Our conversations are one of the richest sources of personal data. And let’s have no illusions – brands, corporations or governments are greedy for it.
There are multiple messaging applications that we use every day. As long as they compete with each other to offer us new features, advanced design, or smoother interface, they also make us trade our privacy for their services.
Why does privacy matter?
Confidential data has always been a means of the bargain. But since we all live in a digital world, it became one of the most valuable currencies. The more it holds, the bigger value it gets.
Sponsored
Since we humans are social beings, communication with other people is essential for us. This is why we voluntarily share information about ourselves online. However, each of us also has things to hide.
There are dozens of things that we share with our spouses, best friends, therapists or lawyers in private online conversations. They certainly are not supposed for the rest of the world to learn.
Control
There are serious reasons why our privacy matters. One of them is our behavior. It changes dramatically when we know we are being watched. We become more conformist and compliant with rules in order not to be shamed. Surveillance is a long known way of control.
Blackmail
Online conversation can hold a lot of private material. When lost and published it can undermine your reputation. Thus it can simply be used to blackmail you.
Frauds
Even seemingly innocent data can be interesting and valuable. The unauthorized party can use your private information or just pieces of it to steal your identity. Personal details that fall into the wrong hands, can be used for frauds and financial crimes like money laundering.
The internet is not a safe place today. Like any other currency, our digital data can be stolen. However, more often we easily give them away by ourselves. Unintentionally and also willingly, as an exchange for a fast, convenient, and simple way of communication.
Why do messaging apps collect our data?
You may already have heard the recent news from WhatsApp. The world’s most used messaging app with over 2 billion active users updated its privacy policy on January 4, 2020.
This means the WhatsApp users (outside the EU and UK) will be left with a little choice to quit sharing their private data with Facebook from February 8, 2020. The social network giant has been a parent company of Whatsapp since 2014.
Our messages on WhatsApp are encrypted and Facebook will not be able to access them directly. However, this doesn’t mean its hands are off the other data that stream from the app.
The information which the messaging app shares with Facebook includes our account registration information, transaction data, service-related information, information on how you interact with others, mobile device information or your IP address.
The value of big data
The pieces of metadata like the mobile device model or what time did we share a message might seem of little value. But they get one when they come into context. Or into big data.
Big data gives us the ability to discover patterns and trends of our data. A huge amount of structured and unstructured data can be analyzed for insights on our habits, behavior, preferences, beliefs, and, well, secrets.
The ones that store enormous amounts of user information hold a massive power of control in their hands. Speaking metaphorically, they have a weapon.
Corporations like Facebook can create psychological profiles and target them. They are free to manipulate our opinions, political choices, and thus lead to political changes and social unrest. This is exactly what Cambridge Analytica did with Facebook’s big data months before the 2016 US presidential election and Brexit referendum.
The value of metadata
On a smaller scale, even the single pieces of our metadata can be a goldmine for bad actors. Applications that collect device-specific data like IMSI (International Mobile Subscriber Identity) associated with the SIM card, can identify, track, and locate users even if they change physical devices.
No matter what type of data is collected, any information transferred from a user’s device without his knowledge or consent violates the user’s privacy. Especially if these data are later exposed to third parties.
Even the smallest units of metadata can potentially be sensitive and used for further attacks by cybercriminals. For example for phone calls and text messaging interception.
Which app collects what?
A month ago Apple officially applied app privacy labels. Since then all applications available on the App Store are required to disclose what user data they collect. New privacy labels also give the ability to see how each of the applications collects private data.
Facebook Messenger
The new policy revealed that major messaging app Facebook Messenger collects enormous amounts of private data. It is an indisputable leader there compared to its competitors. Here is what data Facebook Messenger tracks:
- Contact data (name, email, phone number, physical address, contacts of other users)
- Identification data (user ID and device ID)
- Content (photos, videos, emails, text messages, audio data, gameplay data)
- Browsing and search history
- Purchase history
- Payment data
- Location data
- Device diagnostics (performance and other data)
- Health and fitness data
- Product interaction
Customer support
WhatsApp is the second biggest user data collector among messaging applications, which tracks:
- Identification data (user ID and device ID)
- Contact data (phone number, email address, contacts)
- Content
- Purchase history
- Payment information
- Device diagnostics (performance and other data)
- Customer Support
- Product Interaction
Moreover, it has been sharing user metadata with Facebook since 2016 when the major updates on its term of use and privacy policy were implemented. The shared information included the phone number, an app using habits, device info (IP address, operating system, browser, battery data, mobile network, language, timezone), location, and payment data.
iMessage
- Contact data (phone number, email address)
- Search history
- Identification data (device ID)
Telegram
- Contact data (phone number, contacts)
- Identity data
Signal
- Contact data (phone number)
After the latest WhatsApp policy update announcements, millions of users turned to seek more private messaging app options. Signal downloads skyrocketed by 4,200% in a single week.
Both Signal and Telegram became the most downloaded applications on the App Store and Google Play this Monday. Telegram exceeded 500 million active users worldwide.
Despite these facts, the question still lingers: are any of the private messaging applications really a remedy for data leakage? And can we be truly sure that its content will not be revealed by a third party?
Is the content really safe?
The content of our messages on the above mentioned apps is protected (or supported in Telegram’s case) by end-to-end encryption.
This means that the message is encrypted as soon as it is sent. It remains unreadable and protected until it reaches the receiver’s device. When opened, the message is instantly decrypted.
However, no conversation shared between devices is 100% safe, says McAfee, a global computer security software firm.
According to it, encryption and decryption do not protect the messages from the risk of being read. This may happen if the devices are hacked or infected by spyware. Protecting end-to-end encryption requires the protection of devices first.
In addition, the device’s cloud backup option is another risk factor. Some messaging apps (iMessage) synchronize with and store data using their own cloud services. And the end-to-end encryption standard is not always supported by cloud service providers. In Apple’s case, access to all the users’ data backups is only protected with Apple ID.
Some messaging apps do not synchronize with the clouds, but users’ devices do. And thus the sensitive message content can still be at risk of ending up there. As it is known, Signal is the only option that does not support its data backups.
Signal’s code cracked
However, Israel’s phone-hacking company Cellebrite managed to break into the Signal messaging app last month. The company cooperates with law enforcement agencies around the globe and offers technologies to access data of any device in their possession.
According to their blog post, Cellebrite managed to decode Signal app decryption and access the data. It even provided a detailed explanation on how it cracked the code, saying it was not an easy task though.
In conclusion
The levels of security range in various messaging applications. All of them use end-to-end encryption while messages are in transit, or at least offer such an option. However, their content can still be leaked from the servers or accessed by hacking into devices.
End-to-end encryption does not protect the fact of communicating and your metadata, which is also revealing enough. So, when it comes to evaluating privacy messaging apps, the biggest question is our specific needs and what for do we use them.
