I hate Facebook as much as anyone here on HN, but the enemy of my enemy is my friend.
If keeping end-to-end-encryption also happens to be in the interest of some faceless multinational corporation, we can use their resources in this fight.
We can go back to fighting Facebook once this is over.
This is something I don't understand that continues to happen in politics, technology and many other facets of life. Why do you have to either fully support or fully be against a entity? You can selectively like some things someone does while not liking other things they do, same goes for corporations. You also don't have to justify bad things by listing good things they've also done, you can just like the good thing and hate the bad thing.
People are so black and white. Don't think it's a new thing, but the internet has made it very popular to be black and white in our thinking.
The social benefits of this type of thinking are too big to ignore for many people. You get to be a part of a group. (I'm going to skip any hand-wavey allusions to evolutionary psych because they don't really add much.)
I get the appeal. I'm just not always one of them. I'm sure I'm black and white on some things, but I always joke that my teamwork/togetherness gene is busted for the most part.
In my humble opinion, this is partly why most modern democracies have reduced themselves into two party theater. Much more time is spent arguing optics and deciding who's truly the scotsman in the current crop of leaders than what policies are best suited to achieve goals the electorate might be interested in reaching.
The two party system is usually a side effect of first past the post voting systems. Since elections only allow voters to choose one candidate, a third party candidate end up splitting the vote and taking votes away from the candidate who is closest to their political stance.
People see that and decide the rational choice is to vote for the candidate that they hate the least with the highest chance of driving, and third parties merge to form coalitions that actually have a chance of winning. Rinse and repeat until you only have two parties. (CPG Grey did a great video on this https://youtu.be/s7tWHJfhiyo)
Check out Ireland for how to set up a voting system that doesn't converge to two parties
> third parties merge to form coalitions that actually have a chance of winning. Rinse and repeat until you only have two parties.
I would suggest that this probably isn't the case. Since there is no requirement for a majority vote share in first past the post, the same results can be achieved by splitting parties. The parties have more targeted appeal, just enough to squeak past the other parties. This is the case in India, for example.
> I would suggest that this probably isn't the case.
It is; both the theoretical and empirical support for this being the effect of FPTP is overwhelming.
> They can be acheived by splitting other parties, but while Party A can choose to form a superparty eith Party B, it can’t choose to durably split Party C instead. Parties in FPTP will, to the extent that they can get away with it, funnel support to minor party candidates that will split the vote of their major opponent, but that’s a short-term tactical rather than long-term strategic maneuver.
> The parties have more targeted appeal, just enough to squeak past the other parties. This is the case in India, for example.
It’s really not, though India is complicated by being a federal system (which means a bunch of different electoral area with different and interacting party systems) and being in the middle of a long realignment from, at the national level, a dominant-party system under Congress (and looks a lot like at least temporarily to a dominant party system under BJP, again at the national level.)
> why most modern democracies have reduced themselves into two party theater
Is that true? It's certainly not the case in Germany, where we have ~6 relevant parties at the moment. I'm pretty sure other European nations, like Italy, often form their governments from multi party coalitions as well.
In the US I'd primarily blame the way votes are counted (majority of majorities). I'd expect other parties to rise to relevance if a different voting system was used, e.g. parties getting seats in the house of representatives proportional to their votes, instead of composing it from the winners of the individual districts (or a hybrid, like in Germany).
In 2012, when the top two candidates have ~50% of the votes & four candidates total are above 10%?
In 2007, when the top two candidates have ~50% of the votes & four candidates total are above 10% (note: note the same parties)?
In 2002, when the top two candidates have ~35% of the votes and the loss of the leading left wing candidate was blamed on too many different left wing parties fielding candidates and getting votes?
In 2002, when the top two candidates have ~45% of the votes & four candidates total are above 10%?
Same thing for 1995, 1988, 1981.
In the last US presidential election, the top two candidates got a combined 98.17% of votes. The next candidate got 1.18%. This is a completely different situation.
Most political systems tend to converge into a two-party system.
I think the internet has made people more vocal but access to opposing and nuanced viewpoints has made a lot of people grey. I know that's the case for me, not sure if it encapsulates the majority.
Do you have a source for that? Coming from a country where there are 16 different parties in parliament (the Netherlands), neighboured by two countries which each have at least five parties in parliament (Belgium and Germany), I find that statement difficult to believe.
Widely used voting systems converge on two parties. The worst offender is the first-past-the-post system. Instant-run-off voting is better, but still converges on two parties.
Wish I had a good citation for you, but I do have an try-it-yourself guide on voting systems to link to: https://ncase.me/ballot/
I don't want to get into who's your enemy and your enemy's enemy and why, but in general the enemy of you enemy is only the enemy of your enemy. It can be your enemy too.
Lighthearted example: any competitive game between 3 or more players. There might be occasional alliances but everybody is the enemy of everybody else.
In any competitive game, if you’re ranked as #2 player, but you can join forces with player ranked #3 to eliminate player ranked #1, your best course of action is do that.
After player #1 is defeated, you have a good chance to defeat player #3 (because you’re #2, meaning you’re better player).
Player #3 joins this campaign in hope to defeat you, but also because they can get whatever second place gives.
The idea is that you can both defeat the common enemy leaving only one fight afterwards. It doesn’t mean you’re actually bffs with the enemy of your enemy
I also dislike and don't trust Facebook, but I agree. I often have to remind myself that Facebook are just a business with dubious practices. They're not some evil entity hellbent on destroying privacy in every shape or form.
WTF is going on with their cookie dialog? Surely that's not even remotely legal? There is just agree and a second dialog with guidance on how to clear cookies per browser (???) and a second agree button.
That's not even an attempt at a dark pattern nudging you towards one option...it's just do you agree or do you agree.
Hard to trust companies that think that's how consent works...
Facebook's own dialogue is relatively similar – you do get one option for Facebook's own advertising tracking and another for every third-party function mushed together (no differentiation between functional, analytical, advertising, etc.), but in the end no matter what you choose there's still only one 'Accept cookies' button.
"Can WhatsApp work with law enforcement without traceability?
WhatsApp respects the important work law enforcement does to keep people safe. Our dedicated team reviews and responds to valid law enforcement requests. We respond to valid requests by providing the limited categories of information available to us, consistent with applicable law and policy. We also have a team devoted to assisting law enforcement 24/7 with emergencies involving imminent harm or risk of death or serious physical injury. We consistently receive feedback from law enforcement that our responses to requests help solve crimes and bring people to justice.
It’s also important to understand that depending upon the nature of their investigations, law enforcement officials have multiple investigative tools, and may obtain information from many sources, including different companies, other governments, or from users’ devices. More information about how we work with law enforcement can be found here."
*************************
Can Facebook clarify what these limited categories of information are?
While reading this article I had the following reaction - Facebook would like to prevent traceability to preserve user privacy. That makes complete sense. Oh wait - they say they do have means of helping law enforcement and governments, wait a minute, in a fully encrypted system end to end how are they able to help governments in emergencies at all?
So my question here is that in a hypothetical scenario where terrorists are using whatsapp to coordinate an evil plot, which to most people would fit a scenario where Facebook can and should help the government - what is it that Facebook can do to help a government?
The only way I can see them being able to help the government is if they have the ability to selectively turn off end to end encryption for specific numbers (probably based on a warrant from a court). Will Facebook confirm if this is the case?
> So my question here is that in a hypothetical scenario where terrorists are using whatsapp to coordinate an evil plot, which to most people would fit a scenario where Facebook can and should help the government - what is it that Facebook can do to help a government?
This logic has been used to justify mass-surveillance and degrade encryption for national security and "protecting the children" narrative. The problem is that governments also use this as a way to suppress civil liberties.
What if the government declares a journalist uncovering a multi-billion arms deal scam or some human-rights violations as a terrorist ? In the eyes of the law this qualifies the government to acquire private messages. Why should the government have this power ? The hardcore terrorists and journalists know about encryption and will setup their public keys for encrypted communication. It's the common man who is affected by such stupid legislation.
I think you've misunderstood the rhetorical device @dman is using. They're not saying Facebook should have the tools to help a government; they're asking what tools they have when they do want to help.
Their argument is tracing persons vs tracing content.
If law enforcement comes with a warrant against a specific person of interest, then WhatsApp presumably has ways and means to pull all metadata associated with that person's account (which presumably includes all contacts, metadata about all messages sent/received - timestamp & other-party contact details, along with app metrics – IP addresses, mobile device/network information etc).
It would be same as a telephone network except for the actual content itself.
If they also have a way to eavesdrop on content by breaking end to end encryption (and users don't care when WhatsApp on their device says the other parties signature changed), there's that possibility that they could be under gag order to not acknowledge that.
In intelligence, the metadata around the messages are sometimes more important than the contents itself. Parallel reconstruction is absolutely a tool and often law enforcement can get what they need through other means. It's just another puzzle piece in an investigation.
For example:
who talks to whom
when a user comes online, is most active, and general traffic analysis patterns
what groups a user might be present in and how active they are
what are the type of contents of a specific message (image, text, video)
As other users have noted as well, it's unclear as to the data sharing agreements these large companies have with various government agencies. For example if an agency has data access to messages DB, what does end to end matter? End to end encryption usually means un-snoopable data in transit, not data at rest.
I’d add account details (including profile pic), platforms being used, IP addresses, and linked accounts (including phone #) to that list. E2E protects your messages from interception, but literally everything else is fair game.
I wish Facebook was a lot more clear about what it shares and when. People need to be aware of what information exposure they have to digital platforms.
It sounds like fancy talk for "we don't share the content, we just share the metadata." Or in this case, "we encrypt the content, but we don't encrypt the metadata"
Of course, the metadata has always been more valuable than the exact content of your message, but it's always presented as a negligible detail.
> Of course, the metadata has always been more valuable than the exact content of your message
If you're doing something sensitive, like smuggling drugs or talking to NSA whistleblowers, the difference between metadata vs data is the difference between "the government is looking for an excuse to put you in jail" vs "the government gets a conviction".
I don't trust Facebook when it comes to messaging. But even if I did they could easily rollout a backdoor to a specific client. In the worst case, they need some help from google and apple.
This is something people are just not talking about for some reason.
WhatsApp/signal style apps cannot be secure to this sort of attack. You would think now that a public mass attack has been successfully carried out (encrochat) people would get it. I don't know if it's submarine marketing or what but people think the current situation is just fine.
Your contacts weren't known to the WhatsApp server, now they are. There's no reason the next automatic update for signal can't contain code to send your keys to the server, and it wouldn't be the first centralized E2EE app to do that.
The backups are an interesting thing that you bring up. The cynic in me cant help thinking that even as companies posture about being pro privacy, they do design features in a way where they can subvert privacy with plausible deniability.
For instance the move away from screen passwords to biometric things like fingerprints had me thinking about the fact that from a police pov - if they have a suspect in custody, forcing the suspect to put their thumb on the phone is probably a lot easier than getting them to reveal their password.
Phrased another way, I find it hard to imagine that big companies are able to tell the state to take a hike and get away with it.
Which is why I have been very wary on why almost the entire industry has moved to biometrics. In a way its a cheap way of throwing the privacy gauntlet back to the user rather than standing up to governments.
If they are claiming E2EE then they can't admit anything like this if they are to avoid having to produce message content to law enforcement. So for this debate it doesn't much matter if the E2EE is actually bogus.
Are you sure?
You seem to be suggesting the Facebook could instruct whatsapp on my phone to snoop on my messages.
Also my backups of Whatsapp are only on google drive as far as I know.
I agree that this is pretty sketchy, but the US government has harassed Facebook time and memoriam. It doesn't come as any surprise to me that they're able to to use their leverage here to get user data the same way they get it from Google, Apple, and every other Top 500 company that incorporates in the United States.
the entities affected were powerful in their own right, just happened to be in the opposition to the central govt in one case, and in another, a top media personality in opposition to Mumbai's state govt/police machinery.
It's such a shame that Facebook was allowed to buy WhatsApp (and Instagram). WhatsApp itself seems truly pro-privacy, but that counts for diddly-squat when it's owned by Facebook.
What do you mean 'allowed' (Im not being snarky, honestly curious please take the question as not an attack)? The creators just sold it, private company, private service they could have sold it to anyone they wanted. I think in hindsight they regret selling it to FB, but it's really hard to turn down billions of dollars.
Right but I didnt see anything in this acquisition that would trigger antitrust (WhatsApp only, I did see issues with Instagram). And independent messaging app that didnt have ads seems like a safe purchase from a legal standpoint. That is why I asked the OP why he was surprised it was allowed.
(I'm not the above commenter but also disagreed with your prior comment)
> The creators just sold it, private company, private service they could have sold it to anyone they wanted.
I understand and agree with your take now, but this sentence from your last comment seemed like a different line of thinking.
If a creator can just sell it to anyone because it's a private company, that's false and that's a different argument than the specifics of this case not triggering antitrust law.
WhatsApp being bought by Apple could have easily been construed as anticompetitive, so it wasn't just that a creator can sell a private company to anyone they want. (Also, Facebook Messenger could be a reason that Facebook's purchase of WhatsApp is anticompetitive, but neither service was as prevalent at the time).
Makes sense I should have been more clear (also why I said I wasnt trying to be snarky because I could easily read my first comment as such). I think at the time this sale happened any messaging service could have been sold to any company without government stoppage. The anti competitive guidelines are as such:
- agreements between competitors, also referred to as horizontal conduct
- monopolization, also referred to as single firm conduct
I think this sale would still go through today as for FB still has messenger and Whatsapp as separate products and (arguably) still free. I havent thought about it Apple purchased it. I think that still may have gone through too unless they stopped the app working on Android.
I agree with you that the sale doesn't come under current anti-trust laws. My position is that there ought be broader market health protections that allow for intervention in cases such as these on the basis that the reduced competition is detrimental to society / consumers even though it doesn't constitute a monopoly and may not be intentionally anti-competitive.
M&A is regulated, it's not a totally free market. If company A buys company B, the government allowed them to do so. There are plenty of scenarios where they won't.
I agree with that but a independent messaging app seems perfectly safe for FB to purchase. Instagram a little different but I never saw the government being concerned or potentially not allow this one to go through. That is why I was curious about the OPs perspective because maybe they did see something (not counting hindsight and that FB is a terrible company, but only in the moment)
It's simple: OP's perspective is that even though the purchase was not stopped, it should have been. That to you it seemed a perfectly safe purchase is completely irellevant to his argument.
I would like to know why he thinks it should have been stopped. At the time of that purchase I think any messaging platform could have been sold to anyone and not been stopped (imo).
Again, it's simple: he says it should have been stopped, not that it could have been stopped. Or you could read it as "in a better system, this purchase would have been seen as anticompetitive and stopped". I happen to agree with the sentiment.
Again, I ask why. It wasn't anti-competitve because the service still exists as a standalone service just with a different owner. I see what you are saying it just does not make any sense in terms of antitrust or anti-competitiveness
It's not really standalone. The privacy implications are case in point. Facebook is a vehemently anti-privacy company, and it's not going to allow WhatsApp to undermine on this point. If WhatsApp (or indeed Instagram) were truly independent then we may well see competition on this front.
WhatsApp wouldn't exist today (at least not at the current scale) had Facebook not bought it. They have operated for over a decade now, serve 2 billion users, and have made close to zero revenue the entire time.
They also had very low costs before the facebook acquisition. They had a very small development team and very low server costs.
Sure, things like adding group video calling massively increased their costs, and they probably couldn't have done it without facebooks help, but without that they probably could have survived on 1 ad message per year, or on $0.50 per year (which they actually charged for a while).
That's not true. They were charging $1/user/year (possibly only on Android and in some countries) before their acquisition. And their costs were low. I'm pretty sure they were profitable.
> WhatsApp’s six-month revenue for the first half of 2014 totaled $15.9 million and the company incurred a staggering net loss of $232.5 million, though the majority of that loss was for share-based compensation.
It doesn't seem to be too relevant: it's the year of acquisition and the loss is due to the "share based compensation". Remembering what I've read, before they were really small company with small number of servers properly handling all the uses.
Not true - that loss was based on employee compensation due to the size of the deal and realized stock appreciation. WhatsApp could have covered operating costs indefinitely from user $1 payments.
Let’s be honest, nobody would have paid that $1 (you had a free year before you had to pay IIRC). Everyone would have switched to another free service.
WhatsApp is in a good position to become a "lightweight" Slack competitor, since so many small companies already use it for work.
In my country (Argentina) it became a de-facto platform for selling for small businesses, grocery stores and restaurants. There are a couple of 3rd party e-commerce platforms that generate the order and then simply drop it through WhatsApp so you can continue through there and handle the payment manually.
... There are many ways in which WhatsApp could have explored making profits. Facebook simply made it stagnate.
Is how Facebook is trying to off-load cookie control onto the user's browser configuration anything close to compliant with law?
This is the only instance of a company I have seen not bothering with 'Accept' vs some other complicated choice dialog (and I only saw this because I was annoyed by WhatsApp forcing the TOS change and, lo, they seem to be forcing 'Allow all' for cookies too?)
Telling my browser my privacy preferences and then requiring sites to follow that seems like the holy grail of privacy to me. Next up: Do Not Track. If it's set, skip the dialog and follow my preference instead. Along with that, browsers should make it into a drop-down with [do not track | do track | do not express a preference], so that people who prefer personalization also don't need to suffer the dialogs.
Companies like Facebook have a very simple way to protest the current crypto laws. They could publicly announce they are going to disable any crypto for each and every politician and their family members when they vote or act against it.
You'd be surprised... I know most higher-up people, even the ones in tech who should really know better, still make very questionable decisions around digital security. Often totally in breach of policy they themselves introduced. And get away with it due to their leverage. I worked in IT a long time and it's been so many times that I saw the 'please turn off the annoying security restrictions for us, we're the bosses so we know better' coming around. They often have a huge security awareness gap: themselves.
Though to be fair: Most of us have that gap. I know I do. But they have the clout to override policy.
Don't expect someone to be sensible just because they're at the top somewhere.
Can't traceability be implemented with digital signatures? WhatsApp could sign my messages with my encryption key and always forward messages with their original signatures as metadata. Wouldn't that implement traceability? I guess that's the "fingerprint" this article alludes to. I don't see the technical limitation, just a policy one. WhatsApp wouldn't need a centralized store of all messages.
I dont see the argument posed here. If a user sends a new message to 2nd user, and 2nd user forwards the message to a government agent, and agent asks for the origin of the message, there is a way to both encrypt the message and trace it. It's called convergent encryption. And I thought this was how whatsapp was tracking messages that were forwarded multiple times. By checking their base hash.
FYI convergent encryption is hashing the original message, using hash as key to encrypt message, and sending hash key to user via 2nd encryption. The hash encrypted message will generate a second hash which will be used to track the spread of a message.
WhatsApp should give an option to upload my public-key. I want to generate public key on my computer using some other free software. For non-tech users, they may keep generating keys however they want. But there should be an option.
That is the only way to guarantee that it really supports privacy.
Facebook talking about respecting human rights and privacy... If you want to make a truly secure messaging platform release the client and server side source code or gtfo.
Even if they release their server side source code how can you ensure that the deployed version matches the source ? Eventually there is always a thread of trust.
The point however is that the government of India is forcing private corporations to break privacy related measures to suppress civil liberties.
You could host software yourself and communicate within your circle only.
It seems like this may be the future - someone just has to make it easy for people to create groups that will deploy the server and generate the app.
But that would be a matter of time when governments will start to regulate hosting providers and e.g. banning hosting of communication servers.
Sometimes I wonder if "truly secure" messaging platform and "internet" messaging platform are incompatible. Is the reality that any internet based digital messaging platform is insecure in the long term. Eventually, your messages can be retrieved, traced, even tracked real time.
I think if your information needs security, don't put that information on the internet.
The biggest obstacle to secure messaging is making it friendly to users.
All popular end-to-end encrypted messengers manage user's public keys for them. And usually provide the client code too. And may have unencrypted backups. And may have account recovery mechanisms that can be abused.
Each of those makes it easy for the user, but degrades security.
Can't whatsapp pull off a big brain time and disallow forwarding ?
Then users must copy and paste messages, links and media. Hence every message is a source message.
The "Forwarded" note helps identify misinformation. If there's a message that says "2 Muslims came to my house yesterday, stole my baby, and ate her" and it comes from your friend you might actually believe it. If it says "Forwarded" you have a better signal that it's fake.
The same 'Forwarded' tag can be easily attached to a message that is copy-pasted verbatim (atleast from another whatsapp message). Anecdotal evidence suggests that 'Forwarding' is just way too easy as compared to copy pasting an entire message to each person you want to send to. So forcing people to do this would indeed reduce the amount of misinformation being spread via unvetted forwards (at the cost of 'valid' forward messages - which I think are too few to matter).
That kind of "search" might still need a warrant. For example, there was a court decision some years ago which determined that using IR cameras to detect marijuana grow lights inside a home requires a warrant, since people have an expectation of privacy that no one can see through their walls.
IANAL so I'm not sure whether expectations of privacy for letters are legally as strong as they are your own home, but it certainly seems possible...
If keeping end-to-end-encryption also happens to be in the interest of some faceless multinational corporation, we can use their resources in this fight.
We can go back to fighting Facebook once this is over.