[lxgr]

This is so absurd.

I think the previously often raised objections to interoperability were technically and economically mostly sound (federation is much harder to achieve in a secure way, thinking of key distribution, identifier verification etc.).

Now overcoming all of these obstacles and then going the extra mile to implement geofencing (which also has tons of edge cases!) completely undoes that argument.

[arp242]

I don't really see why WhatsApp would care, because once you have developed the interoperability, audited the apps, and done all that, it doesn't really cost WhatsApp anything if a user is using that app. They lose no profit, doesn't cost their servers any more than their own client would, etc.

WhatsApp makes their money from the business clients/apps (which aren't covered under this, which I think is fine by the way).

So why care where a user is on the planet? I just don't see the business reason for this. Maybe I'm missing something?

[lxgr]

For one thing, they can't show ads in third-party clients. (I think they currently only do that in "stories" in their own client at the moment, but without competing clients, they always have the option to expand that.)

On the other hand, I could imagine their business messaging ambitions to be threatened by third-party clients: There's nothing stopping the vendors of these clients from undercutting Meta on business messaging rates.

And this is all assuming that third-party services couldn't provide their own business messaging services to first-party WhatsApp client users without paying Meta their list price. I don't know whether the DMA allows that, or if normal rates would still apply in that case.

[akdev1l]

The WhatsApp client does give Meta a window of opportunity to get data from users.

The data is otherwise E2E encrypted but when you see a link preview on WhatsApp Meta knows that.

[Vinnl]

Only the messages are encrypted, but there's a ton of metadata that isn't, e.g. who you talk to, when, where you are when you do so, ...

[akdev1l]

But in the client is the only time their code touches the actual unencrypted message data.

Also a lot of the data you mentioned will also not be available if you don’t use their client, eg: if you use Signal client then Facebook won’t get your location all as that’s not part of regular text message

[arp242]

Do they actually do that? Because I'm not so sure that they do.

[akdev1l]

The preview sends a request to some server on a Facebook subdomain. I know because I was sniffing traffic on my phone without any Facebook app installed other than WhatsApp.

[arp242]

Okay, but do they actually use any data from that? What does the privacy policy say? Have any effects been observed beyond "uses a facebook domain" (e.g. you see ads on Facebook for a site you had in preview)? Is there functional reason for using that domain?

[akdev1l]

Do you think I’m a Facebook employee…?

Because no one else can answer your questions.

[lxgr]

Did you see the content of that domain? It might be spam/phishing protection, which can be done in a privacy-preserving way (e.g. sending only a truncated hash of the link TLD to a server and downloading a larger set of blocked domains for local filtering).

At least on my Mac, I also only see connections to the URL domain, nothing to a Facebook subdomain.

[akdev1l]

There’s like 1000 reasons why the domain could be used. (For example you wouldn’t want 1M phones destroying a website because it became viral on WhatsApp, hence a caching layer is probably needed)

I don’t work at Facebook on this specific system that handles link previews so I have no idea of the details.

The fact is that if they send a request containing the link I previewed which is tied to my IP which connects to my Facebook account then they can 100% correlate that information and figure it out.

Are they doing that? Maybe, maybe not. I don’t work there. But they can if they want to so it all comes down to trust. Do you trust Meta?

[petre]

Meta and 'privacy-preserving' are a contradiction in terms.