Another WhatsApp thread

DeletedUser496

Sorry to bring this up.
I (personally) strongly dislike the afromentioned application due to privacy concerns, and at the moment I haven't installed it.
Thing is that in my country literally everyone uses it and I am the only person that I know of that does not have it.
Most of people have even never heard of Signal and getting them to use it is quite the challenge and when I try to explain them the benefits of using a privacy respecting app they look at me like I have an aluminium foil on my head
On top of that my job requires to maintain relationships with some clients that obviously don't use WhatsApp
Basically not using WA is quite the social challenge and results in a "digital isolation" and makes real life interaction way harder
Is anybody in the same situation?
How do you navigate/ manage it?
How do you make said application a little less privacy intrusive (I.e. using a separate profile, different telephone number, VPN always on, etc) / what strategies do you use with that goal in mind?

DeletedUser557

DeletedUser496 While not particularly useful right now, it's worth noting that Facebook has started rolling out third-party chat support for EU users (and for VPN users perhaps?) as required by the DMA. There are only two very niche apps mentioned right now, but I expect more normal apps will come along eventually.

brandy078

I still a have a WhatsApp account, which I use only to get notifications in some groups.
WhatsApp is in its own profile with just an always on VPN. No contacts are stored on this profile. The profile doesn't run in the background.
I told everyone that they can reach me only on Signal, or Threema.
When someone sends me a private message on WhatsApp I don't respond or I take minimum 2 or 3 days to answer. And I don't use WhatsApp for my reply. Mostly I send a message via RCS.
I never send an WhatsApp. I use Signal, Threema and RCS to write.
My family and some of my friends use Signal now too.
I think when your friends will see that you are not reachable on WhatsApp they will use another way to stay in touch.
If not, you are not important enough for them -hard but true
Wish them a farewell.

DeletedUser496

brandy078
I was thinking about a similar setup with separate profile
Do you use a different number for your WhatsApp account and did you open the WhatsApp account with the sim inserted in the phone where you actually have the account or did you use another phone?
I tried to open an account with network only and a dumb phone for confirmation, but WhatsApp wasn't having it and wanted phone access.
I did not give in since I feared it might get my mobile identifiers

brandy078

DeletedUser496 I bought a new prepaid sim exclusively to register my WA account. Used my phone to register. Never gave WA phone permission -pretty sure it worked and I got a code via sms. The sim card stays deactivated in my phone.
It's not perfect and I would like to avoid anything from meta, but it's a way to keep it as private and secure as possible I think.

brightjob4495

I use WhatsApp through an XMPP client (Cheogram) and a self-hosted XMPP server (Snikket) and gateway (slidge-whatsapp). I have Whatsapp installed on an old phone that sits off in a drawer.

The most important people in my life use Signal to speak with me, but as it's your case, Whatsapp is unavoidable where I live. I tried not having it, but the isolation has real-life consequences

brandy078

brightjob4495 Sounds you know what you're doing. :D
But I fear that's beyond my modest technical abilities.

TacticalCheddar

DeletedUser557 It's great that you no longer have to rely on their atrocious app, but the confidentiality of your messages still relies on Meta and their protocol. And considering their history of deceiving users and exploiting their data, you would be better off to just go with Signal and limit Whatsapp use as much as possible.

DeletedUser557

TacticalCheddar Sure, if you're able to get your friends and family to switch over with you. But as we all know that can be nigh on impossible. So having the option to not use their applications but still communicate with people is wonderful progress.

DeletedUser496

@brightjob4495 that's quite the setup! I am guessing you use it for other messaging apps as well?
@DeletedUser557
I have read about interoperability.
If I have to be honest it worries me a little bit: if I understand correctly if I was to use Signal to communicate with a whatsapp user some of my info would leak out to Meta and I might be profiled based on what my interactions with WhatsApp users are, and provided that they save my contact with real life name I would be a part of Meta social graph (If I understand correctly how this is going to work)
One solution might be to create another Signal account to use for WhatsApp contacts only I guess.
What do you think?

DeletedUser557

DeletedUser496 When it comes to Signal they've already stated that they will not enable third-party chats with Whatsapp. So that is not something to worry about.

I don't know what information gets transferred beyond the message, but they have feature documentation and requirements available here if you want to to check yourself.

I think the way to use third-party chats is if you need to use Whatsapp, then being able use a third-party app minimizes the data Facebook can get. Which is a win in my book. Also, should Whatsapp start requiring Play Integrity API you won't (I'm assuming) be affected by that.

brightjob4495

DeletedUser496 @brightjob4495 that's quite the setup! I am guessing you use it for other messaging apps as well?

I use it for Matrix and XMPP itself too, but mainly Whatsapp. I found this to be easier than self-hosting Matrix. I used to use Beeper before that, but prefer to self host and avoid yet another third party having my data.

23Sha-ger

Using a VPN in the modern realities is a good choice regardless of Facebook or Google tracking you.
WhatsApp became de-facto almost unavoidable in some countries, including mine.
Signal is not an option for "short-term" contacts like your clients, contractors, logistic workers, etc.
Slidge-WA is not hard to configure if you are familiar with setting an XMPP server, but I found it less robust
than just using the Web whatsapp version on a dedicated VM on my desktop, and an "emergency fallback"
on a secondary profile that is always disabled, unless I wait for an important chat and I'm on the road.

DeletedUser496

@DeletedUser557 good to know that they are not going to support interoperability.. And yeah if other apps will be supported it will be great. I might just install one of those and use it to communicate via WhatsApp.

@23Sha-ger I agree, a solid VPN is a must in today's landscape.
VM on your machine: What kind of setup do you use?
Which OS for web version? Linux based system I guess?
Have you tried other stuff such as Wayland? Never used it and not sure how solid / safe it is.

23Sha-ger

DeletedUser496
Barebones NixOS with ungoogled-chromium.aarch64-linux package for Whatsapp.

Gnome and KDE default to Wayland, but I use XFCE and X to save on RAM.
This runs perfectly on a macOS as a host, but has nothing to do with this topic.

DeletedUser496

Many thanks to everybody for their replies. Lots of creative solutions here!

@23Sha-ger Whatsapp inside VM sounds solid + separate profile / no contacts access on mobile for emergencies / when travelling. VPN + killswitch always on.
@brandy078 Whith this kind of setup one might also avoid answering as soon as a message arrives since notifications are always off.
Not sure, but this may have some benefits regarding the Careless Whisper vulnerability (don't know if it was patched or not) since having a device almost always off might make behaviour more unpredictable and metadata less vauable (digressing a bit here maybe)

I agree with @TacticalCheddar : try to move as many ppl as possible to Signal (even if not always that easy unfortunately). I managed to bring all my family and closest friends, but the "convenience over privacy" crowd is rather reluctant to change.

@brightjob4495 your setup is very well crafted and interesting. How much metadata do you reckon you are able to avoid sending out to Meta by doing so and how much metadata are you still sending ?

I apologize if I "overtagged", but I did not want to spam the post with too many replies.

brightjob4495

DeletedUser496 @brightjob4495 your setup is very well crafted and interesting. How much metadata do you reckon you are able to avoid sending out to Meta by doing so and how much metadata are you still sending ?

I'm sharing my phone number, the IP of my server, which groups I'm in and who I'm talking to and when, which is unavoidable.

I'm avoiding sharing anything the app itself could have access to: app interactions, when I'm connected and my phone's IP of course. Probably what apps I have installed on my phone, local network devices, what WiFi networks I have saved on my phone and advertising ID if I had Play Services. And if I had given the relevant permissions, nearby devices, phone media files, contacts, location, microphone and sensor data. And probably more things I can't recall right now.

Then there's all the weird shenanigans Meta might pull off. From my point of view, any software developed by Meta might as well be malware, because they behave like malware: their apps are full of dark patterns tricking the user to give permissions they don't need. Sometimes they get caught having their apps and libraries in other apps or websites behave as if they were malware. The last one I remember the one where they were deanonimising mobile web browser traffic through localhost port communication between their libraries embeded in webs and their apps. Vanadium's defaut settings weren't vulnerable to this, but most mainstream browsers were unless extra protections were enabled. What other things might they be doing that they haven't been caught yet? For example it's theoretically possible to use gyroscope data as a low fidelity microphone, so I assume that if any of their apps has the sensors permission granted (which can only be denied in GrapheneOS), they'll do that.

In summary, Meta is by far the big tech company I trust the least.

gos208197

If you want to better understand WhatsApp metadata that is retained by Meta, you can read United States federal applications for search warrants. Simply query for "united states v whatsapp" at https://www.courtlistener.com/recap/ and you'll find many results. You can toggle the "Only show results with PDFs" query option to limit the results to ones where you can actually read the search warrant applications.

Example: https://storage.courtlistener.com/recap/gov.uscourts.moed.214013/gov.uscourts.moed.214013.1.0.pdf (pages 7-9 and 12-14 for WhatsApp details).

Be aware that if you use push notifications through Google's Firebase Cloud Messaging (FCM), your WhatsApp account is linked to other accounts on your phone that use FCM. For example, if you use WhatsApp and ProtonMail on your phone and have Google Play Services installed, the WhatsApp and ProtonMail accounts can be linked together through push notification tokens. See https://www.washingtonpost.com/technology/2024/02/29/push-notification-surveillance-fbi/ (https://archive.ph/p9UpH). You can also search RECAP for "push token" to find numerous relevant search warrants that use this technique. See https://discuss.grapheneos.org/d/9407-governments-obtaining-push-notification-metadata-from-applegoogle for one of many GrapheneOS discussions on the topic.

DeletedUser496

@brightjob4495 thanks for your detailed explanation. I agree on everything you say about Meta apps and their "ecosystem". Always refreshing to hear that people who are finding themselves in the same predicament I am in are working out creative solutions to "minmize the damage".
I will look into the setup you are using.

@gos208197 many thanks for the links you provided, especially the US federal application. I appreciate it, very interesting.
I have read the US federal application carefully.
As you suggested pages 7-9 and 12-14 and it really begs the question if despite the fact that they declare that they cannot read the messages of the users they actually have ways to read them - page 13 point 9 seems to suggest it but I might be making a mistake - It also looks like that even if they are unable to read the messages all the metadata they have would make it rather superfluous since I guess conversations content might be easily inferred
I honestly did not consider the notifications issue, but reflecting on it it does make a lot of sense.
On this last point you raised would the following solutions work to avoid account linking:
1 - Obviously not having google service installed on said profile would bypass the issue
2 - would using google play services without account login mitigate account linking? Or would that still generate some device identifiers that can be linked to the device? I see that they are talking about google accounts in the articles

The amount of information they have is rather concerning. It is very obvious in my personal opinion that said application is to be used in a very minimal way only when strictly unavoidable and without sharing any information that a person would not feel comfortable in sharing in a public venue.

DeletedUser496

Edit: I made a mistake.
Page 13 point 9 refers to communications between said app and any person regarding the account, not the messages of the account and it does not suggest that they can read the messages