End-to-end Encryption (Messaging)

From SI410
The logos of WhatsApp and Signal, two of the most prominent end-to-end encrypted messaging applications

End-to-end encryption (E2EE) is quickly being adopted by more messaging applications as users become more conscious of how secure their digital communications are. The cryptography of each application works differently, but the concept of E2EE is similar for each application. When two users begin a conversation on an E2EE application, a private/public key combination is generated; when messages are sent, the message is encrypted using the public key on the sender's device[1]. The encrypted packet can then be sent to the server to be delivered to the recipient; only when the message reaches the recipient with the correct private key can it be decrypted and read. Most end-to-end encrypted messaging applications claim that “Messages are end-to-end encrypted. No one outside of this chat, not even [messaging service], can read or listen to them,”[2] but each service has a different privacy policy that fundamentally changes the amount of privacy afforded to the users. There is little clarity given to the consumer on how secure their data is after it has reached the recipient and, for example, how each company deals with violations of their terms of service or if there are governmental requests for the information. This article seeks to provide information to potential users about the fine print contained within the privacy policy of the applications that promise to keep our messages and personal data safe.

Signal

Signal messenger was initially released on iOS in 2014 and Android in 2015 by Open Whisper Systems (OWS) after combining their existing technologies of RedPhone and TextSecure[3]. Signal was the first free service to allow users to make end-to-end encrypted calls, something that would have cost ~4¢/minute on the next cheapest service in 2014.

Privacy Policies

From the outset, Open Whisper Systems was committed to keeping its users' information private and secure. The service was designed so that OWS could only see when a user's account had been created, the phone number linked to the account, and when they had last connected to the Signal servers[4]. Signal can offer privacy that other end-to-end encrypted messaging platforms cannot because it is built as an open-source project, collectively built by developers who are concerned about their privacy and will look for bugs and loopholes that are present within the service.

Governmental Pressures

OWS stood firm on their core values in October of 2016, when they received their first subpoena for data on one of their users[5]. The Federal Bureau of Investigation subpoenaed Signal for the records of two individuals who were using Signal as their main form of communication to run a crime ring. Signal did comply with the demand for information, but they were very limited in the information that they were able to provide. Signal only collects data on:

  1. The phone number used to create the account,
  2. The time that the account was created, and
  3. The last time that the account was connected to the Signal Servers

Creation Of The Signal Technology Foundation

In 2018, Moxie Marlinspike and WhatsApp co-founder Brian Acton announced the formation of the Signal Technology Foundation, whose mission is "to support, accelerate, and broaden Signal's mission of making private communication accessible and ubiquitous"[6]. During this time the Signal Foundation continued on their mission of creating a more accessible private communication system by including support for more devices, still at no cost to the end user. As Signal continued to work on building a private communication system, it started to gain more traction, especially during the George Floyd and subsequent Black Lives Matter protests of 2020[7]. Protesters were worried about how the United States government and police forces would react, and they knew that Signal was time tested in not releasing user data. Organizers were concerned about the privacy policies of competing applications like WhatsApp because “WhatsApp is owned by Facebook, so it makes money off of who is talking to whom, when.” In addition to having the most secure privacy policy, Signal has other features that make it popular among people trying to avoid government oversight, like automatically blurring people's faces in photos.

Signal Protocol

The Signal Foundation (Open Whisper Systems at the time) created the Signal Protocol (formerly the TextSecure protocol), an open-source, non-federated cryptographic standard used to encrypt all calls and texts within Signal. The Signal Protocol is constantly being upgraded to allow developers to incorporate more privacy features in the products they create, including sealed sender, which encrypts everything except the address the message is supposed to arrive at, further protecting the users. Numerous closed-source applications have adopted the Signal Protocol, including WhatsApp[8], (some of) Google Rich Communication Services[9], Facebook Messenger (secret conversations only)[10], and Skype Private Conversations[11]. Although private companies use the Signal Protocol, they can choose how much metadata they wish to encrypt in the packet, allowing them to collect more data on their users than Signal does.
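The split described above between encrypted content and readable packet metadata, as an added example that is not part of the original article or of any of these apps' code: two devices derive a shared key with X25519 and encrypt with AES-256-GCM using Node's built-in crypto module. It is a simplified stand-in, not the Signal Protocol (no ratcheting, no sealed sender), and the envelope field names and sample message are assumptions.

```javascript
const crypto = require("crypto");

// Each device generates its own key pair; the private key never leaves it.
function newDevice(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("x25519");
  return { name, publicKey, privateKey };
}

// Both ends derive the same 32-byte key from their own private key and the
// other side's public key (X25519 agreement, then HKDF-SHA256).
function sharedKey(myPrivate, peerPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync("sha256", secret, Buffer.alloc(0), "e2ee-demo", 32));
}

// Runs on the sender's device. Only recipient.name and recipient.publicKey are used.
function seal(sender, recipient, text, sentAt) {
  const key = sharedKey(sender.privateKey, recipient.publicKey);
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
  return {
    // Routing metadata (hypothetical field names): plaintext to the service.
    from: sender.name, to: recipient.name, sentAt, size: body.length,
    // Content: unreadable without one of the two device private keys.
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    body: body.toString("base64"),
  };
}

// Runs on the recipient's device.
function unseal(recipient, senderPublic, env) {
  const key = sharedKey(recipient.privateKey, senderPublic);
  const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(env.iv, "base64"));
  d.setAuthTag(Buffer.from(env.tag, "base64"));
  return Buffer.concat([d.update(Buffer.from(env.body, "base64")), d.final()]).toString("utf8");
}

// What the relay can log about a message it cannot read.
function serverView(env) {
  return { from: env.from, to: env.to, sentAt: env.sentAt, size: env.size };
}

// The relay holds the envelope and public keys, but only its own private key.
function relayCanRead(env, senderPublic) {
  const relay = newDevice("relay");
  try {
    unseal(relay, senderPublic, env);
    return true;
  } catch (_) {
    return false; // GCM tag check fails under the wrong key
  }
}

function demo() {
  const alice = newDevice("alice");
  const bob = newDevice("bob");
  // Constructed sample message and timestamp.
  const env = seal(alice, bob, "meet at 6", "2023-02-08T12:00:00Z");
  return {
    relaySees: serverView(env),
    relayCanRead: relayCanRead(env, alice.publicKey),
    bobReads: unseal(bob, alice.publicKey, env),
  };
}

console.log(demo());
```

Everything returned by `serverView` is what a privacy policy governs: who talked to whom, when, and how much, even though the body stays unreadable to the service.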

WhatsApp

WhatsApp is an encrypted messaging service that is now owned by Meta (parent company of Facebook). WhatsApp was originally launched in February 2009 as a free service that allowed users to share their statuses with friends; the company followed the principle, “No Ads! No Games! No Gimmicks! – Brian Acton”[12]. The service began to be revolutionized when, in June of 2009, Apple added Push Notification functionality to their iOS operating system. WhatsApp utilized push notifications to share with friends when someone’s status was updated, and this quickly turned into a pseudo-messaging service. With this new-found capability, WhatsApp 2.0 was released in August 2009 with the addition of instant messaging. At this point, WhatsApp transitioned to a $1 yearly subscription model to cover the costs of ad-free messaging and SMS verification[13]. The app gained traction with its instant messaging service and grew from 10 million monthly active users to 465 million from October 2010 through February 2014[14]. In February 2014, Facebook (now Meta) acquired WhatsApp for $19 billion[11]. This led to another change in the business model of WhatsApp. The messaging service became freeware, and some user data was shared with their parent company, including account phone number, name, statuses, and profile picture[11]. Once Facebook acquired WhatsApp, monthly active users skyrocketed until February 2016, when the app reached 1.00 billion active users[14]. With more than a billion active users, Facebook decided to fully encrypt the service using the Signal Protocol[13]. This change was due to reports of sensitive information being breached in one-on-one and group chats.
In a statement released by WhatsApp when end-to-end encryption was introduced, the company said that “every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats,”[15] however they make no mention of encrypting other information sent between the user's device and the company.

Privacy Policy

The WhatsApp privacy policy is very thorough and up front about the data that is collected on its users. WhatsApp uses the same encryption protocol as Signal, the Signal Protocol, but the information that is encrypted end-to-end is different[16]. WhatsApp is a Meta company; however, it is the only company within Meta to have its own privacy policy. That privacy policy states that WhatsApp will collect[17]:

  1. The Phone Number associated with the account
  2. The contacts from the user's contact book
  3. Profile information, including profile pictures, status messages, and other information the user chooses to provide
  4. Messages are saved on their servers until delivery (if the receiving user is offline) as well as metadata from the message packet, including size, timestamp, location sent/received
  5. Call Logs are saved and include the metadata of who the call was between, duration, and timestamp
  6. Location Information is collected (if allowed by user) to provide location-based content and information

Third-Party Information

WhatsApp’s privacy policy allows third parties to use WhatsApp and place cookies and other information on the user's device. Though most cookies in WhatsApp are used to optimize the application, some are placed on the device by Meta to personalize and target Facebook advertisements[18]. It is difficult, though, to learn exactly how much information is being passed from WhatsApp to Meta. In early 2023 Meta was fined ~$6 billion in Ireland for violations regarding the legality of mining personal data and how that information is used by Meta to target advertising. Both services have over 1 billion users each, and though WhatsApp can’t read the messages sent between its users, it can still build a massive social network and build connections about a relationship you have with a friend on both platforms or even offer location-based advertising if location services are enabled by the user[19].

Ethical Concerns

Throughout WhatsApp, users are constantly told “Messages and calls are end-to-end encrypted. No one outside of this chat, not even WhatsApp, can read or listen to them.” However, this is not always the case. WhatsApp’s terms of service describe acceptable use of the platform and the process for reporting inappropriate behavior[17]. If a user’s activity is reported by another user, WhatsApp reserves the right to access the messages stored on the reported user's phone and read the messages to see if they violate the usage agreement. There is little clarity on how long WhatsApp/Meta will store the information or how deep into chat histories they will go during the reporting process. WhatsApp is the number one message app in >63 countries globally[20], and as of April 2022 has 2.25 billion users who all count on their conversations only being shared between the intended audience[14]. WhatsApp fails to be up front with their users about this policy, and actually actively ignores it throughout all of their marketing. WhatsApp marketing is focused on ease of use and privacy; the homepage of their website says at least 5 times that users can “Speak Freely: With end-to-end encryption, your personal messages and calls are secured. Only you and the person you're talking to can read or listen to them, and nobody in between, not even WhatsApp.”[21] WhatsApp is delivering a false sense of privacy, and though there are finite circumstances where this advertising is false, many users most likely have no idea that there is a possibility of their private messages being read by WhatsApp/Meta.

Governmental Pressures

WhatsApp doesn’t disclose what information they share with the government when subpoenaed, but they note in their terms and conditions that there is a process the government can use to request a user's records[22]. There is no publicly available record showing that WhatsApp is able to provide message contents to the authorities (post-2016, when end-to-end encryption was added); however, reporting and research done by Forbes found that WhatsApp/Meta were providing authorities with all of the information they collect on their users, including the metadata of each message.

iMessage

iMessage is a proprietary message service provided by Apple to their macOS and iOS users, launched in 2011[23]. iMessage works within the default iOS messaging app in tandem with SMS/MMS, dynamically switching between the two systems if a device is not connected to the internet or is an incompatible device. iMessage is part of Apple’s closed ecosystem of apps and devices, so it is only compatible with other Apple devices; however, it is utilized by most Apple users because of how seamlessly it works with standard SMS that is used for non-Apple devices. Each message sent through the iMessage service is end-to-end encrypted through keys that are only stored on the client devices; Apple never sees the keys or is able to decrypt them. However, by default, iMessages will resend as an unencrypted SMS/MMS if the recipient's phone is not connected to the iMessage server[24]. This poses security vulnerabilities because it is not certain that the message will reach the recipient in its encrypted form.

Privacy Policy

Apple is a company that prides itself on its commitment to its customers' privacy; its tagline “Privacy. That’s iPhone” seeks to demonstrate how it is unlike other Silicon Valley companies[25], creating products and services that don’t treat their users as the product. iMessage falls within the scope of the general Apple privacy policy, which is very transparent about the information that is collected and the ways that Apple (not third-party apps) will use its users' information. Apple’s privacy policy also denotes the difference between personally identifiable information and the information it collects in aggregate. Personally identifiable information is defined as[26]:

  1. Apple ID account information like the user's email, registered Apple devices, and age
  2. Device Information like the serial number and browser used
  3. User provided contact information
  4. Payment information that is supplied to the App Store or iCloud
  5. Transaction Information including billing address and method of payment
  6. Fraud Prevention Information – defined as ‘data used to help identify and prevent fraud, including a device trust score’ which is based off of common usage habits and device security setup[26]
  7. Location Information used to support Find My and other Opt-In services
  8. Health, Fitness, Financial, Government ID, and other User Provided Information

Apple may receive data from other sources like:

  1. Individuals who have shared content with the user or sent another user a gift
  2. At the User’s Direction if the user decides to link an account to their Apple ID or with the user's cellular provider
  3. Apple’s Security Partners who may validate the information provided when creating their Apple ID or while setting Apple Wallet

Apple promises to retain its users' information for only as long as is necessary to optimize its services, process transactions, personalize services (if opted in), and create a security and fraud profile. By default, iMessages are not saved by Apple; once delivered to the user's device the message is deleted from Apple’s servers. Though Apple is unable to read the contents of the message itself, they do collect the metadata from each message, including the timestamp of the message, sender and recipient address, device type, and operating system of the sender's message[27]. At the time Whittaker’s article was published, Apple was indefinitely storing information and it was difficult for the average consumer to retrieve a copy of all the information Apple had about them. However, since the passage of the General Data Protection Regulation (GDPR) in the European Union, Apple has added a section to their website that allows users to download and delete all or selected portions of their information from Apple’s servers[28].

Governmental Pressure

In Apple’s Privacy Policy, it states that a user's personal data will be used to “comply with a lawful government request.”[26] In 2020, following the mass shooting in San Bernardino, California, the US government asked Apple to help unlock the iPhone of the shooter[29]. Apple refused to create a “backdoor” to user data on device, but they did provide the information that was stored in iCloud. This included iMessages stored in iCloud. Though Apple does not store iMessage data by default, users have the option to sync their messages to iCloud to have them sync seamlessly with their other Apple devices. This information is saved and encrypted on Apple’s servers, but Apple does reserve the right to access this information when subpoenaed.

Ethical Concerns

Many users are unaware of the backdoor and the possibility of their information being shared with law enforcement. Though iMessage is not often thought to be the best place for sensitive information, Apple doesn’t alert users, in an easy-to-read format, that storing their messages in iCloud will put them at risk of being read by law enforcement. Because of how Apple portrays its own stance on privacy on its platform, it wouldn’t be out of line for users to assume that it also applied to iCloud services.

References

  1. IBM. (2022). What is encryption? Data Encryption defined. IBM. Retrieved January 24, 2023, from https://www.ibm.com/topics/encryption
  2. WhatsApp Help Center. (2021). About end-to-end encryption: WhatsApp help center. About end-to-end encryption. Retrieved January 24, 2023, from https://faq.whatsapp.com/820124435853543/?locale=en_US
  3. Greenberg, A. (2014, July 29). Your iPhone Can Finally Make Free, Encrypted Calls. Wired. Retrieved January 24, 2023, from https://www.wired.com/2014/07/free-encrypted-calling-finally-comes-to-the-iphone/
  4. Delima, D. (2022, July 21). Big Brother: Recent subpoena response reveals exactly how much data Signal collects about you. Hindustan Times. Retrieved January 24, 2023, from https://tech.hindustantimes.com/mobile/news/recent-court-filing-reveals-exactly-how-much-data-signal-collects-about-you-71619595504148.html
  5. Signal Foundation (2016, October 4). Grand jury subpoena for Signal user data, Eastern District of Virginia. Signal. Retrieved January 24, 2023, from https://signal.org/bigbrother/eastern-virginia-grand-jury/
  6. Marlinspike, M. (2018, February 21). Signal Foundation. Signal. Retrieved January 26, 2023, from https://signal.org/blog/signal-foundation/
  7. Nierenberg, A. (2020, June 11). Signal Downloads Are Way Up Since the Protests Began. Retrieved January 26, 2023, from https://signal.org/blog/signal-foundation/
  8. Marlinspike, M. (2016, April 5). Google is rolling out end-to-end encryption for RCS in Android Messages beta. Signal. Retrieved January 26, 2023, from https://signal.org/blog/whatsapp-complete/
  9. Bohn, D. (2020, November 19). Google is rolling out end-to-end encryption for RCS in Android Messages beta. Retrieved January 26, 2023, from https://www.theverge.com/2020/11/19/21574451/android-rcs-encryption-message-end-to-end-betasp
  10. Meta (n.d.). End-to-end encryption. Facebook Messenger Support. Retrieved January 26, 2023, from https://www.facebook.com/help/messenger-app/1084673321594605/?helpref=breadcrumb
  11. Skype Support (n.d.). What are Skype Private Conversations? Retrieved January 26, 2023, from https://support.skype.com/en/faq/FA34824/what-are-skype-private-conversations
  12. Pahwa, A. (2022, August 3). The History Of WhatsApp. Retrieved February 8, 2023, from https://www.feedough.com/history-of-whatsapp/
  13. Issac, M. (2016, May 5). WhatsApp Introduces End-to-End Encryption. Retrieved February 8, 2023, from https://www.nytimes.com/2016/04/06/technology/whatsapp-messaging-service-introduces-full-encryption.html
  14. Ruby, D. (2023, February 1). Whatsapp Statistics 2023 — How Many People Use Whatsapp. Demand Sage. Retrieved February 8, 2023, from https://www.demandsage.com/whatsapp-statistics/
  15. WhatsApp Support (2016, April 5). Whatsapp Statistics 2023 — How Many People Use Whatsapp. WhatsApp. Retrieved February 8, 2023, from https://blog.whatsapp.com/end-to-end-encryption
  16. Roberts, D. (2022, August 10). WhatsApp Encryption: What It Is and How to Use It. Lifewire. Retrieved February 8, 2023, from https://www.lifewire.com/encryption-in-whatsapp-4795812#:~:text=WhatsApp%20uses%20Signal%20Protocol%20developed,individuals%20can%20access%20the%20data.
  17. WhatsApp (2022, August 10). WhatsApp Privacy Policy. WhatsApp Legal. Retrieved February 8, 2023, from https://www.whatsapp.com/legal/privacy-policy
  18. WhatsApp (2023, January 19). Meta's WhatsApp fined 5.5 mln euro by lead EU privacy regulator. Reuters. Retrieved February 8, 2023, from https://www.reuters.com/technology/metas-whatsapp-fined-55-mln-euro-by-lead-eu-privacy-regulator-2023-01-19/
  19. Lomas, N. (2016, August 25). WhatsApp to share user data with Facebook for ad targeting — Here’s how to opt out. Tech Crunch. Retrieved February 8, 2023, from https://techcrunch.com/2016/08/25/whatsapp-to-share-user-data-with-facebook-for-ad-targeting-heres-how-to-opt-out/
  20. March, L. (2023, February 2). Most Popular Messaging Apps Worldwide 2023. Similar Web. Retrieved February 8, 2023, from https://www.similarweb.com/blog/research/market-research/worldwide-messaging-apps/#:~:text=The%20top%20three%20messaging%20apps%20of%202023,-There's%20been%20no&text=WhatsApp%3A%20Ranks%20number%201%20in,place%2C%20the%20same%20as%202022.
  21. whatsapp.com
  22. Lomas, N. (2017, February 22). Forget About Backdoors, This Is The Data WhatsApp Actually Hands To Cops. Forbes. Retrieved February 8, 2023, from https://www.forbes.com/sites/thomasbrewster/2017/01/22/whatsapp-facebook-backdoor-government-data-request/?sh=78f2bbd21030
  23. Stringfellow, A. (2022, June 15). What is iMessage and How Does It Work? Magic Bell. Retrieved February 8, 2023, from https://www.magicbell.com/blog/what-is-imessage-and-how-does-it-work
  24. Brown, D. (2022, June 6). How Encryption Works on Apple’s iMessage, WhatsApp, Telegram and Other Messaging Apps. The Wall Street Journal. Retrieved February 8, 2023, from https://www.wsj.com/articles/encryption-apps-apple-imessage-meta-whatsapp-telegram-11654293068
  25. Wurthele, M. (2019, March 14). 'Privacy. That's iPhone' ad campaign launches, highlights Apple's stance on user protection. Apple Insider. Retrieved February 8, 2023, from https://appleinsider.com/articles/19/03/14/privacy-thats-iphone-ad-campaign-launches-highlights-apples-stance-on-user-protection
  26. Apple Inc (2022, December 22). Apple Privacy Policy. Privacy | Apple. Retrieved February 8, 2023, from privacy.apple.com/legal
  27. Whittaker, Z. (2018, May 24). I asked Apple for all my data. Here's what was sent back. ZD Net. Retrieved February 8, 2023, from https://www.zdnet.com/article/apple-data-collection-stored-request/
  28. Russell, J. (2018, May 23). Apple introduces new privacy portal to comply with GDPR. Tech Crunch. Retrieved February 8, 2023, from https://techcrunch.com/2018/05/23/apple-introduces-new-privacy-portal-to-comply-with-gdpr/
  29. Gallagher, W. (2020, January 21). What Apple surrenders to law enforcement when issued a subpoena. Apple Insider. Retrieved February 8, 2023, from https://appleinsider.com/articles/20/01/21/what-apple-surrenders-to-law-enforcement-when-issued-a-subpoena