WhatsApp Messaging Interoperability

developers.facebook.com

179 points by namanaggarwal 2 years ago · 151 comments

PandaBear123 2 years ago

> 7.5.1. Partner User Location. Any Partner Users that Partner Enlists or provides access to the Interoperable Messaging Services must be located and remain in the EEA. Without limiting Section 11 (Warranties), Partner represents and warrants that it will only (i) Enlist and (ii) enable access to the Interoperable Messaging Services by Partner Users that Partner independently validates are located in the European Economic Area, (i.e., a Partner User must be present within the European Economic Area within any consecutive sixty (60) calendar day period). If WhatsApp detects or otherwise has reasonable grounds to suspect a Partner User Enlisted to receive the Interoperable Messaging Services is not located in the European Economic Area or is no longer located in the EEA, WhatsApp reserves the right to immediately suspend such Partner User(s) from accessing the Interoperable Messaging Services, and if multiple violations are detected, Partner shall remedy Partner's location validation procedures to ensure compliance with the terms of this Agreement.

Looks like interoperability is geo-fenced to Europe only.

  • jraph 2 years ago

    And that they are reluctantly complying in bad faith in the most hostile way they found. Is this going to fly? Where do these 60 days come from for instance? How is it of any use and who is going to want to implement such interoperability under such terms?

    This reads like a lot of words to say Fuck You Europe to me.

    Well, feelings are mutual, at least we are on the same page, them and me.

    • concinds 2 years ago

      You may dislike it, but EU law only applies in the EU; it sounds like full compliance to me, not "bad faith" compliance.

      Messaging-interoperability is the one aspect of the DMA I don't support. These apps are free to download; and if you care about security (and use Signal) you'll want to avoid cross-service messaging anyway.

      • afavour 2 years ago

        > These apps are free to download

        Yes but you aren’t truly free to choose which app you download. You have to use the one being used by the people you want to message. That is of strong benefit to incumbents.

        • doctorpangloss 2 years ago

          Has there been meaningful innovation in messaging? I had free AIM on $3 T-Zones in 2006. So I see no downsides to just forcing interoperability.

          • myaccountonhn 2 years ago

            Many add a bunch of bloat that I simply do not want. It'd be nice to have a chat app that only does chat.

          • lotsofpulp 2 years ago

            Meta and Apple are paying for far more bandwidth than what AIM was moving around back then. Very high quality videos, audio, pictures, and gifs not to mention files and group video calls.

            • catlikesshrimp 2 years ago

              Their will. I'm perfectly fine receiving full quality media as files, I don't need meta to reformat my media to reduce their bandwidth bill and train their model, they could redirect me to the original file if I am using another messaging app.

        • concinds 2 years ago

          > you aren’t truly free to choose which app you download. You have to use the one

          Singular? You'd just use whichever app a given person is on (everyone here has 3+ chat apps installed). Wouldn't network effects only kick in when group chats are involved?

          • AAAAaccountAAAA 2 years ago

            Yes, and failing that, you could simply revert to plain old SMS. IMO, a better course of action would have been forcing WhatsApp to provide an alternative way to access their group chats.

            Or alternatively, forcing all phones and carriers to support RCS as a condition for certification, and funding the development of a quality FOSS RCS client.

      • cesarb 2 years ago

        > You may dislike it, but EU law only applies in the EU;

        Even then, that consecutive 60-day limit sounds bizarre. For instance, someone who has dual citizenship could legitimately switch between an EU and a non-EU country every single month. Why shouldn't that person have access to these "Interoperable Messaging Services" when in the EU?

        • sealeck 2 years ago

          If you switch every month then you will have been present in the EU within any 60-day window?

          • htrp 2 years ago

            Literally lawyering up the implementation

            • sealeck 2 years ago

              This is definitely their tactic, and it may work because they can be incredibly obstreperous at every turn and make the commission fight every small detail tooth and nail up to the highest court.

              • catlikesshrimp 2 years ago

                I don't support Meta and Apple's approach, but while something is done about it: I suppose you can use a (paid) VPN with servers in Europe, because Meta shouldn't have access to your location by any means besides the internet connection. Just a bandaid.

      • sabellito 2 years ago

        Why don't you support it?

        There are government services that use whatsapp in my country. This argument "just don't use it" is very tired.

        Interoperability can be achieved with E2E encryption.

        • concinds 2 years ago

          > Interoperability can be achieved with E2E encryption.

          On paper yes. But I wouldn't trust it.

          https://www.wired.com/story/whatsapp-interoperability-messag...

          > There will also be the option, Brouwer says, for third-party developers to add a proxy between their apps and WhatsApp’s server. This, he says, could give developers more “flexibility” and remove the need for them to use WhatsApp’s client-server protocols, but it also “increases the potential attack vectors.”

          --

          > There are government services that use whatsapp in my country. This argument "just don't use it" is very tired.

          I'm saying I wouldn't trust or use interoperability. If something/someone is on WhatsApp I'd do it through WhatsApp. Doesn't mean I can't use Signal with all those who use that.

        • methuselah_in 2 years ago

          Xmpp

      • concinds 2 years ago

        Actually I forgot about iMessage. It’s the only service where forced interoperability makes sense (because you can’t “just download an app”, you’re locked out of the service unless you buy an Apple device), and yet it was excluded. Hopefully the EU changes the law so it applies to iMessage.

      • southerntofu 2 years ago

        EU law only applies in the EU, but an actor who doesn't respect EU law outside of the EU may be refused business in the EU. I agree the precedents are not strong to propose an outright ban (eg. Coca Cola murdering trade unionists and forest defenders in South America) but it would perfectly make sense on paper.

        • catlikesshrimp 2 years ago

          Digital services are global. Regulation can be different from physical good regulation.

          Heck, in the US even taxes are global

          Edit: For US citizens

    • rock_artist 2 years ago

      It seems all companies complying with EU laws (Meta and Apple) spent most resources on lawyers and accountants, to make this unattractive to users and competitors.

      Without additional regulations across the globe it’ll be simpler playing the geofencing game for those companies.

      • no_identd 2 years ago

        That'll just come back to bite them in the ass during round 2

        World's most stupendous & drawn out Yak shave, if one thinks about it

    • gruez 2 years ago

      Sounds less like "bad faith" and more like "I was hoping that Meta would cave and offer this to everyone, but turns out they don't have to do that because EU jurisdiction ends at EU borders"?

      • jraph 2 years ago

        Fair enough.

        Now, not sure what I was hoping for. None of my messages currently go through Meta and I'm quite happy with this.

        As an implementer, I certainly wouldn't want to police and track my users and their location for a chat service, and as a user I wouldn't want a chat service to track me.

        I also certainly don't want to depend on a system which is unreliable because it artificially depends on my or my contacts' position on Earth.

        This whole thing sounds like something I will not want to use anyway.

    • jddj 2 years ago

      You tend to see similar terms around the "fair use" of free EU roaming.

      Some of them even threaten back charges if it turns out you used more data abroad than at the home country over a long enough period.

      I called their bluff once and got away with it, but their systems may have improved since then

  • pmontra 2 years ago

    So what happens when an EU citizen goes on vacation in the US? No more sharing messages between platforms until they go back home?

    • kolmogorov 2 years ago

      this reads as if they can for 60 consecutive days and on day 61 they'd be disconnected from interoperable messaging

  • lxgr 2 years ago

    This is so absurd.

    I think the previously often raised objections to interoperability were technically and economically mostly sound (federation is much harder to achieve in a secure way, thinking of key distribution, identifier verification etc.).

    Now overcoming all of these obstacles and then going the extra mile to implement geofencing (which also has tons of edge cases!) completely undoes that argument.

    • arp242 2 years ago

      I don't really see why WhatsApp would care, because once you have developed the interoperability, audited the apps, and done all that, it doesn't really cost WhatsApp anything if a user is using that app. They lose no profit, doesn't cost their servers any more than their own client would, etc.

      WhatsApp makes their money from the business clients/apps (which aren't covered under this, which I think is fine by the way).

      So why care where a user is on the planet? I just don't see the business reason for this. Maybe I'm missing something?

      • lxgr 2 years ago

        For one thing, they can't show ads in third-party clients. (I think they currently only do that in "stories" in their own client at the moment, but without competing clients, they always have the option to expand that.)

        On the other hand, I could imagine their business messaging ambitions to be threatened by third-party clients: There's nothing stopping the vendors of these clients from undercutting Meta on business messaging rates.

        And this is all assuming that third-party services couldn't provide their own business messaging services to first-party WhatsApp client users without paying Meta their list price. I don't know whether the DMA allows that, or if normal rates would still apply in that case.

      • akdev1l 2 years ago

        The WhatsApp client does give Meta a window of opportunity to get data from users.

        The data is otherwise E2E encrypted but when you see a link preview on WhatsApp Meta knows that.

        • Vinnl 2 years ago

          Only the messages are encrypted, but there's a ton of metadata that isn't, e.g. who you talk to, when, where you are when you do so, ...

          • akdev1l 2 years ago

            But in the client is the only time their code touches the actual unencrypted message data.

            Also a lot of the data you mentioned will also not be available if you don’t use their client, e.g. if you use the Signal client then Facebook won’t get your location at all, as that’s not part of a regular text message.

        • arp242 2 years ago

          Do they actually do that? Because I'm not so sure that they do.

          • akdev1l 2 years ago

            The preview sends a request to some server on a Facebook subdomain. I know because I was sniffing traffic on my phone without any Facebook app installed other than WhatsApp.

            • arp242 2 years ago

              Okay, but do they actually use any data from that? What does the privacy policy say? Have any effects been observed beyond "uses a facebook domain" (e.g. you see ads on Facebook for a site you had in preview)? Is there functional reason for using that domain?

              • akdev1l 2 years ago

                Do you think I’m a Facebook employee…?

                Because no one else can answer your questions.

            • lxgr 2 years ago

              Did you see the content of that domain? It might be spam/phishing protection, which can be done in a privacy-preserving way (e.g. sending only a truncated hash of the link TLD to a server and downloading a larger set of blocked domains for local filtering).

              At least on my Mac, I also only see connections to the URL domain, nothing to a Facebook subdomain.
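
Added example (not part of the thread, and not WhatsApp's or Meta's code): the hash-prefix lookup lxgr describes above, sketched in Python. The 2-byte prefix length, the `BlocklistServer` and `Client` classes, `find_prefix_twin` and all domains are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_BYTES = 2  # assumption: number of hash bytes the client reveals


def domain_of(url: str) -> str:
    """Lower-cased host of a URL (no public-suffix handling in this sketch)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def full_hash(domain: str) -> bytes:
    return hashlib.sha256(domain.encode("utf-8")).digest()


class BlocklistServer:
    """Hypothetical server side: receives hash prefixes, never URLs."""

    def __init__(self, blocked_domains):
        self._buckets = {}
        for d in blocked_domains:
            h = full_hash(d.lower())
            self._buckets.setdefault(h[:PREFIX_BYTES], set()).add(h)
        self.seen_prefixes = []  # everything the server could log per query

    def lookup(self, prefix: bytes) -> set:
        if len(prefix) != PREFIX_BYTES:
            raise ValueError("unexpected prefix length")
        self.seen_prefixes.append(prefix)
        # Return every blocked full hash in the bucket; the client filters.
        return set(self._buckets.get(prefix, ()))


class Client:
    """Sends only a truncated hash, then matches the full hash locally."""

    def __init__(self, server: BlocklistServer):
        self._server = server
        self._cache = {}  # prefix -> full hashes, so repeats cause no traffic

    def is_blocked(self, url: str) -> bool:
        h = full_hash(domain_of(url))
        prefix = h[:PREFIX_BYTES]
        if prefix not in self._cache:
            self._cache[prefix] = self._server.lookup(prefix)
        return h in self._cache[prefix]


def find_prefix_twin(domain: str, limit: int = 2_000_000):
    """Find a constructed domain sharing `domain`'s prefix.

    Shows why the prefix alone does not identify the link: many domains
    map to the same bucket. Returns None if none is found within `limit`.
    """
    target = full_hash(domain)[:PREFIX_BYTES]
    for i in range(limit):
        candidate = f"constructed-{i}.example"
        if full_hash(candidate)[:PREFIX_BYTES] == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data, not a real blocklist.
    server = BlocklistServer(["phish.example", "malware.example"])
    client = Client(server)
    for url in ("https://phish.example/login", "https://news.example/story"):
        print(url, "->", "blocked" if client.is_blocked(url) else "ok")
    twin = find_prefix_twin("phish.example")
    print("same bucket as phish.example:", twin,
          "blocked" if client.is_blocked(f"https://{twin}/") else "ok")
    print("server saw:", [p.hex() for p in server.seen_prefixes])
```

The server still learns the client's IP address and query timing, and a short prefix hides the domain only among the other domains that share its bucket, so the prefix length trades privacy against response size.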

              • akdev1l 2 years ago

                There’s like 1000 reasons why the domain could be used. (For example you wouldn’t want 1M phones destroying a website because it became viral on WhatsApp, hence a caching layer is probably needed)

                I don’t work at Facebook on this specific system that handles link previews so I have no idea of the details.

                The fact is that if they send a request containing the link I previewed which is tied to my IP which connects to my Facebook account then they can 100% correlate that information and figure it out.

                Are they doing that? Maybe, maybe not. I don’t work there. But they can if they want to so it all comes down to trust. Do you trust Meta?

              • petre 2 years ago

                Meta and 'privacy-preserving' are a contradiction in terms.

arp242 2 years ago

Gosh, all of this is so locked down.

I've been waiting for this, and hoping I could "just" cook up some of my own code to use with WhatsApp, and/or integrate it with Pidgin or bridge to email or whatever. But the entire process is about as hostile as possible.

For example "Partner shall have in place a dedicated security team" basically excludes most startups, or most smaller companies.

It's not clear to me if this is really complying with the DMA – it's certainly not in the spirit of it, but less sure about the letter of it.

  • jeroenhd 2 years ago

    I think it's quite fair to demand basic security compliance for implementing an E2EE messenger.

    That said, I'm sure we'll see open source libraries pop up everywhere to communicate with WhatsApp directly. There already are unofficial WhatsApp clients in various forms, but now they can use the protocol without risking breakage because they reverse engineered the contents of the protocol itself.

    I think there will be plenty of space for the Beeper Minis out there right now.

    • sebtron 2 years ago

      > I'm sure we'll see open source libraries pop up everywhere to communicate with WhatsApp directly.

      How so? Each of them would need approval by Meta + signing an NDA, and I can easily see that ruling out open source libraries.

      • jeroenhd 2 years ago

        Most of the protocol is already reverse engineered. Once less heavily obfuscated apps start using the external messengers API, implementing the rest of the protocol should be a lot easier.

    • arp242 2 years ago

      > I think it's quite fair to demand basic security compliance for implementing an E2EE messenger.

      That's really a decision you should make, and not WhatsApp – "do I trust this arp242 guy and his GitHub repo?"

      And some auditing isn't necessarily too bad, I guess, but a lot of this goes far beyond "basic security"; it's the type of "corporate checkbox security" that we all know works so well.

  • Calvin02 2 years ago

    You seem to be confusing interoperability with WA’s desires to make sure that e2e encryption isn’t broken.

    What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?

    My friends and I use WhatsApp because we know the messages are secure. Imagine if every other group message had the “green bubble” equivalent experience if someone was using a custom client.

    • lxgr 2 years ago

      If that's your assumption, I've got bad news: People can already use third-party clients! WhatsApp "mods" for Android, third-party clients hooking into the web client etc. have all long been possible.

      Without the DMA, Meta can make it very hard for any business model based on them, but it's never been a technical obstacle.

      In a very similar way, you also need to trust your friends to not activate WhatsApp chat backups to Google Drive or iCloud without a password if you don't want end-to-end encryption to be compromised (there's no indication if they have it on or not), and that's the default suggestion by the official client.

    • arp242 2 years ago

      You can do E2E encryption without all of these requirements. It's basically just TOFU some key when someone messages you. You can do 3rd-party implementation for other E2E messengers: Telegram, Signal (even though they don't like it), and of course XMPP (with extension).

      I need to read a bit more carefully through the (limited) technical documentation they have; but all of this seems highly excessive. I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.

      I don't know what "the green bubble experience" means(?)

      • lxgr 2 years ago

        To be fair, there is one aspect where the platform is trusted with services like Signal and WhatsApp: Identity to phone number binding.

        Many people don't actually ever verify their contacts' keys, but rather just rely on the platform provider to have done phone number verification correctly. In that sense, the security model is a bit better than TOFU in practice.

        > I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.

        There I fully agree. If anyone could find a way, it's the company running the largest messaging infrastructure in the world.

    • gruez 2 years ago

      > What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?

      But even if you're using the official super secure endpoint, there's nothing preventing the user from taking a picture of the screen, which bypasses all protections.

sebtron 2 years ago

So any messaging app that wants to implement WhatsApp interoperability has to apply for it, pray to get their blessing and then sign an NDA.

It is probably a positive change for end users, but far far away from the "open up your protocol" I was hoping for.

  • idle_zealot 2 years ago

    So the same loophole Apple is using to render the app distribution part of the DMA moot. I look forward to seeing whether the EU considers this an acceptable interpretation.

  • shafyy 2 years ago

    I was also hoping to just be able to build my own messaging app and use it to chat with people who have WhatsApp. I guess this is a first step, and better than nothing. Let's hope the DMA keeps evolving and also closing loopholes.

ChrisArchitect 2 years ago

Related:

Making messaging interoperability with third parties safe for users in Europe

https://engineering.fb.com/2024/03/06/security/whatsapp-mess... (https://news.ycombinator.com/item?id=39614085)

irusensei 2 years ago

Signal or matrix interop would be great. I use WhatsApp as the logistical tool of choice to communicate with my coworkers when away from the company but I wish I could uninstall it. Not my tribe.

  • the_gipsy 2 years ago

    Matrix has WhatsApp interop that works excellently. It somehow uses the web client, which I imagine could be replaced by real interop.

    • Vinnl 2 years ago

      You can't uninstall WhatsApp that way though. Not just the web client, but also the app on your phone, which the web client proxies everything through.

      • ranguna 2 years ago

        The Web client doesn't need the app anymore, at least it works without having your phone on. You have to relogin every once in a while though.

  • laurex 2 years ago

    There's an interesting philosophical question: if we have a fediverse or open source ecosystem for communication that is deeply integrated into Big Tech, does that make the fediverse stronger, or does it neuter the impact of fediverse as a possible "infrastructure-level" competitor of communication and information sharing?

    • jayknight 2 years ago

      We can look back in time to see that, ultimately, Google's adoption of XMPP was bad for XMPP.

      • sneak 2 years ago

        It was also bad for Google, as it cost a lot to build, was almost completely unused by their userbase, and resulted in a lot of inbound spam.

  • ydnaclementine 2 years ago

    Not sure if Signal should interop with data mining software. Keep that stuff isolated.

    • Krasnol 2 years ago

      They have usernames now.

      Using it with a dedicated username for WhatsApp contacts could be a way.

      • crtasm 2 years ago

        Signal would have to change how they work for that, at present it shares your profile name after you've initiated a chat using the "username" - very confusing choice of wording.

        • nottorp 2 years ago

          What do you mean? You can set a nickname but they'll send your phone number to everyone you chat with?

          What's the point of nicknames then?

          • madeofpalk 2 years ago

            https://signal.org/blog/phone-number-privacy-usernames/

            > Usernames simply allow you to initiate a connection on Signal without sharing your phone number

            > Starting soon, your phone number will no longer be visible to people you chat with on Signal, unless they have it in their phone’s contacts. You will also be able to configure a new privacy setting to limit who can find you by your phone number on Signal. And, you’ll now be able to create an optional username that you can share with the people you want to connect with on Signal.

            • nottorp 2 years ago

              > unless they have it in their phone’s contacts

              Lol. Why should they be allowed to associate my phone with my Signal handle even then? If I want them to know I'll tell them.

              > a new privacy setting to limit who can find you by your phone number on Signal

              Double lol. Limit is not disable.

              How about an option to "do not give my phone number to anyone, no matter what reason to pass it around you make up this week"?

              And the obvious next step: do not get my phone number period. But that has been discussed before.

              • lxgr 2 years ago

                As far as I can tell, "limit" will soon mean "disable". They just can't flip that switch yet given that legacy clients will not know what to do about "numberless contacts".

                > do not get my phone number period

                I'd also like that, but they apparently use phone numbers as a primary key for account recovery and identification (e.g. on a new device without the old one present), so that's probably very hard to change architecturally.

                There are some interesting concepts of "identityless messengers", but this is inherently hard to do on mobile – at least the platform operator will always know which identities are clustered together on a given device if you want efficient push notification delivery over APNs/FCM.

                • nottorp 2 years ago

                  > There are some interesting concepts of "identityless messengers"

                  Like... icq... yahoo messenger... old skype... ?

                  And even some modern mobile chat apps I think.

                  • lxgr 2 years ago

                    These definitely all had a stable identity (ICQ number etc.)

                    What I mean is having an ad-hoc identifier per contact/group chat which doesn’t allow your various contacts to correlate that you are the same person.

          • nonillion 2 years ago

            Currently everyone who chats with me cannot see my phone number — even people who have my phone number saved in their phone (I was surprised as I thought it would still show this if they had it saved). There is a setting to entirely hide your phone number from everyone.

Razengan 2 years ago

There's something really appalling that I discovered lately and I can't believe there isn't enough uproar about it. Every attempt to talk about this gets ignored or buried (maybe by people who want this ""feature"" to be kept quiet) so I will take every opportunity on existing discussions about Facebook to bring it up:

Facebook (and TikTok) store tracking data on iOS that the user CANNOT SEE and CANNOT DELETE:

• It shows my previous account even after I delete the app.

• Clearing Safari's cache does not work.

• Disabling iCloud Drive and iCloud Keychain does not work.

• Even completely signing out of iCloud does not work!

• On a Mac in the Terminal, you can go to ~/Library/Mobile Documents and "ls -al" to see hidden folders like "iCloud~com~Facebook~Messenger" that you cannot otherwise view or delete.

• Someone mentioned that even RESTORING an iCloud BACKUP will resurrect these "eternal cookies"!!

----

WHERE do they store this data?

WHY can't the user see this data?

WHY can't the user delete this data without going through the app?

WHAT ELSE do apps store on our devices that we aren't even aware of? (This is just what we can see: The list of saved accounts for "quick login")

HOW MANY other apps are secretly doing this?

WHY does Apple, parading around as a pompous paragon of privacy, even allow this in the first place??

  • alexsereno 2 years ago

    Hey I can shed light on this. It’s the iCloud keychain. Disabling the keychain doesn’t delete existing entries. There is no way to modify the keychain on iOS (you can on Mac). Lots of apps store sign on data in the keychain for obvious reasons.

    It would be really great to have a keychain section in iOS’s settings, like Keychain Access on Mac. The dev can build in-app functionality to delete keys from the keychain, but there’s not a huge incentive to.

    Keychain storage doesn’t let FB track you, just store sign on info, keys, and the like. It’s not able to execute arbitrary code, it’s an encrypted place to store login info that Apple syncs between your devices.

    Use them via Safari if you don’t want this (then your logins are saved & synced in Safari’s keychain).

    • discostrings 2 years ago

      It's not specific to iCloud Keychain--it applies to on-device Keychain on iOS devices, too, even if you don't use iCloud. Any developer can store data there with no way for the user to know or see what it's saving, and it's shared among all apps from the same developer. Keychain is quite a misnomer here--it's really "store any (short) data you want on a user's device without them ever being able to see or remove it". It transfers when you restore backups on new devices, too, even if you haven't had the developer's apps installed in the last decade.

      This is an issue because if you ever use an app by a company, uninstall all their apps, and then install one of the developer's apps years later, they can tell it's the same iOS profile (even restored on a different device), profile what you do across those apps/installs/decades, and associate any accounts you log in with. Essentially they can put a permanent cookie that you can't even see on your iOS profile that's shared between their apps. If you use iCloud Keychain, they can probably profile you across all your devices regardless of whether you reset one.

      Apple has said this isn't intended functionality and they were going to address the issue many years ago in iOS 10.3 by removing Keychain data when the last app from a developer was uninstalled [1], but they got cold feet. If I recall correctly, the reason was that some app developers were relying on this unintended functionality to ensure free trials couldn't be used more than once. Apple was going to introduce a service that could store only 2 bits of data to enable that use case and then revisit Keychain deletion when the last app from a developer is uninstalled, but it appears they haven't.

      It would be great if they'd finally fix this.

      [1] https://developer.apple.com/forums/thread/72271

      • miki123211 2 years ago

        This is also used heavily for abuse / spam / fraud prevention.

        If you detect that a user is abusing your service, the ability to put a permanent cookie on their device is very useful.

        This isn't effective against organized crime groups (they can just get Macs / use the web / whatever), but works well against your average troll or internet racist.

        Still tracking, but a very different kind of tracking.

        • discostrings 2 years ago

          The "store 2 bits of information" approach Apple was exploring would solve at least a lot of that case. You could effectively store 3 pieces of information: 00 = default state, 01 = used free trial, 10 = banned, 11 = something else the developer wants to store about the iOS profile. You don't need to be able to uniquely identify it to ban it.

      • alexsereno 2 years ago

        You’re right, I could have specified that even if you don’t use iCloud you have a keychain on iOS

    • lxgr 2 years ago

      > Keychain storage doesn’t let FB track you

      It sure lets app developers identify me across app deletions and reinstalls!

      I'm also not sure why Apple has kept this loophole open for so long when they are otherwise so focused on making sure user tracking across reinstalls is so hard (e.g. by making APNs tokens change after a reinstall, which used to not be the case as well, restricting access to read the device MAC address and other permanent identifiers etc).

      • gruez 2 years ago

        You can theoretically do that, but that's against app store regulations. I'd imagine that logging out first, then deleting the app, should prevent the behavior because afterwards there's very little reason to have any sort of lingering keychain data. But at the end of the day, it's basically an honor system.

    • threeseed 2 years ago

      You can add/delete entries in the iOS keychain from the Passwords section.

      And I am looking at my iPhone now and Meta does not store tracking data in the Keychain.

    • Razengan 2 years ago

      > Keychain storage doesn’t let FB track you

      Are you serious? They literally know my previous accounts even after I DELETE the app, WIPE the iPhone, and login to the same iCloud account on ANOTHER iPhone.

      They do this by storing some data. They can store data about anything else. How can we be sure if we can't even LOOK at that data?

      I only caught this because of the visible symptoms they CHOSE to show us: The list of previous logins.

  • HumblyTossed 2 years ago

    This is nuts. There should be a grand total of zero files on my personal computing device that I cannot remove (no matter the consequences).

    • ants_everywhere 2 years ago

      This seems fundamentally at odds with Apple's philosophy that they're providing you a rented appliance they control and which you have temporary access to.

      I'm sure you can remove most and/or all Mac OS files, but they're increasingly using trusted computing and even designing their own chips to increase the control they have over the devices (and correspondingly limit user control).

      They sell this as a security feature these days, but the appliance model predates that and security is kind of just along for the ride.

      I'm glad to see that people feel strongly that they should have control over the files on their system. I'd like to see that help move us toward users having full control over their computers.

    • threeseed 2 years ago

      You can remove every file on your Mac.

      And there are no eternal tracking cookies for Safari; even first-party ones are deleted every week.

    • redeeman 2 years ago

      then you have chosen the wrong platform. Just be grateful that the mighty apple even deems you worthy of having files

      • Razengan 2 years ago

        Android's security was way worse for years. How long did they even take before having granular permissions or a Privacy Report, if they do now at all?

        • redeeman 2 years ago

          uhm, they had different permissions granularized, in some ways worse than apple, some ways better.

          but i was not talking security

  • quadhome 2 years ago

    It’s stored in your keychain.

    Disabling the iCloud keychain doesn’t clear your local copy.

  • arp242 2 years ago

    > Every attempt to talk about this gets ignored or buried (maybe by people who want this "feature" to be kept quiet) so I will take every opportunity on existing discussions about Facebook to bring it up:

    Or maybe this happens because it's completely off-topic here and has nothing whatsoever to do with WhatsApp?

    Most of your other messages seem similarly off-topic: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

    Not only that, people have already answered your question in a previous thread.

    • Razengan 2 years ago

      It's less of a "question" and more of a "WHY THE FUCK is this even a thing???" and why aren't people giving FB/Apple hell for this??

      There was a popular post just a few hours ago about Filezilla (whatever that is) containing adware in the default download.

      This is a FAR more grave violation of privacy than anything so far — Tracking people ACROSS reinstalls AND MULTIPLE PHONES!

  • threeseed 2 years ago

    Not sure why you are using this thread as technical support.

    Or what tracking data you are referring to, i.e. is it cookies or local storage, but either way you should maybe speak to Apple Support.

    Yes iOS apps can store local data and if you're unhappy about it then just delete or reinstall the app.

    • lxgr 2 years ago

      > just delete or reinstall the app.

      Well, that doesn't delete all local data. That's exactly the problem!

  • darklion 2 years ago

    > WHY does Apple, parading around as a pompous paragon of privacy, even allow this crap?

    Good alliteration.

    Apple doesn’t enforce what the app does with app data. Apple makes sure that if the app uses a platform API that is sensitive, it gets your opt-in (or prohibits the use of the API altogether). Apple makes sure that the app publishes a privacy nutrition label. But what the app does inside with whatever data you choose to give it, that’s up to the app.

    If you voluntarily choose to give data to the app, what the app does with it is your problem. Apple just tries to make sure the app can’t take data that you haven’t chosen to give it.

    • lxgr 2 years ago

      That would be a nice solution, but there is no "allow app to persist data beyond deletion/reinstall" user-grantable permission on iOS.

    • Razengan 2 years ago

      There is no indication whatsoever that an app will leave behind an Eternal Cookie on my device, nor am I given a chance to prevent it.

2Gkashmiri 2 years ago

If I am an EU citizen (wink wink) and want to communicate with my family member living in the USA, will this let me or not let me?

  • mdasen 2 years ago

    If you reside within the EEA, yes. However, given the "wink wink", the answer might be no.

    Meta is requiring that people reside within the EEA, not just are someone who is an EU citizen. They're requiring integrating services to give them the IP addresses of users and for the integrating service to confirm that you're within the EEA at least once in any 60 day period. If Meta thinks you're violating that as a user, they'll cut you off from the integration. If they think the integrating service is just violating it, they'll cut off the integrating service.

    It looks like Meta might be requiring as much identifying information about you as they can get so it will probably be relatively easy for Meta to figure out who is cheating.

    But if you're not trying to cheat, then yes you'd be able to message US WhatsApp users from a non-WhatsApp account in the EU.

datanut 2 years ago

I wonder how desirable and feasible a [matrix] interop would be.

TremendousJudge 2 years ago

Chances they'll make this available in any place where it's not required by law? zero? Or have they mentioned it at some point?

tensor 2 years ago

If only the DMA also required that users that are not E2E encrypted be displayed as such. As a user, it's important to know when your chat is actually secure. Competition should not be at the expense of security.

  • ajayyy 2 years ago

    DMA requires that the interoperability be at the same level of encryption as normal chats. In WhatsApp's case, that means all interoperability must be E2E.

Sytten 2 years ago

I am wondering if DMA forces Signal to also be less hostile to third party clients. It's not like they have been open to it up to now.

  • 3np 2 years ago

    Signal is not classified as a gate-keeper and therefore no.

nottorp 2 years ago

Is there some loophole to just do custom WhatsApp clients without running your own network?

One that never loads images would be lovely.

  • pillusmany 2 years ago

    You literally have an option in WhatsApp to disable loading of audio/image/video.

    • nottorp 2 years ago

      Oh yes, it's there, thanks. I wonder when they added it...

      Edit: Waaait a bit. I have it on iOS and I have it on some laptop where whatsapp desktop is an old version.

      I can't find it on my desktop where their desktop app is the latest and greatest...

      They probably "improved my whatsapp experience".

      Edit 2: besides, that just doesn't download the photos, I think? They still take half the screen that could be used for displaying more text...

      • abdullahkhalids 2 years ago

        > I wonder when they added it...

        At least 7-8 years. Probably from whenever it became possible to send media messages.

        • nottorp 2 years ago

          Does not work on any version of whatsapp desktop, even the ones that have the option present. I still get all the crappy gifs in my chats.

      • adhvaryu 2 years ago

        The option to disable auto download has been there since day 1.

  • cprecioso 2 years ago

    I'm using Beeper with its Matrix bridges just fine

    • nottorp 2 years ago

      Wait list? Is that a secret society? Do I need two existing members to vouch for me?

      • ripdog 2 years ago

        No, it's just load management. They run a full matrix home server for all their users and a bunch of bridges.

advisedwang 2 years ago

Wow this shows the DMA might really do some good.

I'm impressed with EU regulation. Standardized chargers, ending roaming charges, GDPR, DMA. Definitely worth the side effects overall.

  • mbertschler 2 years ago

    Side effects like horrendous cookie banners everywhere.

    I really like the DMA too

    • albert180 2 years ago

      Just use an Add-On like Consent-O-Matic that declines/accepts (based on your preferences) automatically for you. This way you also don't have to deal with the illegal shady dark patterns many companies use.

    • advisedwang 2 years ago

      After gdpr you can pretty consistently get companies to delete their data about you, and often get a data export. Those alone seem worth the consent pop ups.

lannisterstark 2 years ago

Sigh

Just...use Matrix or XMPP or something ffs. The open protocols _already exist_.

  • jeroenhd 2 years ago

    They don't provide the same level of privacy that the Signal protocol does, though. Plus, I'm not sure why WhatsApp would implement a whole second protocol in the first place; they're doing this out of legal obligation, not out of free will.

    I have some minor hope that WhatsApp will eventually switch to MLS+MIMI, as someone from Facebook does take part in the design process, but that could also be because of Facebook Messenger really.

    • lannisterstark 2 years ago

      > They don't provide the same level of privacy that the Signal protocol does, though

      Can you elaborate on this please?

      • jeroenhd 2 years ago

        Signal is built around metadata minimisation. Messages contain the absolute bare minimum information to get delivered. Because there is only one server everyone is connected to, there is almost no routing metadata attached to the encrypted binary blob. You get a key and ciphertext and that's about it. Not even Signal knows the sender metadata that's part of the message, by encrypting it. Basically all Signal knows about you is your phone number, IP address, and the last time you checked the server. It also doesn't store messages for longer than it absolutely needs to (which leads to the desktop client needing to connect to your phone or vice versa for multi device chats).

        XMPP needs to have a username and server name at the very least. This is because it needs to work in a federated context, and it doesn't use things like DHTs to decentralise messages in a way that allows hiding the routing data. The message body is encrypted, of course, and headers can be minimised, but there will always be unencrypted metadata. To quote the spec:

        > The OMEMO protocol does not protect against attackers who rely on metadata and traffic analysis.

        As for Matrix: the message body is usually mostly encrypted, but it's leaking a lot of metadata. Message IDs sometimes find themselves outside of the encrypted envelope as well as timestamps and other information I don't think should need to be outside the encrypted envelope.

        Neither XMPP nor Matrix were designed with encryption as a first priority and that led to protocol design choices regarding metadata that cannot be altered without breaking most clients. They also tend to store messages grouped by chat group/conversation, though multi device support is technically optional for XMPP. From a server dump of either XMPP or Matrix, someone can deduce what users are chatting to what users when. In Matrix, you could deduce what messages are responses, updates, or deletions of what other messages, as well as reactions. For Signal, you'd need wiretaps on both sides to deduce that level of information.

        A protocol like Signal would be near impossible to federate. That said, if federation is your goal, MIMI+MLS seems to be the future. Matrix is moving towards MLS, Google's RCS encryption already uses MLS, and MIMI and MLS are often tied together in spec definitions. I believe the XMPP people are also working on (have finished work on?) embedding MLS in XMPP as an alternative to existing encryption methods.

Pannoniae 2 years ago

The most hilarious part:

"Partner represents and warrants that it shall not introduce into WhatsApp’s Systems or Infrastructure, the Sublicensed Encryption Software, or otherwise make accessible to WhatsApp any viruses or any software licensed under the General Public Licence or any similar licence (e.g. GNU Affero General Public License (AGPL), GNU General Public License (GPL), GNU Lesser General Public License (LGPL)) containing a "copyleft" requirement during performance of the Services"

  • diego_sandoval 2 years ago

    Viruses licensed under the MIT or BSD licenses are OK, though.

  • NekkoDroid 2 years ago

    Would be a shame if someone were to use the EUPL-1.2 just to fuck with them :)

  • arp242 2 years ago

    That entire section 6 is weird; because 6.1 talks about gaining access to WhatsApp's "systems, networks, databases, computers, or other information systems owned", and then 6.2 is the bit you quoted that talks about copyleft.

    But ... it's not like WhatsApp is hiring me as a sysadmin for their servers, are they? Why would they give me access to their systems? They won't. This seems copy/paste legalese.

    • EMIRELADERO 2 years ago

      > But ... it's not like WhatsApp is hiring me as a sysadmin for their servers, are they? Why would they give me access to their systems? They won't. This seems copy/paste legalese.

      "Access" in this case just means "ability to interact with". It doesn't imply root/admin abilities.

  • majke 2 years ago

    Can a binary even be gpl?

  • quadhome 2 years ago

    “Any viruses” huh? The semantic gap between engineering and legal is real.

brink 2 years ago

Why do all Meta websites intentionally break the back button? It makes me irrationally angry every time I visit facebook or instagram for how disrespectful it is, it's like it springs a trap where I'm not allowed to leave in the browser tab I arrived in.

  • _ink_ 2 years ago

    A random feature I didn't know for too long is long pressing the back button, which opens a menu containing the last few locations. Typically that helps with sites that hijack the back button. Works also on desktop.

    • lxgr 2 years ago

      What I'd love is a crowdsourced database for known back button hijackers in e.g. Firefox: If too many people report a site as being broken that way, the back button API could be made opt-in for everybody in the site settings.

  • HumblyTossed 2 years ago

    I find any site that does this to be user hostile and minimize my time spent there.

  • BeetleB 2 years ago

    At least on Firefox, the back button continues to work on this site.

    • bombcar 2 years ago

      Do Microsoft's discussion forums work too? Because I wonder if Firefox has code to ignore backbitten pages.

  • layer8 2 years ago

    > It makes me irrationally angry

    That’s pretty much the purpose of Facebook? ;)

  • pvg 2 years ago

    Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.

    https://news.ycombinator.com/newsguidelines.html
