[lxgr]

Is there any chance that the client needs the online status for some internal optimization, e.g. in order to deliver messages for online contacts to a different server than those destined for offline contacts? I could imagine delivery paths to be quite different (one would be immediately passed through in-memory while the other would be stored in some database and potentially trigger mobile push notifications).

In that case, it is nice to at least visually expose that this information is available to bad actors using custom clients too.

However, this fails as a possible excuse ever since Facebook acquired WhatsApp, given that they have essentially unlimited resources available and could easily implement a privacy proxy to hide this information from clients.

[hiq]

In any case there cannot be a good reason to share the online status / last seen date before any interaction has happened between two contacts, and approved by the receiver.

If you have had no interaction with someone, you should first accept a message (and not report it as spam) before this information is shared. Ideally that would be the default as well for the About field and the profile picture.

[lxgr]

I definitely agree – none of my hypotheses make for a good reason. I'm just wondering if there's anything technical behind what seems to be a quite stubborn decision that also sticks out (as everything else has controllable privacy options).

Another weird decision is that read receipts are not possible to be deactivated in group chats, but there is no explanation for that that I could think of (delivery receipts might be required for faster encryption key ratcheting, but the read status has no significance at all for the protocol).