undefined | Better HN

0 pointsomk5y ago0 comments

https://faq.whatsapp.com/general/contacts/about-contact-uplo...

Based on this they do not store information of users who have not signed up and only store a cryptographic hash. The hash isn't created on the device, so the servers definitely get it.

0 comments

pfortuny5y ago

There are just 10^9 phone numbers in Spain. Say 0.01 sec/hash (which is A LOT), you have 10^8 seconds. You can decrypt all the hashes in 0.3 years...

"Cryptographic hash" is as bullshit as "MD5 encrypted passwords".

daemin5y ago

Or you know just create a rainbow table of all the phone numbers in the world and match the hashes against that. Would probably be faster.

Rygian5y ago

If I'm being optimistic, the hashes of a user's contacts are salted with the user's own phone number, so the space could be 10^18.

stiray5y ago

Just a small detail about cryptographic hash:

https://gdpr-info.eu/art-4-gdpr/

"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

Cryptographic hash of phone number is still uniquely identifying natural person and is by GDPR still under the definition of personal data. The GDPR authors knew what they were doing - or they were lucky although also other parts of GDPR suggest that they had some technical think-tank behind it.

Anyway, hashing doesn't solve anything, whatever "obfuscation" is used/invented, as long as information points to "natural person" it is considered personal data.

j / k navigate · click thread line to collapse