by yulaow 1987 days ago
Technically it is Facebook that is in violation of the GDPR, considering that all the data in the address book is easily considered personal data for a commercial entity, and so Facebook should ask permission from each owner of those numbers before collecting them.
1 comment

https://faq.whatsapp.com/general/contacts/about-contact-uplo...

Based on this they do not store information of users who have not signed up and only store a cryptographic hash. The hash isn't created on the device, so the servers definitely get it.

There are just 10^9 phone numbers in Spain. Say 0.01 sec/hash (which is A LOT), and you have 10^8 seconds. You can decrypt all the hashes in 0.3 years...

"Cryptographic hash" is as bullshit as "MD5 encrypted passwords".

Or, you know, just create a rainbow table of all the phone numbers in the world and match the hashes against that. Would probably be faster.
If I'm being optimistic, the hashes of a user's contacts are salted with the user's own phone number, so the space could be 10^18.
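The enumeration argument made in the replies above, worked through as an added example that is not code from the original thread or from WhatsApp. It assumes an unkeyed SHA-256 over the bare number (the FAQ does not say which hash is used), a hypothetical salt equal to the uploader's own number for the "optimistic" case, and a constructed 10^5-number space ("+34600" plus five digits) so that it finishes in well under a second; the real 10^9 space only changes the constant.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Iterator

# Constructed demonstration (not WhatsApp's actual scheme): an unkeyed hash of a
# phone number can be reversed simply by hashing every possible number.


def hash_phone(number: str, salt: str = "") -> str:
    """SHA-256 over salt || number, as a hex string.

    The salt models the optimistic guess that an uploader's contacts are hashed
    together with the uploader's own number; it is a public value, not a key.
    """
    return hashlib.sha256((salt + number).encode("ascii")).hexdigest()


def number_space(prefix: str, ndigits: int) -> Iterator[str]:
    """Yield every number made of `prefix` followed by `ndigits` decimal digits.

    National numbering plans are this structured, which is why the keyspace is
    10^9 or smaller, far too small for any hash function to protect.
    """
    for tail in itertools.product("0123456789", repeat=ndigits):
        yield prefix + "".join(tail)


def build_lookup_table(prefix: str, ndigits: int, salt: str = "") -> Dict[str, str]:
    """Precompute hash -> number for the whole space.

    For 10^9 numbers this is a plain table of a few tens of gigabytes; the
    space/time trade-off of a true rainbow table is not even needed.
    """
    return {hash_phone(n, salt): n for n in number_space(prefix, ndigits)}


def recover_numbers(
    targets: Iterable[str], prefix: str, ndigits: int, salt: str = ""
) -> Dict[str, str]:
    """Invert the given hashes by enumerating the space once (no table needed).

    Stops early once every target has been matched; unmatched hashes are
    simply absent from the result.
    """
    wanted = set(targets)
    found: Dict[str, str] = {}
    for number in number_space(prefix, ndigits):
        digest = hash_phone(number, salt)
        if digest in wanted:
            found[digest] = number
            if len(found) == len(wanted):
                break
    return found


def seconds_to_enumerate(space_size: int, hashes_per_second: float) -> float:
    """Wall-clock time to hash an entire keyspace at the given rate."""
    return space_size / hashes_per_second


if __name__ == "__main__":
    # Constructed sample: two contacts from a deliberately small space
    # ("+34600" + 5 digits = 10^5 numbers) so the demo finishes quickly.
    prefix, ndigits = "+34600", 5
    contacts = ["+3460012345", "+3460099999"]
    uploader = "+34611111111"  # assumed uploader number, used as the salt

    unsalted = [hash_phone(c) for c in contacts]
    print(recover_numbers(unsalted, prefix, ndigits))

    # With the uploader's number as salt, anyone who knows that number
    # (the server certainly does) still only has to enumerate 10^ndigits hashes.
    salted = [hash_phone(c, salt=uploader) for c in contacts]
    print(recover_numbers(salted, prefix, ndigits, salt=uploader))

    # 10^9 numbers at a pessimistic 10^6 SHA-256/s on one CPU core: 1000 seconds.
    print(seconds_to_enumerate(10**9, 1e6))
```

The cost of the attack scales with the size of the numbering space, not with the strength of the hash, so swapping SHA-256 for a slower hash only moves the constant. A per-uploader salt multiplies the table-building work by the number of uploaders but does nothing against whoever holds the salt, which is the party storing the hashes. Only a keyed construction whose key the server never learns, or a private set intersection protocol, changes the picture.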
Just a small detail about cryptographic hashes:

https://gdpr-info.eu/art-4-gdpr/

"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

A cryptographic hash of a phone number still uniquely identifies a natural person and is, under the GDPR, still within the definition of personal data. The GDPR authors knew what they were doing, or they were lucky, although other parts of the GDPR also suggest that they had some technical think-tank behind them.

Anyway, hashing doesn't solve anything, whatever "obfuscation" is used or invented; as long as the information points to a "natural person", it is considered personal data.