Cake day: Jun 13, 2023


And the company came under fire again in 2018 after The Wall Street Journal revealed it was allowing third-party developers to trawl users’ Gmail inboxes, to which Google responded by reminding users it was within their power to grant and revoke those permissions.

So you can remove those permissions, just that it’s enabled by default. Shitty design, but it’s not mandatory to enable those, just like how you are not forced to use Edge when you get a Windows computer.


Mullvad is in a 14 eye yet is extremely respected in the community.


But the protocol has already been published and there aren’t many changes needed (except maybe the quantum layer?). Charging a custom license would only push the others to develop a different protocol, one that might not be as private compared to Signal.


It’s good enough for NSA to catch a terrorist, not necessarily useful enough for FB to produce targeted ads. If one plans to commit terrorism, WhatsApp is definitely not the best platform.

According to the article you linked: “In most cases, if metadata must be generated and/or used, it should be either 1) minimal or 2) encrypted so that it’s unreadable by the server handling the request(s)”. So most of the important metadata from your files will be encrypted, which makes them inaccessible to WhatsApp unless they decrypt it (thus breaking the e2ee promises). Maybe they’ll know the file size or the file name, which you can easily change; what will they do with that?

So they are pretty much left with IP (if you don’t use a VPN) and phone numbers you have contacted (which are already known by Apple/Google, NSA, etc. if you have a phone number and use it for calls).


Except it is more private than alternatives like Instagram DMs and FB Messenger (ironically all by the same company), which are not e2ee.

@glacier’s response pretty much covers it all, and it’s confirmed in the WhatsApp FAQ.

Sure, they could find out who you are based on someone who added you as a contact. But if you don’t have a FB account, or don’t use your real name there, all they’ll know is that you have a WhatsApp account, but won’t see your messages, unless someone reports your messages. Sure, that’s not as great as Signal, but much better than Discord/Slack/Snapchat/etc.

There’s also the issue of trust. Can we trust WhatsApp when they claim it’s e2ee? There’s no way to verify, but the same can be said for other OSS alternatives; for instance, Telegram servers are not open source and the client you download might not be the one you see on GitHub. So there’s no guarantee your private key is not sent to the server at any point.