The importance of metadata in a new world without digital privacy and what to do about it.
The media seems to have been caught by surprise with recent reporting that the FBI had access to private chats and calls that were supposedly protected by free encryption apps like Signal and Telegram. It seems Mr James Wolfe, a senior intelligence official with decades of experience, is just as clueless as the rest of the population when it comes to digital surveillance and the distinction between privacy and security. Surprisingly for a seasoned intelligence professional – he is a bureaucrat and not an operative but he should have known better – Mr. Wolfe forgot the cardinal rule that there are no free lunches. He believed the media narrative that Signal is bulletproof and not even governments could access Signal protected communications.
Let’s clear up a common misconception. Privacy and security are not interchangeable synonyms. Something can be secure, in the sense that properly implemented encryption cannot be broken and thus the content of communications are safe from prying eyes, but not private since you are still broadcasting to the world that you are communicating with person X from location Y for Z amount of minutes. This is the model used by Signal and all the other similar free apps, where you’re forced to register with your real phone number, essentially creating a treasure trove of sensitive metadata sitting on US hosted servers….
Researchers in cybersecurity have uncovered problems in these platforms. Markus Vervier from X41 D-Sec GmbH and Jean-Philippe Aumasson from Kudelski Security have exposed weaknesses in app Signal last year, one allowing an attacker to append duplicates of data from encrypted attachments and crash the app. The flaws were swiftly fixed by Open Whisper Systems, the software developers of Signal, and were far from catastrophic, even before the patches. The challenge is that the issue was not solved and Vervier and Aumasson told journalists from FORBES they may have found some fresh issues in the actual cryptography of Signal, which they plan to reveal at Amsterdam’s Hack In The Box conference. Vervier couldn’t reveal the full details and stated that: “We are currently triaging [the] possible flaws in cryptographic components.”
So what of WhatsApp cybersecurity then? Whilst their message content should have a similar level of security as Signal due to the sharing of Open Whisper Systems’ protocol, there’s a slightly different kind of risk for users of the major global platform and now so private Facebook-owned app: the Department of Justice could and can subpoena WhatsApp and track who a user is contacting, when and how.
As recently reported in research from FORBES, the US government has repeatedly used what are known as pen trap devices to look at user suspects’ inside of WhatsApp platform behavior. So even if users couldn’t get the message content they can still reach it. If the Trump administration and new challenging regime starts cracking down on leakers, as the US President continuous tweets suggest it might, pen trap orders that could de-anonymize leakers. The app Signal, meanwhile, is known to have received only one request for user data from government; it is said the management told the FBI it could only provide the time of account creation and the last time it connected to Signal servers. Whilst Signal app at the moment doesn’t store data like contacts and call records, WhatsApp on the contrary keeps such information for an “undefined” period of time and now even shares snippets of metadata with Facebook where (and if they get it) users agree.
As for Telegram, a technology platform that most of the tech blockchain, crypto industry uses, it has some shortcomings. In one hand that means it’s more difficult to recommend and has more invisible subjects than other comms apps. For starters, Telegram version of end-to-end cryptography, which it calls client-client encryption, isn’t switched on by default, this is a big issue as it has to be turned on with the secret chat feature. Hackers in various occasions have also successfully exposed Telegram.
In August 2016, researchers revealed a weakness in the Telegram app set up, when cyber attackers in Iran managed to steal messages of certain accounts, particularly in the ones where they could intercept Telegram messages for setting up an account on a new phone. The hackers also managed to exploit an issue in Telegram to uncover 15 million Iranian phone numbers using the app. In 2015, a security expert known only as The Grugq criticized the app for its “wonky homebrew encryption.” Having said that, so far no one has yet publicly broken their cryptography.
What is metadata ? Metadata -a set of data that describes and gives information about other data – is a huge problem. Many distinct types of metadata exist, among these we can highlight descriptive metadata, structural metadata, administrative metadata, reference metadata and statistical metadata that none of these apps address and can betray your privacy in ways that regular people that have never seen traffic analysis do not comprehend. Metadata leaks information about who is talking to whom, from where, for how long and how often. In fact these apps (with WhatsApp being the worst of the bunch) actually make the problem worse because they actively collect your metadata and request privacy unfriendly permissions that should ring alarm bells.
They upload your address book to their cloud, ask for access to GPS location and to regular SMS, phone call history and calendar, don’t provide any means of confirming the app you downloaded from Google Store hasn’t been tampered with (aka binary integrity), have no protections or warnings against malware, don’t encrypt their data at rest separately (message and call history), and finally they backup your data to Apple and Google’s clouds. Add to that the fact they are typically run on US servers and thus subject to legal and unofficial pressure to cough up information on their users, and you have the makings of a potentially secure (again, assuming the encryption is sound and the version you installed from the app store faithfully represents the source code as published on the internet and hasn’t been tampered with) but definitely not private service.
Nonetheless, any service that runs on the internet always leaks some metadata, no matter how minimized it may be.
Designing and implementing a truly secure AND private communications service is very hard to do correctly and is not merely a technological problem. It is also about system design choices , as well as choice of jurisdictions and full transparency to clients.
The only work around to prevent metadata leakage is to create a new private insftratucture sitting atop the existing internet. And ideally find a distributed ledger technology solution on blockchain!
Henrique is a former intelligence officer and whitehat hacker with extensive experience in surveillance and counter-surveillance. He is co-founder and CEO of Swiss based Privus and Maltese based Privum, designing bulletproof cyber-security solutions to protect privacy in the Digital Age.