Comments

buro9 6d
"WhatsApp's end-to-end encryption is used when you chat with another person using WhatsApp Messenger. End-to-end encryption ensures only you and the person you're communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp"

This has always been disingenuous.

WhatsApp control the client, the client displays the unencrypted message, ergo WhatsApp can read the message.

It provably does when it interprets links and does a web page preview card.

Also... that is highly likely leaking your advert profile as even if the preview didn't then any visit to the website is outside of WhatsApp and is now tied to your IP, browser cookies, etc.

All of the above can be true without end-to-end encryption being broken or otherwise defeated on the server side.

FreeHugs 6d
Just because the messages might be sent end-to-end encrypted from Sue to Joe does not mean Meta cannot read them.

Meta has control over the app Sue uses. So they could send them to Meta unencrypted in addition to sending them to Joe in an encrypted fashion.

Or they just extract the relevant terms:

Sue->Joe: "Hello Joe, I'm so excited! We are going to have a baby! Let's call it Dingbert. You're not the father! Jim is. I hope you don't mind too much!".

Sue->Meta: "Sue will have a baby"

Insta->Sue: "Check out these cute baby clothes!"

Maro 6d
WhatsApp FAQ:

WhatsApp's end-to-end encryption is used when you chat with another person using WhatsApp Messenger. End-to-end encryption ensures only you and the person you're communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them. All of this happens automatically: no need to turn on any special settings to secure your messages.

https://faq.whatsapp.com/791574747982248

Maro 6d
Some options:

1. Nobody is reading your WA messages, the same topics can be learned from your browsing activity or other msgs, eg. by reading your sms texts.

2. Meta is reading your messages directly in-transit, server-side.

3. Meta is not reading your messages server-side, but the Meta apps extract keywords from your conversations and request relevant ads from the ad servers.

4. Another non-Meta app is doing the above.

5...

muzani 6d
WhatsApp Privacy Policy:

How We Work With Other Meta Companies

As part of the Meta Companies, WhatsApp receives information from, and shares information (see here) with, the other Meta Companies. We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings, including the Meta Company Products. This includes:

...

- improving their services and your experiences using them, such as making suggestions for you (for example, of friends or group connections, or of interesting content), personalizing features and content, helping you complete purchases and transactions, and showing relevant offers and ads across the Meta Company Products; and

verytrivial 6d
WhatsApp make no specific claims about who this encryption is keeping you safe from. And they also require you to agree that they can use your information and interactions for their legitimate business needs. I mean, WhatsApp is standing right there when you stuff the message into the box regardless of how safe the package is in transit once it's left your phone. And consider basically every 'enhancement' to security or privacy around Facebook was done under duress for years. Pre-acquisition WhatsApp is a different story, but that story is ancient history.

I didn't agree to the recent WhatsApp nor Facebook's TOS so no longer have their product on my devices. I suggest you do the same, or just sit back and enjoy the specialised, relevant, targeted ads, but think twice before each send.

kulor 6d
I can attest I've seen this behaviour and played this game with a friend. We concocted obscure conversation points e.g "Flamingo statues" and not long after would get ads in the right ballpark of relevance on Instagram. Hard to know if it's nefarious as it could be mere coincidence or confirmation bias.

Tangential aside; it still confounds me where the business opportunity of WhatsApp resides for Meta if they "can't" get access to the data.

napolux 6d
IANAL of course, but you should read the ToS carefully and you will probably find something that allows them to read your messages anyway.

e2e encryption doesn't forbid to read the messages as you type or read them or read a screenshot of the screen or whatever they can do inside an app :P

They were caught activating your camera by "error" a while ago https://www.macrumors.com/2019/11/12/facebook-bug-camera-bac...

As per the experiment you did...

We did the same experiment with a female friend a while ago. We started talking about her pregnancy (a topic we never touched, as she was single and of course not pregnant) in a group chat, specifically targeting her. Sure enough, after a couple of days her fb and instagram were full of strolley ads (but not ours) :)

itissid 6d
I always wondered how is the business decision between charging a dollar per year for no information sharing vs some information sharing but free made. Does anyone know of a messaging app that uses such a model?

avnigo 6d
Are you sending each other links or just mentioning the ads in text?

If this is just in text—and I'm definitely not defending Meta here—could it also be that the ads you see have got us so figured out already? The topic you choose to talk about may be influenced or seeded by your environment (online/offline), and one thing leads to the other almost deterministically.

Here's an experiment: try rolling a die a few times or using a random number generator to pick one word or more from a list like the EFF wordlists [0], and then talk about that exclusively.

[0]: https://www.eff.org/deeplinks/2016/07/new-wordlists-random-p...

jrochkind1 6d
One explanation I've heard for mysterious "We were talking about it in person but nothing else" ads, is that if you were connecting to the internet from the same Wi-Fi access point or IP address as someone else that did a web search on the topic or visited websites on the topic, it has connected you by way of shared internet connection.

Is it possible something like that happened?

In general, while anything is possible, my own Occam's razor calculation is that if someone does have a way to get through ostensibly end-to-end encrypted messages, it's going to be government actors saving it for law enforcement/national security purposes. They wouldn't "waste" it on ad targeting. And if it's being secretly used for ad targeting so many people would know about it, people who aren't disciplined military bound by law to secrecy, that it would be quite likely to get out and be revealed and no longer secret.

titaniczero 6d
Another idea: test a null hypothesis. Block with your pi-hole or a proxy all the facebook traffic so the messages won't work. Then reproduce with the same exact behavior with your wife so all the external factors are the same except the facebook connection itself. It could be even more granular by trying to block just enough so it won't send the messages, allowing facebook ad trackers, etc.

If you try this several times, the messages are not working and the corresponding ads show up you can be sure that it is not because they are reading your messages. Which does not rule out the possibility that they might read them, but at least you can be 100% sure that your ads are not showing up because of your messages in this case.

fold3 6d
I had a video call with my mum on signal from her android phone to my macbook. Then I got very specific video recommendation in YouTube about our conversation within the same day. Her android is oppo. Could it be leaking the signal call and then cross match me with the phone numbers to my google account?

a-dub 6d
try an external source of true randomness for choosing your test topics. choices that seem random to you may be totally predictable.

i know that's wild, but also often true. humans are bad at randomness. there may be no direct leak at all of your test topics, they might just be guessable based on everything that is known about you, people like you and things you've been presented or looked at.

dan-robertson 6d
I think you partly may just be biased by happening to notice ads more if they fit the topic you sent to your wife or being lenient in deciding if ads meet the categorization. And if you dwell on an ad because it seems to match, you may get more similar ads.

Here is how I think you could design a more robust (but less fun) experiment:

- Come up with a bunch of topics, write them down on slips of paper, put the paper into a hat

- Each Monday, draw three topics from the hat, send some WhatsApp messages about the first, Messenger messages about the second, and don’t discuss the third. Don’t put the topics back in the hat.

- If you see any ads relating to one of the topics, screenshot them and save screenshots to eg your computer with a bit of the topic

- Separately, record which topic went to which platform

- After doing this for a while, go through the screenshots and (each of you and your wife or ideally other people) give a rating for how well the ad matches the topic. To avoid bias, you shouldn’t know which app saw the topic.

- Now work out average ratings / the distribution across the three products (WhatsApp vs Messenger vs none) and compare

snowmizuh-04 6d
The scarier thing to me is when ads match _conversations_ I have with my wife. I told her about this story this morning, and she reminded me about a conversation about stem cell research we had yesterday. I said something along the lines of 'I hope there is a breakthrough soon on regenerating the Isle of Langerhans in the pancreas to treat diabetes.' Sure enough, she noticed an article in her Google News feed later that day related to diabetes.

Once or twice may be a coincidence. Maybe. But this happens regularly and with startling specificity.

What could be listening? I'm a technologist like the rest of you. I know apps need permissions to the mic, I know it's not easy for an app to stay in the foreground. Is it my Roku? My smart TV?

Makes one want to go full Richard Stallman.

p.s. my wife just said it would be really funny if Google News showed an article now on people worrying about their tech listening to their conversations. I'll post an update if that happens...

planede 6d
Instead of speculating whether something like this could or could not be true, there should be a way to test it scientifically.

* Have pairs of mobile devices set up from factory configuration with WhatsApp and Instagram installed.

* Simulate conversations between each pair from select topics.

* Collect all ads from Instagram after the WhatsApp conversations from each device.

* Categorize ads to broad topics.

* Search for significant bias.

There are probably a lot of factors I'm missing here, and it's probably easy to introduce bias when there is none there. For example it's probably a good idea that a different person categorizes the ads into topics than the person handling the specific phone, otherwise the person might bias the categorization of the ads based on the conversation they had on WhatsApp beforehand. The person categorizing the ads should have no knowledge of the WhatsApp conversation that happened on the phone. The devices should probably be on different networks. There is probably a lot that I am missing here.
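
The blinded design that dan-robertson and planede outline above, combined with a-dub's point about using true randomness, sketched as an added example (not code from any commenter): topics are drawn with the OS CSPRNG, ratings are joined to the sealed assignment key only at the end, and an exact permutation test compares each messaging arm against the never-discussed control. The arm names, function names and sample scores are constructed for illustration.

```python
import itertools
import secrets
from statistics import mean

ARMS = ("whatsapp", "messenger", "control")  # control = topic never discussed

# Constructed sample (not real observations): sealed topic->arm key, and the
# 0-5 relevance scores a rater gave each topic's ads without seeing that key.
SAMPLE_KEY = dict(zip((f"topic-{i:02d}" for i in range(12)), ARMS * 4))
SAMPLE_RATINGS = dict(zip(SAMPLE_KEY, [4, 1, 1, 5, 2, 0, 3, 0, 2, 4, 1, 1]))


def draw_week(hat):
    """Draw one topic per arm from `hat` without replacement (mutates hat).

    Uses the OS CSPRNG so the choice cannot follow the experimenters' habits.
    """
    picked = secrets.SystemRandom().sample(hat, len(ARMS))
    for topic in picked:
        hat.remove(topic)
    return dict(zip(ARMS, picked))


def unblind(ratings, key):
    """Join blinded {topic: score} ratings with the sealed {topic: arm} key."""
    by_arm = {arm: [] for arm in ARMS}
    for topic, score in ratings.items():
        by_arm[key[topic]].append(score)
    return by_arm


def exact_permutation_p(treated, control):
    """One-sided exact p-value for mean(treated) > mean(control).

    Enumerates every relabelling of the pooled scores, so the result is
    deterministic and makes no distributional assumption.
    """
    pooled = list(treated) + list(control)
    observed = mean(treated) - mean(control)
    hits = total = 0
    for idx in itertools.combinations(range(len(pooled)), len(treated)):
        chosen = set(idx)
        t = [pooled[i] for i in chosen]
        c = [pooled[i] for i in range(len(pooled)) if i not in chosen]
        total += 1
        hits += (mean(t) - mean(c)) >= observed - 1e-12
    return hits / total


if __name__ == "__main__":
    arms = unblind(SAMPLE_RATINGS, SAMPLE_KEY)
    for arm in ("whatsapp", "messenger"):
        print(arm, round(exact_permutation_p(arms[arm], arms["control"]), 4))
```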

throw7 6d
My understanding was always that whatsapp controlled/has access to the key, so they can decrypt anything anyway. It wouldn't be surprising that "end to end" means that it includes you, your partner, and whatsapp.

it wouldn't be surprising that whatsapp gleans info from your comms and builds a profile of you, from which ads get injected. whatsapp is not selling your actual comms, but the likelihood you'd be interested in certain things/products. sort of like how the three names supposedly only store metadata of your calls, not the actual call.

philliphaydon 6d
I’m convinced WhatsApp’s e2e is BS. Because multiple times I’ve mentioned something I’ve never even googled and then had Facebook ads for those things show up minutes later.

The most notable one being renting an apartment. I viewed an apartment then sent a message to the agent requesting window grills or latches and then had adverts for that stuff straight away.

Whenever I mention this on HN I get downvoted with lame excuses as to why it happened but none of them are plausible.

My friend messaged me saying he needed to go buy kitty litter and I get adverts for cat toys and supplies on Facebook despite not even replying to him?

Anyone who believes WhatsApp is really e2e is a fool IMO.

xzjis 6d
I think Meta is reading your messages locally on your device and showing you personalized ads from the messages that are actually on your device. It's not uploaded on Meta's servers and not in any way breaking the e2ee, because your device is one of the 2 ends. If you don't use Facebook or Instagram on your phone then no personalized ads are shown.

Everything above is supposition from something I vaguely remember but not 100% sure.

moralestapia 6d
(wrt some comments in this thread)

Is it so hard to believe that Meta is snooping on WhatsApp conversations? Meta, a company of unprecedented size that was built over monetizing your private data? A company who's been caught in plenty of scandals (like Cambridge Analytica) about this exact sort of thing (violating their users' privacy)?

Someone from this community, which generally means educated, tech-literate and sensitive to these topics shares a perfectly plausible observation, of something that has been experienced as well by plenty of other folks, me included; and then some people come and try to make up the most convoluted explanations (candy boxes from Kazakhstan just happened to be trending that specific day, nothing to see here, move along!) to this phenomenon and try to shift the blame away from Meta. Why do you do this? Are you Meta employees? A PR agency they hired?

It's just baffling. Apparently some people DO want to be abused.

Plot twist: we all get ads about candy boxes from KZ now.

crazygringo 6d
I'm sorry, but this feels like a highly irresponsible FUD post to me. (And I am not a fan of Facebook in any way at all, so let's put that out of the way.)

For years and years and years, there have been people claiming their voice assistant (for example) is listening in on their conversation to show ads, and so forth. And it's always anecdote, never any hard data.

And the thing is, if this were the case, it would be relatively easy to prove with a controlled experiment that other people can replicate. And yet, somehow, magically that never happens.

Sure, Google used to algorithmically read your Gmail to show you relevant ads, but they were totally open about that, and then they stopped because it weirded people out anyways.

If Facebook were mining Whatsapp messages for ad topics, they'd probably be as open about it as Google was, out of pure self-interest. Because right now so much of their advertising is about how Whatsapp is trustworthy because it's E2EE etc. So if they were secretly analyzing messages, it would blow up the reputation of their main marketing message. There's a good chance it would be business suicide for Whatsapp. A profit-driven company probably isn't going to take that risk.

To be honest, this post feels social-engineered by a messaging competitor or something. I'm not saying it is, but the personal touch ("silly little game with my wife"), the innocent questioning ("Is... or am I missing something silly?"), and the total lack of any objective evidence (e.g. screenshots of messages and ads) are all HUGE red flags.

If Meta really is doing this, it's pretty easy to prove with hard data, and that's going to become a front-page news story on the New York Times. The fact that that hasn't happened leads me to think it's much more likely there's nothing here.

xerxesaa 6d
As someone who has actually worked on end to end encryption at Meta, I can tell you I am not aware of anything where the company reads your WhatsApp messages - either in transit or device. The company takes fairly serious measures to ensure it cannot even accidentally infer such contents.

I don't know what is happening in this specific case. Perhaps the ads came from some other similar search queries. Perhaps they came from the keyboard intercepting what was typed. Or perhaps something else that I can't think of. But I'm nearly certain it did not come from meta intercepting the contents of your messages.

It's hard to convince people at this point because many have lost trust in Meta as a company, and I understand that. But I still find it stunning that so many people are making so many false claims without any actual knowledge to back it up.

keyme 6d
For a few years, WhatsApp "e2ee" messages were stored in plain text on your Google drive backup (that's how it worked on Android. Don't know about apple). This was even stated in their FAQ.

This was as part of a FB/GOOG deal where the storage for WhatsApp backups did not count for your Google drive quota.

Recently the backups did finally become encrypted as well. With a key known to the WhatsApp app. (On Android, stored in a file called "key" in the app's local storage)

However, when you restore the backup, where does the key come from? From the WhatsApp servers, obviously.

So still, FB and GOOG together still have full access to your daily backed up messages.

And the free storage deal is still there, of course.

Please do correct me if I'm wrong and you know better.

atirip 6d
Every time I buy a new car, there suddenly are a lot of the same model everywhere I look.

berns 6d
You and your wife can both install Signal and play the same game. Then you can discard that Facebook is snooping on your messages. And you can think of bigger conspiracies which is always fun.