“We do not track your *PRECISE* location, we don’t keep logs of who everyone is messaging and we do not track the *PERSONAL* messages people are sending one another,” it added. “We do not provide *BULK* information to any government.”
When you use credit or debit cards, your transactions and the data related to them are collected and sold. When you apply for mortgages and close on a house, all that information you put in there is collected and sold.
When you put your address in for the post office, when you apply for a driver's or fishing license... Your local governments collect that information and sell access to it.
Meta tries to then tie in your online and app/phone activity with your legal/financial identity it can obtain through partner data brokers.
This is Facebook's business model.
So, yes, this data is available to pretty much anybody that is willing to pay for it. Which includes governments.
None of this should be surprising to anybody at this point. Apple, Google, Microsoft, etc. All of these companies will do this to greater or lesser extents nowadays, since it has worked out so well for Meta's bottom line.
group messages and messages (metadata),
messages to business accounts (these they can read in full as the client sends to a Meta-owned private key),
and who forwards media to who (deduplication and cdn)
and links (thanks to previews)
and it scans and uploads your contact list in full all the time.
The real question is where they draw the line, not if they do it ever.
Now I don't know the exact details of which governments had which access (was it just for warrants, which nations, what was the line between actual terrorist versus persecuting journalists), but there was absolutely bulk export and the fact that they are lying about it makes me inclined to presume the worst.
The US agency would type in the gmail address of the subject (ie the primary key/identifier) and somewhere between the agency and Google a decision would be automatically made as to whether the owner of the account was a US person* or not.
If yes - FISA warrant was required
If no - the US agency user would have immediate access to the entire google account (think Google Take Out).
In other words, if you were not a US person there was no duty to protect data.
* = US Person is either a US citizen located anywhere in the world or anyone of any nationality who is physically in the US (current interpretation includes visa holders, visitors and even undocumented but that's shifting)
While I can totally imagine that governments would mass-export data, and I don’t doubt your friend's claim, I can also imagine a more innocent interpretation of this work.
I once worked on a large company’s GDPR data-export project. It was a large enough company that it also had a dedicated team to handle legal requests regularly from government(s). GDPR exporting needs to work “at scale” for all accounts, without human-in-the-loop work, and without causing any load issues to running services. The same system also handled legal requests, where the legal team could get an export for a user (almost) identically to the process of a user getting their own data. The legal team had tools set up to work with warrants, subpoenas and similar (internationally) legal data requests from courts and law enforcement. It looks like a “mass export” system, because it was, but it wasn’t used in “bulk requests” from the legal system.
From https://faq.whatsapp.com/444002211197967/?locale=en_US:
> In the ordinary course of providing our service, WhatsApp does not store messages once they are delivered or transaction logs of such delivered messages. Undelivered messages are deleted from our servers after 30 days. As stated in the WhatsApp Privacy Policy, we may collect, use, preserve, and share user information if we have a good-faith belief that it is reasonably necessary to (a) keep our users safe, (b) detect, investigate, and prevent illegal activity, (c) respond to legal process, or to government requests, (d) enforce our Terms and policies. This may include information about how some users interact with others on our service. We also offer end-to-end encryption for our services, which is always activated. End-to-end encryption means that messages are encrypted to protect against WhatsApp and third parties from reading them. Additional information about WhatsApp's security can be found here.
Note specifically "information about how some users interact with others on our service", which contradicts their claim they don't keep logs of which people are messaging each other.
I'm much more inclined to believe they track everything in high precision and also MITM all the messages. Especially now that they are inserting ads.
I'm no apologist for Facebook, none of whose services I use. But get your facts straight. They are not 'inserting ads' in your chats, as you imply. AFAIK they are adding ads to the never-used 'Updates' tab.
Annoying from an ad perspective, no doubt. Vastly different from a are-they-MITMing-your-messages perspective.
"WE don’t keep logs of who everyone is messaging..."
"We don't KEEP logs of everyone who is messaging..."
"We don't keep logs of EVERYONE who is messaging..."
Etc.
> We do not track your PRECISE location
If they log IP addresses, they can't say they don't log location at all.
> we don’t keep logs of who everyone is messaging
Seems like a pretty strong claim
> we do not track the PERSONAL messages people are sending one another
I don't know much about their business offering, but it seems likely it's not e2e encrypted or has some kind of escrow. Businesses often need multiple people to be able to access an account and that is best done without e2e encryption... let alone auditing requirements.
> We do not provide BULK information to any government
Because they are subject to subpoena and search warrants. They are legally required to provide tailored information to governments.
====
All in all it's pretty much what you'd expect for WhatsApp's "e2e but otherwise conventional saas" approach. If you want better, use Signal.
> Actualllly you can't prove that it was me who made that search query.
> Actualllly you can't prove that it was me who had that cellphone around that cell tower. Could have been anybody. I could have been hacked.
Judges always allow that evidence and juries always view it as incriminating. What makes more sense, that some unknown hacker hacked into your account and googled something about the thing you're here for, or that you actually just googled it yourself?
On Android, push notifications were always processed by the receiving app, so it can just decrypt a payload directly (or download new messages from the server and decrypt these); on iOS, this isn't as reliable (e.g. swiping the app out of the app switcher used to break it in several iOS versions), but "VoIP notifications" and the newer "message decryption extension" [1] are.
The same principle applies to Web Push – I believe end-to-end encryption is even mandatory there.
[1] https://developer.apple.com/documentation/usernotifications/...
Surely they must, how else are the messages… you know… available when you use the app?
just selected people then?
"This may include information about how some users interact with others on our service."
Much of the terrain is similar to Afghanistan. Tribal Islamic alliances are resilient against loss of central governance. There is a massive porous mountainous border to 2+ countries that conceivably will look the other way for certain Islamic militants.
I know everyone wants to gobble down the campaign about complete air superiority and toppling of leaders, and that WhatsApp may be separating the regime from 52 virgins, but realize this is a propaganda campaign. This initial propaganda only serves to manufacture consent long enough to buy citizens in to blood so they can't back out. We're in the process of being tricked.
Whatever the case, the current Iran regime hasn't given nuclear material, chemical weapons, or biological weapons to these terror groups.
If the current Iran regime is eliminated from afar, with some fly-by bombings or whatever, what happens in the chaos that follows? Nuclear material and other weapons do not poof out of existence when the government that created them falls. Which group will control the nuclear material going forward? Roll the dice to find out.
I suspect what Israel is hoping for is that if they disrupt Iranian internal security enough, Iran won't be able to put down protestors. In the past there have been protests that Iran had to put down violently, so it's not crazy. At the same time, hard to imagine anyone going out to protest while bombs are falling, and external threats tend to increase support for incumbents. So probably a long shot.
What they will probably settle for is blowing up their nuke stuff and missiles, hoping that the economic disruption of the war is enough that it's too expensive for Iran to rebuild it.
Of course, nobody really knows.
It wouldn't be a cake walk. But America could topple the government in Tehran about as easily as it did in Baghdad or, frankly, Kabul. The problem in Iraq and Afghanistan wasn't a failure to decapitate the opposing state. It was in filling the vacuum that left.
Everyone wants to gobble down... I.e. here’s another invasion war but it’s our ally this time so it’s good actually. They’re gonna dezanify^W de-islamism Iran.
I wish this meme that "whatsapp is secure because it uses e2e encryption" would die.
Why does it matter if the messages are e2e encrypted if the messages are managed on the two ends of the channel by a closed source binary that does who-knows-what?
The WhatsApp app itself sees the clear text message. What it does with that information... or what "metadata" it extracts to send to their servers... who knows.
Because WhatsApp uses end-to-end encryption, any backdoor must necessarily be on the client side, and all client-side code can ultimately be reverse-engineered. This makes such backdoors very tricky to implement.
With that said, while I think a "general backdoor" (one that weakens the crypto algorithms so much that all messages can ultimately be read by Meta) is super unlikely, a "vulnerability" in some image parsing library, designed and implemented by the NSA, and only used on the most interesting targets... now that's a different story.
True, but it might be a part of an update that only hits a white-list of users, so you won't find the actual code that steals your private keys if you're on that list.
Right into my veins
The meme/trope is that you can't possibly know what such an app does without the source. It just isn't true. There'd be no meaningful phone vulnerability research if it was.
Imagine if they pushed an update of the app out with the vuln to only some users, or users in {country} in their app release configs
Would you prefer your dissident messages be read by Meta Corporation or the Islamic Republic of Iran? That's the difference.
No, there's no technical difference in the sense that neither solution can be verified to be probably secure vs. third party inspection. But in the real world the specifics of who the actors are and the tactics they are known to employ are absolutely part of the threat model.
I'd prefer my messages to not be available to an actor shown to be using AI to select targets for bombing campaigns.
Neither please! Corpos can obviously sell out or be pressured into giving out info to all sorts of agencies
So more than fearing Israel, they actually fear the public that has an encrypted communication channel that can't be tapped by their police. Explains a lot.
Could be some other mechanism (e.g. Google Drive or some other kind of malware), hard to be sure in the world, where since 2011 Snowden's revelations, bugs are placed by NSA and CIA everywhere, starting from hardware and firmware.
If it was, it would be true for Telegram as well.
Russian soldiers participating in the invasion of Ukraine. FTFY.
The IDF's Unit 8200[1] can probably hack most phones in Iran. And if not any of the private companies selling spyware software like the NSO Group[2 and 3].
[1] https://en.wikipedia.org/wiki/Unit_8200
[2] https://en.wikipedia.org/wiki/NSO_Group
[3] https://mepc.org/commentaries/israeli-cyber-companies-overvi...
How do you send an "invisible" SMS to other country's cellular network undetected? Especially on a mass scale...
I know about OMA DM, and FOTA update/access, and binaries certain US operators pre-install into phones/modems for remote access, etc. since I was reverse engineering this stuff. I just don't see how this would be invisible from the targeted country's cellular network operator.
By "chance" the rightful crown prince (Pahlavi dynasty), an exile, is now making a comeback on social media, saying that the current Iranian regime shall fail.
There are talks online as to how the current regime is falling: and there are a lot of people who would be very happy to see those bearded men ruling by sharia law gone.
The last thing the religious cracknuts at the helm of that Islamic state want are Iranians themselves using the opportunity to topple the regime.
When they say: "Delete WhatsApp to not help Israel locate you" what they really mean is "Do not share the vids of the crown prince announcing he'll give you a life without sharia punishment".
Also car tech and cameras. Literally a wet dream if I worked at a three letter agency, real time surveillance of streets which is actually extremely difficult normally. Can't think of how many times I've wanted a recent picture of a street or house miles away, with 360 car cameras you can track people, see changes maybe from just minutes ago.
I don't know why these countries don't block or mandate these features are completely turned off.
A common sentiment in this thread. My gut and practical experience both tell me this is true on some level, but how do folks distinguish tinfoil hat conspiracy from legitimate speculation?
The UK now has laws to gag domestic companies and force them to implement backdoors.
I mean, nothing Snowden revealed was shocking to anyone in IT at the time. He just brought receipts.
Plausibility and evidence, for which there's plenty in this case.
Although it seems less likely to me that Western apps have backdoors and more likely that Western law enforcement and intelligence have free access to the data, but it's probably both.
The NSA's, and its partners', capabilities and the lengths it is willing to go to are staggering.
they don't. that's the whole point
Potentially they might be worried about anti-regime activists organizing on WhatsApp and want to push people to more easily monitorable alternatives.
If Iran knew Meta was doing this for a long time, then it raises the question of why they are just asking people to delete it now. One would presume that such a serious opsec issue would require immediate action.
If they just figured this out right now, it's a bit hard to imagine how that happened given how disruptive the bombing campaign has been.
The timing just seems really suspicious to me.
Why trust a US company when the US helped Israel attack Iran while in negotiations?
> Why trust a US company when the US helped Israel attack Iran while in negotiations?
Potentially. However, given that WhatsApp/Meta is just one random American company that is already banned in Iran (afaik), it seems like that would be a really random action if it was purely about retaliating against the USA.
This is the perfect time for an uprising.
The Kurds are already starting whatever they’ve been planning.
The classic approach, airlifting the Ayatollah to a dacha in Moscow while the IRGC saves face and plots a forever path to new elections, falls apart when you consider how Iran’s internal security and geopolitical alignment would need to be sculpted in a way that would satisfy the great powers. (Iranian crude fuels China’s refineries.)
Mainly because they don’t have one and never had one. Hard to dismantle something you don’t have. Even harder to do so credibly.
They had programs to obtain a nuclear deterrent. They can dismantle those programs. But they never had the actual nuclear deterrent itself.
Honestly, I don’t think the American people have the stomach for another Middle Eastern war, and Israel has shown in the past that if you recognize their right to exist in some form, they’ll leave you the hell alone - see Egypt, Jordan, etc.
So if he pulled back from those two rivalries, I doubt that hurts him much. I’d see it as riskier because of internal power struggles and possibly from regional rivals, but who knows.
Guy’s in his mid 80s and there’s a decent chance Mossad knows exactly where he is. He’s got one foot on a banana peel and the other foot in the grave regardless.
It’s likely that any two-state solution to the Israel-Palestine crisis would roughly look like how things were before the Six-Day War.
However, I’m getting more at the fact that Iran is unwilling to accept a two-state solution because necessarily, one of those two states would be Israel.
Though I must say, the regime itself seems to really believe this, for example there was some news that high-ranking officials are now banned from using electronic devices that connect to the internet like mobile phones.
1. Politics has been getting more freedom here lately, especially if it's the first story about something new. This is, as far as I can see, the first story about this.
2. The story has an interesting technical component, about encryption, privacy, and tracking - things that a lot of HN users care about.
3. It mostly hasn't deteriorated into a flamefest.
Number two on your list shouldn't apply because we've seen many technical articles about Tesla, DOGE, etc flagged in the past months
3 shouldn't apply either because we lose posts every day just because they have the "potential" for flaming.
To me, the most interesting thing about this conflict is the side-choosing of the other nations, because that reveals what kind of games they're playing.
"It banned WhatsApp and Google Play in 2022 during mass protests against the government over the death of a woman held by the country’s morality police. That ban was lifted late last year. ( https://apnews.com/article/iran-social-media-whatsapp-google... ) "
Could you elaborate on that? Is anyone behaving out of the totally expected?
Cell phones.
While tracking is an unfortunate consequence, cell phones and smartphones have become indispensable aspects of our daily lives. We can lament their prevalence or highlight their negative impacts, but reducing cell phones to “tracking devices people pay for” is an overly simplistic view IMHO.
The real issue is that we’re still guessing. Does anyone actually feel confident about any of this?
WhatsApp heavily nudges users into backing up their chats to iCloud or Google Drive. These backups are, by default, unencrypted (or at least encrypted using a key known to Meta). And most users just use the defaults.
It's exactly the same story with iMessage: If "iCloud Backup" and "iMessage in the cloud" are activated (again, Apple nudges users into these by default), all received messages get uploaded to Apple using a key available to Apple, unless "Advanced Data Protection" is also enabled (decidedly not the default).
Users can deviate from these defaults (and both parties to a conversation need to, for the conversation to actually be private!), but they can already also just use Signal if sufficiently motivated.
> The solution to this problem, he says, is artificial intelligence. The book offers a short guide to building a “target machine,” similar in description to Lavender, based on AI and machine-learning algorithms. Included in this guide are several examples of the “hundreds and thousands” of features that can increase an individual’s rating, such as being in a Whatsapp group with a known militant, changing cell phone every few months, and changing addresses frequently.
What really matters is modeling real world threats and minimizing risk at every point in the system. That’s where GOSPL.CHAT stands out. It was designed with context-aware security from the ground up, with critical safeguards like:
No plaintext ever accessible to intermediaries or vendors
Zero-knowledge archives, where only the end user can decrypt their data
No export features or backdoors that can be exploited
These protections mean that even if infrastructure is breached or supply chains are compromised, user data remains unreadable. GOSPL doesn’t just promise encryption — it ensures resilience in the face of real threats. That’s the level of trust we actually need.
For the population in general though and in special those who don't like the people in charge of the country, WhatsApp is a great tool. I have to worry about WhatsApp and Meta as I'm in the "west", but there's no chance in hell Meta's going to provide data on any user to the Iranian government... it's a good option for Iranians.
This was an opportunity for Meta to signal that it wasn't in support of its technologies being used this way, to do top-to-bottom public audit of how this came to be and to prevent it from ever happening again.
Instead, Meta had an incredibly scummy response [3]. They said that "WhatsApp has no backdoors". A "backdoor" and a vulnerability are different, and Meta at the time knew [4] that it had a vulnerability which could have been used in that exact situation (since all Gazan telecoms are surveilled by Israel).
Given Meta's senior leadership is pro-Israel, with their CISO being former Israeli intelligence, and with them massively putting their thumb on the scales to shut down pro-Palestinian activism [5][6][7][8] (including shutting down dissent of it internally [9]).
Now, Meta is aligning with the US military [10], and with the Trump administration [11] which is trying to support a war against Iran that Israel started.
Literally any country which is not US/West aligned should be actively moving their citizenry off Meta.
[1] https://blog.paulbiggar.com/meta-and-lavender/
[2] https://www.972mag.com/lavender-ai-israeli-army-gaza/
[3] https://www.middleeastmonitor.com/20240418-israel-using-meta...
[4] https://theintercept.com/2024/05/22/whatsapp-security-vulner...
[5] https://7amleh.org/storage/meta/Erased%20and%20Suppressed%20...
[6] https://theintercept.com/2024/10/21/instagram-israel-palesti...
[7] https://www.bbc.com/news/articles/c786wlxz4jgo
[8] https://www.business-humanrights.org/en/latest-news/report-a...
[9] https://7amleh.org/storage/Advocacy%20Reports/Delete%20the%2...
[10] https://www.snopes.com/fact-check/us-army-tech-executives/
[11] https://www.bbc.com/news/articles/c8j9e1x9z2xo
"Asks" instead of banning? yet the US wants to ban TikTok
Israel will be US/UK's scapegoat, they'll pretend they are the good guy while they force Israel into a war nobody wants