> 7.5.1. Partner User Location. Any Partner Users that Partner Enlists or provides access to the Interoperable Messaging Services must be located and remain in the EEA. Without limiting Section 11 (Warranties), Partner represents and warrants that it will only (i) Enlist and (ii) enable access to the Interoperable Messaging Services by Partner Users that Partner independently validates are located in the European Economic Area, (i.e., a Partner User must be present within the European Economic Area within any consecutive sixty (60) calendar day period). If WhatsApp detects or otherwise has reasonable grounds to suspect a Partner User Enlisted to receive the Interoperable Messaging Services is not located in the European Economic Area or is no longer located in the EEA, WhatsApp reserves the right to immediately suspend such Partner User(s) from accessing the Interoperable Messaging Services, and if multiple violations are detected, Partner shall remedy Partner's location validation procedures to ensure compliance with the terms of this Agreement.
Looks like interoperability is geo-fenced to Europe only.
And that they are reluctantly complying in bad faith in the most hostile way they found. Is this going to fly? Where do these 60 days come from for instance? How is it any useful and who is going to want to implement such interoperability under such terms?
This reads like a lot of words to say Fuck You Europe to me.
Well, feelings are mutual, at least we are on the same page, them and me.
You may dislike it, but EU law only applies in the EU; it sounds like full compliance to me, not "bad faith" compliance.
Messaging-interoperability is the one aspect of the DMA I don't support. These apps are free to download; and if you care about security (and use Signal) you'll want to avoid cross-service messaging anyway.
It seems all companies complying with EU laws (Meta and Apple) spent most resources on lawyers and accountants, to make this unattractive to users and competitors.
Without additional regulations across the globe it’ll be simpler playing the geofencing game for those companies.
Sounds less like "bad faith" and more like "I was hoping that Meta would cave and offer this to everyone, but turns out they don't have to do that because EU jurisdiction ends at EU borders"?
I think the previously often raised objections to interoperability were technically and economically mostly sound (federation is much harder to achieve in a secure way, thinking of key distribution, identifier verification etc.).
Now overcoming all of these obstacles and then going the extra mile to implement geofencing (which also has tons of edge cases!) completely undoes that argument.
I don't really see why WhatsApp would care, because once you have developed the interoperability, audited the apps, and done all that, it doesn't really cost WhatsApp anything if a user is using that app. They lose no profit, it doesn't cost their servers any more than their own client would, etc.
WhatsApp makes their money from the business clients/apps (which aren't covered under this, which I think is fine by the way).
So why care where a user is on the planet? I just don't see the business reason for this. Maybe I'm missing something?
I've been waiting for this, and hoping I could "just" cook up some of my own code to use with WhatsApp, and/or integrate it with Pidgin or bridge to email or whatever. But the entire process is about as hostile as possible.
For example "Partner shall have in place a dedicated security team" basically excludes most startups, or most smaller companies.
It's not clear to me if this is really complying with the DMA – it's certainly not in the spirit of it, but less sure about the letter of it.
I think it's quite fair to demand basic security compliance for implementing an E2EE messenger.
That said, I'm sure we'll see open source libraries pop up everywhere to communicate with WhatsApp directly. There already are unofficial WhatsApp clients in various forms, but now they can use the protocol without risking breakage because they reverse engineered the contents of the protocol itself.
I think there will be plenty of space for the Beeper Minis out there right now.
> I think it's quite fair to demand basic security compliance for implementing an E2EE messenger.
That's really a decision you should make, and not WhatsApp – "do I trust this arp242 guy and his GitHub repo?"
And some auditing isn't necessarily too bad, I guess, but a lot of this goes far beyond "basic security"; it's the type of "corporate checkbox security" that we all know works so well.
You seem to be confusing interoperability with WA’s desires to make sure that e2e encryption isn’t broken.
What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?
My friends and I use WhatsApp because we know the messages are secure. Imagine if every other group message had the “green bubble” equivalent experience if someone was using a custom client.
If that's your assumption, I've got bad news: People can already use third-party clients! WhatsApp "mods" for Android, third-party clients hooking into the web client etc. have all long been possible.
Without the DMA, Meta can make it very hard for any business model based on them, but it's never been a technical obstacle.
In a very similar way, you also need to trust your friends to not activate WhatsApp chat backups to Google Drive or iCloud without a password if you don't want end-to-end encryption to be compromised (there's no indication if they have it on or not), and that's the default suggestion by the official client.
You can do E2E encryption without all of these requirements. It's basically just TOFU some key when someone messages you. You can do 3rd-party implementation for other E2E messengers: Telegram, Signal (even though they don't like it), and of course XMPP (with extension).
I need to read a bit more carefully through the (limited) technical documentation they have; but all of this seems highly excessive. I'm not a distrustful or cynical person by nature, but I find it hard to avoid the impression that they intentionally made it as hard as possible.
I don't know what "the green bubble experience" means(?)
> What’s the point of thinking that WhatsApp is e2ee if anyone can write their own end point?
But even if you're using the official super secure endpoint, there's nothing preventing the user from taking a picture of the screen, which bypasses all protections.
So the same loophole Apple is using to render the app distribution part of the DMA moot. I look forward to seeing whether the EU considers this an acceptable interpretation.
I was also hoping to just be able to build my own messaging app and use it to chat with people who have WhatsApp. I guess this is a first step, and better than nothing. Let's hope the DMA keeps evolving and also closing loopholes.
Signal or Matrix interop would be great. I use WhatsApp as the logistical tool of choice to communicate with my coworkers when away from the company but I wish I could uninstall it. Not my tribe.
You can't uninstall WhatsApp that way though. Not just the web client, but also the app on your phone, which the web client proxies everything through.
There's an interesting philosophical question: if we have a fediverse or open source ecosystem for communication that is deeply integrated into Big Tech, does that make the fediverse stronger, or does it neuter the impact of fediverse as a possible "infrastructure-level" competitor of communication and information sharing?
There's something really appalling that I discovered lately and I can't believe there isn't enough uproar about it. Every attempt to talk about this gets ignored or buried (maybe by people who want this "feature" to be kept quiet) so I will take every opportunity on existing discussions about Facebook to bring it up:
Facebook (and TikTok) store tracking data on iOS that the user CANNOT SEE and CANNOT DELETE:
• It shows my previous account even after I delete the app.
• Clearing Safari's cache does not work.
• Disabling iCloud Drive and iCloud Keychain does not work.
• Even completely signing out of iCloud does not work!
• On a Mac in the Terminal, you can go to ~/Library/Mobile Documents and "ls -al" to see hidden folders like "iCloud~com~Facebook~Messenger" that you cannot otherwise view or delete.
• Someone mentioned that even RESTORING an iCloud BACKUP will resurrect these "eternal cookies"!!
----
WHERE do they store this data?
WHY can't the user see this data?
WHY can't the user delete this data without going through the app?
WHAT ELSE do apps store on our devices that we aren't even aware of? (This is just what we can see: The list of saved accounts for "quick login")
HOW MANY other apps are secretly doing this?
WHY does Apple, parading around as a pompous paragon of privacy, even allow this in the first place??
Hey I can shed light on this. It’s the iCloud keychain. Disabling the keychain doesn’t delete existing entries. There is no way to modify the keychain on iOS (you can on Mac). Lots of apps store sign on data in the keychain for obvious reasons.
It would be really great to have a keychain section in iOS’s settings, like Keychain Access on Mac. The dev can build in-app functionality to delete keys from the keychain, but there’s not a huge incentive to.
Keychain storage doesn’t let FB track you, just store sign on info, keys, and the like. It’s not able to execute arbitrary code, it’s an encrypted place to store login info that Apple syncs between your devices.
Use them via Safari if you don’t want this (then your logins are saved & synced in Safari's keychain).
It's not specific to iCloud Keychain--it applies to on-device Keychain on iOS devices, too, even if you don't use iCloud. Any developer can store data there with no way for the user to know or see what it's saving, and it's shared among all apps from the same developer. Keychain is quite a misnomer here--it's really "store any (short) data you want on a user's device without them ever being able to see or remove it". It transfers when you restore backups on new devices, too, even if you haven't had the developer's apps installed in the last decade.
This is an issue because if you ever use an app by a company, uninstall all their apps, and then install one of the developer's apps years later, they can tell it's the same iOS profile (even restored on a different device), profile what you do across those apps/installs/decades, and associate any accounts you log in with. Essentially they can put a permanent cookie that you can't even see on your iOS profile that's shared between their apps. If you use iCloud Keychain, they can probably profile you across all your devices regardless of whether you reset one.
Apple has said this isn't intended functionality and they were going to address the issue many years ago in iOS 10.3 by removing Keychain data when the last app from a developer was uninstalled [1], but they got cold feet. If I recall correctly, the reason was that some app developers were relying on this unintended functionality to ensure free trials couldn't be used more than once. Apple was going to introduce a service that could store only 2 bits of data to enable that use case and then revisit Keychain deletion when the last app from a developer is uninstalled, but it appears they haven't.
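As an added example (not code from any commenter, Apple or Meta): the in-app cleanup mentioned above, where an app wipes its own leftover Keychain items on the first launch after a reinstall. It assumes iOS, relies on UserDefaults being removed with the app while Keychain items are not, and uses a hypothetical marker key `example.hasLaunchedSinceInstall`.

```swift
import Foundation
import Security

// Hypothetical UserDefaults key (an assumption of this example).
// UserDefaults live in the app container and are deleted on uninstall,
// so a missing marker means "first launch after a fresh install".
private let installMarkerKey = "example.hasLaunchedSinceInstall"

// The Keychain item classes an app can write to.
private let keychainItemClasses: [CFString] = [
    kSecClassGenericPassword,
    kSecClassInternetPassword,
    kSecClassCertificate,
    kSecClassKey,
    kSecClassIdentity,
]

/// Deletes every Keychain item this app is entitled to access, including
/// items flagged for iCloud Keychain sync. Returns the OSStatus per class.
/// Caveat: items in a shared keychain access group are removed as well, which
/// affects the developer's other installed apps that use the same group.
func purgeOwnKeychainItems() -> [String: OSStatus] {
    var results: [String: OSStatus] = [:]
    for itemClass in keychainItemClasses {
        let query: [CFString: Any] = [
            kSecClass: itemClass,
            // Match both device-local and synchronizable items.
            kSecAttrSynchronizable: kSecAttrSynchronizableAny,
        ]
        results[itemClass as String] = SecItemDelete(query as CFDictionary)
    }
    return results
}

/// Call early in app launch. Returns true when a purge ran and succeeded,
/// false when this is not a fresh install or when a delete failed.
@discardableResult
func purgeKeychainIfFreshInstall(defaults: UserDefaults = .standard) -> Bool {
    // Marker present: the app has already run since it was installed.
    if defaults.bool(forKey: installMarkerKey) {
        return false
    }

    let results = purgeOwnKeychainItems()

    // "Item not found" just means there was nothing left over to delete.
    let succeeded = results.values.allSatisfy {
        $0 == errSecSuccess || $0 == errSecItemNotFound
    }

    // Only set the marker after a clean purge, so a failed attempt
    // (for example, Keychain unavailable while locked) is retried next launch.
    if succeeded {
        defaults.set(true, forKey: installMarkerKey)
    }
    return succeeded
}
```

This only helps when the developer chooses to ship it; the user still has no way to inspect or remove these items from iOS settings.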
It sure lets app developers identify me across app deletions and reinstalls!
I'm also not sure why Apple has kept this loophole open for so long when they are otherwise so focused on making sure user tracking across reinstalls is so hard (e.g. by making APNs tokens change after a reinstall, which used to not be the case as well, restricting access to read the device MAC address and other permanent identifiers etc).
Are you serious? They literally know my previous accounts even after I DELETE the app, WIPE the iPhone, and login to the same iCloud account on ANOTHER iPhone.
They do this by storing some data. They can store data about anything else. How can we be sure if we can't even LOOK at that data?
I only caught this because of the visible symptoms they CHOSE to show us: The list of previous logins.
This seems fundamentally at odds with Apple's philosophy that they're providing you a rented appliance they control and which you have temporary access to.
I'm sure you can remove most and/or all Mac OS files, but they're increasingly using trusted computing and even designing their own chips to increase the control they have over the devices (and correspondingly limit user control).
They sell this as a security feature these days, but the appliance model predates that and security is kind of just along for the ride.
I'm glad to see that people feel strongly that they should have control over the files on their system. I'd like to see that help move us toward users having full control over their computers.
> Every attempt to talk about this gets ignored or buried (maybe by people who want this "feature" to be kept quiet) so I will take every opportunity on existing discussions about Facebook to bring it up:
Or maybe this happens because it's completely off-topic here and has nothing whatsoever to do with WhatsApp?
> WHY does Apple, parading around as a pompous paragon of privacy, even allow this crap?
Good alliteration.
Apple doesn’t enforce what the app does with app data. Apple makes sure that if the app uses a platform API that is sensitive, it gets your opt-in (or prohibits the use of the API altogether). Apple makes sure that the app publishes a privacy nutrition label. But what the app does inside with whatever data you choose to give it, that’s up to the app.
If you voluntarily choose to give data to the app, what the app does with it is your problem. Apple just tries to make sure the app can’t take data that you haven’t chosen to give it.
If you reside within the EEA, yes. However, given the "wink wink", the answer might be no.
Meta is requiring that people reside within the EEA, not just are someone who is an EU citizen. They're requiring integrating services to give them the IP addresses of users and for the integrating service to confirm that you're within the EEA at least once in any 60 day period. If Meta thinks you're violating that as a user, they'll cut you off from the integration. If they think the integrating service is just violating it, they'll cut off the integrating service.
It looks like Meta might be requiring as much identifying information about you as they can get so it will probably be relatively easy for Meta to figure out who is cheating.
But if you're not trying to cheat, then yes you'd be able to message US WhatsApp users from a non-WhatsApp account in the EU.
> Matthew Hodgson, the cofounder of Matrix, which is building an open source standard for encryption and operates the messaging app Element, confirms that his company has worked with WhatsApp on interoperability in an “experimental” way but that he cannot say any more due to signing a nondisclosure agreement. In a talk last weekend, Hodgson demonstrated “hypothetical” architectures for ways that Matrix could connect to the systems of two gatekeepers that don’t use the same encryption protocols.
Some of them even threaten back charges if it turns out you used more data abroad than at the home country over a long enough period.
I called their bluff once and got away with it, but their systems may have improved since then.
How so? Each of them would need approval by Meta + signing an NDA, and I can easily see that ruling out open source libraries.
It is probably a positive change for end users, but far far away from the "open up your protocol" I was hoping for.
Making messaging interoperability with third parties safe for users in Europe
https://engineering.fb.com/2024/03/06/security/whatsapp-mess... (https://news.ycombinator.com/item?id=39614085)
Using it with a dedicated username for WhatsApp contacts could be a way.
It would be great if they'd finally fix this.
[1] https://developer.apple.com/forums/thread/72271
And I am looking at my iPhone now and Meta does not store tracking data in the Keychain.
And there are no eternal tracking cookies for Safari; even first-party ones are deleted every week.
Disabling the iCloud keychain doesn’t clear your local copy.
Most of your other messages seem similarly off-topic: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
Not only that, people have already answered your question in a previous thread.
There was a popular post just a few hours ago about Filezilla (whatever that is) containing adware in the default download.
This is a FAR more grave violation of privacy than anything so far — Tracking people ACROSS reinstalls AND MULTIPLE PHONES!
Or what tracking data you are referring to, i.e. is it cookies or local storage, but either way you should maybe speak to Apple Support.
Yes iOS apps can store local data and if you're unhappy about it then just delete or reinstall the app.
Well, that doesn't delete all local data. That's exactly the problem!
https://www.wired.com/story/whatsapp-interoperability-messag...
Matthew also did a FOSDEM talk about it about a month ago: https://fosdem.org/2024/schedule/event/fosdem-2024-3345-open...