Slashdot Mirror

WhatsApp TOS

3B. In order to access and use the features of the Service, you acknowledge and agree that you will have to provide WhatsApp with your mobile phone number. You expressly acknowledge and agree that in order to provide the Service, WhatsApp may periodically access your contact list and/or address book on your mobile device to find and keep track of mobile phone numbers of other users of the Service. When providing your mobile phone number, you must provide accurate and complete information. You hereby give your express consent to WhatsApp to access your contact list and/or address book for mobile phone numbers in order to provide and use the Service. We do not collect names, addresses or email addresses, just mobile phone numbers. You are solely responsible for the status messages that you submit and that are displayed for your mobile phone number on the WhatsApp Service. You must notify WhatsApp immediately of any breach of security or unauthorized use of your mobile phone. Although WhatsApp will not be liable for your losses caused by any unauthorized use of your account, you may be liable for the losses of WhatsApp or others due to such unauthorized use.
-- They of course only need a phone number to correlate this information as that is one of the major tokens traded between data brokers. If you have a phone number, you can very quickly find the name, address, and email addresses associated with this. Citation that showing aggregation available to anyone

5a(partial) - but Status Submissions may be globally viewed by WhatsApp users that have your mobile phone number on their smartphone, unless the user is blocked by you.
-- Clearly they use telephone numbers as one identifying ID. It is required to fill in your information with your phone number, so again, no need to read it from your contacts if they have the phone number.

Nowhere in the TOS does it discuss reading your messages, storing your messages, or parsing your messages.

Uh, hang on a cotton-pickin' second. Isn't WhatsApp supposed to have "end to end encryption?" Didn't they like publish a whole paper describing how their end-to-end encryption made it impossible for third parties to know the content that was being sent? Wasn't it supposed to be impossible for anyone, including WhatsApp themselves, to know the content being transmitted on their system?

Doesn't end-to-end encryption, where "even WhatsApp" can't see the contents of the messages, sorta preclude the use of moderators to moderate content? That is, if WhatsApp can't see the messages, they can't moderate the messages, right?

So, um, am I wrong in thinking that WhatsApp's claim to being able to moderate messages and claims that messages cannot be read by WhatsApp are sort of incompatible? Unless WhatsApp's supposed "end-to-end encryption" is more of a bullshit marketing ploy rather than a description of the actual algorithms in play here...

WhatsApp... Does that even have a desktop version? Without it it won't matter much in a business context for at least a few years. If it does, it's not advertised enough.

Look up Web Whatsapp.

Now there's a huge difference.
When you use Web Skype, the WebApp is connecting directly to the Microsoft servers. You basically get in your browser the same thing as in the new gen applications. (The new gen Skype application is basically a wrapper around the web app).
It's basically "your browser -> Microsoft's Skype server".

In WhatsApp's case, it's a bit different. You still need a smartphone app (either Android or iOS), that app still makes connection to the Facebook servers itself. But when you log into WhatsApp Web, the phone app goes into server mode, and relays data (through cloud servers) to the web app.
It's supposed to be "your browser -> some relay server -> the app running on your smartphone -> the official Facebook's WhatsApp server".

It's supposed to be done for two reason :
  - to enforce the approach that WhatsApp always had about 1 instance on 1 smartphone linked to 1 cellphone number. (they don't want cellphone-less instances)
  - the axolotl end-to-end encryption that Facebook has rolled both into WhatsApp and into their own inhouse Messenger *is end-to-end*. You need the smartphone to do the end-point decryption and eventually re-encrypt the data for the webapp. The webapp cannot directly connect the the WhatsApp server, because that server doesn't have any access to the cleartext.

WhatsApp is completely irrelevant (why is it even alive? Teens?)

Actually, all the youngs I've seen seem to be on snapchat nowadays.

Not sure this is correct. End to end encryption is for individual chat windows. Group chatting can be read by the mothership.

As explained in their white paper (warning, PDF), group chats support full end-to-end encryption. Your client encrypts multiple copies of the message using the keys of each person in the conversation, and then sends them out as individual messages.

The reason they can't show you your chat history is because they don't have it.

It's on the phone. There's a backup feature to Google drive or SD card, the problem is that sometimes (always?) a new phone will fail to restore the backups

https://faq.whatsapp.com/en/an...

WhatsApp FAQ - Finding the Menu button -
  https://faq.whatsapp.com/en/an...

Pretty much exactly spelled out in their EULA in terms vague enough to allow any information transfer except the actual content of your WhatsApp message.

https://www.whatsapp.com/legal/#privacy-policy-affiliated-companies
"We joined the Facebook family of companies in 2014. As part of the Facebook family of companies, WhatsApp receives information from, and shares information with, this family of companies. We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings. This includes helping improve infrastructure and delivery systems, understanding how our Services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities. Facebook and the other companies in the Facebook family also may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads. However, your WhatsApp messages will not be shared onto Facebook for others to see. In fact, Facebook will not use your WhatsApp messages for any purpose other than to assist us in operating and providing our Services."

WhatsApp is owned by Facebook. It's encryption is a joke when the right people are asked nicely, hence the "using techniques that 'cannot be disclosed for security reasons.' What they mean is they can't tell you how they did it because it would look REALLY bad if people realized how stupid it is to put your faith in a company that specializes in profiling and biometric data collection; https://www.whatsapp.com/faq/g.... If you're using WhatsApp on Google anything (Android, Chrome, etc.), you're in even worse shape because it's Google for Christ's sake. Remember Dirty COW? Google waited until after the election to fix it while every other Linux-based OS did months ahead of them.

But anyway, Facebook also invests huge amounts of money into cloud computing and AI. That combination one day will make all encryption and anonymity useless because we will all be digitally fingerprinted whether you have an account or not, especially if quantum computing advances, and you can assume your government will get a copy, just like they get copies of your DNA when you fall for the "fun and easy" TV advertised "ancestry" services. This "profile" is going to replace social security numbers. If you want real encryption (at least for now), use Signal (similar to Telegram but better) or a Tox client (similar to OpenVPN but for messaging). More importantly, use your brain. Both are free and open source and support text, talk, video, and file sharing. I would never use anything that important that I couldn't look at the code for. If you could look at WhatsApp's source code, I think security researchers would be horrified. And, Facebook gets caught spying on their mobile app all the time, so I don't see how WhatsApp would be any different. And just because a lot of people use it, doesn't make it the best. Matter of fact, that would make more of a target.

• https://finance.yahoo.com/news...
• https://www.theregister.co.uk/...
• https://www.thememo.com/2017/0...
• https://arstechnica.com/tech-p...
• https://www.pcworld.com/articl...

Some of the above links are kind of old, but note the ISP one. Legally, your internet service provider in the U.S. can sell your browsing information. Because of this, intelligence agencies can just purchase your data for cheap rather than getting a warrant and paying a government employee to waste their time. I'm mentioning ISP because Facebook has been trying for over a year now to bring the Internet to all kinds of places. They would become an "Internet Service Provider." In any case, if the app has an advertisement, you can be tracked.

The real note to take away from this is to realize data can be created and never destroyed and don't put anything on the internet you don't want found. I wish people would realize privacy settings are a joke; they only protect you from the average person. Anytime you see "convenient" or "secure" for a service, just assume it's complete BS because your government doesn't have the time or resources to actually physically search and seize everyone so they have software for it, contrary to "Martial Law" conspiracies; cloud computing makes it easier.

And since this news regarding terrorism, do you know why it was so hard to find Osama? It's because so far as we know, the most technologically advanced thing he ever personally used was a kidney dialysis machine or the Cold War weapons the U.S. gave him. The wor

WhatsApp in the meantime is there on many more platforms.

Of which most are soon-to-be-deprecated (like S60, BlackBerry, etc. basically anything that isn't iOS nor Android)

Or are nothing more than a glorified remote viewer-over-html (for Windows/Mac OS X/Linux) and needs to be used together with the phone app.

So, all things said, WhatsApp only supports iOS and Android officially too, like everyone else.

And although they started as a variant of Jabber/XMPP, WhatsApp has been extremely active in trying to shut down and perma-ban any attempt at a 3rd party client.

https://www.whatsapp.com/faq/e...

I'm sure this doesn't have anything to do with it...

It is pretty easy to make a protocol that is tamper evident, and it has already been done with other messaging platforms. https://www.whatsapp.com/faq/e...

A desktop version still doesn't help me. I own a PC, an Audiovox 8610 flip phone, and a Samsung Galaxy Tab A tablet running Android "Lollipop". I can't install it on my PC because according to the download page, "WhatsApp must be installed on your phone." I can't install it on my phone because an Audiovox 8610 is not listed as a compatible phone on FAQ #20951556. I can't install it on my tablet because according to FAQ #20951556, "We currently do not support tablets or Wi-Fi only devices, and do not plan to do so in the foreseeable future."

How does this work with web.whatsapp.com ?

From https://blog.whatsapp.com/10000618/end-to-end-encryption/:

"The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. [...] Not even us."

But my browser connects to web.whatsapp.com ? Are the messages decrypted in the browser ? Is there a key in the cookies ?

The first thing you do to connect is scan a QR code. I just tried scanning one with a generic app (not whatsapp), it's a couple of base64 string 42 bytes and 16 bytes long. That could work as a key (symmetric). I cant't seem to chromium-inspect the content that's feeding my web.whatsapp.

Anyone with data on this ?

Last January Whatsapp has removed the 1$ fee, so it's now free indefinitely. https://blog.whatsapp.com/615/...

This is true, it wasn't working this morning at home (VDSL2) and at work (small corporate provider). Not even http://web.whatsapp.com/ was working...

There's Instagram, Vine and Snapchat clients for Windows

...Phone. I visited with Windows 8.1 and got these:

• "Need an account? Download the app to sign up."
• Don't have an account? Download the app to sign up! That page's Windows button took me to the Windows Phone Store, which in turn gave me an error message "You need a Windows Phone with a linked Microsoft account before you can get apps from the Store."
• Blank black screen.

You can use the whatsapp web client on your device so long as you have the app on a smartphone to register.

From the Android download page: "Tablet devices are not supported". I have no smartphone. Is a smartphone still a luxury, or has it become a necessity?

And as I said you can run the Android apps in bluestacks.

Is BlueStacks based on Google Play or AOSP? Android distributions based on AOSP lack Google Play Store and thus cannot download Google Play Store-exclusive applications. In any case, it appears that BlueStacks is something that "everyone's gonna have to install" just as Flash Player and Java used to be; did I miss something in my assessment?

The API's are open source so enhancing is easy.

AFAIK, that's not a thing. You don't open source an API, as an API is a documented interface, not source; Similarly, see java's API battles with Google - reimplementing someone elses API is fair play. This doesn't make it "open source" though.
Regardless, where is the WhatsApp API documented? I couldn't find any mention of it on their site. The closest I got was: https://www.whatsapp.com/faq/e...
That's 2 ways for an iPhone APP to integrate with WhatsApp, which is not a full API, but just a way for an app to send messages by triggering WhatsApp.

On the other hand whatsapp plus is and was never available in the play store or any other official store.

I don't know how accurate that statement is. I just looked, and there are things like "Install WhatsApp Plus+" app on the google play store, and (possibly not exactly the same thing) there's WhatsApp Pro and WhatsApp_World on the amazon store.

About the name infrigment I agree with most of you but enhancing an app that is licensed under the GNU or GPLI license with open source Api's is free.

WhatsApp is not available under the GPL.
In addition, when forking a GPL'd project, you must still change the name. See netscape/mozilla/firefox, or openoffice/libreoffice/etc. There's loads of examples, but you don't steal a name because that's similar to saying you wrote the thing (or that they wrote your thing). You can use a related name, but it should be clearly different.

From a developer's point of view it's called improvement. Since they only ask donations just to go further with the development of it.

Ok, so I tried to find WhatsApp Plus+, assuming the source would be available since he's just making improvements and such. Where is it!?! There's loads of different sites with downloads for it, and they all look pretty shady and have very short FAQ pages (like 3-4 entries with nothing of real value). Where is its real home page? The version on uptodown.com seems to be the top page for it, but uptodown.com is just another play store and even has loads of random downloads for windows, mac, linux, android, etc... that's not the developers page.

1st year is free : http://www.whatsapp.com/faq/ge...
99 cents/y may be cheap, but certainly not free

Mistake one - it only works on a single browser

...simply open https://web.whatsapp.com/ in your Google Chrome browser...

WTF!?!?!? There is Google Chrome, Apple Safari, Mozilla Firefox, Opera, Internet Explorer. All those with large user bases. I am not even counting the small browsers. And they chose to release only for Google Chrome? What year is this, 1995?

I opened it in Chromium on Xubuntu 14.04, and it still doesn't fucking work. I reserve my swearing for the most egregious cases of malice or incompetence, and this is one of them. I come in with a browser that's recompiled Chrome and they turn me away because I don't have Chrome.

Now as for your other points, some of them appear weak. I want to help make your argument against WhatsApp stronger and even more F-bomb worthy.

If you just have a dumb phone or another platform, you can't use the web client.

<sarcasm>
Of course you can. All you have to do is buy WhatsApp Enabler for $45.
</sarcasm>

Its even worse, imagine that office full of metal that behaves like a Faraday cage, or that office in a bad location sitting on the shadow of 3G coverage.

Then put your office's WPA key into your phone.

Have a dead phone and you're travelling on a train with WIFI and want to use the web client, you can't!

What device would you be carrying with which you expect to use a web application over Wi-Fi? Or do "normal" people still carry laptops?

Link to requirement for WhatsApp Web needing your phone to be on the internet for WhatsApp web to work. I was incredulous when I read the above post, but it's true. How moronic.

I can tell you why I don't use WhatsApp.

While a competent mobile-oriented IM is a good idea in general, I intensely dislike the fact that they went with binding your account to your phone number. I juggle several SIM cards, and that's a no-no in WhatsApp's book.

I really dislike the link to my phone number, plus them uploading my contacts. I use a different phone number for WA only. So the sim that is linked to WA is not in the phone that uses WA. Then I block the contacts from WA, but that block hasn't worked always, so they got what they wanted anyway.

I can tell you why I don't use WhatsApp.

While a competent mobile-oriented IM is a good idea in general, I intensely dislike the fact that they went with binding your account to your phone number. I juggle several SIM cards, and that's a no-no in WhatsApp's book.

I infrequently use Kik for the same purpose as WhatsApp, especially linking its detailed message delivery status, but their recent changes to TOS and embedding a browser in-app makes me wary to continue.

http://www.whatsapp.com/

"Why we don't sell ads: Brian and I spent a combined 20 years at Yahoo! working hard to keep the site working. And yes, working hard to sell ads, because that's what Yahoo! did. It gathered data and it served pages and it sold ads. We watched Yahoo! get eclipsed in size by Google..."

Here is what just happened. Using a free app with no ads, some people collected the phone numbers and address books of 450 million suckers. Then for 4 Billion plus some stock, they sold all that information to Facebook, who will in turn re-sell that information selectively based on your Facebook habits directly to advertisers at a premium rate. There is also a messenger app and a bit of tech to enhance the already existing Facebook messenger a bit.

Part of me thinks the price was so high with stock simply to create a big buzz and get even more suckers to sign up, allowing them to reap more consumer information, etc...

Have fun getting robocalls for the rest of your existence until you change your phone number.

And this promise that nothing's going to change? Laughable. If nothing else it will receive facebook branding (subtle, such as color changes) pretty quickly, and the only reason to build it out further is so that they can reap even further benefits (read: more users) over to facebook at a later point.

"Independent"? Nothing will change? LOL. They are in for a big surprise if they actually believe Facebook's line of bullshit. And here's a short piece of one of their blog entries:

http://blog.whatsapp.com/index...

Why We Don't Sell Ads

When people ask us why we charge for WhatsApp, we say “Have you considered the alternative?”

At WhatsApp, our engineers spend all their time fixing bugs, adding new features and ironing out all the little intricacies in our task of bringing rich, affordable, reliable messaging to every phone in the world. That’s our product and that’s our passion. Your data isn’t even in the picture. We are simply not interested in any of it.

Remember, when advertising is involved you the user are the product.

Now that Facebook has spent $4 Billion Dollars (the $12 Billion in funny money is irrelevant) these guys are in for a rude awakening.

Nokia was still making well-designed phones with full keyboards up until fairly recently, with the last holdouts in their Asha line. The X2 was very low-end but a good design (rugged as heck but tragically low onboard memory, slow processor, low-resolution camera, & no WIFI/3G), despite lackluster stats. Usability, ruggedness, & things other than "can it play [latest ad-revenue/money-harvesting game]?" or "does it [make money for] google?" is what's key.

As nice as keyboard slider phones can be, I personally think the best design is the Blackberry-style full-QWERTY bar phone with a d-pad (& a screen which can have the touch-functionality switched on & off (capacitive touchscreens can be *too* sensitive)). NEC *tried* to make an Android phone meeting some of these specs, but I understand it fell far short of expectations. I had high hopes.

The new Blackberries, & the NEC Terrain, both have full QWERTY, but lacked any other meaningful inputs than the touchscreen, like the ever-useful d-pad, which is also lacking in the HTC ChaCha/Status. Nokia made the last good phone design with their E6 (or N950/E7), but that was underpowered & had numerous flaws. So I've (personally) settled on what I consider to be the least worst phone around still, a Nokia E73. I still see people with them out & about in the world, & it works quite well for me, as my primary mobile. I can do most anything on it that I need to: I can use various social media/internet functionalities (whatsapp (which is amazing how a major company designs their software to be accessible on most device platforms, not just iDevices & Android!), facebook, synctxt, okc, goodsearch - an enlightened alternative to google, twitter, etc.) & have access to an excellent email client, Citrix support, FM radio built-in (lucky me, I live near Good radio stations), & an amazing GPS. The camera's decent, too. Sure, it's carrier-locked (T-Mobile) but it has better stats than the E72, has built-in WIFI calling & has better data/radio frequencies. It has an older processor & low ram, but I have a 64gb microSD card & if I offload messages semi-regularly it's great for intense everyday use. I have destroyed many mobiles with what I consider "normal" everyday use, so real durability is important, & lacking as a design consideration in most mobiles.

I also have an N900, & bought a spare for when I can buy the Neo900 upgrade. I think that is still too slow (1ghz processor, 1gb ram (but a good sight better than the old specs (which still work decently well)), & the 3-row QWERTY is a setback, but I can do a lot with it, & it's an amazing device in essentially every other regard (admittedly, it's not my primary mobile). The N900/Maemo was/is too touch-driven, interface-wise, &, at least in theory, a Moto Droid or some other 4+ row QWERTY slider phone (Android seems to be the only option, as I don't think anyone's making non-Bluetooth (seriously, why waste even more battery with that when you can make a battery hutch/slide-out keyboard that plugs into the microUSB port (or Lightning port on i

True: http://www.whatsapp.com/faq/general/21864047

It's not so much about the key server, as I was musing that it there appears to be systems in place to have private email conversation that don't rely on manual processes or the service (email) or service provider (insert ISP here) themselves.

One problem that does spring to mind here is NAT'ing.
All phones (don't own an LTE one yet, maybe they're IPv6?) have an RFC1918 address, natted behind the ISP.
Unless magic is happening, or there's some knowledge I don't have, two phones can't connect to each other, not without a trusted 3rd party.
whatsapp may encrypt your communications, but what's actually happening is you're routing all your traffic through a single party who, if they wanted to, could divulge everything.

Could you handshake a set of keys that couldn't be compromised even though the entire conversation is being routed through your messaging app of choice's parent servers?
Is that analogous to an SSL handshake over the public internet?

When I send a text-message to a bunch of friends using my mobile phone via my telco, the telco is certainly not allowed to inspect the contents of the message, let alone to share it directly or indirectly with 3rd parties, such as advertisers.

Well, that's why clever people invented Whatsapp. It conveniently supports a global data tap on user SMS - and they all are happy to do it because it does so much more (read: the user also provides all those nice images). And because Apple didn't wanted to be left out, it created iMessage. Oh, and Siri, which conveniently supplies voiceprints of every user on the planet - especially with HD voice now making its way into mobiles it's really good intelligence, so I reckon they must be glad with all that effort to get a Siri-alike going on Android. Ah, yes, Android - have a look at point 47..

This is done by companies subject to the practically uncontrolled Patriot Act..

Paranoid, me? No - realistic. Privacy really needs some shoring up..

http://www.whatsapp.com/. Does text, pix, maps, video over a data connection, and folks just need to know your mobile number.