• 0 Posts
  • 7 Comments
Joined 10 months ago
Cake day: January 26th, 2024

  • Well, WhatsApp is owned by Facebook. They are a large player, so they are under a bunch of scrutiny.

    But at the end of the day, WhatsApp clearly states it takes all this information. They only claim to keep your messages end-to-end encrypted.

    I wonder if this applies to text messages only, or to things like voice memos, images/videos, gifs, etc. as well.

    WhatsApp doesn’t let you send documents if you don’t give it full access to your files. Sure, maybe they pinky-promise they don’t do anything, but this is Facebook we’re talking about.

    The same caveat goes for photos and videos - you can’t even send a photo if you don’t give it the camera permission and gallery access, something it clearly doesn’t need just to send a single picture.

    Additionally, WhatsApp loads previews of websites. Sure, on the privacy violations list that’s pretty low-priority, but I’d still like to not have a link contacted before I can take my 3 seconds to look at it and decide whether it’s worth clicking. Especially since a lot of my contacts send obvious scams (“send this message to 10 contacts for a chance to win a free iPhone” type bullshit mostly).

    Revoking WhatsApp’s contacts permission will not show people’s nicknames - it will only show numbers. Yet you have to give yourself a nickname on WhatsApp, so they clearly have some interest in your contacts. Otherwise they wouldn’t block it outright when it’s an already implemented feature to show nicknames for numbers not in the contact list.

    All quite suspicious if you ask me. Although I don’t work in cyber security so it’s clearly just incoherent rambling from me.



  • Depends. According to the GDPR, for any processing of PII you need consent from the data subject or a reasonable basis why you have to act upon the data (your servers communicating with an IP address is necessary for your service to function). Saving the address isn’t, so you need consent or other legislation under which you’re required to store it that trumps the GDPR. That’s the so-called “overriding legitimate interest”. It doesn’t mean “interest = money”, “data = money” therefore “data retention = overruling legitimate interest”.

    Keeping leaked data or scraping it from public sources is still problematic since you do need consent.

    If you’re approached as a 3rd party by someone with data who sells them to you, you are obliged to make sure the data you’re given has been acquired with consent. Oftentimes checks aren’t in place, and ultimately, if you’re given “bad data” by the intermediary you can always claim they knew they should’ve notified you but didn’t.

    If you’re scraping leaks, well, there’s no one between you and the data subject who can take the fall. You’ve knowingly collected “bad data” unilaterally.