AntiProDenialist wrote

Reply to comment by Zerush in by !deleted30

Same as in Gmail, which are read by employees and bots searching for keywords, due to the US anti-terrorist policy (used as an excuse).

Either I'm misunderstanding you or you are misunderstanding me. The two cases are not remotely similar. Read the Gizmodo article, and read the Ars Technica article I linked. Neither alleges that WhatsApp is automatically flagging messages for review.

The reaction of the people would be very different when the postman would open our correspondence to read it, before putting it in our mailbox, although it is exactly the same.

A more apt analogy would be if someone sent me a letter in the mail threatening to kill me and I took that letter to the local police station so they could be aware of the issue. The messages are being shared by the users of the app to the moderators through the report system. WhatsApp uses end-to-end encryption (which does not mean it should be trusted, it is still proprietary and for-profit, but it is better than many other popular messaging services).

The tracking and surveillance of the user by large companies has reached a highly indecent and criminal level, no private company has the right to spy on us and record our activities, but most users do not seem to bother.

I fully agree. In an ideal world people would be using Signal or some other open source end-to-end encrypted messenger. My worry is that press like this will serve to push average people away from WhatsApp and into something worse, like SMS, unencrypted email, Facebook Messenger etc.

Either way, misinformation should be corrected, regardless of who it benefits. Yes, fuck WhatsApp, but fuck WhatsApp for the right reasons.

3

Zerush wrote (edited)

It is certainly not directly related to the article, with which I also agree, but it is encompassed in this one. The underlying problem is the surveillance by great companies generalized, which is a big risk for security and which will destroy the freedom and independence of Internet.

And no, I do not agree on your simile, the simile would be others read all the letters by default, to find one that talks about a murder. It is clear that I go to the police, if I receive a threatening letter, but it is I who wants to read this message in MY correspondence, not someone else to do it for me, the postman or the post office.

Messages and correspondence can only be accessed by third parties by definition, when there is a court order. In this case, it will be the security forces, but never a private company that accesses or uses the content for its own purposes. It is also not true that an SMS is easier to access than a service like WhatsApp, often used on WiFi networks, in the worst case in a public WiFi in a McDonalds.

It is also not relevant for privacy or security, if the product is OpenSource or not, it depends on the purpose or the type of license it has, many OpenSource products carry tracking APIs from Google, Facebook, Amazon and others, which are also OpenSource. Apart from the security and privacy of the product, its maintenance and the frequency of security updates also influence, even more important in OSS, since hackers can also see the source code to find security holes or to inject all kinds of malware.

Privacy and security is specified in the PP and TOS of this. Mozilla, for example, uses trackers from Google (Alphabet Inc) and others to create its revenue. OpenSource has many advantages over development, customization, and the ability to use and share code for other products, but believing that FOSS stands for privacy and security is a huge mistake that many make.

2

AntiProDenialist wrote

And no, I do not agree on your simile, the simile would be others read all the letters by default, to find one that talks about a murder. It is clear that I go to the police, if I receive a threatening letter, but it is I who wants to read this message in MY correspondence, not someone else to do it for me, the postman or the post office.

The users are sharing the contents of the reported message with the WhatsApp moderators. Otherwise there would be no point in reporting the message. The Ars Technica article I linked makes this clear. I have stated this twice. You seem to just ignore this point. Is it wrong? Tell me how.

Messages and correspondence can only be accessed by third parties by definition, when there is a court order. In this case, it will be the security forces, but never a private company that accesses or uses the content for its own purposes. It is also not true that an SMS is easier to access than a service like WhatsApp, often used on WiFi networks, in the worst case in a public WiFi in a McDonalds.

This is laughable. End-to-end encryption is not defeated by McDonald's Wi-Fi. Read up on encryption.

It is also not relevant for privacy or security, if the product is OpenSource or not

I'll stop you right there. It is absolutely relevant. If the public can't vet the source code then the program should not be trusted.

it depends on the purpose or the type of license it has

Which open source license has any effect on the privacy or security of its users?

many OpenSource products carry tracking APIs from Google, Facebook, Amazon and others, which are also OpenSource

Google, Facebook, and Amazon are not open source. They may use open source software as parts of their services, and they may develop and contribute to open source software. Either way, your point seems to be that open source software doesn't guarantee privacy or security. No one is going to refute that. It's like pointing out that a bodyguard doesn't guarantee your safety.

hackers can also see the source code to find security holes or to inject all kinds of malware.

This is also laughable. No shit, hackers can find vulnerabilities in the source code. So can developers, security researchers, and anyone else who wants to read the source code, and those vulnerabilities can be properly disclosed and fixed.

Hackers can also (and often do) find vulnerabilities in proprietary software, where there are far fewer eyeballs. Additionally, with fewer eyeballs, proprietary software can more easily get away with being purposefully malicious (for instance, if a WhatsApp server could tell the client to send all of their unencrypted messages to a third party, the public wouldn't know of this feature until it was observed in practice or through reverse engineering).

Privacy and security is specified in the PP and TOS of this

Privacy Policies and Terms of Service don't get to choose what programs are or aren't secure.

Mozilla, for example, uses trackers from Google (Alphabet Inc) and others to create its revenue.

Mozilla gets revenue from setting Google to the default search engine. If I'm missing something please let me know. Either way, open source software violating user privacy for money is not unheard of. The public has access to the source code responsible for that behavior and has the ability to modify and redistribute a privacy-friendly version of the program. You can't do that with proprietary software.

3

Zerush wrote (edited)

Ok, as I say before, it's not directly related to the article, but generally surveillance is a problem. That moderators read reported posts is clear, but that this is also done by the Facebook company it is also a fact. APIs of Google, Facebook and others are foss and you can find them in GitHub (Microsoft). Also true that Mozilla use trackers from Google, see Blacklight analysis of Mozilla.

Blacklight detected this website sending user data to Alphabet, the technology conglomerate that encompasses Google and associated companies like Nest. The Silicon Valley giant collects data from twice the number of websites as its closest competitor, Facebook.

OpenSource is private as the author pretend it, same as in closed source, specified in the PP of the product, which nobody read. Secure is only a product which has a regular maintenance, FOSS discontinued (a lot) or poorly attended is a magnet for any kind of malware (I know). A hacker don't need inverse engineering to find security holes in open source codes.

Yes, the public has access to the source code, but how many users are able to read and check hundreds of thousands of lines of code and also check related external resources? If the vast majority do not even read the TOS and the PP.

What privacy is there, without going any further, in Chromium if it is used as is? Chromium is from Google and FOSS.

The main reason for OpenSource is technical, advantageous for the development of software (or also Hardware), due to the possibility of sharing resources, customizing and making changes to other products.

One last question, if in WhatsApp the messages are supposedly encrypted, inaccessible for WhatsApp itself, as stated in the PP, how then can the mods access it? It doesn't add up to me if this is true.

3

AntiProDenialist wrote (edited)

Ok, as I say before, it's not directly related to the article, but generally surveillance is a problem. That moderators read reported posts is clear, but that this is also done by the Facebook company it is also a fact.

Okay, perhaps I was misunderstanding you, you won't find any disagreement on this issue here.

APIs of Google, Facebook and others are foss and you can find them in GitHub (Microsoft). Also true that Mozilla use trackers from Google, see Blacklight analysis of Mozilla.

Okay, I plugged in mozilla.org to this site, and it says it uses Google Analytics and Google Tag Manager (which appears to be a part of Google Analytics). I don't think these are even services that Mozilla could use for profit, but I'm not very familiar with these so please let me know if I'm mistaken. Looking at the source code of mozilla.org for myself I found a comment containing a link to this issue which states:

Yes, www.mozilla.org... [uses] Google Analytics premium to understand how our websites are working... Our Google Analytics premium account is set to opt-out on all of 3rd party uses of the data and the only people who have access to the anonymous aggregated data is Mozilla Employees. This is not the normal Google Analytics setup that most people use on other websites.

I don't see much issue with this outside of Google handling the data (I would prefer Mozilla to handle it themselves, but it's not much of a concern to me).

OpenSource is private as the author pretend it, same as in closed source, specified in the PP of the product, which nobody read.

This doesn't make any sense.

Secure is only a product which has a regular maintenance, FOSS discontinued (a lot) or poorly attended is a magnet for any kind of malware (I know).

Yes. Don't trust unmaintained software. This isn't specific to open source.

Yes, the public has access to the source code, but how many users are able to read and check hundreds of thousands of lines of code and also check related external resources? If the vast majority do not even read the TOS and the PP.

The point is not that everyone should read all of the source code of all of the software that they use. The point is people can read the source code, so a user can expect a sufficiently popular open source project to have many eyes on it, including independent parties, and maybe even security researchers. You can see all of the different contributors and the discussion between contributors. This is far better than trusting software that was developed behind closed doors.

What privacy is there, without going any further, in Chromium if it is used as is? Chromium is from Google and FOSS.

Like I said, we can bring up any number of FOSS programs that violate user privacy. It's beside the point. We know that Chromium is not privacy-respecting by default, and that is why there are forks that serve to "de-Google" Chromium, like the fork used by QtWebEngine, which is the base of multiple alternative browsers. If Chromium were closed source then we would only know that it violates user privacy at the discretion of Google, via a privacy policy, and I'm sure you would agree a company might mislead/lie in their privacy policy. I'm also not certain how legally binding privacy policies are, or if they are even required at all.

One last question, if in WhatsApp the messages are supposedly encrypted, inaccessible for WhatsApp itself, as stated in the PP, how then can the mods access it? It doesn't add up to me if this is true.

This was the point of my "threatening letter" analogy earlier. By using WhatsApp's "report" mechanism, the user (who has the unencrypted messages) instructs the WhatsApp client to send the reported messages to WhatsApp's servers for their human moderators to review.

3

Zerush wrote (edited)

I agree with these points and he certainly didn't have any bad intentions against your views. I only intend to clarify and make a few points on an important topic. About Mozilla, if you look at the analysis below, apart from Google analytics, you will also find Alphabet Inc, a Google company, dedicated to disseminating content for advertising companies and which is the tracker that Mozilla uses. I always prefer OpenSource applications, but I know that, what many say, 'what is not FOSS = Crap' or 'FOSS is synonymous with privacy and security', which in my opinion is false, this is not the purpose of OpenSource by default and also dangerous to believe, I know from my own experience.

The many eyes that monitor a FOSS cannot be generalized, since if it is complex applications, they can have millions of lines of code.

In the field of browsers, we are talking about mainly 3 engines, Gecko, WebKit and Blink, the basis for around 100 browsers and another 70 that were discontinued.

In the vast majority, they are forks that make each other with small changes and putting their own logo, because major changes are impossible to make by any developer alone and is reserved for more numerous and active teams or communities, given the complexity of the product, not even talking about maintenance, which is mainly limited to patching holes and bugs that are found later.

Many fall by the wayside for this reason, in a fairly saturated market dominated by the Big 4 (well, Mozilla not so much anymore, currently in freefall, which is sad).

PD, Maybe useful for you, Blacklight is very useful to check webs, despite it discover only the most used Tracking techniques and naturally can't check sites, which need an account to enter (Facebook, f.Ex.). You can add it also to your search engines list you use

https://themarkup.org/blacklight?url=%s

For Android apps is recommended to use Exodus Privacy, which permits to check the apps you use.

2

AntiProDenialist wrote

About Mozilla, if you look at the analysis below, apart from Google analytics, you will also find Alphabet Inc, a Google company, dedicated to disseminating content for advertising companies and which is the tracker that Mozilla uses.

Blacklight reports 1 tracker, that is Google Analytics. We know Google Analytics is owned by Google, and Google is owned by Alphabet. This doesn't contradict anything I said in my previous reply.

The many eyes that monitor a FOSS cannot be generalized, since if it is complex applications, they can have millions of lines of code.

Yes, complex programs are more difficult to vet. Ideally we should prefer simpler programs whenever possible (for more reasons than just security, but that's a separate topic), but that is becoming more and more difficult as the software landscape evolves. Regardless, I can trust a complex FOSS program (Firefox, the Linux kernel, X11, LibreOffice, to name a few) much more than I can trust any proprietary program.

In the field of browsers, we are talking about mainly 3 engines, Gecko, WebKit and Blink, the basis for around 100 browsers and another 70 that were discontinued.

Yeah, browsers are fucked. Any browser that can handle the modern web is a bloated turd with many vulnerabilities waiting to be discovered.

In the vast majority, they are forks that make each other with small changes and putting their own logo, because major changes are impossible to make by any developer alone and is reserved for more numerous and active teams or communities, given the complexity of the product, not even talking about maintenance, which is mainly limited to patching holes and bugs that are found later.

Yes, this is sadly true. QtWebEngine (based on Blink) is an exception to this, actively maintained by the Qt Project, with 14 contributors in the last month excluding a bot. But yes, what you're saying is correct, and it has the (very intended and very anti-competitive) effect of solidifying Google's dominance over the web.

PD, Maybe useful for you, Blacklight is very useful to check webs, despite it discover only the most used Tracking techniques and naturally can't check sites, which need an account to enter (Facebook, f.Ex.). You can add it also to your search engines list you use

https://themarkup.org/blacklight?url=%s

For Android apps is recommended to use Exodus Privacy, which permits to check the apps you use.

I browse the web mostly with JavaScript disabled and I use very strict security settings in Firefox (blocks all known trackers, tries to resist fingerprinting, doesn't keep any data on shutdown) with almost no extensions. Trackers aren't much concern to me (although they do suck).

On Android I only use one proprietary app (WhatsApp, and I don't have any choice about it), and a few open source apps. I'm more worried about the operating system itself and the apps that come preinstalled with it, instead of the apps that I've installed (hopefully open source phones can become usable soon).

2

Zerush wrote (edited)

I use Vivaldi and sometimes UR and FF. As extensions I mainly use Trace and Site Bleacher. Also uBlock Origin in FF, in Vivaldi I don't need with its own blockers where are also the filterlists from uBO and others. In Android also Vivaldi and naturally OpenSource apps from F-Droid as much as possible, proprietary only an app for medical appointments, that I need as an old retiree that I am.

Because of this I use Windows10 (tuned, without telemetries and other spy-crap it has by default). Well, at least it has the biggest catalogue of FOSS of all OS.

2