Looks like interoperability is geo-fenced to Europe only.
This reads like a lot of words to say Fuck You Europe to me.
Well, feelings are mutual, at least we are on the same page, them and me.
Messaging-interoperability is the one aspect of the DMA I don't support. These apps are free to download; and if you care about security (and use Signal) you'll want to avoid cross-service messaging anyway.
Without additional regulations across the globe it’ll be simpler playing the geofencing game for those companies.
Some of them even threaten back charges if it turns out you used more data abroad than at the home country over a long enough period.
I called their bluff once and got away with it, but their systems may have improved since then
I think the previously often raised objections to interoperability were technically and economically mostly sound (federation is much harder to achieve in a secure way, thinking of key distribution, identifier verification etc.).
Now overcoming all of these obstacles and then going the extra mile to implement geofencing (which also has tons of edge cases!) completely undoes that argument.
WhatsApp makes their money from the business clients/apps (which aren't covered under this, which I think is fine by the way).
So why care where a user is on the planet? I just don't see the business reason for this. Maybe I'm missing something?
I've been waiting for this, and hoping I could "just" cook up some of my own code to use with WhatsApp, and/or integrate it with Pidgin or bridge to email or whatever. But the entire process is about as hostile as possible.
For example "Partner shall have in place a dedicated security team" basically excludes most startups, or most smaller companies.
It's not clear to me if this is really complying with the DMA – it's certainly not in the spirit of it, but less sure about the letter of it.
That said, I'm sure we'll see open source libraries pop up everywhere to communicate with WhatsApp directly. There already are unofficial WhatsApp clients in various forms, but now they can use the protocol without risking breakage because they reverse engineered the contents of the protocol itself.
I think there will be plenty of space for the Beeper Minis out there right now.
How so? Each of them would need approval by Meta + signing an NDA, and I can easily see that ruling out open source libraries.
That's really a decision you should make, and not WhatsApp – "do I trust this arp242 guy and his GitHub repo?"
And some auditing isn't necessarily too bad, I guess, but a lot of this goes far beyond "basic security"; it's the type of "corporate checkbox security" that we all know works so well.
What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?
my friends and I use WhatsApp because we know the messages are secure. Imagine if every other group message had the “green bubble” equivalent experience if someone was using a custom client.
Without the DMA, Meta can make it very hard for any business model based on them, but it's never been a technical obstacle.
In a very similar way, you also need to trust your friends to not activate WhatsApp chat backups to Google Drive or iCloud without a password if you don't want end-to-end encryption to be compromised (there's no indication if they have it on or not), and that's the default suggestion by the official client.
I need to read a bit more carefully through the (limited) technical documentation they have; but all of this seems highly excessive. I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.
I don't know what "the green bubble experience" means(?)
But even if you're using the official super secure endpoint, there's nothing preventing the user from taking a picture of the screen, which bypasses all protections.
It is probably a positive change for end users, but far far away from the "open up your protocol" I was hoping for.
Making messaging interoperability with third parties safe for users in Europe
https://engineering.fb.com/2024/03/06/security/whatsapp-mess... (https://news.ycombinator.com/item?id=39614085)
Using it with a dedicated username for whatsapp contacts could be a way.
Facebook (and TikTok) store tracking data on iOS that the user CANNOT SEE and CANNOT DELETE:
• It shows my previous account even after I delete the app.
• Clearing Safari's cache does not work.
• Disabling iCloud Drive and iCloud Keychain does not work.
• Even completely signing out of iCloud does not work!
• On a Mac in the Terminal, you can go to ~/Library/Mobile Documents and "ls -al" to see hidden folders like "iCloud~com~Facebook~Messenger" that you cannot otherwise view or delete.
• Someone mentioned that even RESTORING an iCloud BACKUP will resurrect these "eternal cookies"!!
----
WHERE do they store this data?
WHY can't the user see this data?
WHY can't the user delete this data without going through the app?
WHAT ELSE do apps store on our devices that we aren't even aware of? (This is just what we can see: The list of saved accounts for "quick login")
HOW MANY other apps are secretly doing this?
WHY does Apple, parading around as a pompous paragon of privacy, even allow this in the first place??
It would be really great to have a keychain section in iOS’s settings, like Keychain Access on Mac. The dev can build in-app functionality to delete keys from the keychain, but there’s not a huge incentive to.
Keychain storage doesn’t let FB track you, just store sign on info, keys, and the like. It’s not able to execute arbitrary code, it’s an encrypted place to store login info that Apple syncs between your devices.
Use them via Safari if you don’t want this (then your logins are saved & synced in Safaris keychain.)
This is an issue because if you ever use an app by a company, uninstall all their apps, and then install one of the developer's apps years later, they can tell it's the same iOS profile (even restored on a different device), profile what you do across those apps/installs/decades, and associate any accounts you log in with. Essentially they can put a permanent cookie that you can't even see on your iOS profile that's shared between their apps. If you use iCloud Keychain, they can probably profile you across all your devices regardless of whether you reset one.
Apple has said this isn't intended functionality and they were going to address the issue many years ago in iOS 10.3 by removing Keychain data when the last app from a developer was uninstalled [1], but they got cold feet. If I recall correctly, the reason was that some app developers were relying on this unintended functionality to ensure free trials couldn't be used more than once. Apple was going to introduce a service that could store only 2 bits of data to enable that use case and then revisit Keychain deletion when the last app from a developer is uninstalled, but it appears they haven't.
It would be great if they'd finally fix this.
It sure lets app developers identify me across app deletions and reinstalls!
I'm also not sure why Apple has kept this loophole open for so long when they are otherwise so focused on making sure user tracking across reinstalls is so hard (e.g. by making APNs tokens change after a reinstall, which used to not be the case as well, restricting access to read the device MAC address and other permanent identifiers etc).
And I am looking at my iPhone now and Meta does not store tracking data in the Keychain.
Are you serious? They literally know my previous accounts even after I DELETE the app, WIPE the iPhone, and login to the same iCloud account on ANOTHER iPhone.
They do this by storing some data. They can store data about anything else. How can be sure if we can't even LOOK at that data?
I only caught this because of the visible symptoms they CHOSE to show us: The list of previous logins.
I'm sure you can remove most and/or all Mac OS files, but they're increasingly using trusted computing and even designing their own chips to increase the control they have over the devices (and correspondingly limit user control).
They sell this as a security feature these days, but the appliance model predates that and security is kind of just along for the ride.
I'm glad to see that people feel strongly that they should have control over the files on their system. I'd like to see that help move us toward users having full control over their computers.
And there are no eternal tracking cookies for Safari even first party ones are deleted every week.
Disabling the iCloud keychain doesn’t clear your local copy.
Or maybe this happens because it's completely off-topic here and has nothing what-so-ever to do with WhatsApp?
Most of your other messages seem similarly off-topic: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
Not only that, people have already answered your question in a previous thread.
There was a popular post just a few hours ago about Filezilla (whatever that is) containing adware in the default download.
This is a FAR more grave violation of privacy than anything so far — Tracking people ACROSS reinstalls AND MULTIPLE PHONES!
Or what tracking data you are referring to ie. is it cookies or local storage but either way you should maybe speak to Apple Support.
Yes iOS apps can store local data and if you're unhappy about it then just delete or reinstall the app.
Well, that doesn't delete all local data. That's exactly the problem!
Good alliteration.
Apple doesn’t enforce what the app does with app data. Apple makes sure that if the app uses a platform API that is sensitive, it gets your opt-in (or prohibits the use of the API altogether). Apple makes sure that the app publishes a privacy nutrition label. But what the app does inside with whatever data you choose to give it, that’s up to the app.
If you voluntarily choose to give data to the app, what the app does with it is your problem. Apple just tries to make sure the app can’t take data that you haven’t chosen to give it.
Meta is requiring that people reside within the EEA, not just are someone who is an EU citizen. They're requiring integrating services to give them the IP addresses of users and for the integrating service to confirm that you're within the EEA at least once in any 60 day period. If Meta thinks you're violating that as a user, they'll cut you off from the integration. If they think the integrating service is just violating it, they'll cut off the integrating service.
It looks like Meta might be requiring as much identifying information about you as they can get so it will probably be relatively easy for Meta to figure out who is cheating.
But if you're not trying to cheat, then yes you'd be able to message US WhatsApp users from a non-WhatsApp account in the EU.
https://www.wired.com/story/whatsapp-interoperability-messag...
Matthew also did a Fosdem talk about it about a month ago: https://fosdem.org/2024/schedule/event/fosdem-2024-3345-open...
I'm sure the free market will handle it ;)One that never loads images would be lovely.
Edit: Waaait a bit. I have it on iOS and I have it on some laptop where whatsapp desktop is an old version.
I can't find it on my desktop where their desktop app is the latest and greatest...
They probably "improved my whatsapp experience".
Edit 2: besides, that just doesn't download the photos, I think? They still take half the screen that could be used for displaying more text...
I'm impressed with EU regulation. Standardized chargers, ending roaming charges, GDPR, DMA. Definitly worth the side effects overall.
I really like the DMA too
Just...use Matrix or XMPP or something ffs. The open protocols _already exist_.
I have some minor hope that WhatsApp will eventually switch to MLS+MIMI, as someone from Facebook does take part in the design process, but that could also be because of Facebook Messenger really.
Can you elaborate on this please?
"Partner represents and warrants that it shall not introduce into WhatsApp’s Systems or Infrastructure, the Sublicensed Encryption Software, or otherwise make accessible to WhatsApp any viruses or any software licensed under the General Public Licence or any similar licence (e.g. GNU Affero General Public License (AGPL), GNU General Public License (GPL), GNU Lesser General Public License (LGPL)) containing a "copyleft" requirement during performance of the Services"
But ... it's not like WhatsApp is hiring me as a sysadmin for their servers, are they? Why would they give me access to their systems? They won't. This seems copy/paste legalese.
"Access" in this case just means "ability to interact with". It doesn't imply root/admin abilities.
That’s pretty much the purpose of Facebook? ;)