[parliament32]

By using your conversation metadata, to sell you better ads or sell the data to other advertisers.

>b-b-but it's encrypted!

Doesn't matter. They know who you are, because your account is linked to your FB account (either directly or just by matching your phone number). Then you send them your full contact list when you install the app (have you tried using WhatsApp without the Contacts permission?). Then they can see metadata about who you talk to and how often.

Pulling up those advertising profiles, they can add to your profile: for example, if a good portion of the contacts you talk to daily have "interested in cars"/"republican"/"male 25-29" in their profile, there's a good chance you fall into those categories too.

[hbcondo714]

>b-b-but it's encrypted!

Facebook actually updated their LIMITATIONS OF KEY METRICS AND OTHER DATA section at the top of their annual and quarterly reports[1] this year to say that "as a result of limited visibility into encrypted products, we have fewer data signals from WhatsApp user accounts and primarily rely on phone numbers and device information to match WhatsApp user accounts with accounts on our other products". Prior to 2020, did they not disclose this in their reports.

[1] https://last10k.com/sec-filings/fb

disclosure: I work on Last10K.com

[parliament32]

Yes, we can all agree that E2EE means FB isn't reading your messages and using that data (like they do, for example, in FB Messenger / IG messages). But the metadata is still valuable, and not encrypted, and is probably how they're making money with the product.

[hbcondo714]

I can't attest to this metadata but it's just worthy to note Facebook starting telling shareholders this year that they have "limited visibility into WhatsApp user activity due to encryption".

[Talinx]

A closed-source App could send the private key to a server. I hope WhatsApp doesn't do that.

[parliament32]

They absolutely could. But, given the popularity of FB properties, I'm sure there are several groups who decompile their releases on a regular basis and I'm sure there'd be a lot of screaming if the E2EE wasn't implemented properly (see: the Zoom E2EE debacle).

[Barrin92]

At least in Europe that is not true, from their official page

"We do not share data for improving Facebook products on Facebook and providing more relevant Facebook ad experiences.Today, Facebook does not use your WhatsApp account information to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook. This is a result of discussions with the Irish Data Protection Commissioner and other Data Protection Authorities in Europe[...]

Importantly, WhatsApp does not share your WhatsApp contacts with Facebook or any other members of the Facebook Companies, and there are no plans to do so."

https://faq.whatsapp.com/general/security-and-privacy/how-we...

[sliq]

What they say in official text is not automatically what they actually do. Example: maybe they dont sell data to Facebook, but to a middle-man company. And this company sells to Facebook. Disclaimer texts are shady things!

[Barrin92]

that would also be illegal under GDPR. Not to mention it's a misunderstanding about how Facebook works. Facebook does not sell data at all, they sell ad-space based on their own data.

[fsflover]

> that would also be illegal under GDPR

Not a problem to Facebook: https://ruben.verborgh.org/facebook/#history

[Barrin92]

not sure what the relevance here is. That user is complaining about not getting network data from Facebook which may not be covered by GDPR, rather than his personal data he stored on the service.

However giving your data to third parties without your explicit consent is without a doubt a violation of GDPR.

[jlokier]

> have you tried using WhatsApp without the Contacts permission?

Yes, that's how I use WhatsApp. It sucks because all I see is conversations and calls from phone numbers without names.

But I don't trust WhatsApp enough to share my whole contacts list with them.

I would be happy to grant permission for individual number-name associations to be visible to WhatsApp, if that was possible. It's the contacts list as a whole I'm not willing to share; the people I'm actually talking with on it would be fine.

But no, we can't have sensible things like that.

Showing the numbers is very silly, because WhatsApp knows the name of every person I'm talking with. It has their name from the person at other end! But no, it has to use the Dark Pattern(tm) of showing numbers to pressure me into sharing all my contacts, which it doesn't actually need.

[zbuf]

> But I don't trust WhatsApp enough to share my whole contacts list with them.

Trouble is, you don't have to. Your friends have already shared /their/ contact lists.

You're already a node in the network, even if you've never logged in.

[jlokier]

There may be a node. But even so, it is a myth that the social networks know everything from other people's shared information.

WhatsApp does not know which people/entities I have in my contacts list.

That cannot be deduced from other ordinary people's lists.

It is a two-sided issue. On the one side: We should understand that we can't completely hide our personal information because other people share it without our consent, and that we should all be more careful what we share because it can harm other people, and is without their consent.

But on the other side: There is still value in limiting what we share about ourselves and others, because what other people share is limited and does not produce as complete a picture as when we add more to it ourselves.

So, WhatsApp knows about specific contacts other people have entered which include me, but it doesn't know what's on my full list. There are many things which can be estimated from my contacts list which I don't want to share and can't be deduced from other people's contact lists:

- Which banks I bank with.

- Which credit cards I have.

- Which recruiters I've been talking with.

- Which prospective companies I've talked with about getting a job.

- Which clients I'm doing business with or have done.

- Which taxi firms I use.

- Which restaurants I know well enough to have in my list.

- Which lenders I'm borrowing from.

- Which debt collectors I'm talking or not talking with.

- Which people I have a secret affair with, who are smart enough not to share their contacts list.

- Which journalists I'm in touch with, who are smart enough not to share their contacts list.

- Who I'm organising protests against the state with, who are smart enough not to share their contacts list.

- Who I know well enough to have not just their number but also their email address and other contacts, home address, notes etc.

- Which other communication applications I'm using if those store contacts in the list.

As well as the number of each of the above, to suggest which aspects of my life to target for advertising, policing, or general intimidation and election manipulation.

[2Gkashmiri]

whoa. this is one reason i am STILL NOT ON WHATSAPP..... seriously.

this comes from back when truecaller was introduced and i had an iphone. saw permission to access contacts. never used the app, even today. same for whatsapp or facebook. call me paranoid, but i don't want being "linked". same reason i dont have a google account and even though i have been using an android device for the past 2 years, there is no account and i use something like aurora store to get apps. works decent enough

[jlokier]

I have a "junk" Google account on my phone. It's not linked to anything except my phone. I don't even know the account name.

It means I can't use in-app payments, and will never pay for an app, but at least I can download essential (to me) apps like banking apps from the Play store.

[2Gkashmiri]

oh. why dont you try aurora store? that app allows you to download actual play store apps which is what i use. it uses anonymous google accounts to login and give you access.

[jlokier]

Thanks! I don't know if I will, because I'm loathe to mess with something so life-critical that is working, but I appreciate the pointer.

[mikestew]

have you tried using WhatsApp without the Contacts permission?

Not to be pedantic about an off-hand comment, but yeah, works fine, AFAICT. I'm not even a "pro" WhatsApp user: I use it strictly for the one social group that didn't think SMS was good enough. Meaning I didn't have to know the secret incantation. I'm sure I was asked about contacts, to which I assume I said "FB? Hahaha, no way!" And if I go to the Status tab, it sho'nuff complains about me not uploading contacts and if I want status of all my WhatsApp peeps, I need to upload contacts.

[mftrhu]

> have you tried using WhatsApp without the Contacts permission?

Yes. It works. Reaching out to new people is a PITA, as you have to append their phone number to a an api.whatsapp.com/send?phone= URL and open that on your phone, but it works.