Any app that gives my peers even an inkling of what I'm doing without me explicitly sending that information gives me the heebie jeebies.
I've gone back to using SMS for messaging these days. No more read receipts, no more "last active 10 minutes ago", no more "Alice is nearby!", and no more "you haven't messaged Bob in a while, send a message?".
Sure SMS is insecure, but at least it doesn't drive me insane with all the bullshit of so many messaging apps.
Why not use Signal and turn off read receipts (and typing indicators and previews)? Then you don't have the SMS insecurities (which reveals your locations) and the other metadata issues? That seems to actually fit all your criteria.
And this is just the tip of the iceberg. As described in the article, you can avoid this by hiding your "last seen" status.
But why use the "last seen" feature, if WhatsApp also has an "online" indicator? Funnily enough, that one can't be disabled and is visible to everyone! That has been criticized for over 5 years now, with no reaction from WhatsApp/FB.
There was even a similar tool back in 2016 which used this "online" indicator instead, called WhatsSpy [0]. It's no longer maintained, but you can see screenshots of it on this old German article [1] or you might be able to find English articles as well.
I don't know of any current tool which does this, but I'd guess there are a few out there, since it's so easy to do and can't be prevented.
Not just that: you can correlate this data with activity on various social networks like Reddit and 4chan or even Hacker News over time and slowly narrow down the list of possible anonymous usernames someone may have by just removing all users that were active when the individual is known to be sleeping.
I've always wanted to do something similar at scale. Generate all possible random mobile numbers 11^10, check if they have a WhatsApp profile pic and run it through AWS' rekognition celebrity model (https://docs.aws.amazon.com/rekognition/latest/dg/celebritie...). You could identify the personal numbers for a _lot_ of VIPs, politicians, etc.
"Amazon Rekognition can recognize thousands of celebrities in a wide range of categories, such as entertainment and media, sports, business, and politics. With Amazon Rekognition, you can recognize celebrities in images and in stored videos. You can also get additional information for recognized celebrities."
I guess an argument could be made how celebrities are public figures which in some jurisdictions gives them a bit worse privacy protections.
Also interesting: The article "Celebrity recognition compared to face search" [0] does actually have a disclaimer:
> Celebrity recognition should not be used in a manner that could result in a negative impact on civil liberties.
Only to then follow up how face search allows for the very same thing with your own face collections, so it's apparently not just reserved to celebrities.
Why is this a "security" issue? People know that other people can see their "last seen" date, but usually they don't care so they left it. Hell, I leave it public as well. I couldn't care less about these tiny details.
Now, if you tell me that by leaving public my "last seen" date, people can get more data about me (e.g., with whom I talk to), well then yes, I would call that a security issue.
> if [...] people can get more data about me (e.g., with whom I talk to) [...]
It's quite possible, at least among mutual friends. If you have 2 people you know, who are also friends with each other, who have high correlation of online times, then, it's a signal that they could be talking with each other.
It's also amusing (insert a better verb...) that Facebook probably knows who's dating who based on frequency of messages on Messenger/WhatsApp/Instagram, location data ("It's the 3rd Friday night that their phones are close to each other in some venue"), and if they're on the same WiFi (A few hours later: "Well, it's 1AM, and after an hour of inactivity, James' phone is now connected to Jenny's WiFi, they did have their third date earlier...")
The most interesting part to me wasn't the technical details but rather the MAU, WAU, DAU stats at the end from random sample. Way fewer people than I would have expected use WhatsApp on a weekly basis.
This is in France, where text messages were free (unlimited with your subscription) long ago before we had internet on our smartphone.
Thus people use text messages a lot and only used WhatsApp to contact people outside France.
I saw a very strange thing in WhatsApp last week. One of my contacts texted me their name in Cyrillic characters (WhatsApp on iOS), five seconds later I got an email to my Gmail inbox in Russian. I check my spam folder occasionally (mostly bitcoin scams for some reason) and had never seen any messages in Russian.
Another big problem is that WhatsApp automatically previews the URLs, thus leaking the IP of the person. I could not find a way to disable link previews.
Is there any chance that the client needs the online status for some internal optimization, e.g. in order to deliver messages for online contacts to a different server than those destined for offline contacts? I could imagine delivery paths to be quite different (one would be immediately passed through in-memory while the other would be stored in some database and potentially trigger mobile push notifications).
In that case, it is nice to at least visually expose that this information is available to bad actors using custom clients too.
However, this fails as a possible excuse ever since Facebook acquired WhatsApp, given that they have essentially unlimited resources available and could easily implement a privacy proxy to hide this information from clients.
In any case there cannot be a good reason to share the online status / last seen date before any interaction has happened between two contacts, and approved by the receiver.
If you have had no interaction with someone, you should first accept a message (and not report it as spam) before this information is shared. Ideally that would be the default as well for the About field and the profile picture.
I definitely agree – none of my hypotheses make for a good reason. I'm just wondering if there's anything technical behind what seems to be a quite stubborn decision that also sticks out (as everything else has controllable privacy options).
Another weird decision is that read receipts are not possible to be deactivated in group chats, but there is no explanation for that that I could think of (delivery receipts might be required for faster encryption key ratcheting, but the read status has no significance at all for the protocol).
I hate that you can't log out of WhatsApp temporarily. I have to turn off my internet or my phone to take a break from it, or uninstall and reinstall the app. A dark pattern that means I'm always logged in even when I don't want to be.
I meant I sometimes wish to take a break from both notifications as well as my counterpart seeing the message got pushed into my client and thinking I'm ignoring them. If there's unattended to messages I feel a social pressure to respond quickly. I want WhatsApp to be more like an email client which is far less intrusive into mental and emotional space.
Now that I think more about it, I could do two things: (1) disable notifications, (2) make it so I disable the blue check and double check and appear offline. It'd effectively simulate logging off.
Personally, I enable battery saving mode: it prevents any app from using data in the background, so WhatsApp won't synchronize with its servers at all unless the app is open.
The drawback is that this behavior cannot be enabled on a per-app basis: either all apps synchronize, or none. So I don't have new emails either unless explicitly enabled, or any other similar app. The only things that still work and notify without requiring the app to be open are text messages and phone calls.
I consider that to be a feature, but others might not.
Yeah I know very well what you mean! I do #1 (turn off notifications in the app settings) every now and then when I want to cut off a specific communication channel.
I'm unsure how you'd do #2 though? There's a permission for background data, wonder if that would be enough? Let me know if you test it!
To disable the blue check you just don't need to open the app, blue check for sender only triggers when you view the message in the actual app, but not if you read it in the notification/on the lock screen.
As long as the app is not open you also won't be shown as online, that only happens when actively using the app.
>Nobody uses Signal in France [from the 5000 sample]
If one would've come to HN and read the last few months worth of posts you'd come to think that a lot of people from around the world moved to Signal. But then again this is a reminder about how little HN represents compared to the general population's tech choices.
That signal move backfired for me. Before it was just whatsapp. Now with some folks from my generation moving to signal and the older folks from the parent's generation staying with whatsapp, I have had to maintain presence across 2 chat applications.
What's the actual cost here? You have one app open or another, no different to two distinct chatgroups in WhatsApp except for some small extra CPU cost for changing app focus if switching between them.
The only issue I've seen is when I want to add someone who's only WhatsApp to a Signal chat, which has happened maybe twice until they also joined.
Personally I feel good about taking even a small amount of Comms out of Zuckerberg's clutches
* Messenger for family and some friends
* WhatsApp for group chats and most of my friends
* SMS for older family members
* Signal and Telegram for a select few privacy-conscious friends
And at least one family member uses three of these, and it's a toss-up which one he'll use at any given time.
My anecdata but, my friend in France does and has been forever. That's how she and I keep in contact and video chat. Perhaps their sample wasn't representative.
I'd say a sample of 5000 random phone numbers is more representative than individual comments from a community obsessed (in a positive way) with privacy.
It's bad that this is happening, but from a developer standpoint it is also very easy to overlook things like this because most APIs are not aware of who the data is for.
When an API always returns the `last_seen` field regardless of who is querying the data, it's very easy to make the mistake to present the data to someone who should not see it.
That's also one of the reasons I think most CRUD APIs use bad practice because they always return all data on a READ and may always store all data on a CREATE or UPDATE.
But.. a company like Facebook should know better. It seems they just don't care.
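The point above about an API that returns `last_seen` to every caller, as an added example that is not from the thread or from WhatsApp: a viewer-aware serializer shown next to the naive one. The `Account` model, the per-field audience settings and the sample numbers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Audience(Enum):
    EVERYONE = "everyone"
    CONTACTS = "contacts"
    NOBODY = "nobody"


@dataclass
class Account:
    number: str
    last_seen: datetime
    online: bool
    contacts: set = field(default_factory=set)  # numbers the owner has saved
    # Hypothetical per-field settings; the default is the restrictive one.
    audience: dict = field(default_factory=lambda: {
        "last_seen": Audience.CONTACTS,
        "online": Audience.CONTACTS,
    })


def serialize_naive(owner):
    """The pattern the comment warns about: every caller gets every field."""
    return {
        "number": owner.number,
        "last_seen": owner.last_seen.isoformat(),
        "online": owner.online,
    }


def allowed(owner, viewer_number, field_name):
    """Per-field check for one viewer; fields without a rule are denied."""
    if viewer_number == owner.number:
        return True
    rule = owner.audience.get(field_name, Audience.NOBODY)
    if rule is Audience.EVERYONE:
        return True
    if rule is Audience.CONTACTS:
        return viewer_number in owner.contacts
    return False


def serialize_for(owner, viewer_number):
    """Build the response for a specific viewer, omitting hidden fields entirely."""
    out = {"number": owner.number}
    if allowed(owner, viewer_number, "last_seen"):
        out["last_seen"] = owner.last_seen.isoformat()
    if allowed(owner, viewer_number, "online"):
        out["online"] = owner.online
    return out


def sample_account():
    """Constructed sample data: the owner has saved exactly one contact."""
    return Account(
        number="+10000000001",
        last_seen=datetime(2021, 1, 1, 8, 30, tzinfo=timezone.utc),
        online=True,
        contacts={"+10000000002"},
    )


if __name__ == "__main__":
    alice = sample_account()
    print("naive   :", serialize_naive(alice))
    print("contact :", serialize_for(alice, "+10000000002"))
    print("stranger:", serialize_for(alice, "+19999999999"))
```

Because the serializer takes the viewer as a required argument, a new endpoint cannot return presence data without someone deciding who is asking.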
> But.. a company like Facebook should know better. It seems they just don't care.
I agree 100%. If it was a simple hobby project that somebody had hacked together, I'd agree that it might be easily overlooked. When you have thousands of people supposedly working on making privacy a priority etc: not so much.
> Privacy setting for Last Seen: Set by default to Everyone and nobody configures it.
It surprised me that only 10% of his random (French) sample is active daily (179/1751=10%). In my contacts, I do see people who have accounts but haven't used it in weeks, but it's not the norm. However, I see lots of people in my contacts who show no info for Last Seen. Is he underestimating how often people configure the privacy setting for Last Seen? Or perhaps there is another factor that determines when Last Seen gets shown?
His script starts from the bottom of 06 XX XX XX XX (French mobile number) and increases.
This is not the most efficient way to have working/active numbers.
As he said, numbers starting with 06 are saturated by now and we opened 07 XX... numbers. Thus, 07 numbers are more likely to be fresher and more used by "younger" people. While the first 06 could be more used by professionals and "older" people.
As I said in a previous comment, the older generation does not use WhatsApp very much as we had unlimited text messages before getting internet on our phones (before iPhone 1). Before Covid, my parents did not use WhatsApp at all while texting daily. They use it now to video call during curfew.
At least in my group of friends (which is probably a very bad sample), hiding "last seen" is very common.
I really dearly wish there was one for the online status as well, and I'm glad to have spent my teenage years in a time where SMS was the norm, where neither read receipts nor online status was available. It made for a much more relaxed messaging experience (which iMessage seems to be much better at approximating).
I've been using WhatsApp for years, reluctantly since it is the de-facto SMS standard in my country.
I will never, ever, understand the "online" status feature. It is ridiculously invasive and cannot ever be turned off or even hidden from specific contacts. This is a SMS client, not a chat client, and revealing a user's online status is highly problematic both socially and security-wise. I can't help but wonder how many lives this feature has ruined.
(I am talking specifically about the "online" indication, not the "last seen" information, which is also invasive but can be turned off).
That is a subjective take that's mainly in your head.
WhatsApp is a client for chatting, so it is a chat client. It does not use the SMS network, so it is not an SMS client.
Some countries such as US and France had free SMS services, that enabled it to be used as chat. Other places SMS being costly it was used as a "write ideally one message" functionality, similar to email (which only costs in other ways, in human time, but not in actual bills). You can see this in the design of the Messages app in iPhone for example.
I only used WhatsApp for a year or so to talk to a specific person, but it definitely felt like a chat client to me. My general impression is that it is a lesser version of AIM but using phone numbers as logins. To be fair, I think of all instant messaging apps as lesser versions of AIM, and I still can't believe AOL dropped the ball so hard on that.
I don't remember the online indication, is that only when you're actively using the app? or just if the app is open on your phone? I'm trying to think of a situation where either could ruin someone's life but I'm struggling. Maybe if you're trying to avoid someone important to you, but need to talk to someone else on WhatsApp? Could you give an example of what you were thinking?
When you are online anyone can check it. There is no option to hide the online status. Using an easy script anyone can then spy and understand pretty much everything of a person, or a group. This is easy cyber stalking and dangerous. Especially because normal people do not understand this and think that hiding last seen is useful to avoid being stalked…
Do you mean any one of your contacts? or anyone who has your phone number? And I'm still confused about the definition of "online" and how that can give anyone an understanding of you.
Anyone with your number, and it reports when you have the application open. Assuming WhatsApp is the first and last app you open in the day (good morning and good night messages) you know how long a person sleeps, and this is only a very easy analysis you can do. I am sure you can find something more interesting recording when people open an app.
OK, yeah I agree that should be configurable, or at least limited to contacts. Maybe it should only count as online if you're actively using the app instead of having it open in the background. I'm sure many people just have it open 24/7. If I still used it, I would want an option to only receive messages when I'm online.
>Maybe it should only count as online if you're actively using the app instead of having it open in the background
Not sure about desktop clients and not sure about what you mean by "open in the background" in this specific case, but I can answer this for mobile WhatsApp apps specifically. For those, it only tracks when you actually have the app open in your main view.
More specifically, if you just have the app in the background while using some other app, it doesn't count as online. If someone sends you a WhatsApp message and you receive a notification but don't open the app itself, it doesn't count. Only when you actually open the app is when it shows you as being online.
Personally, I agree with you that the simplest solution that would already resolve a ton of those issues is to simply only display your "online" status to those who you have added to your contact list (instead of to literally the entire world).
"understand pretty much everything of a person, or a group."
How does this work - does it leak status or location, messages, contact lists etc? We have a number of folks who are absolutely freaking out over how folks are being killed because of this - can someone walk us through how it leaks all this info?
A quick note that I make my entire calendar public in terms of available times so that folks can schedule their time with me.
> We have a number of folks who are absolutely freaking out over how folks are being killed because of this
I can totally see that happening:
Person X suspects their partner is cheating on them with Person Y. So they start logging every time their partner is online and every time Person Y is online. Person X becomes obsessed with this theory of cheating and discovers a correlation between their online times, concluding that they're being cheated on, so they explode in rage and go kill their partner.
Um, my wife and I use the same code for all our devices - if your partner is developing this level of paranoia aren't there easier approaches to this question? Or maybe set up a separate WhatsApp account to use for cheating if you are big into that so folks can't track you while you cheat?
your answer doesn’t make any sense in this context. this is a standard whatsapp feature that can not be turned off. you can disable networking and open whatsapp and that flag will not be sent, but also your conversations won’t get updated. jailbreaking doesn’t change any of this.
If you have root you could decrypt the traffic on the fly, and block any data that is not necessary for basic functionality. Maybe even run squid locally, and configure it there. I doubt that's what they meant, and it would take a bit of reverse engineering, but would be kind of fun.
> I'm trying to think of a situation where either could ruin someones life but I'm struggling.
Ruining someone's life might be hyperbole but people certainly notice when the people they're messaging are online. Especially when they send messages and are ignored.
Totally agreed that it's invasive. Same for the "typing" indicator, which also can't be disabled. If I'm writing something longer than a sentence or two, I usually just compose it somewhere else and then copy/paste it into WhatsApp, just to avoid feeling observed.
The fact that those two things can't be disabled actually makes me want to use WhatsApp less. I doubt I'm alone in that. Makes me wonder if Facebook's "engagement" stats account for those types of disincentives.
I also type elsewhere and copy paste to WhatsApp anytime I am writing something longer than a couple lines. I have also disabled the last seen feature. The currently online status seems way worse than last seen and can't be disabled.
> I will never, ever, understand the "online" status feature.
Fun fact: WhatsApp was initially just that i.e. It showed status of its users online and people started using it to share messages leading up to the development of full-fledged chat app.
We may be from the same country, where peer pressure to have a WhatsApp account is so high that friends and relatives get offended if you don't have one.
So I have isolated WhatsApp to an Android VM, it sends me an encrypted email of the incoming messages, lets the sender know the same and that they need to message me on Signal if they expect a faster reply [1].
In the UK, I’ve basically only used WhatsApp for sms-type communication for the past 4 years. Actual SMS is for one-time passcodes and automated messages from my bank and doctor.
Previous to that, I was in Australia where practically nobody used WhatsApp, favouring iMessage or Facebook messenger.
There are a lot of things that are "ubiquitous" but I still wouldn't voluntarily use. Between this thread and the YouTube one today, and countless other ones in the recent past, there seem to be a growing number of "Xyz app is bad, but I won't stop using it" threads lately. I mean, talk about being part of the problem and not part of the solution. Whatever happened to "Be the change you want to see in the world?"
> I agree with your comment completely, but isn't this a bit of an exaggeration?
No. Many global south countries like Brazil use WhatsApp instead of sms, and not being able to control what information you push out is therefore dangerous. As someone else wrote in this sub, you don’t need to first ‘friend’ or link with someone on WhatsApp before they can see all your info (like how often and how long someone is online). Stalking and stalkers are more prevalent than you think. Never mind that the situation is also different depending on your gender (women are stalked and victims of violence more than men).
Also I think a few people here seem really concerned with whether it’s an SMS or an IM service, but I think that doesn’t matter when you ask instead what’s affordable and accessible to the average person in the global south. I think you’ll find that sms and calls are usually luxuries reserved for the tiny minority in power.
> women are stalked and victims of violence more than men
This is going to be a bit off-topic now, but I'd say by violence above only physical violence is meant. If verbal and psychological abuse is included, the balance isn't quite so obvious.
It doesn't take much imagination to come up with a hypothetical scenario. Person is writing to their partner but receiving no reply, however they can see that their partner has been online for the past 30 minutes. Person is convinced that their partner is talking to that one guy from the gym.
I have definitely been called out for being online but not replying, so I can easily imagine how that can end up becoming a big drama in some relationships.
Maybe you have a crazy manager. They see you were online when you were meant to be working. They use this to justify their thoughts you’re lazy. Who knows?
Not sure if it's country-wise or only in newer versions, but you can turn off last seen and read receipts as well. Go to account -> privacy if it's available or try to upgrade.
I can't help but wonder how many lives WhatsApp has helped.
And it is definitely NOT an SMS client. The entire reason it has become so popular is that it does not use SMS. Before WhatsApp - the govt in these countries - supposedly looking out for the common good - allowed telecom carriers (usually giant oligarchs) to charge OBSCENE per msg rates.
I do remember when SMS were actually free in Germany (where customarily telecoms charge you an arm & a leg). This led to people carrying mobile phones (era before smart phones), but only ever using SMS. You've seen them 'simsen' in bars, coffee shops, everywhere. Looked quite funny then (even though we appreciated that they stopped talking loudly on their phones all the time everywhere). I still can't quite get used to the view of people with a screen glued to their face.
With Android phones you could possibly use an app like NoRoot Firewall to cut off net access for the app when you want to appear offline. Unfortunately that's a pretty "advanced" use of apps for the average consumer and definitely not a replacement for building this in natively.
Depends on your reasons for showing offline. If offline is a proxy for “I am not here to check and respond to messages”, such as when you’re sleeping, quite useful. If not, and you’d prefer to be constantly offline for privacy reasons, less useful.
You don't "show offline" in WhatsApp, either "online" appears below the contact name or nothing appears. Nothing doesn't mean offline, it means the person doesn't have WhatsApp running in the foreground, they could or could not be online (which most define as "using or not using the phone right now").
In some circles it has completely replaced SMS. While it has chatting features, the normal message SMS use case also takes place within WhatsApp in these circles/countries.
you can turn on airplane mode, quickly check whatsapp messages, get out and turn off airplane mode. It is a dirty hack, but it also helps you to spend minimal time on whatsapp.
I really need "Permanently Archive Chat" feature in whatsapp. There are some chats/groups that I never want to see any message in but don't want to leave.
I believe WhatsApp knows how useful this feature is but it will lead to lower usage and they are not rolling it out.
The general consensus here seems to be, let me hide from my friends and family. All the comments are focused on how annoying it is that Facebook is generously sharing information that you might not otherwise think they were collecting about you.
Not to downplay this, but the author's "You can track any mobile phone !" claim seems comically overblown. Not everyone has WhatsApp, some people who have it rarely use it, and only knowing when someone's online is a pretty weak form of "tracking".
That said, I agree it's not good that you can spam strangers' phone numbers and see when they're online. I'll be turning off that feature on my phone.