Thoughts in the time of privacy breaches – Instant Messengers

We are in a time of privacy breaches, or, to put it another way, of no privacy. I have been reading through many technical articles discussing the latest happenings in cyber security and privacy-related matters. Based on those readings, I am trying to jot down what I could understand with my little brain.

March 2018 saw one of the biggest privacy breaches known to man – Cambridge Analytica. Following that, a WhatsApp co-founder called on people to delete Facebook as the fallout intensified.

This made me wonder how secure WhatsApp itself is. I started reading to find out what security features the instant messaging software on the market now offers.

Data collection

All, or to put it softly, most web sites and mobile device applications collect user data. They call it metadata. Edward Snowden explains it very well by replacing the word ‘metadata’ with ‘Activity Records’. That gives a not-so-techie person a perspective on what it is.

Facebook or WhatsApp (for example) knows that you called Domino’s Pizza last Friday night at 8 o’clock, from a Walmart near your friend’s home. But they don’t know what you ordered or said over the phone.

A ‘moderately techie’ guy would think that is not possible, because we have HTTPS and end-to-end encryption protocols in place. That would prevent people from snooping into what we are doing.

Wrong.

Encryption protocols

There are mainly two encryption protocols used in major IM software.

Facebook Messenger, WhatsApp and Allo use the “Signal” protocol, whereas Telegram uses the “MTProto” protocol.

Signal protocol

The Signal Protocol (formerly known as the TextSecure Protocol) is a non-federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls, video calls,[3] and instant messaging conversations.[2] The protocol was developed by Open Whisper Systems in 2013[2] and was first introduced in the open source TextSecure app, which later became Signal.

-Wikipedia

MTProto

The protocol was developed by Nikolai Durov and other developers at Telegram and is based on 256-bit symmetric AES encryption, 2048-bit RSA encryption and Diffie–Hellman key exchange.

-Wikipedia

Here comes the hero. There is an all-new IM application built on the Signal Protocol. And this article is an advocacy for the “Signal” messenger.

Both of the above protocols provide end-to-end encryption, which makes sure that the message is encrypted at the source and that only the final recipient is able to decrypt it.

Both protocols have been vetted by globally acclaimed security gurus and researchers. The Signal protocol passed with glowing reviews, whereas three theoretical flaws were found in MTProto. I will be adding the link to the research paper in the footer.

The obvious next question would be: if FB Messenger, WhatsApp and Allo are using the same Signal protocol, what is the significance or advantage of switching to Signal?

Of the chat systems mentioned above, only WhatsApp enables end-to-end encryption by default. The others do it only in certain scenarios. E.g., for FB Messenger, E2E encryption is on only when secret conversation is enabled; for Allo, only in incognito mode.

There is a reason why it is not a good idea to stick with WhatsApp. This dilemma leads us back to the first concern – “Data Collection”.

Data Collection, again

End-to-end encryption does not stop service providers from collecting usage data. It is just that we do not usually read the privacy policies of the software we use.

WhatsApp’s privacy policy says it will collect:

  1. Usage and log information
  2. Transactional information
  3. Device and connection information
  4. Cookies
  5. Status information

One of the main purposes of collecting all this information is to push targeted advertisements down the user’s throat. Not to mention, WhatsApp is a Facebook-owned company. And Facebook got owned by Cambridge Analytica type of companies. Hence, WhatsApp usage is feeding those evil companies who are trying to undermine the novel idea of Democracy. (Personally, I would not be excited about doing that.)

Facebook (and Messenger) collects one of the most extensive sets of data from its users. To see just a fraction of it, visit: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen and select “Your Categories” under the “Your information” section. (For mobile app users, go to Settings → Account settings → Ads.) You will be amazed to see that Facebook has almost all granular information about you – whether you stay with your family or away, whether you are interested in photography, what phones/devices you use/own… and what not!

Allo is from Google, and for ages, all netizens have sold their souls to Google. Google reads, analyses and stores all messages coming in and going out of your devices. Again quoting Snowden: click here.

Telegram does not store any metadata on its servers. But the messages and media files sent using the software are stored on its servers.

Signal Messenger, unlike the other software, retains only a couple of pieces of information on its servers: the user’s phone number and when they last logged into the server. The chat/transaction time is not stored on the server. Instead, only the date is saved.
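To make the difference between content and ‘activity records’ concrete, here is an added example (not code from Signal, WhatsApp or any other messenger): a relay that only ever handles ciphertext can still log who talked to whom, when and how much, and the same message is then reduced to the two fields this post says Signal keeps. The one-time-pad XOR is only a stand-in for a real end-to-end cipher, and all names, phone numbers and the message are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Envelope:
    """What the relay server handles for one message (hypothetical shape)."""
    sender: str
    recipient: str
    sent_at: datetime
    ciphertext: bytes  # opaque to the server: it never holds the key


def xor_pad(data: bytes, key: bytes) -> bytes:
    """One-time-pad XOR, a stand-in for the real end-to-end cipher."""
    if len(key) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def activity_record(env: Envelope) -> dict:
    """Everything a collecting server can log without ever decrypting."""
    return {"from": env.sender, "to": env.recipient,
            "at": env.sent_at.isoformat(), "bytes": len(env.ciphertext)}


def minimal_record(env: Envelope) -> dict:
    """Retention as this post describes it for Signal: number + date only."""
    return {"account": env.sender,
            "last_connected": env.sent_at.date().isoformat()}


def demo() -> dict:
    # Constructed sample data: fictional numbers and a made-up order.
    plaintext = "One large pepperoni, please".encode()
    key = secrets.token_bytes(len(plaintext))  # known only to the endpoints
    env = Envelope("+1-555-0100", "+1-555-0199",
                   datetime(2018, 3, 23, 20, 0, tzinfo=timezone.utc),
                   xor_pad(plaintext, key))
    return {"server_sees": activity_record(env),
            "minimal": minimal_record(env),
            "recipient_reads": xor_pad(env.ciphertext, key).decode()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The pizza order never appears in either server-side record, yet the first record still answers who, whom, when and how much.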

Hence, I rest my case. I don’t know what will happen to Signal tomorrow. But as of today, with the given information and resources, Signal seems to be the most trustworthy instant messaging system.

Download for your device from this site: https://signal.org/

Edward Snowden on Signal

Privacy Does matter; whoever it is

 

Further reads:

http://cs.au.dk/~jakjak/master-thesis.pdf

https://www.theverge.com/2016/9/21/12994362/allo-privacy-message-logs-google

 

Facebook’s Cambridge Analytica Debacle: Why This Data-Privacy Storm Is Different, And What’s Next

 

 
