HN Gopher Feed (2017-10-09) - page 1 of 10
Tracking friends and strangers using WhatsApp
346 points by robheaton https://robertheaton.com/2017/10/09/tracking-friends-and-strange...
KamogTechs - 2 hours ago
Nice and very well written article, most of my friends use whatsapp
and would be mortified if they actually understood most of this.
RobertoG - 1 hours ago
Even without, unfortunately (I'm sure they are wonderful),
knowing your friends, I bet you a cookie that they don't care.
kzisme - 1 hours ago
Maybe I'm in the minority, but I haven't ever used WhatsApp. Is
there a huge benefit to using it over SMS, or something similar?
marindez - 1 hours ago
It's free (unlike SMS or MMS) and back in the day it was the only
service that worked reliably on all mobile platforms and didn't
use PINs or usernames--just the phone numbers in your contact
list so it was plug&play: just install it and you can talk to
zuppy - 1 hours ago
Group messages don't really work over sms with different device
types. Same for attachments, multimedia, location data.
zaat - 1 hours ago
* SMS delivery isn't guaranteed.
* SMS don't have read receipt.
* SMS depends on cellular connectivity.
* SMS and MMS have very limited media transfer support.
* SMS don't have feature similar
zuppy - 38 minutes ago
> * SMS don't have read receipt.
Yes, they do. iPhones don't
seem to do that, but old GSM phones did it (like my first
phone, Ericsson T20, which got released in 2000). Androids have
read reports in the default message app, if I'm not mistaken.
zaat - 12 minutes ago
No, they don't. The protocol supports delivery report only.
And the meaning of that report isn't necessarily what you
believe or wish it to be: ...the exact meaning of
confirmations varies from reaching the network, to being
queued for sending, to being sent, to receiving a
confirmation of receipt from the target
hnaccy - 1 hours ago
>* SMS don't have read receipt.
I feel like this is a pro.
zaat - 48 minutes ago
While I can see your point, it really depends on usage
purpose and taste. For many this is the most valuable feature
of the app.
j_s - 3 hours ago
Stalking Your Friends with Facebook Messenger |
https://news.ycombinator.com/item?id=9609286 (May 2015, 185
comments)
when you send a message from the Messenger app there is an
option to send your location with it
the mobile app for Facebook
Messenger defaults to sending a location with all messages
chis - 3 hours ago
Facebook doesn't do this
JamieF1 - 2 hours ago
Reminds me of an article I wrote up about tracking who's talking to
who on WhatsApp: https://medium.com/p/finding-out-if-2-people-are-
abcdabcd987 - 2 hours ago
I think I did almost the same thing three years ago. See:
https://www.v2ex.com/t/121272 (in Chinese only, sorry. I should
translate it to English when I'm free)
jimmies - 3 hours ago
If you trust those """services""" to be secure and trust that they
care about your privacy, then you will be betrayed sooner or later,
in ways you can't think of -- just like in the article. Fun fact,
years ago I accidentally found out that my girlfriend at the time
cheated on me on Snapchat, without me actually exploiting anything.
She told me to join it with her, telling me that is going to be
fun. Snapchat kept track of users' activity and gamified it to
incentivize you by scoring your activity then. Each person has a
public activity score when you tap on their profile. One day, I
noticed that her Snapchat had more than twice the score that I had.
So I clicked on her profile and there it is some strange dude
having a score higher than me, it turned out that was her
""""ex"""" (I actually never asked her even for his name before, I
found out only after that). I never consciously looked for
anything, I trusted her 100%, the score was just there on my
screen. Thanks Snapchat for their stupid gamification efforts,
otherwise I would have wasted more time on her. But since that
accident, I never trust proprietary shit that has money to make,
ads to sell, governments to please, and incentives to grow, even if it
says its selling point is to protect your privacy, like Snapchat.
It's not about the "end to end encryption" or "finer privacy
control" or "only allow when app is in foreground" or "restricted
sharing" or "MIT open sauce license" or "export your data" or "only
listening to hotwords" or "open APIs," it's about the intent. If
the intent was to expand and make money, then all those techs won't
be the magic pill that suddenly cures the ill intent. Anyway,
privacy my ass, man.
rconti - 3 hours ago
Wait, when you view her profile (as a friend), it shows who has
the highest 'score' in terms of contact with her? Wow, that IS a
lot of data if they break it down by contact pairs.
Puer - 3 hours ago
Snapchat used to publicly display each person's "best friends"
list, but not anymore.
jimmies - 3 hours ago
Yep. It was called Snapchat score or something. It had a list
of top 3 people or so and how much score they had with each
other. It was unreal. This was back in spring-summer 2015.
ReverseCold - 16 minutes ago
Now it shows you the live current location of all your
friends, no one I know has it turned off. Wth people?
marindez - 3 hours ago
What I don't like about WhatsApp is that even if you hide your last
connection time, everybody gets to see whether you're online.
arunc - 1 hours ago
I was exactly thinking about this last night. It's bad that
WhatsApp doesn't hide the online status.
thanatropism - 3 hours ago
I'm increasingly inclined to keep my phone on airplane mode for
most of the day. Now, I just need to train people into calling me
only between x:00 and x:05. But I don't get many calls anymore,
diegorbaquero - 40 minutes ago
I made an MVP 2 years ago: https://www.producthunt.com/posts
kyranjamie - 1 hours ago
Enjoyed the article, but my favourite part is the reference to
Garth Marenghi's Darkplace in the description.
throw2016 - 2 hours ago
People avoid thinking too much about things that are working as
advertised. How many people wonder about how exactly their cars
work or the global financial system works yet they are impacted by
both of these. They may reserve curiosity for other things
depending on their interests. And here the problem begins, a lot of
software engineers seem to conflate this disinterest to stupidity
and think this gives them a right to do whatever they want with
other people's data. There is a fundamental lack of understanding
and respect of other people rights and privacy and an easy
dehumanization that is disconnected from human society and the
evolution of fundamental rights like the right to privacy.
Regulation will catch up and eventually address this as more people
become aware but is a troubling reflection of a large part of the
sqren - 3 hours ago
Very well written article - and I love your drawings! I did a
similar story a while back on how you can track your friends sleep
patterns using Facebook Messenger. I'm sure there are lots of
other services that have this problem, and most users are
blissfully unaware. https://medium.com/@sqrendk/how-you-can-use-
jagjotsingh - 3 hours ago
Loved the article. The increasing pace with the article gives you a
rush which was amazing! Very well written.
antirez - 3 hours ago
A few weeks ago there was a similar discussion, and I commented the
following: If you think there is no problem, you are wrong. The blog
post does not show all the information leaks that this implies.
Example: I can modify the script to monitor all the numbers I've in
my phone, so that based on the online/offline status in a few weeks
I can be able to guess who is having conversations together,
discovering cheatings, work affairs, ... EDIT: Practical example.
After collecting enough data about user X I create a table about
the probability of this user being online in a given few-minutes
time ranges. Then I check the online frequency of that user
compared to the online statuses of another user Y. If the
difference compared to the expected probability is significant,
then I can suspect the two are chatting. Another thing I can use is
that activation delay of the online status, since often X sends a
message to Y and this results in, a few seconds after, Y to be
online, and then the contrary. [then an HN user said she/he was not
sure this was serious because maybe the users casually had similar
patterns, so I replied:] If you check the model I described in my
comment, it should filter the "bus problem", since it will detect a
chat only if, compared to the standard "bus time" probability of
the user A chatting, it is chatting more if in the same range also
B is chatting. If you add to this that people on Whatsapp usually
do not talk to the exact minutes, it is definitely possible to
create a robust system for guessing with good probability of two
have often conversations. Also note that the phone numbers in input
are not random, are the ones of a connected circle of persons. Add
to this the fact that we can split the ranges even, potentially, by
few minutes, and you can even detect interesting stuff for people
having continuous chats with multiple persons like teenagers.
Another thing that is possible probably is also "groups detection",
since at new messages a set of users will activate at the same
time. [And the attack can be refined a lot with more powerful
amelius - 2 hours ago
A similar indirect way can be used to extract information out of
Google's database. For example, launch an ad-campaign for any
product, directed at people who love cats. Now if people click on
the ad and buy the product, you know they must love cats.
j_s - 54 minutes ago
Most Tor busts follow a similar pattern, watching both ends of
the connection. There is a real need for a "tor delay" metadata-
disruption-as-a-service, where random strangers invoke one
another's web callbacks and report back the result for Bitcoin
(Strangers on a Train -style). Someone put it on the block chain
and start an ICO!
kuschku - 15 minutes ago
This isn't just necessarily a problem with WhatsApp. The same
applies to IRC, if you set away states. Even if you don't set away
states, one can simply monitor every channel you're in, every
message you send, and then quickly determine what timezone you're
in, when you sleep, when you're on vacation, etc. Here's an
example graph of a user, every dot is a message:
https://i.imgur.com/DrgVvVw.png and here one from a user with
more regular sleep patterns: https://i.imgur.com/a1xdSqR.png
(notice the timezone transition when daylight savings time
starts? And notice how the user takes about 2 weeks to adjust?)
KGIII - 9 minutes ago
In chat applications, those features were the first to get
disabled. As I recall, one of the MSN Messenger features
required you to sign in before you disabled it. Anyhow, I'd
disable showing online status, typing status, or automatically
changing status based on activity. This was a decade and a half
ago, probably longer. The principle remains the same. No, no I
don't want you to know when I'm in front of my computer,
typing, or otherwise. If I want to appear online, I'll manually
polote - 2 hours ago
The thing is, this method works pretty well if people are
chatting in real time, if you wait like 10 minutes to answer
messages, it is much more difficult to create the links. Moreover
if people are using all the time Whatsapp, it is again much more
difficult to do. But I agree with you, there are many situations
where these could work
antirez - 2 hours ago
Unfortunately even under much more noise than the Whatsapp
activation patterns, we have seen timing attacks working in
incredibly reliable ways, with the network in the middle adding
random delays, and even when the task at hand was to measure
very small differences in time. So I guess that if this attack
already seems feasible in certain contexts, it can only get
much better using more advanced techniques.
squigg - 3 hours ago
I loved this article. It is beautifully written, given both the
hacking curiosity on display as well as the real-world privacy
impact it demonstrates. Most of my family use whats-app and would
be mortified if they actually understood most of this. Not saying
they would stop using it, as the trade-off is a great social app,
but it would make them think more broadly about how the world is
jxramos - 3 hours ago
It takes a real turn towards developer centered humor with the
opening line "With even more time on your hands than ever before,
you go just a bit mad and start...". Great Deus ex Machina type
segue into all out yummy tech craziness he relishes out.
KGIII - 5 minutes ago
It sort of reminds me of gonzo-style journalism. I took a look
at their other articles, well some of them, and like their
style. I'm not sure if it would appeal to a larger audience,
but I liked it.
tcmb - 3 hours ago
Nobody has to stop using WhatsApp, the scenario described in the
article can be prevented simply by changing the app's privacy
polote - 3 hours ago
Wrong, if you deactivate the feature 'last seen at' it doesn't
change anything because you can still get the same information
with the feature 'is online now' and this feature can't be
slig - 3 hours ago
AFAIK, it will display that the user is online (i.e: the user
is using the app) regardless of the privacy setting.
option_greek - 3 hours ago
Of course, the elephant in the room is that all this info and much
more is with WhatsApp, Facebook, Google and what ever garbage app
is installed on your phone. I agree that the article is more about
targeted surveillance towards certain users but that is where NSA
and secret letters come in :).
janwh - 2 hours ago
Nevermind the clever writing but the issue has been known for
years - and beautifully exploited with the selfhostable ready-made
solution WhatsSpy Public since Feb 2015:
https://gitlab.maikel.pro/maikeldus/WhatsSpy-Public/ It's not
actively maintained anymore but Maikel deserves some credit for it.
Havoc - 3 hours ago
I suspect a fairly small percentage of users is active enough that
you get usable hourly data.
polote - 3 hours ago
I agree with you, whatsapp is not like Tinder or Facebook you
don't open it every 2 minutes to check if there is something new.
koolba - 3 hours ago
Do you really check Tinder for new "content" every two minutes?
polote - 3 hours ago
> The company said that, on average, people log into the app
11 times a day
https://www.nytimes.com/2014/10/30/fashion/tinder-the-fast-g...
But yes not every 2 minutes
vincentkriek - 3 hours ago
WhatsApp will definitely be opened more than 11 times a
day. I would argue the average is a lot closer to 11 times
an hour than 11 times a day.
vegbrasil - 3 hours ago
It is in a lot of countries.
raarts - 3 hours ago
That depends on the country. In the US, people still tend to
text a lot, but in most of Europe, Whatsapp totally replaced
rconti - 3 hours ago
Is this because of their still-utterly-broken roaming model?
(supposedly to be remedied soon)
morsch - 2 hours ago
Soon was June 2017. But I doubt it has anything to do with
roaming. Maybe more people paid per SMS for a longer time
than in the US? I know I still do; I could add unlimited
messages to my monthly contract for 1 EUR or so, but what's
rconti - 1 hours ago
Interesting. My assumption was that Europe was much more
okay with pay-per-use than the US was. It was always
strange to someone in the US that a European would pay
different amounts for a call depending on what kind of
phone you were calling, where in the US both parties
simply paid for their airtime if they wanted to use
mobile phones. SMS took off faster in Europe than in the
US, but we've had bundled packages for so long that the
individual cost per text wasn't such an issue, and now on
many plans they're unlimited. I guess the differing cost
structure depending on who you're texting and from where
may have spurred the adoption of WhatsApp, whereas in the
US, even if you WERE paying per text, it was the same
across a territory of many thousands of miles and
hundreds of millions of people. And, the same way that
many folks in the US do not even have a passport, they
tend also not to have a reason to text internationally.
The size and homogeneity of the country benefits the
adoptions of some technologies, but hinders the adoption
rconti - 1 hours ago
paganel - 2 hours ago
It's also because it's much easier sending photos and live
recordings using whatsapp compared to any other app out there
(FB is too clunky, the rest of the apps don't have a
critical mass in most of Europe).
cosarara97 - 1 hours ago
SMS are expensive in some countries, even without roaming.
I'd pay 0.10€ for every message, if I ever sent any.
notzorbo3 - 2 hours ago
It's probably a combination of high cost of texts at the
time when Whatsapp became popular, no limit (or much larger
limit) to the size of texts, a reasonable probability of
texts not arriving or arriving late and a "fuck telcos for
squeezing millions of euros from their users for no other
reason than to turn massive profits from texting" attitude.
ClassyJacket - 1 hours ago
Right, but you don't need to "check" it since it has
notzorbo3 - 2 hours ago
That's even worse, because it makes it easier to correlate when
two people are Whatsapping with each other. If they both happen
to be online at the same time a lot...
poisonarena - 2 hours ago
I live in Colombia, before then Mexico, and yes you do check
on it every 2 minutes everyone does, at least in Latin America
parthdesai - 11 minutes ago
Same in India.
avip - 2 hours ago
That's a per-country thing. There are countries where Whatsapp
is the de-facto standard for passing information.
lbebber - 3 hours ago
It depends where; in Brazil, for instance, WhatsApp groups are
becoming the main social network for a large amount of
people - nevermind 1:1 chat.
yoavm - 3 hours ago
I guess it really depends where. I believe here, where WhatsApp
is pretty much the _only_ method of communication, people most
definitely check it every few minutes, and especially before they
go to bed.
tcmb - 3 hours ago
Honest question, isn't this what notifications and icon badges
are for? It's easy to see if there's anything new without
opening the app. Related question, does WhatsApp send the
heartbeat only when I open the app, or every x minutes as long
as it has a network connection?
polote - 3 hours ago
Only if you go on the app
mateus1 - 2 hours ago
Brazilian here, I probably check Whatsapp +50 times a day and I'm
not a heavy user.
himlion - 3 hours ago
In some countries WhatsApp is the main form of communication
between friends and people are on it every waking minute.
thedaniel - 3 hours ago
I suspect the opposite - given that whatsapp dominates texting in
europe, and twice as many people live in europe as the USA (which
is upon what i suspect you base your assumption here)
anonu - 20 minutes ago
I think there's more than 1.3 billion users on WhatsApp - it's
massive - I am personally checking it constantly (> once an
hour). It's certainly a more popular app outside of the USA. They
initially gained traction because they were willing to make apps
for things other than iphones and androids - which gave them a
huge following in the developing world where people may still use
10+ year old candy bars.
youeeeeeediot - 3 hours ago
Always wondered what would happen if someone was to happen to have
every valid US/CAN number in their contact list (all 3-4 billion),
since WhatsApp doesn't validate you actually know the contact just
that you have their phone number.
carroccio - 3 hours ago
They ban your IP. Anyway with some effort you can deanonymize a
lot of numbers (eg: status/name/profile photo).
CommentCard - 3 hours ago
Is there a known upper limit on the number of #s one account
can have? I suppose you could use that limit to set up enough
WhatsApp accounts on proxies to effectively have access to all
tcmb - 3 hours ago
There's another startup idea.
CommentCard - 3 hours ago
It might be worth doing just so WhatsApp will change how
they validate access to #s.
ballenf - 2 hours ago
The idea being you incentivize WhatsApp users to install your
app that then harvests all their contacts and collates the
"last seen" info on all of them. If they delete your app,
you setup a proxy to imitate their device and continue the
has a couple "loopholes" that one can drive a truck
through. Is that the idea? Seems doable if you're not too
risk averse, have no family and live in a country with weak
extradition laws. Kidding, there's nothing illegal about
any of this stuff or FB, Google and lots of other companies
would not be in business. FB would have a civil claim
against you -- they paid several billion dollars for the
legal right to all that user data!
CommentCard - 2 hours ago
You wouldn't need an app or other WhatsApp users beyond
your distributed proxy accounts. You'd be running the
monitoring through these proxies. Creating an app with the
sole purpose of backdooring WhatsApp on a user's phone
seems like it'd open you up to a lot of lawsuits.
Ethically it's a mite more questionable, but the original
article is still unethical in that you're monitoring
people without consent. Like I said above, I'd do this
just so that they'd crack down on it. It's still a "means
justify the ends" argument, however, so you have to be
quite comfortable with moral relativism.