Looks like interoperability is geo-fenced to Europe only.
This reads like a lot of words to say Fuck You Europe to me.
Well, feelings are mutual, at least we are on the same page, them and me.
Messaging-interoperability is the one aspect of the DMA I don't support. These apps are free to download; and if you care about security (and use Signal) you'll want to avoid cross-service messaging anyway.
Yes but you aren’t truly free to choose which app you download. You have to use the one being used by the people you want to message. That is of strong benefit to incumbents.
Even then, that consecutive 60-day limit sounds bizarre. For instance, someone who has dual citizenship could legitimately switch between an EU and a non-EU country every single month. Why shouldn't that person have access to these "Interoperable Messaging Services" when in the EU?
There are government services that use whatsapp in my country. This argument "just don't use it" is very tired.
Interoperability can be achieved with E2E encryption.
Without additional regulations across the globe it’ll be simpler playing the geofencing game for those companies.
World's most stupendous & drawn out Yak shave, if one thinks about it
Now, not sure what I was hoping for. None of my messages currently go through Meta and I'm quite happy with this.
As an implementer, I certainly wouldn't want to police and track my users and their location for a chat service, and as a user I wouldn't want a chat service to track me.
I also certainly don't want to depend on a system which is unreliable because it artificially depends on my or my contacts position on Earth
This whole thing sounds like something I will not want to use anyway.
Some of them even threaten back charges if it turns out you used more data abroad than at the home country over a long enough period.
I called their bluff once and got away with it, but their systems may have improved since then
I think the previously often raised objections to interoperability were technically and economically mostly sound (federation is much harder to achieve in a secure way, thinking of key distribution, identifier verification etc.).
Now overcoming all of these obstacles and then going the extra mile to implement geofencing (which also has tons of edge cases!) completely undoes that argument.
WhatsApp makes their money from the business clients/apps (which aren't covered under this, which I think is fine by the way).
So why care where a user is on the planet? I just don't see the business reason for this. Maybe I'm missing something?
On the other hand, I could imagine their business messaging ambitions to be threatened by third-party clients: There's nothing stopping the vendors of these clients from undercutting Meta on business messaging rates.
And this is all assuming that third-party services couldn't provide their own business messaging services to first-party WhatsApp client users without paying Meta their list price. I don't know whether the DMA allows that, or if normal rates would still apply in that case.
The data is otherwise E2E encrypted but when you see a link preview on WhatsApp Meta knows that.
I've been waiting for this, and hoping I could "just" cook up some of my own code to use with WhatsApp, and/or integrate it with Pidgin or bridge to email or whatever. But the entire process is about as hostile as possible.
For example "Partner shall have in place a dedicated security team" basically excludes most startups, or most smaller companies.
It's not clear to me if this is really complying with the DMA – it's certainly not in the spirit of it, but less sure about the letter of it.
That said, I'm sure we'll see open source libraries pop up everywhere to communicate with WhatsApp directly. There already are unofficial WhatsApp clients in various forms, but now they can use the protocol without risking breakage because they reverse engineered the contents of the protocol itself.
I think there will be plenty of space for the Beeper Minis out there right now.
How so? Each of them would need approval by Meta + signing an NDA, and I can easily see that ruling out open source libraries.
That's really a decision you should make, and not WhatsApp – "do I trust this arp242 guy and his GitHub repo?"
And some auditing isn't necessarily too bad, I guess, but a lot of this goes far beyond "basic security"; it's the type of "corporate checkbox security" that we all know works so well.
What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?
my friends and I use WhatsApp because we know the messages are secure. Imagine if every other group message had the “green bubble” equivalent experience if someone was using a custom client.
Without the DMA, Meta can make it very hard for any business model based on them, but it's never been a technical obstacle.
In a very similar way, you also need to trust your friends to not activate WhatsApp chat backups to Google Drive or iCloud without a password if you don't want end-to-end encryption to be compromised (there's no indication if they have it on or not), and that's the default suggestion by the official client.
I need to read a bit more carefully through the (limited) technical documentation they have; but all of this seems highly excessive. I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.
I don't know what "the green bubble experience" means(?)
Many people don't actually ever verify their contacts' keys, but rather just rely on the platform provider to have done phone number verification correctly. In that sense, the security model is bit better than TOFU in practice.
> I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.
There I fully agree. If anyone could find a way, it's the company running the largest messaging infrastructure in the world.
But even if you're using the official super secure endpoint, there's nothing preventing the user from taking a picture of the screen, which bypasses all protections.
It is probably a positive change for end users, but far far away from the "open up your protocol" I was hoping for.
Making messaging interoperability with third parties safe for users in Europe
https://engineering.fb.com/2024/03/06/security/whatsapp-mess... (https://news.ycombinator.com/item?id=39614085)
Facebook (and TikTok) store tracking data on iOS that the user CANNOT SEE and CANNOT DELETE:
• It shows my previous account even after I delete the app.
• Clearing Safari's cache does not work.
• Disabling iCloud Drive and iCloud Keychain does not work.
• Even completely signing out of iCloud does not work!
• On a Mac in the Terminal, you can go to ~/Library/Mobile Documents and "ls -al" to see hidden folders like "iCloud~com~Facebook~Messenger" that you cannot otherwise view or delete.
• Someone mentioned that even RESTORING an iCloud BACKUP will resurrect these "eternal cookies"!!
----
WHERE do they store this data?
WHY can't the user see this data?
WHY can't the user delete this data without going through the app?
WHAT ELSE do apps store on our devices that we aren't even aware of? (This is just what we can see: The list of saved accounts for "quick login")
HOW MANY other apps are secretly doing this?
WHY does Apple, parading around as a pompous paragon of privacy, even allow this in the first place??
It would be really great to have a keychain section in iOS’s settings, like Keychain Access on Mac. The dev can build in-app functionality to delete keys from the keychain, but there’s not a huge incentive to.
Keychain storage doesn’t let FB track you, just store sign on info, keys, and the like. It’s not able to execute arbitrary code, it’s an encrypted place to store login info that Apple syncs between your devices.
Use them via Safari if you don’t want this (then your logins are saved & synced in Safaris keychain.)
This is an issue because if you ever use an app by a company, uninstall all their apps, and then install one of the developer's apps years later, they can tell it's the same iOS profile (even restored on a different device), profile what you do across those apps/installs/decades, and associate any accounts you log in with. Essentially they can put a permanent cookie that you can't even see on your iOS profile that's shared between their apps. If you use iCloud Keychain, they can probably profile you across all your devices regardless of whether you reset one.
Apple has said this isn't intended functionality and they were going to address the issue many years ago in iOS 10.3 by removing Keychain data when the last app from a developer was uninstalled [1], but they got cold feet. If I recall correctly, the reason was that some app developers were relying on this unintended functionality to ensure free trials couldn't be used more than once. Apple was going to introduce a service that could store only 2 bits of data to enable that use case and then revisit Keychain deletion when the last app from a developer is uninstalled, but it appears they haven't.
It would be great if they'd finally fix this.
If you detect that a user is abusing your service, the ability to put a permanent cookie on their device is very useful.
This isn't effective against organized crime groups (they can just get Macs / use the web / whatever), but works well against your average troll or internet racist.
Still tracking, but a very different kind of tracking.
It sure lets app developers identify me across app deletions and reinstalls!
I'm also not sure why Apple has kept this loophole open for so long when they are otherwise so focused on making sure user tracking across reinstalls is so hard (e.g. by making APNs tokens change after a reinstall, which used to not be the case as well, restricting access to read the device MAC address and other permanent identifiers etc).
And I am looking at my iPhone now and Meta does not store tracking data in the Keychain.
https://apple.stackexchange.com/questions/441112/how-can-i-r...
Are you serious? They literally know my previous accounts even after I DELETE the app, WIPE the iPhone, and login to the same iCloud account on ANOTHER iPhone.
They do this by storing some data. They can store data about anything else. How can be sure if we can't even LOOK at that data?
I only caught this because of the visible symptoms they CHOSE to show us: The list of previous logins.
I'm sure you can remove most and/or all Mac OS files, but they're increasingly using trusted computing and even designing their own chips to increase the control they have over the devices (and correspondingly limit user control).
They sell this as a security feature these days, but the appliance model predates that and security is kind of just along for the ride.
I'm glad to see that people feel strongly that they should have control over the files on their system. I'd like to see that help move us toward users having full control over their computers.
And there are no eternal tracking cookies for Safari even first party ones are deleted every week.
Disabling the iCloud keychain doesn’t clear your local copy.
Or maybe this happens because it's completely off-topic here and has nothing what-so-ever to do with WhatsApp?
Most of your other messages seem similarly off-topic: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
Not only that, people have already answered your question in a previous thread.
There was a popular post just a few hours ago about Filezilla (whatever that is) containing adware in the default download.
This is a FAR more grave violation of privacy than anything so far — Tracking people ACROSS reinstalls AND MULTIPLE PHONES!
Or what tracking data you are referring to ie. is it cookies or local storage but either way you should maybe speak to Apple Support.
Yes iOS apps can store local data and if you're unhappy about it then just delete or reinstall the app.
Well, that doesn't delete all local data. That's exactly the problem!
Good alliteration.
Apple doesn’t enforce what the app does with app data. Apple makes sure that if the app uses a platform API that is sensitive, it gets your opt-in (or prohibits the use of the API altogether). Apple makes sure that the app publishes a privacy nutrition label. But what the app does inside with whatever data you choose to give it, that’s up to the app.
If you voluntarily choose to give data to the app, what the app does with it is your problem. Apple just tries to make sure the app can’t take data that you haven’t chosen to give it.
Meta is requiring that people reside within the EEA, not just are someone who is an EU citizen. They're requiring integrating services to give them the IP addresses of users and for the integrating service to confirm that you're within the EEA at least once in any 60 day period. If Meta thinks you're violating that as a user, they'll cut you off from the integration. If they think the integrating service is just violating it, they'll cut off the integrating service.
It looks like Meta might be requiring as much identifying information about you as they can get so it will probably be relatively easy for Meta to figure out who is cheating.
But if you're not trying to cheat, then yes you'd be able to message US WhatsApp users from a non-WhatsApp account in the EU.
https://www.wired.com/story/whatsapp-interoperability-messag...
Matthew also did a Fosdem talk about it about a month ago: https://fosdem.org/2024/schedule/event/fosdem-2024-3345-open...
I'm sure the free market will handle it ;)One that never loads images would be lovely.
Edit: Waaait a bit. I have it on iOS and I have it on some laptop where whatsapp desktop is an old version.
I can't find it on my desktop where their desktop app is the latest and greatest...
They probably "improved my whatsapp experience".
Edit 2: besides, that just doesn't download the photos, I think? They still take half the screen that could be used for displaying more text...
At least 7-8 years. Probably from whenever it became possible to send media messages.
I'm impressed with EU regulation. Standardized chargers, ending roaming charges, GDPR, DMA. Definitly worth the side effects overall.
I really like the DMA too
Just...use Matrix or XMPP or something ffs. The open protocols _already exist_.
I have some minor hope that WhatsApp will eventually switch to MLS+MIMI, as someone from Facebook does take part in the design process, but that could also be because of Facebook Messenger really.
Can you elaborate on this please?
XMPP needs to have a username and server name at the very least. This is because it needs to work in a federated context, and it doesn't use things like DHTs to decentralise messages in a way that allows hiding the routing data. The message body is encrypted, of course, and headers can be minimised, but there will always be unencrypted metadata. To quote the spec:
> The OMEMO protocol does not protect against attackers who rely on metadata and traffic analysis.
As for Matrix: the message body is usually mostly encrypted, but it's leaking a lot of metadata. Message IDs sometimes fine themselves outside of the encrypted envelope as well as timestamps and other information I don't think should need to be outside the encrypted envelope.
Neither XMPP nor Matrix were designed with encryption as a first priority and that led to protocol design choices regarding metadata that cannot be altered without breaking most clients. They also tend to store messages grouped by chat group/conversation, though multi device support is technically optional for XMPP. From a server dump of either XMPP or Matrix, someone can deduce what users are chatting to what users when. In Matrix, you could deduce what messages are responses, updates, or deletions of what other messages, as well as reactions. For Signal, you'd need wiretaps on both sides to deduce that level of information.
A protocol like Signal would be near impossible to federate. That said, if federation is your goal, MIMI+MLS seems to be the future. Matrix is moving towards MLS, Google's RCS encryption already uses MLS, and MIMI and MLS are often tied together in spec definitions. I believe the XMPP people are also working on (have finished work on?) embedding MLS in XMPP as an alternative to existing encryption methods.
"Partner represents and warrants that it shall not introduce into WhatsApp’s Systems or Infrastructure, the Sublicensed Encryption Software, or otherwise make accessible to WhatsApp any viruses or any software licensed under the General Public Licence or any similar licence (e.g. GNU Affero General Public License (AGPL), GNU General Public License (GPL), GNU Lesser General Public License (LGPL)) containing a "copyleft" requirement during performance of the Services"
But ... it's not like WhatsApp is hiring me as a sysadmin for their servers, are they? Why would they give me access to their systems? They won't. This seems copy/paste legalese.
"Access" in this case just means "ability to interact with". It doesn't imply root/admin abilities.
That’s pretty much the purpose of Facebook? ;)