In a viral blog post, Stripe engineer Rob Heaton writes an amusing short story in the second person about how two friends who’ve committed to a charity walk end up founding a startup that’s a creeper’s dream. At the center of his story is the mega-popular messaging app, WhatsApp.
WhatsApp is an app that lets users make calls and send messages of all kinds. It’s one of the biggest messaging apps in the world.
Heaton points out, though, that a minor feature on the service could make it easy to get a decent idea of when a person is awake and active in the world. When someone downloads the app and connects it to their phone number, it defaults to making their “last seen” status visible to anyone using the app. Since most people don’t mess with default settings, it’s a fair bet that a lot of people leave it enabled.
In the story, Heaton’s character sets up a Chrome web app programmed to look up a specific person’s “last seen” status every ten minutes. He wants to know if the person has been sleeping an adequate amount, and by checking continuously realizes that his target has been staying up much too late. Realizing that all he needs to track the sleep of millions of people is a phone number, he starts harvesting numbers and tracking everyone he can.
As long as WhatsApp leaves this last seen data in the clear for any WhatsApp user, this is easy.
So there are some obvious caveats to this data leak. It only works for frequent WhatsApp users, and only for the ones who haven’t changed their settings. So it might not reveal anything about the person someone was most interested in.
This reporter went through a ton of his contacts, and most of them seemed to have it turned off.
If someone can check people often enough, though, the scheme might still work. According to the app’s documentation, WhatsApp does not let users hide the fact that they are online, actively using the app.
The story really captures why apps should default to the most private setting and then let users choose to reveal more. Of course, that’s not what the companies want. They want people to reveal as much as possible, because that hooks other users in.
Anyone who wants to make sure they have their last seen data on lockdown can do so as follows:
- To change it on an iPhone, find the privacy settings by going to Settings, then Account and then Privacy.
- On Android, touch the menu button, then Settings, then Account and then Privacy.
Facebook bought the messaging service in 2014 for approximately $16 billion (mostly in stock). It famously adopted the Open Whisper Systems encryption protocol, making the content of messages private, even from Facebook. We dubbed it one of the top privacy victories of 2016.
WhatsApp and Facebook were not immediately available for comment.