
Just because I'm interested in personal bots: doesn't WhatsApp Business have a (nominal, maybe) cost? I've been using Telegram and they're amazingly bot-friendly + free, but I use WhatsApp so much more.

Does it feel like it works for small (and personal-use) players with buttons, callbacks, and the rest?



You're right. WhatsApp Business API has a cost (which varies depending on country and type of message the Business initiates). I'm hoping to recover the cost through monthly subscriptions.


And I think you can do more about E2E encrypting it. Or at least trying to. At some point, people don't want plaintext journals floating around stored permanently. Although I know it starts as cleartext on WhatsApp's servers.


> people don't want plaintext journals floating around stored permanently

This is Facebook. They're data-mining pictures of your dog for money. I don't think privacy/safety can be expected with Meta.


> Although I know it starts as cleartext on whatsapp's servers

WhatsApp uses the Signal protocol[1], so the text is never plaintext on the wire (or servers).

1. https://signal.org/blog/whatsapp-complete/


Easy to say, very difficult to implement right (and implementing it wrong is difficult AND useless). Also, let's be clear here, WhatsApp E2EE is a joke.


> whatsapp E2EE is a joke

Could you please elaborate why (in detail)?


My guess is that since it's closed source, no one besides them can verify that the supposed E2E is even true, or exists in the current latest binary. It's like telling everyone that I've got a mountain of gold inside my house, but the door is locked, so no one besides me could verify my claim. Security and/or privacy via obscurity is moot.


You can always go ahead and decompile the apps and then show everyone that they’re in fact lying, that story would be huge. That alone doesn’t make it true, but there have so far not been hints of them pulling weird stuff with their e2ee, unlike telegram, for example. They’re even working on improving the default mode 99% of users use e2ee chat apps with - trust on first use (TOFU): https://engineering.fb.com/2023/04/13/security/whatsapp-key-...

They probably do all kinds of horrible stuff with the metadata. I’m honestly too lazy to read the privacy policy. But I have yet to see critique of their e2ee that’s actually backed up by substance instead of people’s imaginations.
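The comment above mentions trust on first use (TOFU) as the default trust model most users rely on. The following is an added illustration of what that model does and where it is weak, written for this thread and not taken from WhatsApp, Signal or Meta's code: a client pins a contact's public-key fingerprint the first time it sees it, accepts later messages while the fingerprint is unchanged, and flags a key change for the user to verify out of band (the "safety number" comparison). The contact names, key bytes and store are constructed for the example. The limitation TOFU cannot fix on its own, and which the linked key-transparency work addresses, is visible in the code: the very first key is accepted without any check.

```python
"""Trust-on-first-use (TOFU) key pinning, as an added example.

Not WhatsApp's or Signal's implementation; all names and key bytes below are
constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class PinStore:
    """Per-device record of the key fingerprint first seen for each contact."""
    pins: dict = field(default_factory=dict)    # contact -> pinned fingerprint
    events: list = field(default_factory=list)  # audit trail of trust decisions


def fingerprint(public_key: bytes) -> str:
    """Short, stable fingerprint of a public key (what a user would compare)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


def check_key(store: PinStore, contact: str, public_key: bytes) -> str:
    """Apply the TOFU rule to a key presented for `contact`.

    Returns one of:
      "trusted-first-use" - no pin existed; the key is pinned unverified
      "trusted"           - key matches the existing pin
      "key-changed"       - key differs from the pin; needs user verification
    """
    fp = fingerprint(public_key)
    pinned = store.pins.get(contact)
    if pinned is None:
        # The weak point of TOFU: the first key is accepted without evidence
        # that it really belongs to the contact.
        store.pins[contact] = fp
        store.events.append(("pinned", contact, fp))
        return "trusted-first-use"
    if pinned == fp:
        return "trusted"
    # A changed key can be a reinstall or a new phone, but it is also what an
    # interposed party would look like, so the client must surface it.
    store.events.append(("key-change", contact, pinned, fp))
    return "key-changed"


def verify_out_of_band(store: PinStore, contact: str, public_key: bytes) -> None:
    """Record that the user compared fingerprints with the contact directly
    and accepted the new key; only then is the pin replaced."""
    fp = fingerprint(public_key)
    store.pins[contact] = fp
    store.events.append(("verified", contact, fp))


def demo() -> list:
    """Walk through first contact, steady state, a key change, and re-verification."""
    store = PinStore()
    alice_key_1 = b"constructed-alice-key-1"   # constructed sample key
    alice_key_2 = b"constructed-alice-key-2"   # constructed replacement key
    results = [
        check_key(store, "alice", alice_key_1),  # first use: pinned blindly
        check_key(store, "alice", alice_key_1),  # same key: trusted
        check_key(store, "alice", alice_key_2),  # new key: flagged
    ]
    verify_out_of_band(store, "alice", alice_key_2)
    results.append(check_key(store, "alice", alice_key_2))  # now trusted again
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `['trusted-first-use', 'trusted', 'key-changed', 'trusted']`. The second result shows why TOFU works well day to day, the third shows the only signal a TOFU client can give when something changes, and the first shows the gap that an attacker positioned at initial contact would exploit, which is why a verifiable key directory is an improvement rather than a cosmetic change.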


If debunking security and/or privacy claims, and indirectly proving security and/or privacy claims, were as simple as reverse engineering binaries, then the very concept of open source for better privacy and/or security would itself be moot. It's outrageous to even suggest that.


It’s certainly not outrageous. It’s how people regularly find vulnerabilities in all kinds of closed-source software.


It certainly is for proving privacy claims. Even finding vulnerabilities by reverse engineering is to debunk security claims, not to strengthen them.


The topic has been e2ee, which is first and foremost about security. You can have e2ee without privacy, as is likely the case with WhatsApp.

You certainly can “prove” and “disprove” “security” by reverse engineering, to the same extent a source code review can (or even more, since you’re looking at what’s actually running on the device). It can often require a bigger time investment, but even that’s not always the case in my experience, especially if you’re working with a really bad code base.


They also handle and store users' backups unencrypted by default, so they have access to all messages in plaintext on multiple occasions.


Meta has access to the backups that are stored on each individual’s Google Drive/iCloud? How does that work exactly? Please elaborate.


> Meta has access to the backups that are stored on each individual’s Google Drive/iCloud?

Why the surprise?

Meta has access to the folder it manages in the user's Google Drive. That's obvious, otherwise they wouldn't be able to write to it.


The app uses the (i)Phone OS's cloud storage APIs to write to the backup folder; Meta's servers don't have access to any credentials. For Android I currently can't check, but it's obvious from their FAQs that they have the app upload to Google's servers even if they don't use the OS APIs there: https://faq.whatsapp.com/481135090640375/?cms_platform=andro...

They have indirect control over the user's backup folder via the app, but Meta would need to distribute a malicious update to everyone that causes the users' apps to download the backup and send it to Meta, at which point they could just skip trying to access the backup and directly upload the chats from the app.

It’s impressive how much misinfo you’re spreading.

Edit: Meta’s actions over the years clearly show that they don’t want to know the contents of your messages. Not knowing their contents means, for example, that they don’t have to run scanners to detect illegal content (but users can report messages). They benefit from making WhatsApp a secure platform, as it allows them to collect everyone’s metadata, which apparently has lots of value to them.


> but it’s obvious from their FAQs

Haha. That's great proof! Not the closed source, not the proprietary protocol they use to talk with their server, but their FAQ.

> They have indirect control over the user’s backup folder via the app, but meta would need to distribute a malicious update to everyone

Please give us the results of your research from when you reverse-engineered Meta's APK to prove your point, as this is what you think others should do. Otherwise it is just big talk.

"Oh, but if that were the case you would get rich reporting it!" More low-IQ reasoning. You will get sued to death; I know people who did so and now have to waste time and money on the legal system.


Yes - I would love that too. Please back that up?


Huh, yeah, that's good to hear. As a small note, on my personal bot I set up simple journaling (and then just used Google Sheets as the backend!) which includes a nominal 'rating' of 1-10 so I can see how my mood fluctuates.

Especially if they do it every day/most days, having the option to see what you wrote "on this day" 2-3 years back is great. Especially when I try to include the names of people I was interacting with (but who are easy to forget 3 years later). It can be a nice reminder to text them and say you were "just randomly", unprompted, thinking about them: 'How's it going?'


I do agree that getting to read entries from your past is quite magical and has to be experienced to really understand it.

Fantastic that you've set it up for yourself.


Yes, it is paid, but there are good unofficial APIs (better than the official one, actually). The problem, as you would expect, is that they aren't highly reliable, and losing messages is common.



