commented: See this response from the head of the Signal Android team.

commented: Ok, that’s why this functionality is required and cannot be artificially delayed. But no mention of why the client is ack’ing reactions to messages that don’t exist on its end, or at least reporting them to the server after some threshold so abusers can be detected.

commented: Yeah, these sorts of attacks are inevitable in any low latency network service. I do think that we need to be more proactive about spam and degrade privacy protections based on heuristics. I agree with you that client side detection and automatic reporting of this behavior would be an appropriate privacy trade-off and effective mitigation in this case. However, purely client side heuristics for more complex cases can be easy to bypass because spammers have access to those filters too. For example, Matrix struggles with child porn spamming and any client side image scanning service can be trivially bypassed. Instead, new messages from new accounts (for example) could be blurred and the user prompted to enable external scanning (at least for the first few messages).

commented: Probably because they want to achieve low latency / low computational overhead. However I would argue making it transparent when this is happening would also solve the issue. Based on that info one could take additional steps.

commented: Note for moderators: I submitted with non-clickbait title. The article's title is "Free spy tool can track 3 billion WhatsApp users, drain batteries and data limits".

commented: So you can see if someone is engaged with your conversation and this is a timing attack of some kind? Based on routing I guess this would leak no more information than the number of hops between you and your conversation partner. Does anybody remember when things like Tinder were publishing exact distance information between people allowing triangulation? They solved it by essentially chopping off the more detailed bits in the lat-longs they used for that calculation, plus minor additional obfuscation. This side channel, by comparison, probably can't tell you which country your conversation partner is even in without significant additional resources.

commented: It doesn't have to be your conversation, it tells you if the app is open, or if the device is locked or not. From that you can deduce when the victim wakes up or goes to sleep, for example.