Same day we have this article "Internet Freedom Wanes as Governments Target Messaging, Social Apps (npr.org)" on the front page of HN.
I know Facebook claims to use Whisper Systems encryption but how can we blindly trust that this is actually implemented in a closed source system?
Stallman and others have been warning us for many years and we have been brushing it off. Now Snowden pretty much confirmed most of it but we keep going and entangling our world more into these services.
There are two things that make me trust WhatsApp more than the competition:
1. In the UAE, where VoIP is illegal, the government was not able to selectively block voice traffic since it is indistinguishable from text traffic. So they had to ask WhatsApp to block voice functionality whenever a user is in the UAE.
2. If you lose your phone, you cannot recover your messages. Now, you may claim that they're just not providing a frontend option to do this, but would that make financial sense? You are potentially losing users who want their messages backed up so you can... falsely claim that you don't store messages?
3. Similar to 2), WhatsApp desktop cannot work without your phone being connected, again because that's the only way to access your messages.
Along the same lines as #1 is the example of the Brazilian government suspending WhatsApp nationally because they were technically unable to provide user chat messages for use in a police investigation.
>In the UAE, where VoIP is illegal, the government was not able to selectively block voice traffic since it is indistinguishable from text traffic. So they had to ask WhatsApp to block voice functionality whenever a user is in the UAE.
Authorities can selectively block WhatsApp voice calls; it's been done in Oman, where I used to live. If I leave Oman and use WhatsApp in an uncensored country, voice calls work just fine.
This is not the case where WhatsApp is registered via a UAE number; the blocks persist no matter where you connect from.
They don't need WhatsApp's help to do it.
WhatsApp voice calls are done over different ports, so only these need to be blocked.
The UAE (and Saudi Arabia) went through the extra step of asking WhatsApp to perform a block server side because of legal regulatory issues. Oman has made no such demand.
My family regularly makes WhatsApp calls to me from Oman; they just have to switch on a VPN to tunnel out of Oman's censorware.
I switched SIM cards recently (the number was migrated to the new card though) and flashed another ROM on my phone. It helpfully offered me to restore all messages and media from the server. (6+ months of history)
Sure it could use the IMEI for the encryption. But I'm unsure if it can access that datapoint from application context?
/edit: I just scrolled back to the first message I've got on my most messaged contact. It's from 2014. I've switched devices and SIM cards since then. The phone number is the only thing that stayed the same.
WhatsApp has an optional auto-backup feature that periodically backs up your messages to Google Drive (iCloud on iOS?). You can find it under Settings > Chats > Chat backup. It is an extremely smart way to allow users to back up their messages if needed, while also ensuring that WhatsApp doesn't have access to the backups.
Once you activate a new phone, it will ask if you want to restore your messages from the latest backup. I guess it's using your Play Store account credentials to tie your SIM cards and phones together.
People are oblivious or just don't give a shit. As long as they can share their cat pictures and so on, it's all fucking dandy.
We (people who work in tech) have a duty to fix these issues and to implement our products in ways that respect the privacy and security of the people who use what we build without passing the buck on to them. A Facebook user doesn't have to give a damn about encryption before Facebook put good encryption in place - the engineers at Facebook should just do it anyway, because it's the right thing to do.
If we build services that fail the user by allowing a malicious actor to violate their privacy then that is our fault. It is not the user's fault for not demanding we do our jobs properly. This is on us.
We don't want to fix these things in our products because we want all that information about our customers because it's an extra revenue stream.
The malicious actor is us. Don't work for shitty companies and implement stuff right for the companies you do work for.
Edit: Product owners give you jobs that are bad for the user/customer but they want it done anyways. Convince them why it's a bad idea and find another job if you can't.
When I said "people who work in tech", I meant that including product owners. Besides, the notion that Mark Zuckerberg hands out decrees of what Facebook must do next and the engineers have to choose between scampering away to build what he wants or resign if they disagree is utter nonsense. We're all human beings who are capable of presenting a rational argument in favour of doing things properly. Product owners listen. Sometimes they disagree, and that's when you need to question your role as an engineer, but often they don't just ignore their team.
If you think that being an engineer in tech is a job where you blindly implement someone else's will then you're failing to live up to both your potential and your responsibility.
I'm sorry, who exactly is us? I didn't realize that by becoming a programmer, I'm now morally responsible for the actions of every single programmer out there in the world. I didn't realize that I should now look in the mirror and blame myself because some guy I never met decided to follow his CEO's orders and implemented a backdoor in their product.
There is no us. There's just hundreds of thousands of individuals, each doing their own thing. Some are angels, some are assholes, and a lot are in the middle. If you think that getting 500,000 people to make a pinky promise to be good is going to prevent shit from happening, that's just delusional thinking. No matter what you or I do, there will always be some asshole Investor/CEO/PM/programmer out there who will screw over people's privacy in order to make money, and you guilt-tripping the other 499,999 programmers is not going to change that.
If we want to stop shit from happening, we need systems in place to do that. Either regulatory, certification or market-based systems that catch and punish bad actors. In the absence of such systems, expect dysfunctional outcomes regularly.
I think we actually agree with one another, but I'm just coming at the argument from a slightly more positive position. We, as the engineers who build stuff, need to start making it clear that we don't like what the bad actors do, that we won't build it ourselves, and the "asshole Investor/CEO/PM/programmer" who does won't have a place in our industry. You're quite right that we need systems in place to stop this shit, but you're quite wrong if you think it's someone else's job to make that happen. We can build the certification or market-based systems right now.
Sorry if my previous message came across a bit harsh. I've been reading Chaos Monkeys lately and the author's style of writing is starting to rub off on me. I think we are indeed in agreement. As industry professionals, we do have the power to influence change. Not through wishful thinking or promises of good behavior, but by working to put in place certification/market-based systems that act as a check on bad corporate behavior. I hope we can start making progress towards those ends.
> something really bad needs to happen to move things in the right direction.
Something really bad already happened: genocide. What else needs to happen?
The Netherlands (among others) required everybody to register their basic info, including religion, with local authorities. This made it very simple for the Germans to know whom to deport.
Your data can be used for other things than originally intended. But people do not learn.
So you may be right. More really bad things need to happen.
How about: create a website with a random string in the URL, send that URL via WhatsApp combined with content that likely triggers many safety bells (at Facebook, WhatsApp, NSA, ...) to a contact, and make sure that contact does not open the URL.
Create a second website (same domain) with a different URL, also with a random string, and use this to compare.
Check if first URL gets a hit, and if yes, check if second URL gets same hit.
(spoiler alert: first URL will get a hit, second won't ;-D)
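The two-URL comparison proposed in the comment above, sketched as an added example (not code from the thread): it generates a sent and a never-sent path, then checks web-server access logs for fetches of either. The function names, the `/c/` prefix and the log lines are constructed; it assumes combined-format access logs and that you list your own devices' addresses in `own_ips`, so a fetch made by the sender's or recipient's own device is not counted.

```python
import re
import secrets

# Combined log format: ip - - [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def make_canary_paths(prefix="/c/"):
    """Two unguessable paths on the same site: one to send, one never sent."""
    return prefix + secrets.token_urlsafe(16), prefix + secrets.token_urlsafe(16)

def canary_hits(log_lines, sent_path, control_path, own_ips=()):
    """Collect (time, ip, user_agent) per canary, skipping our own addresses."""
    hits = {"sent": [], "control": []}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line, ignore
        ip, when, target, agent = m.groups()
        if ip in own_ips:                 # our devices, incl. any preview fetch
            continue
        path = target.split("?", 1)[0]    # ignore query strings
        if path == sent_path:
            hits["sent"].append((when, ip, agent))
        elif path == control_path:
            hits["control"].append((when, ip, agent))
    return hits

def verdict(hits):
    if hits["control"]:
        # The never-sent URL was found too: crawler or guessable path, not the chat.
        return "inconclusive"
    return "sent-url-fetched" if hits["sent"] else "no-fetch-seen"

def sample_log(sent_path):
    """Constructed log lines using documentation IP ranges, not real traffic."""
    stamp = "[01/Jan/2024:10:00:0%d +0000]"
    return [
        f'192.0.2.10 - - {stamp % 0} "GET {sent_path} HTTP/1.1" 200 512 "-" "own-phone"',
        f'198.51.100.7 - - {stamp % 5} "GET {sent_path}?x=1 HTTP/1.1" 200 512 "-" "unknown-fetcher"',
        f'203.0.113.5 - - {stamp % 9} "GET /robots.txt HTTP/1.1" 404 0 "-" "crawler"',
        "garbage line that does not parse",
    ]

if __name__ == "__main__":
    sent, control = make_canary_paths()
    hits = canary_hits(sample_log(sent), sent, control, own_ips={"192.0.2.10"})
    print(verdict(hits), hits["sent"])
```

A hit on the never-sent path makes the run inconclusive, because it shows the paths were reachable by some route other than the message.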
Don't most of these services (Skype, Facebook, WhatsApp) load the URL to fetch a thumbnail, page title, and page description, to show in the chat window instead of just the URL?
The content is encrypted between you and the receiver. If you didn't hit the URL and the recipient didn't hit the URL, how did someone else hit the URL which was encrypted in the transmission?
Is absolute security really something that anyone desires from a general purpose instant messenger?
The government might read my WhatsApp messages - so what? They have been able to listen to my phone calls for ages. If there's something I want to keep private (and there is - it's not like "I have nothing to hide"), I will simply not use WhatsApp or any other communication channel I don't fully trust.
I don't care as long as the owner of the coffee shop I'm currently in cannot read my messages.
> Is absolute security really something that anyone desires from a general purpose instant messenger?
I think the problem is that security is an ongoing conversation between the government and the people. My guess is that most people, if pushed to a firm position, would probably agree with:
a) The government should have the right to look at communication to stop bad things.
b) The government should have to individually prove before an independent court that any one use of that power is justified.
The difficulty is that the government unilaterally broke (b) by having a rubberstamp court and a policy that let them collect everything and choose when to look at it.
And the response to the government's action is to start looking to redress this privately. I.e. a market solution to a perceived deficit of privacy. I suspect that if they had kept (b) intact, there would be much less call for absolute security, and much less of a solid argument for it.
I think the point is not "having something to hide". I think the point is more like how much information we are letting corporations and governments have about us.
For instance, something that really gets on my nerves is when I search for something on Amazon and when I am reading a blog post about something completely unrelated to my Amazon search, I see an advert related to my search.
This is just really annoying, it's not like I want to hide the fact I am looking for a new TV, it's just that it's really annoying and it's an invasion of my privacy. It's just like having a helpful but nosy neighbor who gets the mail for you.
Also, just like you said, if someone has something to hide they will find alternatives to hide it, but why inconvenience us, the law abiding citizens, why invade what's our own business?
Right, but this is exactly what I meant by "absolute security". I want a reasonable level of privacy so for example Amazon or my neighbor cannot get that information, but I don't care if there /might be/ a government backdoor. In exchange I get the convenience of being able to communicate with almost anyone I know in one app.
The thing is that is not how it works. If the encryption can be broken it can be broken. If the government can read your messages so can the coffeeshop.
But you are part of a very tiny proportion of users smart enough to realize this. And it doesn't address the issue of someone sending private (or incriminating) messages to you, which would still link you as a "person of interest". If I send you a message containing the word "bomb", for example, that could get both our accounts flagged.