the end-to-end encryption con game
Every now and then we hear buzzing in the news about some egregious big tech privacy infringement. We then also sea and hear all about the new steps the apps we use are taking to further protect our privacy. Most of us then weigh the concerns and concede without actually understanding the problem.
Lets start with the basic question
What information can apps, websites and operating systems have access to?
Lets try delving into WhatsApp as they recently have been under flak.
Every WhatsApp user encounters a statement like “this personal message has end-to-end encryption.” Which means that WhatsApp or anyone else shouldn’t to able to decipher this message once it leaves your phone. We can trust that Facebook cannot read WhatsApp messages on its server even if they store them until the recipient is connected[1].
This is not the con game.
What they don’t mention in their privacy policy is the in-app permissions about media and sensors. I’m referring to permissions which popup and ask you the first time you use it. I’m also referring to the data your OS shares with Facebook outside the app ecosystem.
https://android.stackexchange.com/questions/71802/help-understanding-whatsapps-permissions
This StackExchange article is over five years old. However you see a pattern of frequent permission changes and difficulty to pin down when and how the app accesses media or sensors.
How does BIG-Tech use this data?
Lets go through some of the permissions listed for WhatsApp
your social media profile — any specific details you mention therelocation and time — where and when you were at a placePhotos/Media/Files — hopefully they only use it for what they saycontacts — they might share this within their ad algorithms camera — hopefully they only use it for when they saymicrophone — hopefully… see this and this. sounds uncleargyroscope/accelerometer — can determine when you are walking, sitting or drivinglight sensor — is phone in pocket or against your head etc
So do they directly or indirectly use these sensors when you don’t expect?
Facebook may not have to admit the answer to this because google-play-services collects much of this information and shares it in different ways. The answer is that we can’t really prove it one way or the other. Also if they aren’t today theres nothing stopping them from doing so one day.
How they get away with it?
We can see from other cases large tech companies usually have each others back on these issues. (How the Parler app gets booted from AWS and then all the different app stores) (they dont seem to like competition)
So the alternatives
Telegram is a privacy focused instant messaging platform with some 500 million users. Although the app feels like top social networking it’s CEO does not intend to monetize by utilizing user data[2]. Its mobile apps are opensource so we can know exactly how it uses your phone data. This also allows to assess the strength of the end-to-end encryption.
How to keep your telegram private and secure?Use the settings to control who can see your photo, groups/channels or phone number. You can make your account name an alias and have your real name within your profile which can only be seen by your friends.
What you are trading for Privacy?
When using WhatsApp and similar social media you forced adhere to political and moral standards of silicon valley. As much as you hate it they do fairly well protecting you from scams, harassment and other criminal activities. When using an alternative you should be ready to be your own filter.
It may not be considered safe for children without careful supervision. There are versions of the app available which allow parents to monitor their children’s messages and contacts[3].
If you wish to learn more about underlying technologies we encounter daily read this book by David Clinton.
If you are looking for encryption with your devices consider taking this VPN course from Manning Publications.