this post was submitted on 20 Jan 2025
102 points (88.6% liked)

Technology

60644 readers
3938 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
102
WhatsApp interoperability with Signal (lemmy.world)
submitted 1 day ago by [email protected] to c/[email protected]
91 comments fedilink hide all child comments
 

Does anyone know where this is at? I thought WhatsApp were being forced by the EU in 2024 to introduce this under the Digital Markets App? I'm googling, but am finding very little info.

It would be great if we could use Signal to communicate with WhatsApp groups. The sooner I can delete WhatsApp the better.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 20 hours ago* (last edited 20 hours ago) (1 children)

I would like to hear more specific details about the loss of privacy that would require the integration with whatsapp for signal users.

  • E2EE would be broken?
  • which specific metadata of signal users would be exposed (metadata that is not now required by signal)? less metadata of current whatsapp users would be required?
  • integration could be a user option?

Because I see a lot of fear but few details that justify it.

[–] [email protected] 4 points 18 hours ago* (last edited 17 hours ago) (1 children)

https://www.trustedreviews.com/versus/whatsapp-vs-signal-4309419

Neither WhatsApp nor Signal are realistically vulnerable to EE2E being comprimised by a man in the middle style attack, they use the same standard.

But if your threat model only includes being worried about random or organized hackers, then you must not be worried about your own government, or governments it cooperates with.

In a nutshell, when you send a message or photo, metadata is also sent out. Metadata includes information about when the message was delivered, who it was sent to and more. Metadata is not protected by end-to-end encryption, meaning that while the content of your message is safe, a lot of information can still be gleaned from it.

Signal has developed a technology for protecting metadata called Sealed Sender. This allows for metadata to be hidden, giving you an added level of security and privacy. WhatsApp does know the IP address and technical information showing that the request comes from the WhatsApp app.

Law enforcement can fairly easily figure out your real identity if they have your metadata from enough messages.

Almost all modern, advanced surveillance is built around the analysis of metadata to establish patterns and narrow down the pool of suspects or persons of interest down to actual specific individuals.

WhatsApp stores your metadata.

Signal does not.

What exact kinds of metadata are we talking about?

https://archive.is/fiAYP

Well we got the bare minimum basics, which are often enough on their own to narrow down to a person:

IP Address.

Send / Recieve Time of Message.

Rough Estimate of Message Length.

Either Rough or Fine GeoLocation Coordinates.

Then we've got everything else that's connected to the 'Meta'verse:

Phone Number

Profile Name (Usually your Real Name)

Email

Anything you've posted on or linked to a Meta Account (Facebook, Instagram)

Or, potentially anything else!

WhatsApp’s privacy policy describes how personal data shared with Facebook “may include other information identified in the Privacy Policy….or obtained upon notice to you or based on your consent”.

Also, WhatsApp sometimes actually stores your actual messages:

WhatsApp does not store messages, but if a message cannot be delivered immediately, it is kept in an encrypted form on the servers for up to 30 days before it is delivered. If it is not delivered, it is then deleted. It does keep track of how often you use the WhatsApp app and your usage habits whilst in the app.

Signal also does not store its messages, and it will not try and link this phone number to an identity, meaning that it won’t have access to your location, email, or other private information.

Because WhatsApp, in some cases, stores your actual messages, that means they can be legally compelled to decrypt them and reveal them to law enforcement.

Signal does not store your actual messages, and thus cannot be legally compelled to provide something they do not possess.

Finally, Signal is a non profit, WhatsApp is a subsidiary of Meta:

WhatsApp is currently owned by Meta, formerly known as Facebook. Due to this integration and WhatsApp’s privacy policy, your information will be shared in order to help Meta better customise its user’s experiences.

Signal is instead owned by the Signal Technology Foundation, which is a registered non-profit that is run on donations from its users. Due to this, Signal does not need to share its user’s information with third-party apps and it’s unlikely that this will change in the future

MegaCorps have every incentive to make as much money as possible, which means selling and making available as much of your data as possible.

A non profit does not have this built in, contradictory incentive.

...

Even without the actual contents of data being revealed, lets throw in some examples of being an American and using WhatsApp where you are potentially fucked:

You live in a state that criminalizes abortion, or gender affirming care, and you plan and execute a plan of getting an abortion/receiving gender affirming care at a clinic, sending messages before, whilst in transit to, at, and returning from the clinic.

You plan, attend, and coordinate a pro palestinian or pro trans rights, or pro health care reform rally, which has some violent act occur, or perhaps even without that.

...

If Signal integrated with Meta, I mean WhatsApp, this would provide at least that bog standard metadata (which, again, is very often enough to profile and identify a person) and potentially actual msg content to WhatsApp from the Signal user, which would comprimise then Signal user's security... which defeats the entire point of using Signal.

For this not to be the case, Meta would have to agree to switch over to Signal's standards, which they will never do.

EDIT:

If Signal did integrate with Meta, and allow the user to msg a WhatsApp user, it would be leaking your IP every single time you do so, so basically it would have to put a warning on every msg you send that way, similar to Firefox warning you that the website you're trying to visit has no HTTPS or expired security credentials.

There's no point.

The classic tech company approach is embrace, extend, extinguish.

Lemmy and other fediverse people/communities recently learned this the hard way, trying to integrate with Meta and then oh whoops, looks like that'll be a one way relationship.

EDIT 2:

Its basically this meme, just replace 'minority social group' with 'privacy conscious users' (which apparently just actually is a minority social group at this point):

[–] [email protected] 2 points 18 hours ago (1 children)

So, we had people who loved to send unencrypted SMS messages with Signal. And now we have people who opposes to send encrypted E2EE messages because they could leak supposedly a lot of metadata such as "when the message was delivered, who it was sent to and more" and it would be the end of privacy in Signal.

We should not forget that this only happens if you send messages out of Signal. This would be optional for every user of Signal.

Interoperatibility is the CORE of Internet. Silos are contrary to the idea of Internet. This is an opportunity to interconnect systems, to boost innovation and to give the opportunity to signal and others to gain users, which is now almost impossible with the current monopoly of whatsapp in Europe.

I imagine all the extremist of privacy in Signal with a Proton email account. And I imagine them only sending/receiving emails from other Proton email accounts. Sending to SPAM or to the delete folder every other email because other emails do not achieve the privacy requirements of Proton. In fact, the only real good solution for privacy with Email is to delete the Email account.

[–] [email protected] 2 points 17 hours ago* (last edited 17 hours ago) (1 children)

If you don't know how big a deal metadata is, you do not understand anything about online data security and privacy.

Sorry, real privacy is silo'd, just like the vast majority of online traffic is, the widely agreed upon base interoperability standards are not private or secure.

SMS is an insecure interoperable standard.

Meta is an insecure silo.

Stop pretending it is an interoperable standard, it isn't, it's just a popular, shitty silo.

Signal is a secure silo.

I'm all for upgrading the universal messaging standards to Signal's, but that'll never happen, because governments (EDIT: and databroker MegaCorps) don't actually like real privacy.

If you wanna stay in a mainstream, dream for corporate data brokers and government surveillance silo, go ahead, nobody is stopping you.

If you wanna join the 'we actually have privacy' silo, well, it does things differently, and it's on you to acclimate to those differences instead of destroying them and demanding assimilation and thus destruction of the very privacy that makes it distinct.

Please see my above post, I edited and expanded it with an illustrative comic as you were making your reply.

EDIT 2: Also Proton is cozying up to Trump, publically, guess you missed the memo on that.

[–] [email protected] 2 points 16 hours ago* (last edited 16 hours ago) (1 children)

It is easy, even if interoperability is enabled, do not send messages out of Signal. It would be your option. But other people with non military-grade privacy requirements could benefit of improved privacy when it sends messages to whatsapp users from signal app because signal app is foss and signal would enforce better security and privacy than whatsapp app. Signal would gain traction and it could reach more people willing to abandon Meta and corps.

[–] [email protected] 0 points 14 hours ago* (last edited 14 hours ago) (1 children)

... No, you don't get it.

Every time a Signal user would send a message to WhatsApp, they'd be leaking metadata to WhatsApp, because WhatsApp would create and store metadata from the Signal message it recieves, which would make the Signal user insecure, less secure, because WhatsApp will sell that data to data brokers or provide it to the government if requested.

This represents a loss of privacy and security to Signal users, not an increase.

... Also, Signal is not actually 100% foss, it uses some closed source, Google provided components.

Molly FOSS is a fork of Signal that replaces these Google components with fully foss ones.

...

You keep acting like Signal has some need to expand its market share, and that the best way to get it to do so is by abandoning its core, primary feature, the reason people use it.

Signal will likely never do this, because they are interested in security and privacy, not comprimising security and privacy in hopes of gaining popularity and market share.

Again, see the comic I already linked.

You are demanding that two incompatible things be made compatible because one of them is better, but you fundamentally do not understand that making them compatible will make the better thing as bad as the worse thing.

You can fit the square peg into the round hole, but only if you shave down the square peg into a cylinder, at which point, you no longer have a square peg.

If you got your way and Signal could message WhatsApp, and then you started using Signal to just only talk to WhatsApp users, you might as well just be using WhatsApp to talk to WhatsApp users, it would be the same level of (in)security.

This would also make no sense for Signal to do because it would make their own software pointless, just an alternative gateway to WhatsApp, with less features than WhatsApp and less security than it had before.

...

If you wanna make a Signal fork that can interoperate with WhatsApp, go right ahead, no one is stopping you.

Set up a clone of the Signal repo, setup a WhatsApp business account, purchase access to WhatsApp's API, host and pay for your own servers to manage the WhatsApp end of the system, and write your desired interoperability features into your Signal fork, then release it as an app for android, iOS, macOS, windows and linux.

Here's an intro to the WhatsApp API:

https://nativemsg.com/resources/text-marketing/the-ultimate-guide-to-whatsapp-api-everything-you-need-to-know/

Here's the Signal repo:

https://github.com/signalapp

Best of luck!

[–] [email protected] 1 points 13 hours ago

Best of luck also for your next fork. Please share with us your improvements in metadata privacy.