Services”) unless specified otherwise."
Ads are the bulk of Facebook's "Services" but it's remarkable how they avoid saying it.
Sacrificing access to these social amenities on the altar of incremental privacy invasion and power transfer to an unaccountable basically malign organisation is hard to stomach. And rather inconsequential taken in isolation.
What technical and legislative means might be effective in limiting the network effect around group chats? For example requiring in law that groups be accessible to an open federated hub and spoke messaging protocol to allow messages to flow from syndicated groups established on other systems (like matrix or signal or whatever) to WhatsApp groups.
What technical and legal prior art is there here? I would be interested to hear some ideas.
We joined Facebook in 2014. WhatsApp is now part of the Facebook family of companies. Our Privacy Policy explains how we work together to improve our services and offerings, like fighting spam across apps, making product suggestions, and showing relevant offers and ads on Facebook. Nothing you share on WhatsApp, including your messages, photos, and account information, will be shared onto Facebook or any of our other family of apps for others to see, and nothing you post on those apps will be shared on WhatsApp for others to see.
This is hypocrisy!!
Edit: The word "onto" in the privacy policy is so dubious. They said we aren't sharing anything onto Facebook. Probably it didn't mean they weren't snooping our data.
But says it will be used (shared) internally to target ads and product suggestions.
Very weasely indeed.
For example: What should be my response to questions like:
- "What kind of data can now be shared with FB versus what was shared earlier (if any)?"
- "Whatsapp chats are end to end encrypted so how can my data be shared with FB?"
- "As an individual, how different is Whatsapp sharing my data with FB for ad/tracking purposes versus what other networks such as Google do to serve ads? Let's say I'm interested in ice-cream and I chat with someone about it and a couple of days later, I get ads about ice-cream, but I choose to ignore those ads, then how am I impacted/affected?"
Why hasn’t Apple introduced a private/segmented Contacts permission like they have Photos, Location, etc.?
An ability to give untrustworthy software an access to a sandboxed blank copy of Contacts would've been very useful.
As a side note, Telegram is the same as WhatsApp. You can't start a chat on a fresh install unless you give it an access to the contacts. There's no way to manually add in-app contacts. Given how "pro-privacy" they are supposed to be, this was rather disconcerting to see.
Does not work for me in Firefox, but in Chrome on Android, I can start a new chat without access to the contacts. I agree that it is weird though!
False, I do it ALL the time.
https://github.com/subhamtyagi/openinwa
You can enter a number in that app and it will launch a conversation with them in whatsapp. I think it makes use of the API mentioned in sibling comments.
[1] https://en.wikipedia.org/wiki/Signal_(software)#Encryption_p...
[2] https://threatpost.com/signal-audit-reveals-protocol-cryptog...
[3] https://eprint.iacr.org/2016/1013.pdf [PDF]
That sounds a lot less alarming, in the third to last paragraph, than the headline or first few paragraphs?
Don't get me wrong, I ditched Facebook years ago, and wouldn't use WhatsApp but for family and a pre-Corona club I wouldn't have (much at all) contact with otherwise. That quote just makes me much less annoyed than my initial reaction was. Which is of course her job, but assuming it's true...
I use LineageOS for privacy reasons, and intercept various things I consider to be privacy violations.
I very much disagree with these ways of operating, for systems that monopolize human-to-human communication. We live in a bunch of walled garden communication apps, people don't use any open systems like e-mail and phone anymore, and those walled garden apps bully us into giving them data? They are all starting to behave the same way.
Then came the question - can we talk to people on whatsapp using signal because friends, aunts, uncles, cousins who live international all live on whatsapp. Moving your network, their network and their networks network becomes quite the task.
People, in general, don't have a qualm about installing another app when it's recommended by someone they trust.
I think we are now at the point where this applies to individuals. If a person or group of people rely too heavily on a single free service then they’re going to feel pain when that service finally decides to monetize.
There are no free lunches. All these “free” products out there that seem great have Venture Capital investors waiting until the day that the service reaches a critical mass and they can flip the cash-generating switch.
Tricked people into giving up info they trade like commodities so they can buy more useless crap in life.
Fortunately, it is generally expected Harris/Biden administration will come down hard on these companies.
then again they are wall street people so we will have to see if there's a recession (The simpsons predicted a global recession after Trump administration)
https://www.reddit.com/r/signal/comments/ewp99j/disable_webs...
Unlike Telegram, WhatsApp, Element etc. which work fine without Google, Signal devs have repeatedly refused to make improvements to the "always-awake" mode which happily eats 40% battery.
With that said, there is some work being done towards a FLOSS replacement for firebase [1]. Gotify can be used as a backend [2], among others ([3] too, I think). Not ready for prime-time, but almost, and development started pretty recently (mid-December).
[1] #openpush:bubu1.eu (https://matrix.to/#/!ajsXAmvYUOjfmMJnGJ:bubu1.eu)
[1] https://github.com/UnifiedPush/UP-spec/blob/main/specificati...
I have worked on many a project in my time, and I can't think of a single instance where we knowingly screwed over users or clients. Our teams' goals have always been to make the product better. What's going on here? I am honestly curious.
Ads: we could increase revenue if we had access to WhatsApp data, but that's Product and Legal's call.
Product: Ads asked us to access WhatsApp data, but we're just facilitating between them and Legal.
Legal: Ads and Product asked us to change the policy to allow access to WhatsApp data.
Nobody being willfully malicious, just not asking certain questions, and the gaps between departments obfuscate the whole thing.
Monetization often trumps customer's best interests. It certainly has at most companies where I've worked (but not all).
Messaging in the Netherlands almost universally runs on WhatsApp these days. Nobody uses text messages anymore, understandably, but somehow we all ended up on a platform run by Facebook. "Whatsappen" (messaging on Whatsapp) and "appje" (short for WhatsApp message) are even official words now. Need to contact a friend? Send an appje. Need support from a company? Send an appje. Need to send a message to your team at work? Send an appje in the group chat.
Has anyone managed to get their contacts to switch to Signal? I can't even get tech-savvy people to switch, since they always seem to find some minor annoyance that makes them instantly dismiss the app and go back to WhatsApp.
At this point it's just a lost cause. I have some friends on Signal and use NextCloud talk (my own server, yay, still waiting for federated chat to chat to other servers), but so many "official" things are on WA, children's birthday parties, school announcements, sports related announcements, neighborhood announcements. We are really too dependent on WA, and you know, based on WA's original promises this wouldn't really be a problem. Now it is, although I fear I'm one of the very few that sees it that way.
[0] https://duckduckgo.com/?q=whatsapp+buurtpreventie&t=ffsb&iax...
Messages from daycare, zoom class info for kids, alerts, are all connected to WhatsApp.
There is no way to avoid using it. Wish there was something I could do.
FB: "Yeah we are just going to buy this platform with a privacy focus that everybody loves and grew dependent on and turn it into FaceBook." I don't even understand how that is legal.
There should also be a copy of the messages database, and I'm sure there is some open source app to decrypt it somewhere.
[0] https://faq.whatsapp.com/android/chats/how-to-save-your-chat...
Businesses here have started using WhatsApp as an alternative to SMS, email for sending spam to important package tracking information (without prior permission).
But I see this as the best opportunity to convert some of my contacts to Signal/Email as this stays in mainstream news for a while (but quite sure that almost all of them have clicked 'Agree' to the T&C banner shown on WhatsApp when they woke up in the morning without giving it a thought, and I'm certain that's exactly what FB intended).
I do not know whether to feel fear, sadness or shame on the type of power WhatsApp/Facebook holds only my people.
With WhatsApp becoming the new de facto SMS / MMS it would make sense.
Could they even reuse pieces of the legislation that made it happen for usb chargers?
Signal would probably be a poor base for an interoperability standard. Which flavour would you use? Signal Messenger, Matrix, OMEMO and allegedly WhatsApp all use the Signal protocol but can not interoperate at all.
Signal Protocol is also more complex than it needs to be. It has two levels of forward secrecy for example. It is basically all the crypto geekery of the last few decades packed into an instant messaging protocol. Something intended as an interconnection standard should be as simple as possible.
https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...
I foolishly installed the Facebook app on Android for a while. When I asked for a data dump from Facebook I was amazed at the amount of data it had stolen from my phone, including full contacts list. It sounds like that is exactly what Facebook are planning with WhatsApp.
I'd pay $1 / year to opt out of that and be the customer rather than the product.
(E: 12, not 18. 18 is for families)
If I make $1/mo/per user from adverts, but my conversion rate is 1/12 at $12/mo, then I'm making $23 for every 12 users.
Doesn't mean I make $12/user/month.
I like what Matrix is doing but they are far away from becoming mainstream. Within 2-3 years a new platform will rise and it will fix flaws of existing messaging apps. This will then be followed by social media but it might take another 6-7 years to fix that mess.
When smartphones came out people modified IRC with support for push brokers and message replay but because of app stores this means push brokers for community maintained clients have to be maintained by the individual volunteer paying (yes! paying, shut up about the free dev accounts they don't allow you to send push notifications) for the "privilege" of submitting the app (meaning they have low to zero availability.) The relay Mozilla maintains allows servers and users to choose who brokers push messages but Apple and Google screw over their users for profit and this is the result.
Smartphone app stores have made IM unusable.
My friends from Europe and Brazil are locked into WhatsApp, my American friends seem to prefer FB messenger. They're really using 2 versions of the same company's products which are "incompatible" at this point. Facebook could make them compatible with one another and with each other only OR they could do the socially beneficial thing and use an open protocol. Unless employees at FB push for this, they're likely to take the former route.
For me, ditching WhatsApp is altruistic, helping make it easier for others to socialise without giving up their privacy and security.
Net neutrality not existing helps WhatsApp and other services here, one cell provider for example offers 1 year unlimited WhatsApp+Facebook including voice and video calls for a total (not monthly!) cost of 3USD on a prepaid chip. So you can't call, you can't write SMS, you can't use the internet but you can use WhatsApp for almost no cost. If you are on a budget this is a no brainer, for comparison - 5GB full internet access on the same chip is around 5$.
How are you going to break such a monopoly supported by providers? At this point it is something all providers do so if one starts offering it all other providers have a competitive advantage because everybody is already using WhatsApp. I am not sure if Facebook pays these providers, my guess is not - they are pushed into this by their competitors.
Net neutrality is very important to not let this happen. Similar deals exist for other popular services: Instagram, Youtube, TikTok, Spotify, Snapchat, Twitter, Netflix to name a few
Everything you said applies to the Indian subcontinent, SE Asia and South America which form the bulk of the WhatsApp user base as well but with lesser or no scrutiny whatsoever when compared to EU/UK.
It has to start somewhere. It is possible, but it takes will, and the acceptance that you will lose some contacts.
Personally I'm not really sure who's using WhatsApp, I know two or three WhatsApp users. They all use it because they have friends in other countries, mostly the Middle East.
If RCS actually becomes a thing, then I don't see much of a future for apps like WhatsApp.
I have no reason to believe it will ever take off: It's been dead in the water since 2012 or even earlier. It doesn't support end-to-end encryption. Carriers would like to charge for it.
This takes chat away from any single service.
- Contact Discovery
- Group chats
- History / Log
- Shared message order
- Communication beyond text (emojis / reactions / inline images)
- Ability to receive messages while offline
- No need for technical skills
These aren't trivial features, they are prerequisites for any replacement, decentralized or otherwise. Just because we as developers like / tolerate things like IRC doesn't mean the rest of the world will accept it.
I prefer something you can generate yourself, like encryption keys. That's the approach taken by yggdrasil (and cjdns before): generate an encryption key, map the public part to an IP address (there's almost enough bits in v6). Plus, it can easily be end-to-end encrypted.
Another plus is that you can generate as many as desired.
As for the protocol, Matrix is experimenting a bit with going p2p.
I have Telegram and Signal installed and was chatting with friends about moving over (finally) but it's painful, especially right now.
With the right amount of incentive, force and numbers - tipping point could be reached but I can't see it happening in the current situation.
With my cynical hat on I imagine FB know this and timed this policy change accordingly.
If I need anything to be delivered to the house I need to use Whatsapp (gas, water, food, etc).
It’s a deal!
What could be considered instead, is building public utilities as a community.
So, while they are not yet public utilities, they should be turned into such.
In addition, I vaguely remember something about the acquisition of WhatsApp by Facebook to be only approved under condition that exactly this kind of data sharing would not happen.
Although I have my doubts about it happening soon, because the immediate impact it would have on real everyday life could be rather disastrous initially (something Facebook no doubt is aware of), the EU should probably declare/certify Facebook as a rogue/criminal organization. I just can't see it any other way, with Facebook's blatant disregard for anything but its own greedy interests.
If Facebook keeps pushing their "luck" like this, it should simply have all its assets on EU soil frozen. If eventually ruled a criminal organization, confiscated too. It would be very sad and unfortunate for any EU citizens working for the company, who no doubt have no say in Facebook's criminal enterprise. But the current status quo is becoming completely unacceptable.
History has plenty of lessons, about criminal organizations rising to (hard to defeat levels of) power. In many cases more than anything because both societies and governments/authorities failed to respond appropriately in time, when they still had a fair chance containing those (with far less effort).
All that is even without opening the can of worms that is the access US government agencies have to all of Facebook's data.
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
"If you don't live in the European Region, WhatsApp LLC provides WhatsApp to you under this Terms of Service and Privacy Policy."
I suggest something that lets you use any client/platform you want, uses the same crypto primitives, and lets you choose what server/country your data is hosted in and change your mind any time, e.g Matrix.
How many times do centralized services like VK, WhatsApp, Instagram, Apple, etc need to get co-opted into enforcing the will of private entities or governments before we learn our lesson?
The only network services this won't become true of at some point in the future are those with decentralized clients and servers obeying a common documented protocol.
The most mature app is Signal. It has the best usability to privacy trade-off.
Threema is the better choice if you don't mind not having a usable desktop client. For me that's a total deal breaker. It costs a one-time 5 bucks and it's totally worth that, if only it had so much as a usable web client (you need to open your phone and navigate two menus to enable the web client every time your phone changes WiFi or anything).
Wire is the better choice if you can sacrifice a tiny bit of usability for better privacy. It's sluggish is all, and (like Signal and most other services) uses AWS. Full disclosure: I was involved in a paid audit of Wire so I know more about the encryption protocol than I do about the other clients'.
Element/Matrix is the better choice if you'd rather make a trade-off towards privacy. Presumably the clients will mature, and between two years ago and one year ago they've made good progress. It's going less fast today but I still see things getting slowly better, and the decentralization works very well and is fairly easy to set up.
If all you really want is a better privacy policy and want to ensure people stick around and don't uninstall it, Telegram is by far the usability winner and has a large network effect already. But it's a trade-off with the devil because there is zero encryption. They could ransom or sell our chat logs any time.
Briar and Jami have limitations that make them unusable for general purpose use with your mom. Facebook and Google's messengers I didn't look at for obvious reasons. Keybase was never end to end encrypted to begin with and now Zoom bought them so they'll probably shut down soon (also, bugs).
Rocket.chat seems only aimed at business users.
You can also do OTR over any platform you like, and I still have to try this overlay encryption system on Android (I forgot its name).
Pick your poison...
I'll bite.
Who's paying for my johnchristopher@whatever.tld and for the data (avatar pictures, transferred files, chat logs) associated with it?
Will the Matrix foundation let me use their services forever and for free ?
Will there be discussion on HN in ten years about getting your own custom domain and own federated server ? For one account only ? Like we have for mail regularly ?
You mean like SMS?
I lost about half of my contacts when migrating to Signal, do you really think I can make them install some random app that may or may not work?
They already complain that Signal isn't as polished as Whatsapp.
Ideally we'd have a polished, decentralized app. Signal is a compromise. I don't think the drawbacks are identical:
Facebook's business model depends on violating the privacy of the users. The Signal Foundation has no such need.
The client is open source. I see no reason to call Signal "privacy hostile".
Supporting tablets would allow us to chat and send files across devices, without resorting to apps like Messenger.
(Yes, I think this is correct: For anyone who is currently on WhatsApp or anything Facebook for that matter even Telegram is a huge improvement in most ways.)
I am mostly using Signal and will let my WhatsApp expire.
I also think matrix is great and would recommend setting up an account by installing element. I think growth in matrix will more fully undermine FB's position as well as Slack/etc.
I wonder how Out of curiosity:
Does anyone know how the new WhatsApp TOS differ from the Gmail TOS in regard to user data and privacy? How does the Facebook group use data differently than, say, Facebook or Microsoft?
Nah it wasn’t, I paid for WhatsApp originally and then there was a subscription model for a while.
I much prefer both those models, Facebook is just greedy.
It's an email client (with clever, seamless encryption based on gpg) with a WhatsApp style interface. There's a desktop client too.
I've only ever managed to get one person to use it, but goodness it'd be nice to get rid of WhatsApp.
Edit: URL https://delta.chat/
As far as I understand, because of GDPR, the sharing of data between Facebook companies is limited. This is different from the US terms.
UK/IE/RO/MD/UA/RU/etc - cheap and fast delivery :D
I can't do this because everyone else I know uses Whatsapp.
Whatsapp helpfully gives you a transition period during which you can try out both ;)
My wife recently got her entire extended family to use Signal. She has always refused to use WhatsApp. They all love Signal now, and use it all the time. However, this was during a family crisis.
During the Covid lockdowns, many companies I know used Signal as their preferred non corporate communication platform over WhatsApp... But again, that was a crisis.
It seems to be difficult to dislodge people from their preferred platforms without some kind of external driver to adopt it.
https://news.ycombinator.com/item?id=25668547
edit: mass downvote! here are the links.
this link talks specifically about signal protocol being used by organized crime https://www.volkskrant.nl/nieuws-achtergrond/waarom-criminel...
https://www.securityweek.com/telegram-rivaling-tor-home-crim...
https://nakedsecurity.sophos.com/2019/05/03/criminals-are-hi...
https://www.independent.co.uk/life-style/gadgets-and-tech/ne...
The move can be made faster now because groups are so prevalent on WhatsApp.
when was cross-platform messaging ever new?
... IRC, AIM, etc ...
That’s added at least 20 or 30 friends/acquaintances into my signal contact list that I’m 99% sure downloaded signal for the first time this morning.
But once most people have both it gets easier.
Signal (UX wise) is not really super great for my family, I burned a lot of my "technical expert advisor" capital and reputation by pushing that too hard.
And normal chats are not end-to-end encrypted by default. Are you using end-to-end encrypted chats with your contacts?
Everyone on HN switches between “ads don’t work and targeting is BS” to “ads are manipulating our entire country by taking our data”
I refuse to help walled gardens get bigger. It has cost me a lot of contacts, but so be it. There is always a choice.
If you had a friend you respected that was vegan for ethical or environmental convictions would you insist on continuing to exclusively have social gatherings at BBQ restaurants with no menu options for them? Would you take them seriously if they caved to avoid being excluded from the group?
When I deleted all walled garden messengers by Google, Facebook etc they knew I wasn't kidding. Anyone that refuses to make small allowances for you living your convictions is not your friend.
The people that need to talk to me use matrix now or found other ways to reach out like e-mail or in person. Those that don't respect my ethics don't get free advice from me anymore.
In my friends circle we are all on telegram (after trying wire which is just buggy as hell), but I think this is mainly due to its multi device story and the fact that it is not WhatsApp.
I know what you're asking, but I don't think there's a fix unless you somehow have tremendous influence with them. So you either put up with being coerced by your group, or you don't.
This is probably easier if you never used the services in the first place. My mom will occasionally whine that she has to open Imessage to talk to me, and that's about the extent of it. But of course, I am missing whatever they get up to on FB without me. And that's OK with me, but I know it isn't with everyone.
It had some rockiness maybe about 3 years ago, but with their new group implementation and some other small tweaks I find it just as easy to use as whatsapp, albeit a little uglier.
#1 complaint is the coloring - incoming messages should be high contrast, outgoing should have the background color. For some reason signal does the opposite and it's hideous.
Then it turned out that they have a setting where one can opt out, but what good is that if you already were opted in automatically.
In "Last Seen & Online" I had a deleted account in the exceptions of those who can always see my status, even though I never added one.
Telegram may be better than WhatsApp, but it is far from fantastic.
Be the change you want to see in the world.
Then they got hooked up, mostly thanks to the huge amount of high quality stickers.
So I just use email.
I just wish they would keep all their WhatsApp stuff away from me.
As for converting people who are not that interested, I can tell you from experience talking about privacy generally doesn't sell it.
The key was being stubborn and banking on them eventually wanting to talk to me.
This. Same for me. I just put a message like this in the family whatsapp groups and then deleted the app/account: 'Hey everyone, I'm not going to be on WhatsApp anymore - you can call, text, signal, telegram or email me. Talk to you later!'. It was that simple. It took a little while but now my family is on Telegram. I know they still use WhatsApp but it's honestly not my problem or issue that they use the app - I just don't want to.
Don't expect people to uninstall Whatsapp. Having multiple messengers is fine.
We are all running what most would consider an outdated and poorly designed c.p.u. architecture by modern standards, simply because most software is not compiled to run on other architectures, and it won't be until those architectures see significant adoption.
The main lock-ins for WhatsApp with my friends/family/colleagues are:
1. Group chats. SMS group chat doesn't exist (or it's next to unknown) in Australia.
2. Sharing images and videos. SMS destroys images/videos/gifs (if they even send).
3. International. Messaging friends/colleagues when they're overseas is easy.
4. Videochat (however, it's usually FaceTime with an older relative).
I attempted a shift to Telegram with a few close friends and family members. Eventually, we started to drop back to the "normal" comms route because our extended network was on WhatsApp/iMessage and juggling several methods was irritating (e.g. you message a friend on Telegram and get no response -- they then message you later that day on WhatsApp -- it's irritating to move the conversation back to Telegram).
- SMS is not encrypted.
- SMS supports text only. MMS is not well supported, and often not free.
- SMS is sometimes not as "instant" as it can be delayed.
- Delivery reports and read receipts are not user-friendly, and may be unreliable, too.
- Group SMS support depends on your default SMS app.
RCS or Rich Communication Service on 4g and 5g looks to fix this, but support and compatibility between networks is still lacking. Privacy laws also need a reevaluation as even cellular providers are looking to data harvesting to make more money and RCS may also lack encryption support.
- e2e encryption
- many extra chat features (reactions, stickers, replies, polls, etc). It might seem unnecessary but imo they do genuinely increase functionality and ease of communication
- scalable to large groups (maybe sms is as well, I've never tried more than 3-4 people)
- don't need a phone, can message from a computer instead
- messages sync across multiple devices
- video calling for groups with some apps
Nobody picks free texts. This leaves 15c/message as a discouragement for using SMS.
I was thinking about going back, actually, but using a separate phone number (dual SIM FTW) and a work profile sandbox with heavily restricted permissions. I might still give it a shot, see if that's enough to quell FB's insatiable hunger for personal data.
Social technologies would benefit from some regulation along the lines of “you must be able to use other apps to send to/receive from your app” for at least a minimal feature set, but it would be super hard to nail down what that regulation should exactly be.
I just dropped the link in the title into all the group chats I'm in, said I'm headed to signal and removed myself from the groups.
I was not the first person to do that in these groups. Will it cause a critical mass exodus? Idk. I won't know, I won't be back.
If someone refuses to make an actual call, text me, email me, or use Signal, then clearly they don't respect me enough for me to need to communicate with them.
I don't know who was not respecting whom, but I didn't feel really respected either, despite respecting each guy's wishes.
Amongst many, many other factors, it's a nonprofit foundation, not a commercial company.
Long term, it has backing from people (like the original founders of Whatsapp) who want to see an open solution flourish. Plus people can donate.
Also, both the client and server are open source.
Signal is much harder to sell to non-tech users IMHO.
So tldr target the people you want to convert to develop a critical mass.
That's one reason why I prefer Matrix/Element...
> WhatsApp backups no longer count against your Google Drive storage quota.
> Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive.
It's common knowledge that group chats are not E2E - there is one encryption context from a user to the servers, and another context from the server to each member of the group chat. Bog standard transport layer security, in other words.
However, even if you never used group chats and had E2E on with all your contacts, the traffic analysis ("metadata use") is enough to build associations and clusters. FB doesn't need to know the message contents (although they make use of them when available). You have frequent chats with people who play certain kinds of sports? Fine, for marketing purposes you'll be grouped with people who like those sports. Or if the majority of your friends have pets - guess which cohorts you end up in as well.
Oh, and if I remember correctly, WA definitely processes your messages locally before sending them: it uses a list of image hashes to prevent sending eg. child exploitation material onwards.
What could be done legally to help this development is requiring services to offer open APIs to reduce the lock-in.
Isn't it just a wrapper for https://web.whatsapp.com/ ? I wouldn't call that an "API"
* User phone numbers
* Other people’s phone numbers stored in address books
* Profile names
* Profile pictures and
* Status message including when a user was last online
* Diagnostic data collected from app logs
and already was getting:
* Purchases
* Financial information
* Location
* Contacts
* User content
* Identifiers
* Usage data and
* Diagnostics

And if they don't, can I sue them (at least in the EU) or ask my contact to be removed before they agree to the terms?
They will most likely share metadata about you with facebook to sell that data to push more ads into your face.
They may very well sell also data to insurance companies making it harder for you to get insurance.
Options are limited only by who would like to pay for info about you.
It's rather a question about “How much you value your privacy?”
Ps. Ppl using facebook from the go “do not care about their privacy” so I don't know how much more it will affect you.
This is incorrect. The sender's device generates the key with which it encrypts outgoing messages. WhatsApp's infra cannot see the content of any messages sent.
(Source: ex-WhatsApp employee)
I have a question to ask. How would this work? Even if for a second we assume that they're able to read all our texts etc., how can they curate that information with insurance companies? What data might the insurance companies be interested in? I would not (and I'm assuming a lot of people would not) specifically enter my age/health issues/Blood Pressure information on Whatsapp.
> They may very well sell also data to insurance companies making it harder for you to get insurance.
I would stress to them the difference between the encrypted contents of a chat and the metadata ("it's data about data!") of that chat.
Hopefully they will get it if you give an example of how just sending a message lets them profile you based on metadata like the exact time, geographic location, and recipient of the message, all without needing to see the contents. Encrypted messages sent from Truist Park at 2PM on a Sunday? Probably about baseball, etc etc.
Probably too high-level and wordy to share with a non-tech crowd but this is one of my favorite blog posts on this topic, from the immediately-post-Snowden era: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
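The two points made in the comments above (cohorts built from who talks to whom, and guessing a topic from time, place and recipient) can be reproduced on a toy data set with no message contents at all. This is an added example, not part of the thread; every account name, interest label and record in it is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed metadata: (sender, recipient, timestamp, coarse location).
# There is no message content anywhere in this data set.
RECORDS = [
    ("alice", "bob",   "2021-01-03T14:05", "stadium"),
    ("alice", "carol", "2021-01-03T14:20", "stadium"),
    ("bob",   "alice", "2021-01-03T14:22", "stadium"),
    ("alice", "bob",   "2021-01-10T14:10", "stadium"),
    ("alice", "dave",  "2021-01-05T09:00", "home"),
    ("frank", "dave",  "2021-01-04T18:00", "home"),
    ("frank", "erin",  "2021-01-06T18:30", "home"),
    ("erin",  "frank", "2021-01-06T18:35", "home"),
    ("frank", "bob",   "2021-01-07T12:00", "office"),
]

# Constructed: interests already known for some accounts, e.g. from a
# linked profile on another service.
KNOWN_INTERESTS = {
    "bob": "baseball", "carol": "baseball",
    "dave": "pets", "erin": "pets",
}

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]


def contact_counts(records):
    """Build an undirected contact graph weighted by message count."""
    graph = defaultdict(Counter)
    for sender, recipient, _ts, _loc in records:
        graph[sender][recipient] += 1
        graph[recipient][sender] += 1
    return graph


def infer_cohort(user, graph, known):
    """Label a user with the interest that a strict majority of their
    message volume (to accounts with a known interest) points at."""
    votes = Counter()
    for peer, n in graph[user].items():
        if peer in known:
            votes[known[peer]] += n
    if not votes:
        return None
    label, weight = votes.most_common(1)[0]
    return label if weight * 2 > sum(votes.values()) else None


def location_profile(user, records):
    """Return the user's most common (location, weekday, hour) for sent
    messages together with how often it occurred, or None."""
    seen = Counter()
    for sender, _recipient, ts, loc in records:
        if sender == user:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
            seen[(loc, DAYS[when.weekday()], when.hour)] += 1
    return seen.most_common(1)[0] if seen else None


if __name__ == "__main__":
    graph = contact_counts(RECORDS)
    for user in ("alice", "frank"):
        print(user, infer_cohort(user, graph, KNOWN_INTERESTS),
              location_profile(user, RECORDS))
```

Turning on end-to-end encryption changes none of these outputs, because none of the inputs are message contents.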
Shouldn't it be possible to delete your whatsapp chat and contacts data regularly from the cloud? Eg. one could delete the whatsapp account, clear data on cloud and make a new account again. Having more control over your data stored by Facebook would give more power to the users if enforced by the government.
I've never owned a cell phone nor ever had a social media account in my life. Sure, it gets me the occasional eye roll but trust me, my social life is just fine.
Caveat: old person speaking.
If people won’t go to the trouble of using an alternate way of getting in touch with you then they’re not really your friends.
They’re for aggregate metrics and attention collecting on the part of the company.
I do not have a Facebook empire, Twitter, TikTok or other social media presence.
I email academics I can’t visit.
I group text friends and family to make plans, and use the calendar built into my phone to remind myself of those events.
Make it happen.
Be the change you want to see.
Don't get me wrong, I love Riot (or whatever it's called these days) but it's just not user-friendly for your average Joe...
EDIT: To the people downvoting this: I said the same thing a long time ago about whatsapp before Facebook bought them.
Even moving from Fb to Telegram is an improvement in almost all respects and it's sure as hell a lot easier to do than going straight to Matrix/Riot/whatever it is these days. Don't be a purist and let people have their compromises, lest you end up like the "GNU/" part in front of "Linux".
However I'd also promote federation-first services like Matrix. Only issue with Matrix is the e2e being so clumsy IMO
(Edit: this is rather a negative comment but it's out of frustration -- I want to use it!)
That page also states "Advanced users with special needs can download the Signal APK directly. Most users should not do this under normal circumstances." which IMO is a very good point. Downloading random APKs from the internet is rarely a good idea...
In other words, Telegram doesn't even deserve to be in the same conversation. Even if it had the best encryption out there (however you define that), that wouldn't mean anything when it's not used in like 98% of the cases (percentage pulled out of my ass).
It's like comparing Signal to Facebook's Messenger, and I'd still say Messenger over Telegram because at least it uses Signal's protocol under the hood (I believe the feature is called hidden conversations) instead of inventing its own thing and ignoring the expert opinions.
It tries to have feature-parity to WhatsApp; looks the same, works the same. All this while researching innovations on cryptography that doesn't compromise user experience too much.
In my experience, doing exactly what WhatsApp does (but safer) makes it an easy sell to people around me.
So I personally don't even know if I'll keep fighting for my privacy and stuff or if I'm going to give up now. I don't want to, but I honestly don't imagine how on Feb08 I will be telling people who aren't my close friends or co-workers, but communication with whom is really valuable to me, that I refuse to join any WhatsApp group chats anymore, so they will have to notify me about anything important (important to me, in the first place!) personally via SMS, Telegram, email, whatever. Especially now, when people are forced to communicate remotely and stuff gets cancelled/renewed/delayed because of another round of idiotic government regulations, so if I'll fall out of these communities, I'm pretty much left in the vacuum and won't know about anything that happens.
Personally I don't know anyone that started using whatsapp after the fb purchase, so they were all happy to pay for their use of a messaging app.
I wouldn't trust any api you don't control, don't have a solid contract (without the changeable terms) or isn't owned by a nonprofit.
The free ones will hurt you but you expect it. The paid ones hurt more because you often build a business around an ecosystem that eats you up.
The solution isn't to say "profit = bad", it's to break up monopolies or force interoperability and forbid certain forms of "payment" (such as exploiting and reselling personal data) that are deemed nefarious to society.
Lastly, Signal doesn't collect/store any of your data on their infrastructure other than a few hashes required for operation. WhatsApp/facebook on the other hand collect, and likely keep, forever, as much metadata about you as possible. The only way to pay for this free storage is to stay more data so they can target you for advertising dollars.
This doesn't guarantee that Signal will live forever, but at the very least they've learned from previous mistakes and have taken actions to address them.
One is a google-style lock into an ecosystem of free apps that a company can monetize at any time. Stay away if possible: the users will be milked sooner or later.
The other is openstreetmap-style set of free data that anyone can download anytime, plus some apps (maybe free, maybe not) using it for some function. I see no problem with it as the lock-in is highly unlikely because the main feature (say, map data) is always available. My 2c.
I’m trying to encourage people to remember that this is what these companies do when we use their services for free. They seem to think they are entitled to our private data and they are beginning to respond harshly when we try to keep what is rightly ours to ourselves.
Use a service until it’s useful, then be prepared to leave when you no longer agree to its terms. The average user will go through many social networks and apps throughout their life.
Not all of them. Some, like unroll.me, blatantly tell you they sell your data - and people still give them access to their entire E-mail inbox.
Maybe in the US they might get that per user, but not worldwide.
And I’d pay $5,000 for a new Tesla. Though I have no idea why someone would sell me one for so cheap.
And then 2-3 years after that an entirely incompatible platform will do the same thing...
I think that model could've worked.
'your device owns you and is siphoning cash from you'
It seems quite one-sided.
My point being that I don't think many carriers care about text messaging, or phone calls. They sell you a fixed cost plan for those. The only thing that can really affect your price is data usage. If Google wants to deal with the hassle of managing a messaging platform, great, that's money saved on running a service that isn't making money anyway.
Infuriating.
That'll explain why my mum can never ever get in touch with me.
Nobody has a chance, but different reasons in each company:
* What we have seen with Google - For a search engine, the more traffic you get the better results you can give (you can A-B test different algorithms for different queries, and optimise results). For new entrants they need to be popular before they can be better, which is a catch-22. Additionally Google has significant revenue which is very profitable because of its monopoly position, and it can use this to reinvest in search technology to further widen the gap. It's going to take more than 2 people in a garage to beat modern Google at search!
* For a social network, Facebook buy out any potential competition when it's gaining traction to further solidify their monopoly. See WhatsApp, Instagram, Friend.ly e.t.c.
Lately I have been noticing the opposite trend. Google search relevance is going downhill for me. I'm not sure when that started but I noticed it in 2019-ish last two years. Youtube search is so bad (note: I have history disabled), I rely on Google to search YouTube.
Playing cat and mouse with SEO seems to have taken its toll. I find myself going to DDG and Bing a few times a week. Before it was only Google.
> For a social network, Facebook buy out any potential competition when it's gaining traction to further solidify their monopoly.
Maybe, but each of those competitors is essentially a fad, and Facebook forcing WhatsApp users to login via Facebook, to me seems more like a desperate move, than anything else.
I agree those acquisitions are IMO problematic, but I am not sure if they are strengthening Facebook, or killing it with a thousand cuts.
MSFT is nowhere the behemoth it was, with Windows 10 being minority compared to Android.
Where `<number>` contains the international prefix without the `+` sign. Has worked for me in Firefox and everywhere else I've tried. This is a fb-owned domain btw.
You can also access the unencrypted messagestore database, if you have root access. For me, it is located at: `/data/data/com.whatsapp/databases/msgstore.db`
https://ga.de/news/digitale-welt/gericht-verbietet-whatsapp-...
First prompt is when tapping the plus sign at the top.
You would also have to explain to them that Facebook cannot read your messages, but they can see the meta data. And then you have to explain to them what meta data is.
I think your kid is not going to appreciate your efforts.
Without kids I could see myself getting away with not using WA, but with kids you are really setting yourself up for a very hard time (and prepare to be judged by other (annoyed) parents and your kid will feel the consequences at some point, the kids will miss out on critical and fun information).
WA has almost become what email used to be. Except that it's a controlled platform and we are locked into a single provider, a provider that once promised a focus on privacy and an app free of commercials, forever...
[0] https://duckduckgo.com/?q=whatsapp+buurtpreventie&t=ffsb&iax...
Furthermore; I'd much rather have the government spying in my stuff than Facebook selling my data to the highest bidder; at least if that were my only two choices.
Are you seriously comparing letters and private IM conversations? I don't know about you, but I received/sent maybe 5 letters in last 10 years, none of which were from/to another private entity.
> I'd much rather have the government spying
I consider this very short sighted and dangerous, but that's your choice.
> at least if that were my only two choices
Those are not your only two choices, that's kinda my point. We actually don't have to choose between a greedy company or a state. The only decision people need to make is centralized or decentralized system.
> The only decision people need to make is centralized or decentralized system.
They already have this choice; Matrix and others exist for quite some time already. Yet it is evidently clear that your average citizen will flock to whatever messenger is the easiest to use and is already used by their friends/family. Security/privacy are second thoughts at best, if at all; and even if it were important, grasping the different implications of all the available options isn't exactly easy either.
And since we can probably agree that the vast majority of folks already "fail" to make the right choice in this regard, I'd much rather have a regulated, government-controlled messenger than some company like Facebook. The former is accountable to its citizens, the latter to its shareholders - if I have to pick my poison, the choice is clear.
...because email and IM exist. they used to not exist and people sent paper letters to each other all. the. time.
now there are places and people I need a particular digital post office company to communicate with - and the worst part is, it's because they don't really care and thus force me to risk giving up my data if i want or need (read - am forced to due to life circumstances) to talk with them.
For what it's worth, I too would trust the government a whole lot more than Facebook.
This argument doesn't make sense. You can't just ignore practical aspects entirely and justify it with a cheeky "if they're truly your friends they'll accommodate ahah".
Sure if I want to send a private message to a friend I don't care whether its via SMS or whatsapp, but if I'm in a group chat with 5 of my friends I won't send a transcript of the conversation to the one person who doesn't participate.
Or would you not want your friend to attend?
The choice is: do I want my friend to be included in my activities?
The choice is not: do I want my friend to be included and also send all of his data to some people I've never met?
Maybe it works for you, but not for most people.
https://www.theverge.com/2020/11/19/21574451/android-rcs-enc...
A better example would be HTTP/HTML/JS. Sure it is not perfect and protocol updates are hard and slow due to endless implementations but we got a working decentralized internet out of the deal that is very hard for any single party to take over now, so I call that worth it over a single party enforcing proprietary protocols like AOL having a total monopoly.
> I thought basically no one used android tablets anyway
Tens of millions of Android tablets are sold every quarter.
This is in relation to iMessage vs BBM vs whatever was popular on Android at the time.
(And they got on boarding, group functionality and UI better than anyone for a very long time)
If the only way to reach you is to either install Signal or wait a year until the lockdowns are over, people install Signal.
I can only speak for why one company adopted Signal over WhatsApp, but the main reason was that the company did not want their communication metadata tracked by Facebook. They were regarded as equivalent in terms of E2E encryption and functionality.
EDIT: They also did not trust Facebook entirely not to break the E2E in some way (eg cloud backups or whatever), and the message contents had to remain secure. It wasn't a huge concern, but all else being equal, Signal was the better choice.
They saw 2 ticks, meaning delivered to your device? Or did they see one tick, meaning only delivered to the server?
If it's the latter, that's a reasonable choice for the server to make. The server has acknowledged receipt of the message, and failed to send it to your device.
If you wanted WhatsApp to advertise to your contacts that your account was inactive, you could have maybe sent them a message yourself?
Doing this without explicitly telling the other party is a dark pattern.
No it’s not a dark pattern. They’re being as transparent as possible. If you long press the message and click “info” they even explain what each tick means and when each event took place. It’s literally not possible to be more transparent than that.
And before the privacy brigade who’ve not used the app show up, this is configurable. You can opt out of sending and receiving read receipts. And since it’s a closed app with no other implementation, you can’t circumvent that either.
Anyway, my point is that WhatsApp shouldn't silently accept messages for a non existent user no matter what weak signals you get. When you send a text message to a non existent number, you get an error. Same for an e-mail.
I can't help but think it's a way to deter users from leaving WhatsApp.
As an FYI to you and anyone reading this, you can convert your account to a business account using WhatsApp for Business. It has an auto-reply feature that you can enable with a custom message, to inform people you've moved to whatever platform you've decided to move to.
It seems to me that the inability to easily message a group would be a bonus and not a loss!
Same for the Apple (and others') taxes in Ireland: While the Irish have been told by courts and the rest of Europe to collect the taxes they are owed, they just refuse to do so.
Also your understanding of the Apple case is a little out of whack too. There's a lot of subtlety to it, but basically the court ruled in Apple's favour on a technicality and there is a revised appeal pending.
The US sees FAANG as its babies and will protect them at all costs. Its up to the rest of the world to rein them in.
I have had smart, educated people say "I got an iphone so I wouldn't be left out of group chats". Because downloading an app is too much work. I'm not sure how asking people to take 5 seconds to do something to improve their life and society became such a taboo.
Yep: just checked. Nothing more I can do to increase privacy settings. Zero confidence in it after that
And unlike Signal, you can host your own server (Synapse) instance and be truly independent with the ability to join the federated network.
Then there are also many organizations/companies that use Whatsapp to set appointments, for chat support, etc.
In many EU countries Whatsapp has pretty much replaced SMS. Only a small minority of folks have Signal or Telegram. iMessage is probably the only other thing that shows as a blip on the radar, but only a portion of the population has iDevices.
I agree that this is a bad situation, but WhatsApp became popular when it was still independent and their profit model was charging 1 Euro per year (which was much cheaper than SMS). Now abandoning Whatsapp is difficult due to network effects.
If people won’t go to the trouble of using your preferred method of getting in touch with you then you don't have enough social clout.
I ring them up or SMS people.
Other than that it's definitely a great alternative.
'yes, and?'
'other companies have the same product (talking about chat) and don't contribute to the formation of monopolies'
'you're way out of line'
'i just don't trust them and i use a different service'
'ah? tell me more.'
-
Signal IS much better.
It's a nonprofit, not a commercial company.
There are arguments for and against centralized systems and forks of apps. The lead dev of Signal is concerned about interoperability; but still leaves users the option of doing things the way they would like with the open source code; it's just not 'supported™'
* You can't use signal on minority market share platforms even if they offer higher assurances of freedom, privacy, and security (RISC-V, OpenPOWER, etc.)
* Getting a phone number requires KYC in over 200 countries and carriers will happily sell you out as extensively documented and demonstrated by journalists buying owner info and GPS coordinates for any given phone numbers. Any service that hard requires a phone number is not prioritizing privacy.
* All metadata and TCP/IP metadata flows to a SPOF where signal employees, the ISP, or another entity inline could use network heuristics to deanonymize users, or dump the weak keys in SGX and get actual contact lists directly.
* If you want to use a privacy respecting signature verifying app store solution like F-Droid you are SOL. Moxie threatened to fight F-Droid or any other parties compiling/signing binaries from source code or doing forks or alternative implementations. He wishes to have complete control and the ability to rapidly push updates to all users quickly, be they benign or malicious. If someone coerces the signing key out of them, all signal conversations globally could be decrypted likely before anyone noticed.
I call all of this behaviour very privacy hostile. Published source code is moot if you are not allowed to use it or empower third parties like f-droid to hold it accountable.
Signal works on platforms such as GrapheneOS without the Google ecosystem.
You're right regarding the phone number. I consider it a necessary compromise. Look at the spam problem that email has.
It would seem to me that Americans have had more experiences with bad companies, and Europeans more experiences with bad governments over the past 300 years...
For end2end you can just use the secret chat function.. https://core.telegram.org/api/end-to-end
Feel free to check their source out - https://telegram.org/apps#source-code
So I'm not sure what 'bears repeating'.
0. https://github.com/signalapp/Signal-Android/issues/9044#issu...
Maybe you started on AOL and later realized AOL is terrible. You could export your address book and move to a client/server you trust more and notify all your contacts from the new location.
This is the same story on Matrix and what I mean when I say it is a freedom respecting decentralized service.
You are also free to run your own DNS to a dedicated EMS instance then later point to your own self hosted server later much like the freedom you have using your own domain and MX records on Google Apps allowing you to later move to a new email provider without having to update your social graph to change your address.
On Signal, there is no such option. You use their clients and servers forever, or GTFO.
The whole point is in avoiding starting with an AOL like service. So far only big Matrix providers are reliable and performant enough to be usable. This is @gmail.com all over again but with @matrix.org tld.
Except you won't be able to carry your messages from a tld to another when you decide to rely on another domain name (your own or someone else's).
How long before the Matrix foundation sends messages telling users they are going to delete their rooms and messages if they don't log in once a year? Or that they are now restricting your account to matrix.org rooms to "save operating costs"?
The whole tech stack is free but operating costs are not.
I've been running a Matrix homeserver on a 1/1 VM for years without any issues. There is no downside to choosing a small server, you can still federate with everyone else. That's the entire point.
Start on a server, but your real identity is attached to a cryptographic key, not an e-mail-like identifier. That would allow you to move around, and maybe one day get rid of domain names altogether (using something like yggdrasil or tor to host and connect servers, for instance).
Signal offers no such choice.
Even if you don't do this, you can still reach contacts on the old server and middle through.
If you switch from walled garden to walled garden like WhatsApp to signal there is no migration path at all.
But social media? What do I switch to?
> This is precisely the dilemma in a nutshell.
Exactly my problem too (car mechanic, plumber, school parent committee, loads of my friends …) – I need my car fixed, I need my plumbing fixed, I need to communicate with other parents. I hate that I have no choice but to use a Facebook product when I am not even on Facebook!
I can also not give up the WhatsApp account due to the social pressure. What if I would use a second phone, a cheap one, used only for the whatsapp (and some other essential but privacy invasive apps). I would not have that second phone always with me, but it would provide me access to the social network I need without feeling tracked or providing more data than needed.
I do understand that this doesn't fix exactly the issue presented here, but I already assumed that whatsapp data was already in Facebook's hands one way or another. But I would limit the amount of information that WhatsApp can track about me by having this application on a phone which does not really represent my full actions as I don't have it with me.
Edit: Corrected some typos.
I lost many of my contacts moving to Matrix but earned a lot of new high value ones that share my worldview to continue building a decentralized censorship resistant internet.
This is kind of an unreasonable, one-sided stance. You expect everyone to simply follow you and your preferences with no regard for their preferences. Maybe you not respecting them and their worldview makes you the bad friend, not the other way around.
> I lost many of my contacts moving to Matrix but earned a lot of new high value ones that share my worldview
I don’t know if isolating yourself from anyone that doesn’t think and act the exact same way is a good thing.
I for one avoid Google products for personal communications. A lot of long term friends decided they only want to socialize online with Google products fully knowing it excludes me, in spite of easily accessible alternatives like Matrix and Jitsi.
They are not using Google products because it makes the world better, they are using it because they don't like change, and changing to maintain a friendship with me was not worth trying to use less privacy hostile communication mediums.
Fair enough.
I for one would not exclusively socialize at a Brazilian steakhouse if I had a vegan friend in a given social circle.
I will go to great lengths to accommodate people that are acting on authentic ethical convictions but if someone is only doing something that conflicts with my ethical convictions because they can't be bothered to try something new, then they obviously don't value me, and I'll invest more time with people who do.
You should live your convictions and find people that either share them, or at least respect you enough to accommodate them.
I don't expect others to think or act like me, but I would expect that my legitimate desire to maintain privacy in personal communication to be respected by anyone worth my time.
Plenty of friends that don't share my views put up with using some open tools to keep in touch with me. I likewise accommodate some of their preferences that don't make any sense to me. Everyone has a mix of deal breakers and things they can be flexible on in any type of human relationship.
Not worth the trouble for me and I don't even want to have accounts in these platforms or let them collect my conversations, but the path at least exists.
Yeah right. I am not RMS, with lock-downs, curfews, social distancing etc I'm already isolated enough so I'm not losing my remaining contacts for some moral high-ground.
Is it per year? Per Quarter? Not clear to me.
But yeah, definitely not per month, but also much higher than the $1/year the GP is offering.
1: https://www.statista.com/statistics/223280/facebooks-quarter... 2: https://www.statista.com/statistics/408971/number-of-us-face... + ~20 for canada
> There are lots of contradictions in people’s strongly held beliefs. Someone might preach self-sufficiency in politics, but coddle their children. An individual might oppose abortion on the grounds that human life is sacred and may still support the death penalty for convicted murders. A person might argue for the freedom of individual expression in the arts but want hateful speech to be regulated.
from https://www.fastcompany.com/3067169/how-your-brain-makes-you...
I think ads can work, but don't in many cases (based on recent stories that cancelling certain kinds of ad spend has no effect on outcomes). In some cases, like Uber advertising to get users, this seems entirely plausible.
So I largely think ads themselves are kind of harmless. But ad-backed business models are dangerous, because they optimize for "engagement", which tends to promote content that is divisive over more thoughtful, nuanced content. Sadly, it also seems to require gathering huge amounts of information about users in a centralized spot, which seems risky for a variety of reasons.
The whole thing reminds me of a call I got about 10 years ago to participate in a survey about smoking, and one of the questions they asked was "Do you believe nicotine causes cancer?" I paused because my understanding is that nicotine itself doesn't cause cancer, but the common delivery mechanisms at the time (smoking, dipping) do increase the risk of cancer. They forced me to answer yes/no, so I said "no", but obviously a decade later, I still remember it. Do ads cause harm? Probably not much, taken on their own. But everything _around_ them seems to.
What does it mean in a context?
80% of population is worth $5 and 20% is worth $30 ; but all of the YT premium subscriber are from the 20%, so despite the average only being $10, offering it for less than $30 will lose money.
I've had the joy of trying to explain to my elderly dad why his text message history is lost because he chose Signal as the default sms system, didn't make a backup, didn't sync that backup to the cloud or manually copy it to the new phone, and didn't write down the very long decryption code.
The usability issues for non-tech people have been getting less and less in the past years which is keeping my hopes up.
This is also true with Whatsapp[2], but against their terms of service, so you risk getting banned, and built on reverse-engineering, plus you need an android VM of some sort.
I've been personally moving my family to Signal, since that provides the best UX and easier transition from Whatsapp. Once I'm comfortable enough with it, we'll likely transition to matrix.
What Matrix is missing is in my view:
- Client with simple UI, polished UX, and not just a smoking pot of features: FluffyChat[3] is mostly there.
- Server of which I can guarantee the uptime. Dendrite should lower the resource usage for a ~5-100 accounts server, and decentralised identities[4] would allow falling back to another server (such as a friend's).
We're mostly there, so I'm starting to prepare the switch, starting with my more technical friends, by setting a bridge up. Hopefully we can finally break that dependency on phone numbers (ideally, domain names as well with [4]) and move on to key-based IDs.
[1] https://github.com/tulir/mautrix-signal
[1] Older bridge, unmaintained: https://github.com/matrix-hacks/matrix-puppet-signal
[2] https://matrix.org/docs/guides/whatsapp-bridging-mautrix-wha...
[3] https://web.fluffychat.im/en/
[4] https://github.com/matrix-org/matrix-doc/blob/neilalexander/...
Then there is the problem with push notifications passing through either Google or Apple, as well as device backups, which both hand over your metadata and probably message content.
imo Telegram is in a better spot simply because it is not affiliated with the Facebook/Google ecosystem but in the end it does not make much of a difference due to aforementioned systematic deficiencies.
imo good reasons to cash in on the platform compatibility and convenience of Telegram's cloud-messaging architecture.
If they can't be bothered to email or send an SMS to me or use Signal or video call via the multitude of alternative messaging services (Duo, FaceTime, Skype, Signal etc. etc.) I don't think they're that bothered about being my friend are they?
If their friendship hinges on me using a specific mobile app, that's a shallow friendship.
The biggest annoyance is that Android only allows having exactly one of those "Work Profiles".
This is what I'm doing currently: an old phone used exclusively for whatsapp (with an empty contact list); it always stays at home. I only use it to coordinate kid's stuff (school, social activities, etc), so there is no problem with me not having it with me the whole time.
That is to say, both options are bad. Of course it is conceptually better to spread your information over many separate information silos so that your data is harder to correlate. That should not be the bar we aspire to though.
Of course, that requirement is exactly how they implement the user lock-in, so it's not going anywhere until legislation forces them to open up.
Do you have a source for that? Telegram is built by the VKontakte guys who Putin famously fucked over.
99% of people outside of the HN bubble will just look at the dialog, click OK and carry on as normal.
I've used the Signal app and it's a bug fest. Telegram is not even encrypted by default and there is no option for encrypted groups.
This isn't necessarily true - that's basically the problem with monopolies and the point of anti-trust. The network effect really can entrench an inferior product.
Friendly reminder that encryption is more than E2E-encryption despite what certain people on HN think.
Telegram is encrypted point-to-point by default. Same as banks, modern mail etc.
Can we stop spreading technical misinformation now, please? There's plenty of other issues with Telegram and if we stop crying wolf over the neighbor's grand danois people might actually believe us when there is an actual wolf.
Only if you trust Facebook with their proprietary software.
I'd love to use signal with more people but that, and the ux around changing phones means I can't really recommend it to anyone but the most technical of my friends.
Yeah, thanks but no thanks.
That's my point. I hate systems that require a phone number, as they usually mean that I have a substandard experience when I'm not on my phone and I can't sign my children up so that we have a general chat tool.
The only option ends up being massively over the top team style chats like Rocketchat, Mattermost, Discord, or Slack. So we end up back on Hangouts.
A bit shit for general family conversation.
[Edit] If they do allow signing up/in with a username then I'll probably be all over it. That would be awesome news.
No. Threema does not require a phone number (it uses one for the registration verification, but your account is not linked to that number).
All of which is completely unacceptable in 2021 for a product meant for a large audience. Messaging is integral to people's lives, to the point where people keep 10+ year old phones because they have messages on them from people that passed away and they can't figure out how to move the messages across or to a new system. As much as it pains me to say, there just aren't any production quality alternatives to WhatsApp that can take over. And don't even get me started on Element/Matrix...
This is not the case. Signal for example has open source which allows to verify that it does not use the message texts for commercial purposes so we can with good reason assume that the messages are at least E2E encrypted properly within the app and at least Signal servers.
Yes, of course if you have root access to the device itself, or otherwise hack it, you can compromise any messenger. But that's not even in the same league as having basically a message spying built-in, turned on, always on, inside your damn messenger app itself.
Whatsapp calling their app "E2E" in their marketing is a spit in the direction of the users that have the technical knowledge to understand how it really works. It is inaccurate in all the ways that matter. It is accurate only in one technical way that is completely irrelevant in the real world, just put there so they could use the phrase in the marketing while not caring about the true intent behind E2E.
That was not my intention.
I'm trying to say that E2E implies a very specific threat model, and that WhatsApp are in fact in position to subvert theirs in pretty straightforward ways. Their group messages have never been E2E, which means that if they were to force a client update where all communications are always group chats and UI hid this fact, the users would be none the wiser. They could also use their client-side content filtering to build keyword histograms and upload those periodically to their servers, without breaking their E2E.
In fact, I was trying to point out that they do not necessarily need to inspect or store message contents. WhatsApp is owned by a marketing analytics giant. With all the noise about E2E and metadata, people forget (or ignore) that traditionally intelligence about communications has been primarily about traffic analysis ("metadata"). Tapping into the communications has been of course a valuable goal, but knowing the communication patterns, frequencies, memberships and direction/timing of communications within groups has been enough to build valuable intelligence.
Sure. Access to content allows to do keyword and semantic/NLP based targeting. But the aggregation of marketing cohorts and their various relationships is likely a much more valuable asset. These relationships are also known as the social graph. And E2E, as implemented in WhatsApp, does not protect against it. They know who you communicated with, when, and where you were at the time.
Signal on the other hand have done a lot of work to enable not only E2E protected, but also properly untrackable group communications.
> But that's not even in the same league as having basically a message spying built-in, turned on, always on, inside your damn messenger app itself.
You hit the nail on the head. If you can't trust the client, practically any and all E2E promises are worthless. We agree on this one.
You also touch upon a wider problem across the messaging technology space. The term end-to-end-encryption has been hijacked as a high-value keyword by every snakeoil salesman. It confers a high level of trust, precisely because when implemented correctly, it provides guaranteed message content confidentiality. But even in this thread, we see that the term E2E is routinely used to imply even higher standard: that of anonymous communication.
Anonymity, confidentiality and integrity are all aspects of communications security. End-to-end can guarantee the last two, assuming the endpoints remain secure or at least trusted. Getting the first one included is going to require a lot of hard work, and in case of WhatsApp, would go directly against their owner's motives.
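The traffic-analysis point made in the comment above, as an added example (not code from WhatsApp, Signal or anyone in this thread): it derives a social graph, activity pattern and group membership from delivery records that contain no message content. The record shape, the names and the fan-out heuristic for groups are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed delivery records of the kind a relay server handles:
# (timestamp, sender, recipient). The body is ciphertext and never appears.
ENVELOPES = [
    ("2021-01-07T07:02:00+00:00", "alice", "bob"),
    ("2021-01-07T07:03:00+00:00", "bob", "alice"),
    ("2021-01-07T22:15:00+00:00", "alice", "bob"),
    ("2021-01-07T22:16:00+00:00", "bob", "alice"),
    ("2021-01-07T22:40:00+00:00", "alice", "carol"),
    ("2021-01-08T12:00:00+00:00", "dave", "alice"),
    ("2021-01-08T12:00:00+00:00", "dave", "bob"),
    ("2021-01-08T12:00:00+00:00", "dave", "carol"),
    ("2021-01-08T22:05:00+00:00", "alice", "bob"),
]


def contact_graph(envelopes):
    """Undirected edge weights: how many messages each pair exchanged."""
    graph = Counter()
    for _, sender, recipient in envelopes:
        graph[tuple(sorted((sender, recipient)))] += 1
    return graph


def strongest_tie(graph, user):
    """The peer a user exchanges the most messages with, or None."""
    ties = {}
    for (a, b), weight in graph.items():
        if user in (a, b):
            ties[b if a == user else a] = weight
    return max(ties, key=ties.get) if ties else None


def active_hours(envelopes, user):
    """Histogram of the UTC hours at which a user sends messages."""
    hours = Counter()
    for stamp, sender, _ in envelopes:
        if sender == user:
            hours[datetime.fromisoformat(stamp).hour] += 1
    return hours


def inferred_groups(envelopes):
    """Assumed heuristic: one sender, one timestamp, several recipients
    looks like a group message fanned out to its members."""
    fanout = defaultdict(set)
    for stamp, sender, recipient in envelopes:
        fanout[(stamp, sender)].add(recipient)
    return sorted(
        {(sender, tuple(sorted(members)))
         for (_, sender), members in fanout.items() if len(members) > 1}
    )


if __name__ == "__main__":
    graph = contact_graph(ENVELOPES)
    print("edges:", dict(graph))
    print("alice's closest contact:", strongest_tie(graph, "alice"))
    print("alice's sending hours:", dict(active_hours(ENVELOPES, "alice")))
    print("likely groups:", inferred_groups(ENVELOPES))
```

Every result here is computed without decrypting anything, which is why content confidentiality and anonymity have to be assessed separately.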
I disagree. For me, E2E implies that the company itself cannot read my messages. It's not true for Whatsapp, but it's true for Signal/Matrix.
WA seems large enough that the security community would put in that effort periodically.
Don't get the subscription, pay as you go with Skype credit.
Edit: sometimes I also start with an audio call, but midway there's something I want to show them, so we switch to video by just pressing 1 button.
Based on this they do not store information of users who have not signed up and only store a cryptographic hash. The hash isn't created on the device, so the servers definitely get it.
"Cryptographic hash" is as bullshit as "MD5 encrypted passwords".
https://gdpr-info.eu/art-4-gdpr/
"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
A cryptographic hash of a phone number still uniquely identifies a natural person and is, by the GDPR, still under the definition of personal data. The GDPR authors knew what they were doing - or they were lucky, although other parts of the GDPR also suggest that they had some technical think-tank behind it.
Anyway, hashing doesn't solve anything, whatever "obfuscation" is used/invented, as long as information points to "natural person" it is considered personal data.
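Why a hashed phone number still points to a natural person, as an added example (not code from WhatsApp or from anyone in this thread): the digest is deterministic, so it links records, and the input space is small enough to walk through. The unsalted SHA-256 scheme, the function names, the fictional +1 202 555 numbers and the hash rate are assumptions constructed for illustration.

```python
import hashlib
import hmac


def hash_contact(e164: str) -> str:
    """Unsalted SHA-256 over an E.164 number (assumed scheme)."""
    return hashlib.sha256(e164.encode("ascii")).hexdigest()


def keyed_contact(e164: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key held only by the server."""
    return hmac.new(key, e164.encode("ascii"), hashlib.sha256).hexdigest()


def candidate_block(prefix: str, digits: int):
    """Yield every number in a block, e.g. prefix + 0000..9999."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"


def reidentify(digest: str, candidates, hasher=hash_contact):
    """Audit helper: return the candidate whose digest matches, or None."""
    for number in candidates:
        if hmac.compare_digest(hasher(number), digest):
            return number
    return None


def linked_subjects(dataset_a, dataset_b):
    """Digests present in both datasets: the same person, linked
    across uploads without ever seeing the number itself."""
    return set(dataset_a) & set(dataset_b)


def exhaustive_seconds(digits: int, hashes_per_second: float) -> float:
    """Time to cover a whole numbering plan at an assumed hash rate."""
    return 10 ** digits / hashes_per_second


# Constructed sample data (fictional numbers).
ALICE = "+12025550143"
BOB = "+12025550187"
CAROL = "+12025550112"
UPLOAD_FROM_PHONE_1 = [hash_contact(ALICE), hash_contact(BOB)]
UPLOAD_FROM_PHONE_2 = [hash_contact(BOB), hash_contact(CAROL)]

if __name__ == "__main__":
    stored = hash_contact(ALICE)
    block = candidate_block("+1202555", 4)
    print("recovered from unsalted digest:", reidentify(stored, block))
    print("subjects linked across uploads:",
          len(linked_subjects(UPLOAD_FROM_PHONE_1, UPLOAD_FROM_PHONE_2)))
    print("seconds for 10 digits at 1e9 hashes/s:",
          exhaustive_seconds(10, 1e9))
    # A keyed digest resists outsiders, but whoever holds the key can
    # still link and recover it, so it remains pseudonymous data.
    key = b"k" * 32
    print("outsider vs keyed digest:",
          reidentify(keyed_contact(ALICE, key),
                     candidate_block("+1202555", 4)))
```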
The reality is that WhatsApp is a requirement for social life. Any solution that doesn't start from that point lacks any practicality.
I get social inertia is a thing.
Somehow I’ve blown it off and life still works.
Summarizing it as “life begins and ends with WhatsApp” seems just as ridiculous to me.
Acquiesce and nothing changes.
Turn and face the strange.
If you are already well connected with your peers and friends and your social life doesn't depend on finding and exploring via the "social apps" sure you have the freedom to disconnect virtually and still remain connected socially.
If you're not in one of those countries, then I don't think you can speak for what a social life there is.
If I tell people they can only contact me via snail mail or in person (i.e. not have a phone at all), would you find it surprising that I will have a lot less of a social life?
Even 15 years ago I knew people in countries who had a difficult social life because they refused to use SMS - this was before the era of smart phones.
> HTTPs works with email, email works over data networks.
A lot of younger folks do not use email except for signing up for stuff and official work. When I left university a decade ago, many incoming freshmen were quite upset at the requirement to use email.
You can always have some social life, but in certain locales and circles, whether you use these apps or not will affect what type of social life you'll have.
> Acquiesce and nothing changes.
Sorry, but these types of statements are usually of little value, and only sound good. I could easily write:
Resist and nothing changes.
And it will likely be as true (and similarly lacking in entropy) as yours.
All my family members live in a different country and there is no good medium for communication other than WhatsApp.
Your example of religions is also suspect. To be blunt we perceive it that way in places and times where established Churches are legally independent and separate from the government. It’s not always and often isn’t true, or at least isn’t the case by default in some places.
https://en.wikipedia.org/wiki/Church_tax
https://en.wikipedia.org/wiki/Tithe
https://en.wikipedia.org/wiki/Zakat
https://en.wikipedia.org/wiki/Jizya
Compare and contrast with Alms, the more charitable less compulsory concept:
https://en.wikipedia.org/wiki/Alms
Just one more reason to love separation of Church and State and the prohibition on Congress on making laws respecting an establishment of religion.
Not the nicest way to put it but they put in Yeoman’s[1] work and earn it.
Ever heard the first rule of encryption? "Never roll your own crypto". Well they broke the rule and they won't let anyone check if the crypto is secure or not.
Not to mention encryption is off by default and your plaintext messages are stored on their servers...
https://telegram.org/privacy#3-3-your-messages https://telegram.org/privacy#4-1-storing-data
Of course, email goes between servers and then you definitely want to ensure the encryption is solid (it often isn't, so PGP is definitely good). I'm just saying that Wire/Signal/Threema/etc. having better encryption is in my opinion only important when you use Wire's/Signal's/Threema's servers. If you can and do host your own, especially if you host it at home, then in practice there is no difference.
Since most people don't do that, Signal/Wire/Threema/Matrix are of course the better options than PGP+email, but PGP+email is still an improvement over the status quo.
The other feature is deniability: having an encrypted message and its decryption doesn’t give you any more information than a screenshot of the message in Signal. There isn’t a way for the encrypted message to prove that it was legitimate as the previous keys are revealed in a way that means anyone sniffing the traffic could make a message encrypted with that key.
Telegram's backend is closed-source.
Here are links that show that WhatsApp is painted as a tool for pedophiles:
* https://www.indiatoday.in/technology/news/story/whatsapp-has...
* https://www.businessinsider.com/whatsapp-has-a-child-porn-pr...
* https://techcrunch.com/2018/12/20/whatsapp-pornography/
* https://endsexualexploitation.org/articles/whatsapp-has-a-ch...
My friends and family have mostly been using Signal for over a year and we never had such worry. I also know lawyers, lawmakers, doctors and CEOs who are also using Signal for important communications.
Signal is another private entity with complete control of the servers and end client binaries. The fact they happen to open source the code is kind of moot since no services are allowed to write alternative implementations, no one can run their own servers or prove what code is running on Signals servers, nor can anyone even distribute reproducibly built binaries from said source code for accountability (e.g. f-droid).
There are so many better options. I suggest Element/Matrix which can even bridge to WhatsApp and Signal as needed thanks to community contributed bridges.
I guess Matrix is doing this, but unfortunately, the way history has played out, centralized IM had first mover advantage by a huge margin and that's what people are used to now - that a messenger is an application on your phone that you can only use to contact other users of that same application.
We've actually witnessed that people _are_ willing to pay for streaming services like Spotify and Netflix after a long time of illegal torrents. How can we spread this sentiment towards services like email and chat too?
Neither could I find anything matching your second point that installing any of these messengers might make law enforcement suspect you to be a criminal.
@heipei: the curse of knowledge, I learned yesterday, via https://news.ycombinator.com/item?id=25658216
What’s more, if you tap on “info” after long pressing any message, the app explains it to you.
Even the ones who do understand a little about the checks probably don't bother thinking about the difference between "sent" and "delivered". They'd understand it if it was pointed out to them, they aren't stupid. But they don't care enough to realize it because they shouldn't _need_ to understand it most of the time.
And even so, the checkmarks are very subtle and easy to not notice if you don't expect to need to look at them. A user is more likely to say "well it didn't give me an error so it must have sent, I wonder why nindalf is ghosting me" rather than "huh, I wonder if WhatsApp actually _delivered_ the message to nindalf, let me check"
I use it somewhat reluctantly which might reduce the degree to which I actively seek out understanding. I wish we'd all go back to vendor neutral channels of communication but I also appreciate the fact that it is less sucky than SMS.
I remember vaguely getting convinced by a friend, "you just paid [200,300,idk]€ for that new phone, can't pay one euro for this one app?"
We can't, because those two things are in direct opposition. Piracy was less convenient and offered fewer features that people wanted, so they moved to platforms that were more convenient. The current giants (Gmail, Facebook, WhatsApp...) are more convenient than their alternatives (generic email, Mastodon, Signal...) and so the pressure is not to move, but in fact to stay.
In general, the pressure is always decentralised->centralised, which is exactly what torrents->Netflix was. Even if we had infinite funds to offer people distributed services for free forever, we would still need to make them more convenient than their current centralised ones - if on top of not being more convenient, we also want to charge them, I see no reason why the average person would ever want to switch.
Maybe there's some space for a freemium model (IIRC one of the questions asked during the Facebook hearing was whether they could add a paid ad-free option) but so far that hasn't happened.
And it's better than SMS at Unicode.
I'm not sure what the problem was, but WhatsApp solved it.
I thought Signal was open source, and the distributed binaries matched the source, and that it was allowed to run your own servers. Are the servers even open source?
Is there literature regarding the technical/conceptual bits of Element/Matrix? What is the tradeoff there?
This is sort of true. The source is published and you can build your own binary. But given that you can't distribute Signal outside of official stores and can't pin the version in those official stores (unless you turn off updates on your phone entirely), it's not actually practical to run an audited version, let alone to make your own changes to the code.
> and that it was allowed to run your own servers. Are the servers even open source?
EDIT: apparently there is now (purported) server source available, not that that means much when there's no way to even know which code a given server is running, let alone run a server with different code. They claim that their E2E encryption means control of their servers doesn't matter, but their protocol analyses don't actually think about what an attacker might be able to do at the server level, IME.
> Is there literature regarding the technical/conceptual bits of Element/Matrix? What is the tradeoff there?
It uses either the same ratchet protocol as Signal or a very similar one. E2E for group chats is more complicated but I don't think you're giving up anything.
https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHal...
We also only assume the published Signal binaries match the published source code. Moxie and team have exclusive control of the signing keys and Moxie said he will fight any third parties like F-droid doing from-source signed binaries outside the Google/apple ecosystems in spite of the accountability and removed SPOF it would offer.
If you choose to use a non Google/Apple platform or a freedom-respecting architecture like RISC-V or OpenPOWER you don't get to be on the Signal network.
This eliminates me from being able to use Signal. Talked to moxie at length about this but in the end he repeatedly admits he has no problem cutting off the few to enforce his vision for the many. He also frequently implies he sees himself as the only entity worthy of running the world's communications systems.
He is a smart guy and means well, but he is naive. Benevolent dictators are always replaced by less benevolent ones eventually. There is nothing stopping what happened to WhatsApp happening to Signal. You also have to trust the pinky swear offered by the Signal Foundation that they won't dump the keys from their SGX enclaves using any of a myriad of design flaws, and that they, their ISP, datacenters, and any three letter orgs tapping them will all throw away all the TCP/IP level metadata that centrally flows to their systems.
With Matrix OTOH, if those that host a given set of binaries/servers go evil or we simply want control of our metadata for sensitive channels, we can just use one of the alternative independent clients or a fork, switch to our own server or one run in a country or by an entity we trust more. We also still will be able to reach our social graph, just like switching an email provider.
Democratic control is messy, but I will take it over a benevolent dictator any day.
As for documentation, matrix.org documents the API and design choices of Matrix extensively and they welcome people making alternative clients and bridges to other networks because they believe the only safe and sustainable network services are open ones.
Signal is simply best because it works as SMS client AND encrypted messages client. Best UI/UX, one app to rule them all, consistent behaviour, not owned by FAAMG.
I think that's quite a misstatement, but it is indeed a centralized service.
[1] https://threema.ch/en/blog/posts/md-architectural-overview-i...
Granted I've never used WhatsApp, but I've been using Signal for like 5 years now on my phone and on my laptop with absolutely no issues.
Meanwhile, the Telegram desktop client is at feature-parity with the phone app with both running entirely independently on as many devices as you want.
WhatsApp is a total joke, it loses media (IIRC this includes audio messages as well) people send you after a very short time even when you use it on a single device, so talking about multi-device usage is completely out of the overton window.
(for any sensible definition of multi-device)
When everyone was using SMSes to chat, how did the kid that did not have a phone feel? And people were social before phones existed too.
I think that being outside of the main means of communication is going to have an impact on your social life, independently of what the medium is.
There you have it. Class of 1950 uses letters to organize itself. Class of 2000 uses e-mail. Class of 2010 uses Facebook. Class of 2020 uses Tiktok or idk snapchat.
And this issue isn't just about your class, it also includes any peer group of any kind. For me as a 20s something, the choice is quite binary.
Nowadays you can't even participate in free software communities without using proprietary services. Many free software projects have discords instead of community run matrix or IRC instances.
Hey, I might be old, but I still live nowadays too!
In other words: even though cell phones and social media were around when I was younger, they didn't play the central role they do today, so presumably it was much easier for me to do without them and still have a normal social life than it would be today.
Here's a sad thought experiment though: if you can only remain an active part of your circle of friends if you use the same technology as they do, what does that say about the depth of that friendship?
MMS messages are hot garbage but they're still better than a lot of alternatives because everyone with a phone can receive them.
But if they were to do so, it could be done so that there likely wouldn't be anything in the visible application or its behaviour to highlight the change to a regular user. Unless you somehow see that the key ratcheting is in use and can confirm the two-sided key state out of band with your peer, you can't tell without disassembling the client.
However, this feels like derailing quite far from the original topic. The contract and assumption of E2E protection unavoidably relies on trusting the client(s) and the devices they run on.
They have the encryption key, so the difference is not huge.
https://www.upcounsel.com/converting-non-profit-to-for-profi...
Most people use these apps for the network. The app without the network is useless, but any fork would initially be in this situation.
The signal server is also open source. The absence of federation does mean you would also need to get all of your contacts to move to a different service as well, but it is better than a proprietary system. I do wish Signal was more open to federation and/or alternative clients though.
The trade-off is that you then don't have perfect forward secrecy.
The signal server source code is open source now in theory, you are just not permitted to run your own server and have it join the Signal network. We have to take their word for it that they are running the code they publish.
They are open source. Please see github.
"Protection money" means somebody is illegally forcing you to pay for something that you don't want or need, solely to enrich themselves. But it's not illegal if it's literally the foundation of the society.
Democracy is the most expensive system of government. It has to be paid for or it doesn't work. It's paid for with taxes. It's not protection money, it's fuel for a life support system that you and everyone else is hooked up to.
I mean was it legal when the local Baron came and levied a tax on your wheat? Under the King’s laws, or maybe it was just tradition, but if the alternative is you’re killed and your land is taken and given to someone more loyal, then you just had a tax levied upon you and the payment was your life.
Similarly, merchants which snuck into cities rather than paying the tax at the gates were not entitled to protections from whoever was the guarantor of laws, a city guard or the like.
So what’s going to happen if you don’t pay your taxes? Turns out the IRS, the States and the equivalents in other countries have legal means of taking what you own for what you owe. We can discuss the tradeoffs on this, but in practice it’s not overly different from a Duke or a King or a mobster. What’s different is the process, the expectancy of it, and the legality.
At the end of the day, what we’re paying for is the protection of our police, fire departments, Armies and Navies.
The founder of VK had good intentions and was willing to protect his users too. The Russian government replaced him with someone more ethically flexible.
The founders of WhatsApp clearly never intended it to go in the direction it did post acquisition, but it was not their call.
Gathering all users to a single choke point on a single client on a single server infra is irresponsible and unsustainable. We have been here before.
Services now just want some person info they can link to you and that actually scares me a little.
As both the client _and the server_ are open source though it's entirely possible to do things like Signal<->Matrix bridges.
In practice it works by each device having their own encryption key and then those devices are bound together with a cross signing key, so your peer can robustly identify all your devices at once (and the list of devices can change as long as they are bound by the cross signing key). Certainly the server is able to correlate device ids (and thus keys) and IPs.
The way Threema does it sounds a bit like how room encryption works in Matrix among multiple clients.
https://en.wikipedia.org/wiki/Comparison_of_cross-platform_i...
Looking on Amazon.com, a Huawei P Smart 2019 (32GB, 3GB) 6.21" FHD+ Display, Dual Camera, 3400 mAh Battery, 4G LTE GSM Dual SIM is $209.99.
I think some have assumed that he went out and bought an iPhone 12 Pro Max as a second phone, and we don't know that.
Hopefully this misuse is just a fad and we can go back to a more sensible use.
But I agree privilege is vastly overused.
They could just run it as a paid service again? They had a minimal annual charge before the Facebook acquisition and probably could have raised that, instead Facebook made it "free" which should have been a warning sign of things to come.
Someone that needs a special set of phones to be able to communicate securely and not be reliant on a publicly run server? Here's a non pointless use case.
I'll let you imagine who might run something like that.
[1] https://support.signal.org/hc/en-us/articles/360007320771-Se...
By the way, do you know if the one receiving the messages can force messages that are marked as "disappearing" to be kept?
See also, this article about doing the same for email: https://blog.cryptographyengineering.com/2020/11/16/ok-googl...
Via the use of MACs, yes. I never said otherwise. What I said before still holds, as the recipient you can't prove to others that you indeed received a message by a certain someone rather than forged it yourself to incriminate them.
> See also, this article about doing the same for email: https://blog.cryptographyengineering.com/2020/11/16/ok-googl...
The "Marisa" person in the comments is a friend of mine from IRC and I agree 100% with what she said.
It's not a hard concept, and it's not just tech people who care about it. It doesn't require any knowledge of tech to understand.
On the other hand, she knows how to use FB messenger and my efforts to get her to switch to email/telegram have just caused confusion so far.
My apologies for the imposition if that’s not the case.
[0] https://www.techrepublic.com/article/j-edgar-hoover-would-ha...
To be honest, I'm not well versed in the debate of privacy, but invariably in discussing user tracking by BigCo's a lot of my friends just say "I don't care if they have my data, I've got nothing to hide."
An example in the first case is that you'll want to buy a secret gift for someone, but because of the tracking the surprise will be spoiled because they'll be seeing ads for it on their systems.
Did you know that MMS can transmit slideshows[1]? I didn't, until my father somehow sent me one. The UI that Android has for that is — naturally — a complete afterthought. (No way to pause the slideshow, no way to navigate the slides, nothing. Just one run through the animation at Warp 8.)
[1]: https://en.wikipedia.org/wiki/Multimedia_Messaging_Service
My impression is the US/Canada are one of the only places where SMS is still frequently used for casual text communication and I'm horrified that Apple's iMessage is the one to somewhat challenge that.
In Brazil we hurry to turn off the call if it goes into voicemail, as we pay to leave a message AND nobody listens to them because it costs a lot to listen (or at least used to).
I don't know how many of the new Signal users will stay (there's already discussion in one of the new Signal groups about "Why aren't we using Telegram instead?")
Same as much of this thread - these people are not concerned much at all about encryption details, they're largely a pissed off mob of people departing WhatsApp. And some of them are already saying "there's no web client! I can't use this!!!"
I suspect I may well end up back being "the guy who's not part of most group chats" if/when they decide Signal isn't for them... And I'm OK with that.
iMessage is only for Apple devices.
I'm unsure if they will allow signups without phone numbers, but they don't store that information. Signal doesn't have it. [0][1] It is very possible they go around this though.
[0] https://signal.org/blog/looking-back-as-the-world-moves-forw...
[1] (time-stamped to only the important part) https://www.youtube.com/watch?t=894&v=Nj3YFprqAr8&feature=yo...
> they usually mean that I have a substandard experience when I'm not on my phone
> I can't sign my children up so that we have a general chat tool.
This isn't a privacy thing, this is a general tool that is fundamentally broken if I'm not on my phone.
I'm not always on my phone, and my kids don't have phone numbers.
They are unusable.
Spike on iOS is a client that wraps email in a chat like UI if the people are free to chat real time. Not sure if it’s on Android.
There are numerous video chat sites not connected to Zoom, or FB properties
whereby, etc
I gave my family an ultimatum and being the tech savvy one they jumped to Signal
Social inertia is a thing conceptually, but it’s not gravity. It can be bent any which way
Not all families respond well to ultimatums.
Seeing as you mentioned Threema in the same post, I think I ought to step in here.
The encryption protocol for Threema is open source, using standard algorithms, not something they invented.
You, like I did for $my_org, can write your own software to send messages to devices running Threema using the Threema API.
Message contents are, of course, encrypted before submission to the API. Threema provide a number of SDKs to help you, but you are under no obligation to use it, you can write your own API submission client from scratch.
P.S. Not saying Wire is bad here. Wire is good. I use it alongside Threema myself for $other_uses. But I'm saying don't write off Threema under a false understanding that their encryption protocols are closed source.
Afaik Signal doesn't have an API or SDK, there only seem to be third party implementations for bots.
China can move fast for this reason too.
You have to decide if the long term consequences of a fast moving dictatorship are worth giving up the freedom of a sometimes messy democracy.
The internet is too important to herd all our services into control of dictators, no matter how benevolent.
We survived the dialup days for all the UX hell of many providers without giving AOL exclusive control in spite of them having the best UX.
I hope we can do the same with something as critically important as worldwide internet communications, but the marketing of dictators and their ability to move quickly is sometimes too hard to resist until it all backfires spectacularly.
I would also state that it is unfair to compare an app that doesn't have to worry about your privacy and solving real engineering problems vs basically making a web app that can easily sync your data because it's all stored on someone else's computer.
If that's the level of privacy you're setting you may as well use email for communicating. It's federated, it's easy to use, and everybody has one.
All that said, I do agree the Signal desktop app needs some work, but they'll get there eventually, and in the meantime I don't have to wonder if any of my data will be leaked to anyone outside of my intended recipient.
Funny you say that because Signal is the one with a crappy Electron app which is definitely a deal breaker for me. I mean I lose E2E with Telegram but gain really well designed and featureful platform apps that are native and non-gimped desktop apps (and a functional linux client. Signal's Ubuntu client just crashed for me).
You can use Google Duo to make voice or video calls for (other than data costs) free, Google hangouts also has voice-only plus video options and of course Google voice integrates with the classic telephone network and has cheap international rates.
Google Fi has free calling from the US to over 50 countries and otherwise their plans start at one cent a minute depending on destination. https://fi.google.com/about/unlimited-calling/
Most of my friends from Asia tell me WhatsApp was and is popular because it carried voice over data, bypassing the PSTN which apparently has very high per-minute rates.
If you want to go slightly higher tech there are telepresence appliances like 8x8, Amazon or Google IOT devices or you can just use sip phones and call between the devices free of charge using your own pbx software or a free service like Callcentric's IP Freedom plan.
There are a million options that either let you opt out of Facebook's data collection and trade it for Google's, or just opt out entirely.
I call my family for 1 cent per minute.
I'm not buying it. Look at Matrix and tell me it's holding them back.
What's holding them back, perhaps, is not having a shitton of money in the bank like Signal, and they're actively supportive of decentralization which costs developer resources. Signal (or Matrix, for that matter) could not spend dev time on decentralization and just let the open source community do its thing. But that's not what Signal is doing, they're instead actively hostile towards it.
Or look at Telegram, they have an open network and third party clients. There also are unofficial clients that some people use. But what does the 99% use? The official clients. Signal's argument is that people might use insecure, unofficial clients. In practice, that's not what your average mom will do. (And it's not as if the official Signal app was audited either.)
I'm also not buying the "China can move faster" thing. They can be more oppressive without consequences, but is that really better? Does that "centralized dictatorship" allow them to be "more stable"? It's easy to say, and easy to see how indeed an oppressive government's decree can change things from one day to the next, but on that scale I think you need to consider more things than I am qualified to do before you can really say whether that is a superior system in a given situation.
I guess we conclude the same thing in the end, though, as you say "The internet is too important to herd all our services into control of dictators, no matter how benevolent."
The main argument against federated protocols playing well with security is that they have a harder time evolving. The example always given is email. Once Matrix has reached 500M users and several server implementations with less than 20% market share each, how can you be sure that it will keep improving contrary to email protocols? WhatsApp switched to E2EE in a matter of months, but most of our emails are still plaintext on the servers.
I like and use Matrix as a replacement for IRC, but I don't think they will catch up in terms of security with Signal in most practical situations (meaning, I want to send a message to a non-technical person). Both because of the fossilization associated with federated protocol (see above), and simply because developing a federated protocol is way harder and less forgiving than a centralized one.
Your argument about the "99% use" means that first that you don't need centralization if it's already centralized in practice, and second that it brings very little benefit (benefits only 1% of users). At that point, the (possibly low) costs of decentralization are not worth it.
Do you mean better privacy than Signal? I was under the impression that Signal was significantly ahead of Wire in this regard with features like private groups and private contact discovery.
They pinky swear they always patch and never dump keys when they have the chance though.
It's more of a trust thing than something you can technically solve while still having features like real-time calling. Hence Facebook being objectionable despite having encryption.
Usability is slightly different, yes, and you might also trust Signal more because they do better PR (they say outright that they're from the USA and get money from Facebook, while Wire has devs in Berlin and claims to be a German company, while taking money from USA investors... which imo comes down to the same thing), or you might trust Wire more because they were actually audited at all.
I do use Signal and Telegram with some friends, I really find the difference between WA and Signal to be small. Telegram though is a lot nicer as a platform, it has some channels I'm part of and the desktop client is much better. But this comes with privacy/security trade-offs as mentioned in this thread.
I also use Element.io for some channels and groups. I find it surprisingly nice. I may set up a server myself soon.
Honestly, Signal is just super high quality when you take into account how privacy focused it is, I could easily replace WA with Signal, apart from "the network effect".
I ended up adding a paragraph about it anyhow but that's why, when starting to write the post, I didn't add Telegram to the list. There is also rocket.chat further down that I didn't mention on top, fwiw.
I mean, it's certainly possible to have an administrative backdoor that just shares the local keys. Even when that wasn't the case when you worked there, and even if we believe that you say the truth: we still cannot be certain that this won't change on February 8th.
I mean, whatsapp was remotely exploitable for more than 5 years before it was discovered (just to make a point).
WhatsApp could almost certainly perform active MITM
This (the warning) is only possible if WhatsApp can read your messages
I'm guessing that they read your message on the app. So their claim (end-to-end encryption) is indeed true and correct.
But their app can and indeed has been reading your messages, for the past, at least, 3 years
Which I personally don't mind, when it's done fully automatically (no humans involved) and only for this kind of uses (to warn users of dangers)
The app sends a request to a Facebook API for every link that you send/receive. Usually this returns the little image + text snippet that you see in the app, but obviously this could also return a message that the link is considered dangerous.
As a site owner you can probably see a request from a Facebook bot when a link to your site is shared on WhatsApp. (not sure how long they cache this)
I mean, I can't guarantee it. As others have said, it's not impossible that things have changed since I left or will change in the future. But I doubt it — e2e encryption is a big selling point for WA and something that is dear to the company's heart.
> And how about received messages?
It's the same deal — the sender encrypts the message with the recipient's public key, and the recipient decrypts it with their private key (which was generated locally and never goes over the network).
> How can you retrieve all your old messages/conversations when you install the app on a new device? Don't they come from WhatsApp servers?
No, you can only get old messages from your old device or from a backup that went to the cloud somewhere (e.g. iCloud or Google backup). The messages on your phone are stored locally in a DB, so if you copy that DB to a new phone it'll have the new messages. WhatsApp doesn't store messages — they are only present on WA infra until acknowledged as received by the destination.
While that is true, what you have not accurately determined is why that value is low, and how much of that is your doing vs theirs.
In my experience the desktop client is slow, buggy, and takes eons to start up. There's also no web version, making it awkward to use on computers other than your own.
I would be more willing to switch over to Signal if it wasn't so lacking in this regard.
Particularly, this social capital is at its minimum when you're trying to develop new friendships. Good luck starting any when you refuse to use the app that everyone else in the area uses to communicate.
In this instance, if developing friendships relies on me sending my data to some unknown person the other side of the world so that they can build graphs on my activity and follow me around just because everyone else has decided that's what they want to do, then I would choose another path.
Wouldn't you? If not, please send me all your data and details of your activities, all the time. If you can trust that data to some guy you've never met in a datacenter, then why not send it to me. You've got my username - that's more than you'll ever know about the people looking at your data at Facebook.
No, what they said is equivalent to "everybody is smoking but I'll annoy the hell out of them so they stop, and I'll refuse to meet them in person before they quit"
I would not "choose another path" because those things are more important to me. To be blunt, I'm not sending such data to any individual HN reader because that would have no relation at all to my practical ability to maintain friendships with people in real life.
Other people are saying that in their countries, Health Services and bank transactions are coordinated via WhatsApp.
It's not just about messaging your friends, and for many people, "opting out" of WhatsApp is not a viable path.
[1] https://news.ycombinator.com/item?id=25669702
[2] https://news.ycombinator.com/item?id=25669600
When you sign up to any service, they ask for an email address. They don't ask for a mobile number necessarily, and there is never a "my mobile number is on WhatsApp" checkbox. Why is the assumption of the organiser that you're on WhatsApp your concern? They have assumed you're on a certain platform, and it's their mistake.
It reminds me of the tidal wave of people suddenly abandoning their own websites and instead using "Find Us On Facebook". They might as well put "Use this keyword on AOL".
Facebook is not the internet, and WhatsApp is not the only communication method.
- Use WA and participate
- Don't use WA, don't participate
- Go stand in front of the home of whoever organizes the activity and have a little one-person picket parade with angrily-worded signs -- this is the same as #2 but might make you feel better
They call everything "a myth" and then cite strong circumstantial and testimonial evidence that those "myths" are true, only to dismiss everything with hand waving about how "we'll never know" what his extremely private and mysterious sex life was like. Give me a break.
Indeed, if it has to go through my phone it's nigh unusable in my opinion. Wire and Element/Matrix handle this properly since they don't depend on a phone number in the first place (so no need to tie it to your phone), only Signal and Threema are somewhat of a pain in this regard since you need to link it, and only Threema absolutely requires your phone to be online all the time.
My mind is blown.
If so, do you have other notable examples or is it insider information? ;-)
I know you’re not engaging in good faith but I’m adding this more for the benefit of onlookers
That was uncalled for. Please adjust your troll-detector and I'll adjust my wittiness dispenser ;-)
I am serious even when I'm joking, but I have never heard anyone saying that in full seriousness and also it feels like we should have known something: even the Russian secret service isn't perfect, in fact they've done some really big mistakes the last few years (in addition to their deliberate "mistakes" that they seemingly do to show off.)
+ It usually just works
+ Reasonable desktop experience (needs to re-link once a month or so, but otherwise independent and not terrible UX), good mobile experience
- Metadata handled by Amazon
- Phone number is a hard requirement, and changing your phone number means re-connecting to everyone
- Funding comes from Facebook from what I recall, and even with large amounts of their $100M invested, their expenses are 8 times larger than their income.
+ At least it's a foundation and their finances are not a black box!
~ With a build from an untrusted third party, you can make it work on Androids where Google Play Services are intentionally firewalled off.
~ No audit of the clients. The protocol, sure, but most bugs aren't introduced on a protocol level.
These are only things they could solve, i.e. that others do better. That their contact discovery solution (where you upload your phone book) is broken isn't a downside because nobody else has that figured out either.
That's rather broad, which metadata are you thinking about? Especially given the sealed sender feature. Assuming you have access to everything at Amazon, what can you deduce about Signal users?
I can think of:
- IP address (you can tell that this IP address sent some Signal message)
- size of messages
- timestamps of messages (when they were received by an Amazon server)
IP address leaks a lot of information but there are still workarounds, and it seems reasonable if you're in a no-trust model (meaning Signal's servers wouldn't be any better than Amazon's). In any case, that's way less information than other mainstream messengers.
On the other hand, one distinguishing feature regarding metadata is groups: group membership is not known by anyone outside of the group if I understand correctly, contrary to WhatsApp (and others).
Not really. Original funding came from NGO sources such as the Open Tech Fund.
36C3 - The ecosystem is moving | https://www.youtube.com/watch?v=Nj3YFprqAr8
Once users are in an ecosystem it takes years to convince them to change and only after they hit a high discomfort tipping point.
If Signal ran short on funding and got bought by Google or Facebook all the tracking would kick in and most users would stay.
We must stop herding people into walled gardens. It is unethical and always backfires.
It is one BGP attack or compromised CDN admin away from compromising the masses.
This is one of the few points I agree with moxie on.
The only safe way to install software on an Android device requires you bootstrap trust via a system supplied package manager that enforces signature verification.
Lineage grabs unsigned binary blobs from a separate account with little accountability ( https://GitHub.com/themuppets ) to limit the blast radius of illegally distributing them and does not ship a package manager at all.
They expect degoogled users to disable system signature verification to use an alternative app store like F-droid. Lineage is great if you want to turn an old device into a game system or something, but it should not be used on a device you need to be able to trust.
The only Google-free option to have a signed system-verified app supply chain on Android is to use a ROM that bundles F-droid as a system trusted app manager like CalyxOS, RattlesnakeOS, or my projects, aosp-build, and #!os.
While F-Droid is far from perfect it is the only alternative path and Moxie refuses to allow apps to be distributed there because he openly admits he wants the usage metrics that come from Google/Apple distribution.
In effect, you either use Apple/Google ecosystems to run verified binaries, or compile yourself every week or two.
Is it technically prevented or just frowned upon? The former would be strange, because fixing a bug in your own private fork would also exclude you from the network.
[1]: https://github.com/tw-hx/Signal-Android
[2]: https://forum.f-droid.org/t/we-can-include-signal-in-f-droid...
With that thinking we would all be using AOL.
Making a robust flexible protocol that can support a bunch of different client and service implementations is hard, but that is how we ended up avoiding email and web browsing being controlled by a single entity.
Matrix is solving the hard problem of providing the core functionality of tools like Slack and Whatsapp without sacrificing user freedom or asking you to trust any one entity.
This is what ethical engineering looks like, and I don't mind tolerating occasional growing pains in exchange for freedom.
That's nice, but why should Moxie decide whether the Google Play Store is a trusted source for me?
If neither of these work for you, you are not wanted on the Signal network.
APKs do not bypass signature verification. Android still requires all apks to be signed, and only installs updates to apks that were signed by the same original key.
As for BGP attacks, the apk is distributed using TLS, so it needs more than that. That being said, CDN hacks are definitely an issue. But so is someone hacking their play store account or Google play itself.
You have to turn on untrusted sources to sideload an APK. It will verify a signature. The problem is the OS has no anchor to know if that signature is by the key of the party you expect, or that of a malicious adversary. Once you pin the wrong key it is like getting a bad HTTPS cert on first connection. All bets are off moving forward.
So he admits he cares about usage metrics more than privacy, which makes trusting Signal a bit hard.
The argument makes no sense. I can't decide if Moxie is a double agent with street cred or honestly trying to do good here.
He is charismatic, highly intelligent, and lives by his own moral compass, rejecting FOSS ethos and silicon valley capitalist ethos alike.
This makes him especially dangerous.
I know in theory that sounds "bad" but it's their service I guess? In the real world, centralised services seem to be the norm, eg. the postal service. They don't let random third parties take the mail and also mandate that you use their postage stamps to use their network, and only accept mail at their post boxes and mail offices. They don't let people inject mail into the vans along their postal routes, and don't forward mail that is from another delivery company, eg. DPD, DHL, FedEx.
I am not sure how else it'd work?? Surely it'd be like expecting the postal system to deliver FedEx's parcels, whilst not paying the postal system anything at all. That's unfeasible and unsustainable.
If you have downloaded the apk using http, you can still verify the signature before installing through other means, e.g. by comparing it to your friend's installed APK, using multiple ways to download the apk, etc. Can you do this with Google play?
You also can directly download APKs from Google Play using Aurora Store and compare them to the standalone APK in theory, though both points of verification are against the same entity so it only rules out MITM on a CDN etc.
Problem is, who has time to do this for every single update? How many would even do it for the initial install? Most technical sysadmins don't even verify ssh host fingerprints unless automated CA infra does it for them.
Even if someone does do this religiously, in practice I suspect they will put off valuable security patches until they can manually verify every new binary corresponds with the published source code to rule out supply chain attacks etc.
If two totally independent entities compiled and published signed binaries and their hashes matched (when signatures are stripped) then there is some automated consensus there are currently no obvious supply chain attacks in play to protect users at large who don't have the time or experience to compile and verify against the published apk by hand or manually compare fingerprints. F-droid could keep the Signal Foundation honest if they let them but instead they say "trust us, or compile your own binaries" as if no middle ground exists.
Meanwhile I can hand my wife a phone with F-Droid and Matrix and know she can update reasonably safely without any manual key verification steps by me or her. Even when the signing key of matrix.org on Google Play gets compromised the blast radius does not extend to F-droid.
The more reputable independent package managers building, signing, and distributing protocol compatible binaries the better. Makes it impractical for even a sophisticated adversary to gain control. Also lets users have the freedom to choose an easy automated install/update path for apps that respects their privacy by not requiring proprietary Google services.
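The check described in the comment above (two independently built APKs whose hashes match once signatures are stripped), as an added example that is not part of the thread and is not F-Droid's or Signal's tooling. It assumes the APK is read as a plain ZIP archive and excludes only the v1 (JAR) signature entries under META-INF; the v2/v3 signing block is not a ZIP entry, so a per-entry comparison never sees it. The package name, signer names and file contents are constructed.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signature material: the manifest plus the per-signer .SF and block files.
SIGNATURE_ENTRY = re.compile(
    r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.IGNORECASE
)


def entry_digests(apk_bytes):
    """Map every non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or SIGNATURE_ENTRY.match(info.filename):
                continue
            # Two entries with one name make "the content" ambiguous: refuse to compare.
            if info.filename in digests:
                raise ValueError(f"duplicate entry name: {info.filename}")
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def content_fingerprint(apk_bytes):
    """Single hash over sorted (name, digest) pairs; ignores entry order and compression."""
    h = hashlib.sha256()
    for name, digest in sorted(entry_digests(apk_bytes).items()):
        h.update(name.encode("utf-8") + b"\0" + digest.encode("ascii") + b"\n")
    return h.hexdigest()


def compare_builds(apk_a, apk_b):
    """Report which entries exist on one side only or differ in content."""
    a, b = entry_digests(apk_a), entry_digests(apk_b)
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "differing": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def builds_match(apk_a, apk_b):
    """True when both builds carry identical content outside the signature entries."""
    return not any(compare_builds(apk_a, apk_b).values())


def make_apk(files, signer):
    """Build a constructed, APK-shaped ZIP with placeholder v1 signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", f"Created-By: {signer}\n")
        z.writestr(f"META-INF/{signer}.SF", f"constructed signature file, {signer}\n")
        z.writestr(f"META-INF/{signer}.RSA", f"constructed signature block, {signer}\n")
    return buf.getvalue()


# Constructed sample content (not a real app).
APP_FILES = {
    "AndroidManifest.xml": b"<manifest package='org.example.chat'/>",
    "classes.dex": b"dex\n035\0constructed bytecode",
    "res/raw/notice.txt": b"hello",
}

UPSTREAM_APK = make_apk(APP_FILES, "UPSTREAM")    # the publisher's signed build
REBUILD_APK = make_apk(APP_FILES, "REBUILDER")    # an independent rebuild, other key
TAMPERED_APK = make_apk(
    {**APP_FILES, "classes.dex": b"dex\n035\0constructed bytecode + extra"}, "UPSTREAM"
)

if __name__ == "__main__":
    print("raw files identical:      ", UPSTREAM_APK == REBUILD_APK)
    print("content matches rebuild:  ", builds_match(UPSTREAM_APK, REBUILD_APK))
    print("tampered build difference:", compare_builds(UPSTREAM_APK, TAMPERED_APK))
```

A match shows only that both builders shipped the same content; it says nothing about whether the published source itself is trustworthy.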
Again, you only have to do this for the first install. After that, the local OS takes over and rejects any apk signed with a different key. It's a TOFU system.
Systems that expect humans to be key pinning anchors are always a bad plan.