Same day we have this article "Internet Freedom Wanes as Governments Target Messaging, Social Apps (npr.org)" on the front page of HN.
I know Facebook claims to use Whisper systems encryption but how can we blindly trust that this is actually implemented in a closed source system?
Stallman and others have been warning us for many years and we have been brushing it off. Now Snowden pretty much confirmed most of it but we keep going and entangling our world more into these services.
There are two things that make me trust WhatsApp more than the competition:
1. In the UAE, where VoIP is illegal, the government was not able to selectively block voice traffic since it is indistinguishable from text traffic. So they had to ask WhatsApp to block voice functionality whenever a user is in the UAE.
2. If you lose your phone, you cannot recover your messages. Now, you may claim that they're just not providing a frontend option to do this, but would that make financial sense? You are potentially losing users who want their messages backed up so you can... falsely claim that you don't store messages?
3. Similar to 2), WhatsApp desktop cannot work without your phone being connected, again because that's the only way to access your messages.
Along the same lines as #1 is the example of the Brazilian government suspending WhatsApp nationally because they were technically unable to provide user chat messages for use in a police investigation.
>In the UAE, where VoIP is illegal, the government was not able to selectively block voice traffic since it is indistinguishable from text traffic. So they had to ask WhatsApp to block voice functionality whenever a user is in the UAE.
Authorities can selectively block WhatsApp voice calls; it's been done in Oman where I used to live. If I leave Oman and use WhatsApp in an uncensored country, voice calls work just fine.
This is not the case where WhatsApp is registered via a UAE number; the blocks persist no matter where you connect from.
They don't need WhatsApp's help to do it.
WhatsApp voice calls are done over different ports, so only these need to be blocked.
The UAE (and Saudi Arabia) went through the extra step of asking WhatsApp to perform a block server side because of legal regulatory issues. Oman has made no such demand.
My family regularly makes WhatsApp calls to me from Oman; they just have to switch on a VPN to tunnel out of Oman's censorware.
I switched SIM cards recently (the number was migrated to the new card though) and flashed another ROM on my phone. It helpfully offered to restore all messages and media from the server. (6+ months of history)
Sure it could use the IMEI for the encryption. But I'm unsure if it can access that datapoint from application context?
/edit: I just scrolled back to the first message I've got on my most messaged contact. It's from 2014. I've switched devices and SIM cards since then. The phone number is the only thing that stayed the same.
WhatsApp has an optional auto-backup feature that periodically backs up your messages to Google Drive (iCloud on iOS?). You can find it under Settings > Chats > Chat backup. It is an extremely smart way to allow users to backup their messages if needed, while also ensuring that WhatsApp doesn't have access to the backups.
Once you activate a new phone, it will ask if you want to restore your messages from the latest backup. I guess it's using your Play Store account credentials to tie your SIM cards and phones together.
People are oblivious or just don't give a shit. As long as they can share their cat pictures and so on, it's all fucking dandy.
We (people who work in tech) have a duty to fix these issues and to implement our products in ways that respect the privacy and security of the people who use what we build without passing the buck on to them. A Facebook user doesn't have to give a damn about encryption before Facebook put good encryption in place - the engineers at Facebook should just do it anyway, because it's the right thing to do.
If we build services that fail the user by allowing a malicious actor to violate their privacy then that is our fault. It is not the user's fault for not demanding we do our jobs properly. This is on us.
We don't want to fix these things in our products because we want all that information about our customers because it's an extra revenue stream.
The malicious actor is us. Don't work for shitty companies and implement stuff right for the companies you do work for.
Edit: Product owners give you jobs that are bad for the user/customer but they want it done anyway. Convince them why it's a bad idea and find another job if you can't.
When I said "people who work in tech", I meant that including product owners. Besides, the notion that Mark Zuckerberg hands out decrees of what Facebook must do next and the engineers have to choose between scampering away to build what he wants or resign if they disagree is utter nonsense. We're all human beings who are capable of presenting a rational argument in favour of doing things properly. Product owners listen. Sometimes they disagree, and that's when you need to question your role as an engineer, but often they don't just ignore their team.
If you think that being an engineer in tech is a job where you blindly implement someone else's will then you're failing to live up to both your potential and your responsibility.
I'm sorry, who exactly is us? I didn't realize that by becoming a programmer, I'm now morally responsible for the actions of every single programmer out there in the world. I didn't realize that I should now look in the mirror and blame myself because some guy I never met decided to follow his CEO's orders and implemented a backdoor in their product.
There is no us. There's just hundreds of thousands of individuals, each doing their own thing. Some are angels, some are assholes, and a lot are in the middle. If you think that getting 500,000 people to make a pinky promise to be good is going to prevent shit from happening, that's just delusional thinking. No matter what you or I do, there will always be some asshole Investor/CEO/PM/programmer out there who will screw over people's privacy in order to make money, and you guilt-tripping the other 499,999 programmers is not going to change that.
If we want to stop shit from happening, we need systems in place to do that. Either regulatory, certification or market-based systems that catch and punish bad actors. In the absence of such systems, expect dysfunctional outcomes regularly.
I think we actually agree with one another, but I'm just coming at the argument from a slightly more positive position. We, as the engineers who build stuff, need to start making it clear that we don't like what the bad actors do, that we won't build it ourselves, and the "asshole Investor/CEO/PM/programmer" who does won't have a place in our industry. You're quite right that we need systems in place to stop this shit, but you're quite wrong if you think it's someone else's job to make that happen. We can build the certification or market-based systems right now.
Sorry if my previous message came across a bit harsh. I've been reading Chaos Monkeys lately and the author's style of writing is starting to rub off on me. I think we are indeed in agreement. As industry professionals, we do have the power to influence change. Not through wishful thinking or promises of good behavior, but by working to put in place certification/market-based systems that act as a check on bad corporate behavior. I hope we can start making progress towards those ends.
> something really bad needs to happen to move things in the right direction.
Something really bad already happened: genocide. What else needs to happen?
The Netherlands (among others) required everybody to register their basic info, including religion, with local authorities. This made it very simple for the Germans to know whom to deport.
Your data can be used for other things than originally intended. But people do not learn.
So you may be right. More really bad things need to happen.
How about: create a website with a random string in the URL, send that URL via WhatsApp combined with content that likely triggers many safety bells (at Facebook, WhatsApp, NSA,...) to a contact, and make sure that contact does not open the URL.
Create a second website (same domain) with a different URL, also with a random string, and use this to compare.
Check if first URL gets a hit, and if yes, check if second URL gets same hit.
(spoiler alert: first URL will get a hit, second won't ;-D)
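The two-URL comparison proposed in the comment above, sketched as an added example that is not part of the thread: it mints two unguessable URLs on one domain, then reads web-server access-log lines and reports which one was fetched and by whom. The domain `canary.example`, the `/c/` path, the Combined Log Format, the `known_ips` parameter (addresses of devices the experimenter controls) and every sample log line are assumptions constructed for illustration and say nothing about any real service.

```python
import re
import secrets

BASE = "https://canary.example/c/"  # assumed domain and path, not from the thread


def make_canary_pair():
    """Return (sent_url, control_url): same domain, independent random tokens."""
    return tuple(BASE + secrets.token_urlsafe(16) for _ in range(2))


# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)


def token_of(url_or_path):
    """Extract the token from a canary URL or request path, ignoring any query string."""
    path = url_or_path.split("?", 1)[0]
    idx = path.find("/c/")
    return path[idx + 3:].strip("/") if idx >= 0 else None


def analyse(log_lines, sent_url, control_url, known_ips=()):
    """Sort log hits by canary; hits from known_ips are kept apart as 'own'."""
    labels = {token_of(sent_url): "sent", token_of(control_url): "control"}
    report = {name: {"third_party": [], "own": []} for name in ("sent", "control")}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        label = labels.get(token_of(m["path"]))
        if label is None:
            continue  # request for something other than a canary
        bucket = "own" if m["ip"] in known_ips else "third_party"
        report[label][bucket].append((m["time"], m["ip"], m["method"], m["agent"] or ""))
    return report


def verdict(report):
    """Summarise which canary was fetched by an address you do not control."""
    sent = bool(report["sent"]["third_party"])
    control = bool(report["control"]["third_party"])
    if sent and not control:
        return "sent-only"     # only the URL that travelled in the message was fetched
    if sent and control:
        return "both"          # URLs are being found some other way (crawler, guessable path)
    if control:
        return "control-only"
    return "no-hits"


# Constructed sample data: fixed tokens and documentation-range IP addresses.
SENT_URL = BASE + "CONSTRUCTED-sent-token-0001"
CONTROL_URL = BASE + "CONSTRUCTED-ctrl-token-0002"
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Nov/2016:10:00:01 +0000] "GET /c/CONSTRUCTED-sent-token-0001 HTTP/1.1" 200 512 "-" "ExamplePreviewFetcher/1.0"',
    '203.0.113.50 - - [15/Nov/2016:10:04:12 +0000] "HEAD /c/CONSTRUCTED-sent-token-0001?x=1 HTTP/1.1" 200 0 "-" "ExampleScanner/2.3"',
    '192.0.2.99 - - [15/Nov/2016:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "ExampleCrawler/0.1"',
    'malformed line that should be skipped',
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, SENT_URL, CONTROL_URL, known_ips={"198.51.100.7"})
    print(verdict(result), result["sent"]["third_party"])
```

Listing the sender's and recipient's own addresses in `known_ips` keeps a fetch made by their own clients, such as a link preview, from being counted as a third-party hit.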
Don't most of these services (Skype, Facebook, WhatsApp) load the URL to fetch a thumbnail, page title, and page description, to show in the chat window instead of just the URL?
The content is encrypted between you and the receiver. If you didn't hit the URL and the recipient didn't hit the URL, how did someone else hit the URL which was encrypted in the transmission?
Is absolute security really something that anyone desires from a general purpose instant messenger?
The government might read my WhatsApp messages - so what? They have been able to listen to my phone calls for ages. If there's something I want to keep private (and there is - it's not like "I have nothing to hide"), I will simply not use WhatsApp or any other communication channel I don't fully trust.
I don't care as long as the owner of the coffee shop I'm currently in cannot read my messages.
> Is absolute security really something that anyone desires from a general purpose instant messenger?
I think the problem is that security is an ongoing conversation between the government and the people. My guess is that most people, if pushed to a firm position, would probably agree with:
a) The government should have the right to look at communication to stop bad things.
b) The government should have to individually prove before an independent court that any one use of that power is justified.
The difficulty is that the government unilaterally broke (b) by having a rubberstamp court and a policy that let them collect everything and choose when to look at it.
And the response to the government's action is to start looking to redress this privately. I.e. a market solution to a perceived deficit of privacy. I suspect that if they had kept (b) intact, there would be much less call for absolute security, and much less of a solid argument for it.
I think the point is not "having something to hide". I think the point is more like how much information we are letting corporations and governments have about us.
For instance, something that really gets on my nerves is when I search for something on amazon and when I am reading a blog post about something completely unrelated to my amazon search, I see an advert related to my search.
This is just really annoying, it's not like I want to hide the fact I am looking for a new TV, it's just that it's really annoying and it's an invasion of my privacy. It's just like having a helpful but nosy neighbor who gets the mail for you.
Also, just like you said, if someone has something to hide they will find alternatives to hide it, but why inconvenience us, the law abiding citizens, why invade what's our own business?
Right, but this is exactly what I meant by "absolute security". I want a reasonable level of privacy so for example Amazon or my neighbor cannot get that information, but I don't care if there /might be/ a government backdoor. In exchange I get the convenience of being able to communicate with almost anyone I know in one app.
The thing is that is not how it works. If the encryption can be broken it can be broken. If the government can read your messages so can the coffeeshop.
But you are part of a very tiny proportion of users smart enough to realize this. And it doesn't address the issue of someone sending private (or incriminating) messages to you, which would still link you as a "person of interest". If I send you a message containing the word "bomb", for example, that could get both our accounts flagged.
Great, another app that does the same thing as the other apps that do the same thing.
Wouldn't it be nice if we could use an open, standard protocol and network so I don't need 5 apps installed to communicate with various circles of friends over different mediums.
After the death of federated im on mobile, this is the closest we get to decentralisation. I'm all for it. The more people are on different platforms, the less any one platform knows about anyone.
Ideally, federation. But bar that, this is better than having everything in one app.
Bonus: this puts the pain in the front, where it should be. If there was ever a chance of getting back to an open protocol, this will be the best way to get there: make the proprietary universe annoying for users.
In today's app world, though, it's easier to have 5 messaging apps unlike the desktop days. We all really only have one messaging app in the background, and that is apple / google push servers.
I'd gladly give up all these gimmick features, like stickers and so on, to have some proper standardization.
I mean audio messages and gif seem revolutionary to some, but in reality it's just a file being sent from one device to another. And in the end it's these end clients interpreting the data.
If email hadn't become dominant so early, you'd also have companies trying to split and isolate communication, claiming features but actually only going after profits and monopolising.
> I'd gladly give up all these gimmick features, like stickers and so on, to have some proper standardization.
You have that option available to you already. XMPP is here to stay. Unfortunately, network effects being what they are, you may or may not have many people to talk to.
Meanwhile, people continue to flock to
* Slack (deliberately putting this at the top, given the audience)
* Signal
* Whatsapp
* Line
* WeChat
* Facebook Messenger
* Viber
> If email hadn't become dominant so early, you'd also have companies trying to split and isolate communication, claiming features but actually only going after profits and monopolising.
If you've tried running your own email servers recently, you may have noticed that emails going into the big providers (Google, Microsoft, Yahoo) don't always get there. Despite the open platform and open standard, with the majority of mail flowing through those gatekeepers, the barrier to entry has gotten higher than it should.
Unless you're pushing pharmaceuticals or fake designer products. Then that seems to make it through all the time.
I totally agree with you, and just to expand on my point, I believe considering problems like
>Meanwhile, people continue to flock to
>* Slack (deliberately putting this at the top, given the audience)
>* Signal
>* Whatsapp
>* Line
>* WeChat
>* Facebook Messenger
>* Viber
is lacking consciousness for the effects. It is a comfortable illusion to ignore the fact that these are all (or at least predominantly) run by private companies, whose interest is not offering a through and through good service, but rather a profitable one. Ostensibly, it might seem good/fast/better but that's by far not everything.
As others have mentioned, it is partly our "social/moral responsibility" (hope this won't provoke anyone) to educate people on the pitfalls and problems we are and will be encountering with these services.
And regarding your second point, that also expands to the consciousness of decentralisation/federalisation/distribution. A centralized network is a special kind of distributed network with only one server. But that's not the point of people like me who are trying to promote these kinds of systems. And partially that's also blamable on the people who made the system (but to be fair, there were quite a few, and it wasn't that coordinated).
> Great, another app that does the same thing as the other apps that do the same thing.
Are you serious there? There were a billion different apps doing text messaging too before Whatsapp. I don't see any point in dismissing the video chat on the basis that it is not the very first app.
I think the reason, besides the network effect, is that all federated alternatives are lacking in some way. For example, they may be missing one of these features:
I would add "Easy to find your friends," which is the killer feature for me. With FBM, you can just search for someone's name. With many of the federated alternatives, you end up searching for something like "xxBluntlordxxSk8rBoixx" which is really annoying and unprofessional.
All it would take was 2 big messaging companies to let their apps talk to each other and the floodgates would open. I'm hoping Facebook will at least let WhatsApp talk to their own Messenger, seeing as they own both.
SMS seems to have worked fine for the last twenty years, and is cross mobile platform. Yet I'm still pestered to install the latest instant messaging nonsense.
Ideally I wish the world used FaceTime/Messaging, since it integrates so nicely with everything Mac related. Also, BY FAR the best quality, and performance.
What about SIP?
It is an open standard and has support for voice/video/chat.
Actually it is the most used protocol by telecom companies and there are a lot of competing implementations such as mizu: https://www.mizu-voip.com/Software/Softphones.aspx
VoIP companies offer such to their customers and they are both easy to use and with high call quality, most of them with P2P media routing capabilities.
This is very good news, I'm really tired of how bad Skype's quality has gotten. WhatsApp's voice calls, on the other hand, are almost always crystal clear, often better than even phone calls.
There is one main reason for Skype's terrible call quality these last years, and that is because it's no longer peer to peer as it was at its beginning. All Skype calls go through Microsoft's servers, as far as I understand. I expect WhatsApp can make use of P2P (I suppose WebRTC) as I also find the phone calls excellent quality and have come to use it a lot. I'll definitely be ditching Skype very soon once video is proven.
Most cellular networks run behind symmetric carrier grade NATs. Even when you have two mobile devices behind the same NAT their traffic will not flow P2P. All traffic has to be routed to the public net (and then back in if you can figure out IP:Port which is usually not possible with symmetric NATs). They will never be hair-pinned on the NAT either... True P2P is only possible when at least one mobile device is on a public network or behind a more permissive NAT device.
I think @telesilla's point is that a Skype call would be going through all the cellular network's infrastructure, and then off to Microsoft, before coming back.
It's an extra link in the chain, meaning another potential bottleneck and added latency.
It's the opposite for me. All WhatsApp calls - including to others in Singapore literally less than a mile from me - have a 3 second lag. This is not the case with Skype.
Yep, WhatsApp is high latency and really latency is more important than quality for voice calling. Video calling I think is actually a bit more lenient because you can pick up more visual cues to more easily adjust for the lag.
Same for me, where WhatsApp randomly tries to "reconnect" for audio only calls, Skype works flawlessly with video. Also, with Skype, I can make really cheap international calls to phones. I only wish they'd not abandoned the Linux client so badly.
WhatsApp is probably one of the most barebones chat apps I've seen so far. It's providing exactly what I need for communicating with people, and nothing more.
I doubt that adding video calls to a chat app requires a featuritis diagnosis.
Is the quality of a phone call a high bar? I've always found WhatsApp, Messenger and Skype to provide what sounds like much less compressed audio, occasionally at the cost of latency until the bitrate drops to compensate.
Unfortunately Jitsi was acquired by Atlassian, so I don't think you'll see many advances there.
They were (are) some of the best at working with WebRTC.
Edit: I would put more stock on Appear.in. They also have some of the best people, and they have recently launched a monetization plan (I was worried about that part)
I used video calling (almost) every day for the past few years. I find FaceTime to be best at video calling even in the face of not the best connectivity. Unfortunately it is limited to Apple devices only. Excited to try WhatsApp for this.
I know why FaceTime wasn't opened like they promised it would be, but I do think it's a big shame. It's 2016 - we should have pervasive standard video calling by now, surely?
I remember reading a long time ago that Whatsapp will not include things like calling/video calling and will focus solely on texting. Why is every messaging app doing the exact same thing and why is there no inter-connectivity between them?
Given there's already furore due to recent data merging (fb + whatsapp), I don't think it would be a wise decision to integrate them further.
People started using WhatsApp before it was acquired by FB inc. A fair share of these might just leave WhatsApp if it were to be merged completely with FB messenger.
Yes, why have both messenger and whatsapp. Additionally it seems they want to kill whatsapp, messenger gets the cool features that whatsapp should have gotten like the bot platform. Whatsapp is like an illegitimate child. Apparently everyone is on whatsapp, the bot platform should have been on whatsapp
They promoted their end to end encryption promise for messages, so I think they would've promoted it again if it still were true for the video call feature.
WebRTC being peer-to-peer, calls are encrypted end-to-end between peers. So if WhatsApp calls are peer-to-peer, then the call content would not be visible to WhatsApp/Facebook.
However, it's still possible to put a server between two participants so that instead of communicating directly, they would be communicating through this intermediate endpoint which would have access to call content - without call participants even knowing. So ultimately it's a question of trusting a particular service, not the protocol used.
FaceTime seems to be the only service which delivers consistently good quality. Skype's video quality was abysmal the last time I used it and the Google app (Duo I think) was the worst ever - in fact that one showed the recipient the video flipped vertically. I didn't bother to see if it would be resolved, but instead just uninstalled it. I don't use Whatsapp's audio calls, so I doubt I will use video.
I tried it a couple of times. Video quality was not great. The second time I tried Duo it had weird sound issues. Was completely disappointed. Didn't use it after that.
It's a surprise since it comes from Google. Hangouts has worked more or less OK for me.
I really like that Duo can switch between Wifi and mobile network without reconnecting. However, usability is imo much better with Whatsapp. Duo still doesn't support calls on home screen on iPhones (calls are shown as notifications) and often fails to connect if the other person hasn't used the app for a day. It's annoying to first ask via Whatsapp to open Duo and then call there.
Nice to have but I almost never used a video chat in any phone app, only a few times on Skype, mostly on desktop. Anyway, probably many people are using this so it's a must have for WhatsApp not to fade away.
But please add bots, unless FB decided that their Messenger is the only platform to survive in the long run and WhatsApp has to die. WhatsApp is still the number one chat in most of Europe and every developer here would like to write bots for it instead of for Messenger and Telegram. It's where our customers and our customers' customers are. Messenger is going to take over if bots get mainstream and you don't support them. My bet is that it will happen next year or never so you're running out of time (or not at all). We'll see.
And if you do implement bots, please copy Messenger: exactly the same API and the same or a very similar UI. That will give you all the Messenger bots from day 1 and developers will love you.
We could use something like ENUM mapping [1] on the device and there would be one single set of data that the user is in control. Even better, it would mean that I can choose the granularity of access to different communication channels, so if someone has my phone number they wouldn't be able to know my other messaging handles unless I make it public.
Since they're one of Twilio's largest customers, I wonder if they're accomplishing Video calling with the new Twilio Video product [1] that's currently in beta
Does anyone know when we can actually use it? They say "over the next days", does that mean we'll have to wait for an update or is the functionality already there and will be unlocked?
As far as I know, Durov first wants to create the best messaging platform and at this point I must say Telegram is really the best at what it does and constantly improving.
Yes and it is staying on being a messaging platform rather than doing everything and anything that others are doing. It has a webapp which works, desktop apps for desktops and works seamlessly.
But it doesn't do end to end encryption by default and has a confusing interface for it which combines ephemerality and encryption into 'secret' chats. Most of the people I know who use Telegram are engineers and almost all of them believe that the standard chats are encrypted and 'secret' only refers to ephemerality because Telegram marketed itself so strongly as a private messenger.
It's of course possible to deal with encryption and ephemerality as separate concerns but this doesn't seem to be a priority at all for the Telegram team. I feel like the team has the best intentions but it doesn't provide better security and privacy than Signal, Wire, or even Whatsapp when it comes to day-to-day chats with regular people in your life. As far as I recall there isn't even a way to verify key fingerprints.
It doesn't do e2e encryption by default by design. It's rather hard to have everything synchronised (one of the advantages much of the userbase likes) when everything is e2e'd.
>but it doesn't provide better security and privacy than Signal, Wire, or even Whatsapp
On what basis is this statement made? Isn't whatsapp going to use your data for ads on FB? I have had people tell me that their whatsapp contacts are popping up on facebook as "people you may know". This isn't just the end of it.
>believe that the standard chats are encrypted
One just has to read their website, it is clear that only secret chats are end to end encrypted. This is the problem with people, not their team. Tesla faced the same problem with their auto pilot feature.
> This is the problem with people, not their team.
I think that, from a design perspective, this is not a really good concept. If your defaults incentivize behaviour antagonistic to your users' interest, you are still to blame for this effect.
My recent experiences with Skype on relatively good internet connections between continents have been great. Meanwhile, I've fairly regularly had freezing and terrible latency issues with Hangouts calls between two parties on excellent connections in the same state.
I don't understand the priorities of WhatsApp. I don't need video calling.
I need support for bots.
WhatsApp doesn't have it. Meanwhile, Skype, Telegram, Facebook Messenger and Google are where the action is, building great bot support. I want to use WhatsApp, but am using Skype and Telegram now to build a bot.
Bot support could also make WhatsApp viable as a business in the long run as an independent, secure service. Simply make businesses pay for bot accounts.
And I need true multi-device support (not a crappy desktop client that needs your phone to be near you, connected to the Internet and using the battery). And a way of adding contacts without exchanging phone numbers.
WhatsApp has always been the worst among the major messengers (Hangouts, Telegram, Line, WeChat all have this) but the sad thing is they can do what they want. They have the network effect on their side, the masses use it, so they can get away with being light-years away from the others in features...
And the masses use it particularly because all you need is a phone number. My mother or many of her peers barely manage to finish any kind of registration process, yet they have no problem using WhatsApp. Here in Germany there's no escaping WhatsApp - it's the standard communication platform.
I'd also enjoy true multi-device support, but I've been using Hangouts for a long, long time (when it was still Google Talk, and before the Android video/voice capabilities), and it's never been very good at IM, where Whatsapp is very reliable on the contrary.
I have no need for bots whatsoever, but I wanted video calls (in Signal, too). Whatsapp also seems to know how to do it right with low-data usage. Different strokes for different folks, I guess.
Sky (pay TV in Germany) has a feature where you can get sports news via WhatsApp. You have to add their number to your contacts and send "Start" to it. I haven't used it and don't know how they do it or what happens but some sort of crude bot system seems to be possible.
HN is not the best place to have these discussions about privacy because most of the folks here are neck deep building a surveillance economy.
If your job depends on not understanding something you won't, so it's easy to brush away surveillance issues just like those whose livelihood is impacted by global warming find it easy to brush away those issues.
There is the old trope about I don't care or have nothing to hide which is self servingly obtuse because surveillance is not about you the individual, it's about the health of your society. And the tired cliche about people not caring, well if people get impacted and begin to draw the dots they will care very much. So this just rests on a fleeting ignorance of the scope of surveillance.
Whisper systems uses your phone number which directly ties to your identity when any privacy conscious service that is half sincere will do everything in its power to avoid such gratuitous tie-ins.