I am soon moving out for university and am going to meet a bunch of new folks. But I was wondering how do you go about approaching this with privacy in mind?
It is a little bit wonky to ask someone you just met to download Signal, if it is a group of people then it is more acceptable, or like how do you keep in contact if they don’t use any of the messaging platforms you use such as Signal and Telegram, and if you don’t use any of the ones they use such as WhatsApp or Instagram DMs (yes zoomers in the US use these) or Snapchat? Do you just use SMS where videos are absolute shit quality and you have no privacy there either?
Let me know how you deal with this issue.
WhatsApp is end-to-end encrypted.
They asked about privacy, not security. WhatsApp is profiling you.
Except it is more private than alternatives like Instagram DMs and FB Messenger (ironically all by the same company), which are not e2ee.
@glacier’s response pretty much covers it all, and it’s confirmed in the WhatsApp FAQ.
Sure, they could find out who you are based on someone who added you as a contact. But if you don’t have a FB account, or don’t use your real name there, all they’ll know is that you have a WhatsApp account, but won’t see your messages, unless someone reports your messages. Sure, that’s not as great as Signal, but much better than Discord/Slack/Snapchat/etc.
There’s also the issue of trust. Can we trust WhatsApp when they claim it’s e2ee? There’s no way to verify, but the same can be said for other OSS alternatives; for instance, Telegram servers are not open source and the client you download might not be the one you see on GitHub. So there’s no guarantee your private key is not sent to the server at any point.
They don’t need your chit-chat to profile you. Metadata profiling is where it’s at and that’s why that whole e2ee introduction was just a marketing ruse. It’s good enough for the NSA, so it’s good enough for Meta. And Meta does collect that data even without an account.
Well, your example is not open source, so yes, you cannot trust Telegram. Signal open sourced their server code some time ago. Even with FOSS you have to stay vigilant though and complete trustlessness is hardly achievable (do you trust your device? Your carrier? Your communication partner’s? Etc.)
It’s good enough for NSA to catch a terrorist, not necessarily useful enough for FB to produce targeted ads. If one plans to commit terrorism, WhatsApp is definitely not the best platform.
According to the article you linked: “In most cases, if metadata must be generated and/or used, it should be either 1) minimal or 2) encrypted so that it’s unreadable by the server handling the request(s)”. So most of the important metadata from your files will be encrypted, which makes them inaccessible by WhatsApp unless they decrypt it (thus breaking the e2ee promises). Maybe they’ll know the file size or the file name, which you can easily change; what will they do with that?
So they are pretty much left with IP (if you don’t use VPN) and phone numbers you have contacted (which are already known by Apple/Google, NSA, etc. if you have a phone number and use it for calls).
I disagree. Identifying a terrorist and their whereabouts for targeted assassination is not that different to serving personalized ads. It’s all about gathering information about the person.
True, file metadata is inaccessible like message content, but I was referring to message metadata, which covers IP address and phone number (as you mentioned) but also geolocation (possibly live - WhatsApp is an application after all), and when you communicate, with whom, and how often. You can derive lots of info from that, especially if your communication partners are more careless about their data and may maintain an active social media profile with Meta.
It’s definitely easier than finding out info about someone whose life depends on not being found - like a terrorist.