WhatsApp To Share Some Data With Facebook

Two years ago when Facebook bought WhatsApp, the instant messaging client said that the deal would not affect the digital privacy of its users. Things are changing now, WhatsApp said Thursday. The Facebook-owned app will share with the company some member information, as well as some analytics data of its users. Bloomberg reports: WhatsApp announced a change to its privacy policy today that allows businesses to communicate with users. The messages could include appointment reminders, delivery and shipping notifications or marketing material, the company said in its revised terms of service. In a blog post, WhatsApp said it will be testing these business features over the coming months. The strategy is an important step for Facebook as it attempts to make money from its most expensive acquisition. In addition to the messages from businesses, WhatsApp said it would begin sharing more information about its users with the "Facebook family." The data, including a person's phone number, could be used to better targets ads when browsing Facebook or Instagram, WhatsApp said.

"Some" data?

Try all the data. Privacy is dead, and has been for quite a while.

Re:"Some" data?

[The+Real+Dr+John]

This is why mergers and buyouts are such a problem. People need to start boycotting companies that do this kind of thing. Also time to bring back anti-trust laws and break up any companies that are "too big to fail".

Re:"Some" data?

The majority of my friends aren't geeks. What really weirds me out is that they say they wouldn't tell their friends everything about their private lives, but if I tell them that IT admins with access to their entire online life are just people like me, their eyes glaze over.

I try to explain it in simple terms: You don't want me to know this private stuff about you - but in my professional capacity I have access to all this information about you. There are numerous examples of governments with political agendas or individuals with personal agendas abusing access to private information. You are relying on the fact that you will never knowingly or unknowingly get on the wrong side of anybody in that position.

But still, blank.

I don't know how to explain it to people. I mean when I was a kid life was simpler, as actions were less likely to have consequences: I'd just go into l33t hax0r mode and obtain files from their machine / school computer account and then show them what I can do. They'd feel embarrassed and I'd teach them a bit about basic security. But as an adult and in this "post-9/11" world of fear, I wouldn't dare take that approach.

I just don't know what to do.

Re:"Some" data?

[TheRaven64]

It was always a stupid-sounding idea to use Whatsapp (I mean that as a totally independent fact, relative to whether or not Whatsapp was actually any good or not). From the very beginning, it was just someone's proprietary app that used an undocumented protocol. Nobody who is trying to do things right, is going to use anything like that.

Of the proprietary messengers, WhatsApp was the least bad. It was founded by people who grew up in the Soviet Union and left with an abiding hatred of surveillance, had a very strong privacy policy, and did end-to-end encryption. Also, using Erlang on FreeBSD, it had a lot of geek cred. Unfortunately, when Facebook bought it there wasn't much chance of it keeping the philosophy of the founders. On the plus side, they did donate $1m from the sale price to the FreeBSD Foundation.

I used to be a big advocate of XMPP, but it's largely been mismanaged into the ground by a lack of leadership in the standards body and a lack of decent reference implementations for the client side. Tox seems like the best bet at the moment for producing something that is both secure and open, yet with implementations that you can give to normal humans and get them connected.

Re:"Some" data?

[jenningsthecat]

...People need to start boycotting companies that do this kind of thing.

The vast majority of people don't care and don't want to know. They've been trained from birth to not be analytical and to follow the herd. For those in power, making "the people" feel powerless is good; making them feel that everything is OK and that they have neither need nor desire for power, is even better.

Also time to bring back anti-trust laws and break up any companies that are "too big to fail".

To a large extent, laws are effectively written and enforced by the companies that are "too big to fail" and their friends. Unless and until corporate hegemony is upended or destroyed this kind of abuse will continue to grow.

Re:"Some" data?

[The+Real+Dr+John]

Sad but true. But that doesn't mean people shouldn't try and make things better. It's not like these things are unavoidable natural disasters, they are the results of plotting, greedy sociopaths. We can fight back, and that, thankfully, seems to be a recurring theme in this election cycle.

Re:"Some" data?

[jenningsthecat]

The majority of my friends aren't geeks. What really weirds me out is that they say they wouldn't tell their friends everything about their private lives, but if I tell them that IT admins with access to their entire online life are just people like me, their eyes glaze over.

I try to explain it in simple terms: You don't want me to know this private stuff about you - but in my professional capacity I have access to all this information about you. There are numerous examples of governments with political agendas or individuals with personal agendas abusing access to private information. You are relying on the fact that you will never knowingly or unknowingly get on the wrong side of anybody in that position.

But still, blank.

I have the same problem. I think it has something to do with 'out of sight, out of mind'. If our friends don't know, will likely never meet, and don't know about the people who have access to their private data, then it's easy for them to keep their heads in the sand. It's comfortable, it requires no additional effort, and the threat of having to change their daily routines and upset their social structures feels more imminent and more dangerous than the (in their minds still abstract) threat of having their private info revealed to the world. I think this is partly just a human trait, and partly the result of indoctrination in public schools in an industrial society.

I don't know how to explain it to people. I mean when I was a kid life was simpler, as actions were less likely to have consequences: I'd just go into l33t hax0r mode and obtain files from their machine / school computer account and then show them what I can do...

I just don't know what to do.

I've never been remotely close to being a hacker, never mind 'l33t'. But I also don't know what to do. I offer my friends help with making their online activities safer and more private, and all I hear are crickets. And I'm not talking about ditching Facebook, Twitter, and the like - I'm just talking about ad blockers, NoScript, and a basic education about the types of places and behaviours to avoid. If they won't even do the Internet equivalent of asking a partner about STD's before having sex, how the hell would they ever come to terms with the fact that companies like Facebook are just using them and plundering their very lives for profit? Sometimes I feel like Neo in The Matrix.

Re:"Some" data?

[Cigarra]

Nobody who is trying to do things right, is going to use anything like that.

Oh, you're such a nerd. Not that's anything wrong with that! But the world doesn't work like that. Most of the people don't make app usage decisions based whether or not they're based on open standards / protocols, but on what kind of User Experience they get from the apps. In that sense, Whatsapp was FAR FAR better than the SMS they were competing with they started, back in 2009-10. The rest is history.

Re:"Some" data?

[wvmarle]

WhatsApp messages are end-to-end encrypted - or so they say, at least. I'm by no means an expert so I take their word for it, including it being unbreakable and WhatsApp not being able to read my messages while in transit and so.

This means the only data WhatsApp could possibly have from me, other than my phone number and my contact list, is encrypted messages (something they can't search for clues about my interests - yes I'm conveniently ignoring the time before they encrypted it all), and how many messages I exchange with whom, and the size of those messages and maybe info about attachments (type and size).

Where is the value in such data when it comes to targeting ads?

Re:"Some" data?

[Shadow+IT+Ninja]

Privacy can be taken back. You may have lost control of your existing data but that doesn't mean you can't protect yourself going forward. Besides, privacy is a complex family of issues and I there are a lot of aspects which aren't dead yet or which could get a lot worse. We have not yet come to a point where people are tracked with facial recognition (and other identifying technologies) everywhere they go in the physical world. We have not yet come to the point where our DNA is analyzed to discover what marketing strategies we are susceptible to. We have also yet to really explore the idea of symmetry of information. That is, the right to know all about the people who know all about you.

Re:"Some" data?

[Shadow+IT+Ninja]

Indeed, after talking to a lot of people recently about Facebook, I am impressed at how many have an account because of peer pressure. These people mostly say that they don't log on very often and when they do, they just check items about events and never post anything. So the support for Facebook is very broad but also very shallow.

Regarding antitrust laws, I think there have been different attitudes at different times in history. In fact, I think we are building towards a populist movement now which could lead to a round of trust busting like we haven't seen since the presidency of Teddy Roosevelt. A lot sentiment has been pro-business but that has been changing. I hope that it changes to pro-free market and trust busting supports the free market.

Re:"Some" data?

What matters is alternative action routes, rather than information.
If Facebook provides me with great benefits (emotional, social, financial, whatever) and you say it is bad, what am I to do? To give up these benefits?
If you provided some alternative: "google knows too much about you, when you want to be forgotten use duckduckgo" it's easier to act upon your advice.
What is the alternative you propose? How can I be informed of social activities and promote my products without Facebook?
For me, I took the choice long ago, for others, we need to provide a way out.

Repeat after me...

[HungryMonkey]

If you're not paying for the product, you are the product. Surprise, surprise.

Re:Repeat after me...

It's open source. You're not the product, you're the quality control department.

Standard protocol

[tsa]

I wish the EU would force makers of messaging software to standardize the protocols they use so that I can choose to use the program I want to use. As it is now you have to use what everybody uses to stay in touch with your friends, so now I have to give the datasuckers at Facebook all the information I so desparately don't want them to have because Whatsapp is a handy tool that everyone uses. I would gladly pay for a program that does what Whatsapp did before it was part of Facebook and nothing else, but I can't now because I can't force friends and relatives to use the same thing I do.

Re:Standard protocol

[0100010001010011]

XAMPP, IRC and Email are all pretty well documented. All have multiple clients.

Re:Standard protocol

[TheRaven64]

Signal is probably secure, but all communication goes via OpenWhisperSystems' servers, as does registration (which ties your identity to your account). They can't be forced to MITM your connections (probably - unless someone finds a vulnerability in the protocol), but they can unilaterally delete your account and they can be coerced into doing so. In contrast, Tox is completely decentralised (no central servers, it's a pure peer-to-peer network). Your identity is just a public key, so the only people who can identify you on the network are people that you have told your public key to through some out-of-band mechanism (or people who can view enough of the network that they can associate a public key with something else - i.e. an adversary like the NSA).

Re:Standard protocol

[butchersong]

The permissions for signal seem pretty insane though. Then again, maybe this is standard these days:
http://support.whispersystems....

Re:Standard protocol

[TheRaven64]

Considering that the entire selling point behind Signal is that it's supposed to be resistant to "an adversary like the NSA," I would think their ability to trivially associate a key with a real person would kind of turn that on its head.

Any global passive adversary can do traffic analysis on any communication network. Signal's message encryption should stand up against the NSA unless there are any vulnerabilities in the implementation that the NSA has found and not told anyone about or unless they have some magical decryption power that we don't know about (unlikely). Protection of metadata is much harder. If you connect to the Signal server and they can watch your network traffic and that of other Signal users, then they can infer who you are talking to. If they can send men with lawyers, guns, or money around to OWS then they can coerce them into recording when your client connects and from what IP, even without this.

In contrast, Tox uses a DHT, which makes some kinds of interception easier and others harder. There's no central repository mapping between Tox IDs and other identifiable information, but when you push anything to the DHT that's signed with your public key then it identifies your endpoint so a global passive adversary can use this to track you (Tox over Tor, in theory, protects you against this, but in practice there are so few people doing this that it's probably trivial to track).

No system is completely secure, but my personal thread model doesn't include the NSA taking an active interest in me - if they did that then there are probably a few hundred bugs in the operating systems and other programs that I use that they could exploit to compromise the endpoint, without bothering to attack the protocol. I'd like to be relatively secure against bulk data collection though - I don't want any intelligence or law enforcement agency to be able intercept communications unless at least one participant is actively under suspicion, because if you allow that you end up with something like Hoover's FBI or the Stazi..

Repeat after me

Nothing Facebook says can be trusted. Same goes for any company whose product or service you aren't paying for, and lots of the ones you do pay for, too.

Two years ago when Facebook bought WhatsApp, the instant messaging client said that the deal would not affect the digital privacy of its users. Things are changing now

Things always change. Companies always break their promises, er, "update their terms of service." Look at how many statements Microsoft made about Windows 10 that turned out to be utterly false, for example. Welcome to America, the show where the rules are made up and promises don't matter.

Re:Surprise?

[TheRaven64]

Yes, probably a lot of people. Before it was purchased, WhatsApp had a very strong privacy guarantee and made a marketing point of the fact that their protocol's end-to-end encryption meant that they couldn't spy on you even if they wanted to. When Facebook bought them, they announced that there would be no changes to this guarantee.

How to delete your phone number from facebook

[Ormy]

So obviously even after you 'delete' your phone number from facebook they will still retain that information indefinitely and probably trying to link your facebook and whatsapp accounts/information. You have to make them think your number has changed. You do this by registering a second facebook account (using a second email of course, and any random name), register your phone number with that second account (thereby removing it from the first account) then wait a while then delete/deactivate the second account. This way facebook will assume the number has changed hands (don't let them know the two facebook accounts were owned by the same person, use a different IP or at least spoof your user agent) and *hopefully* won't make the link between your original facebook account and whatsapp account (phone number).

Re:How to delete your phone number from facebook

[sdinfoserv]

It's even more insidious that that....FB creates "dark profiles", these are profiles on people who don't even have or want accounts. For example you go to visit your 80 year old mother who's not on FB, but you mention the fact that you're going to visit in a post.... they create her as a "dark profile". every time someone mentions her in a post, they continue to data mine and aggregate attributes... age, geographic location, income, relatives, what she likes, gifts given,... etc. You post a selfie with her while visiting - now they have facial recognition to add to the profile - all for marketing purposes and clearly without her consent.

Re:How to delete your phone number from facebook

[Xest]

Facebook already does this, they're in flagrant violation of European data protection laws, but for some reason no one is touching them, it's frustrating.

For example, I installed the Facebook app on my phone and have never given Facebook my phone number. Next time I logged in on my PC it prompted me to add my phone number with a textbox and an add button, except the phone number was pre-populated with my phone number, they were effectively asking me to confirm it by asking me to add it, because they'd very clearly already taken it, illegaly, from my phone, to pre-populate their add textbox (I don't use any kind of auto-fill, it was Facebook's actual website populating it).

This is a complete farce, because they're taking and storing data they have no right to have and then asking you to click a button to make it legal - the fact they even ask you to add it with this pre-populated box means they're completely aware they're breaking the law because it is simply asking you to click the button so that they're compliant. This isn't accidental violation, this is wilful violation, so they should be getting fined the maximum amount by all Data Protection agencies across Europe already.

Apparently you can opt-out of this new WhatsApp data transfer when it comes along, but what's the bet if you opt-out the data still gets sent regardless?

Re: Surprise?

[Lab+Rat+Jason]

GCHQ and NSA got in trouble???? [citation needed]

"We won't share your data"

[JustAnotherOldGuy]

"We won't share your data, but the people we sell it to will."

Suckers.

Anyone that believes the "We won't share your data" claim is either gullible, naive, or just plain stupid.

Of course they'll share your data, that's what their mission is: to collect your data and share it.

Stop kidding yourselves, this is what it's all about. You'd think people would have learned this by now, but noooooooooooo...

Who didn't see this coming?

[alispguru]

I did, when we talked about WhatsApp back in 2014.