• whofearsthenight@lemm.ee
    11 months ago

    I didn’t know that. Hmm, sounds like it’s decently likely this is a bit overblown then. I mean, I suppose there are a lot of lazy companies out there that will skip this, but that severely limits the functionality in a way that it’s going to force the secure method.

    • towerful@programming.dev
      11 months ago

      It opens users to timing attacks.
      If there are 10000 notifications per second, and across 100 incidents user A does something to cause a notification and user B receives a notification within network latency time periods, it is likely user A is talking to user B.
      Whilst that seems like arbitrarily useless data, having this at the giga/peta scale that the US government is processing it, you can quickly build a map of users “talking” to users.
      Now, this requires the help of other parties. You need to know that user A is using WhatsApp at the time. And yeh, you don’t know what the message is, but you know that they are hitting WhatsApp’s servers. And you know that within 5 minutes of user B receiving a notification, they are also then contacting WhatsApp’s servers.
      So now you know that user A is likely talking to user B via WhatsApp.
      And also users G, I, X and M are involved in this conversation.
      And you bust user G on some random charge. And suddenly warrants are issued for more detailed examination of users A, B, I, X and M.
      Maybe they have nothing to hide and are just old college friends. Or maybe they are a drug ring, or whatever.

      It’s all the “I have nothing to hide”, phones being tied to a person, privacy and all that.
      We can’t really comprehend the data warehouse/lake/ocean level of scale required to realise how all the little pieces of metadata and tracking information are able to add up to “User A is actually this person right here right now and they bought a latte at Starbucks and got 5 loyalty points” level of tracking.

      Is it likely this bad?
      Probably.
      There’s the “Target knows I’m pregnant before I told anyone” story.
      https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

      That’s over a decade ago. It’s not let off. And you can bet that governments are operating at a level a few years beyond private industry.

      So yeh, every bit of metadata counts.
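
The timing correlation described in the comment above, as an added example that is not part of the original thread: a scaled-down, constructed trace (50 users, one hour, 100 incidents between user 0 and user 1) in which send/receive coincidences are counted per pair. The `jitter_s` delivery delay is an assumption added here to show how much the signal depends on notifications arriving within network latency.

```python
import bisect
import random

def simulate(seed, jitter_s, users=50, duration_s=3600.0,
             noise_per_user=200, incidents=100):
    """Constructed trace: user 0 messages user 1 `incidents` times, the rest is noise.
    Returns (sends, recvs), each a dict of user -> sorted timestamps in seconds."""
    rng = random.Random(seed)
    sends = {u: [rng.uniform(0, duration_s) for _ in range(noise_per_user)]
             for u in range(users)}
    recvs = {u: [rng.uniform(0, duration_s) for _ in range(noise_per_user)]
             for u in range(users)}
    for _ in range(incidents):
        t = rng.uniform(0, duration_s)
        sends[0].append(t)
        # Network latency, plus an optional random delivery delay
        # (hypothetical mitigation, not something the thread describes).
        recvs[1].append(t + rng.uniform(0.05, 0.3) + rng.uniform(0, jitter_s))
    for table in (sends, recvs):
        for stamps in table.values():
            stamps.sort()
    return sends, recvs

def coincidences(send_ts, recv_ts, window_s=0.5):
    """Count sends that are followed by a receive within window_s seconds."""
    hits = 0
    for t in send_ts:
        i = bisect.bisect_left(recv_ts, t)  # first receive at or after the send
        if i < len(recv_ts) and recv_ts[i] - t <= window_s:
            hits += 1
    return hits

def score_sender_zero(sends, recvs):
    """Return (score of the true pair 0->1, highest score of any unrelated receiver)."""
    scores = {r: coincidences(sends[0], recvs[r]) for r in recvs if r != 0}
    true_pair = scores.pop(1)
    return true_pair, max(scores.values())

if __name__ == "__main__":
    for jitter in (0.0, 60.0):
        true_pair, best_other = score_sender_zero(*simulate(seed=1, jitter_s=jitter))
        print(f"jitter={jitter:>4}s  true pair={true_pair}  best unrelated={best_other}")
```

With no added delay the true pair scores far above every unrelated receiver; with delivery spread over a minute its score falls into the background, which is why batched or delayed delivery weakens this kind of metadata analysis.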