Exploiting silent delivery receipts to monitor users on instant messengers

Researchers say your messaging apps’ “delivered” checkmarks can be turned into ghost pings—silent nudges that never show up on your screen but still trigger delivery receipts. Rapid-fire pings could reveal if you’re online, whether your screen is on, how many devices you use, and even drain battery or data. WhatsApp and Signal are named, and targeting only needs a phone number. Cue the meltdown: privacy folks call this a doorbell for stalkers, not a feature, and want a redesign that stops receipts for invalid messages. The paper’s title even spawned a meme: “Careless Whisper,” because your app’s whisper gives you away.

Biggest outrage: Signal Foundation’s silence. One commenter sighed, “still no comment from the foundation,” calling it an obvious bug. Others push back: delivery receipts help normal users, so fixing it without breaking convenience is tricky. Drama escalated when a user linked the FBI’s push‑alert tactic [https://www.pressherald.com/2024/02/29/the-fbis-new-tactic-catching-suspects-with-push-alerts/], fueling worries that ghost pings might be cop‑bait. Jokes flew (“turning off my phone like it’s Y2K”), but beneath the memes, trust is wobbling. People want receipts on the receipts—clear answers, throttles, and opt‑outs, not radio silence.