Decoding Privacy/Security of Social Media Applications

If we run a mobile app that collects personal information from us then that app needs a privacy policy to comply with legislation around the world. Even if that app doesn't directly collect personal data, it may still need a privacy policy if it utilizes a third-party tool like Google Analytics to collect data on its behalf. Personal data can take many forms which can include the user's name, email address, telephone number, or physical address. There can also be less obvious types of data like IP addresses, log data, and information collected through cookies.

There are many privacy laws around the world that set forth requirements if an app collects or uses personal data. The United States is one of the few countries without a policy at the national or federal level mandating a privacy policy. However, the California Online Privacy Protection Act (CalOPPA) states “if your app or website collects personally identifiable data from residents of the state of California, you must have a Privacy Policy.” Given that it is most likely that your website/app could be used by a resident of California regardless of where you are in the world, CalOPPA ends up having a wide reach.

Introduced in 2018, the European Union's General Data Protection Regulation (GDPR) is one of the strongest laws to protect the personal information of individuals and also has a global reach.

Decoding Privacy/Security

A recent announcement by WhatsApp was about a new privacy policy that would see a change in how its parent company, Facebook, collects data from its 2-billion user accounts. WhatsApp’s new privacy policy hints that the app will collect a lot of data, and it will be shared with Facebook, which doesn’t have a good track record of handling user data. Due to privacy concerns, this has resulted in a surge of downloads of alternative communication apps.

1. WhatsApp - The app collects a lot of user data including device ID, usage data of how we use the app, our payment history on the app, location, contact information, diagnostics of the app, advertising data, and user content data. The overall change in WhatsApp’s new privacy policy is about the data which will now be shared with Facebook and other Facebook companies. This data can be used by Facebook for more targeted advertising or for selling it to other companies/businesses.

Without end-to-end encryption in WhatsApp, your message may be encrypted while it’s being transmitted to the server, but the server might be able to read it. For example, some service providers might do this to generate ads that are more specific to a user. WhatsApp uses the Signal protocol (formerly known as the TextSecure Protocol) for encryption, which uses a combination of asymmetric and symmetric key cryptographic algorithms. It is a non-federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls, video calls, and instant messaging conversations. The protocol was developed by Open Whisper Systems in 2013 and was first introduced in the open-source TextSecure app, which later became Signal. The protocol combines the Double Ratchet algorithm, prekeys, and a triple Elliptic-curve Diffie–Hellman (3-DH) handshake, and uses Curve25519, AES-256, and HMAC-SHA256 as primitives. The Signal protocol uses a ratchet system that changes the key after every message. When someone sends a message to contact over an app using the Signal protocol, the app combines the temporary and permanent pairs of public and private keys for both users to create a shared secret key that's used to encrypt and decrypt that message. Since generating this secret key requires access to the users' private keys, it exists only on their two devices. And the Signal protocol's system of temporary keys—which it constantly replenishes for each user—allows it to generate a new shared key after every message.

2. Signal - It has emerged as one of the top alternatives to WhatsApp recently, with WhatsApp's updated privacy policy causing outrage on the Internet. Signal is an encrypted app that lets you send messages and make calls via the Internet. Its developers claim that Signal doesn’t collect any data linked to the user and the only personal data it stores and collects is the user’s phone number, and it makes no attempt to link that to your identity. Therefore, it means that Signal doesn’t have any access to your personal data and hence, it can’t use any information for targeted advertising or for selling it to other companies/businesses.

Signal also uses end-to-end encryption for communication between its users. One should note that Signal's encryption algorithm isn't proprietary or even unique. The encryption software used by Signal is open-source (and used by other messaging apps, including WhatsApp) and available for download on GitHub. This actually allows Signal to be more secure because the open-source software is subject to public scrutiny by developers and security experts.

3. Facebook Messenger - Facebook Messenger which is Facebook’s in-built messaging service, collects more details from the users. While WhatsApp claims to identify the approximate location of the users, Facebook Messenger collects the exact location. It even reads into their browsing and search history which is why Facebook users often get ads related to products they might have searched for or bought recently. The data collected by Facebook Messenger includes precise location, coarse location, physical address, email address, name, phone number, other user contact info, contacts, photos or videos, gameplay content, other user content, search history, browsing history, user id, device id, third-party advertising, purchase history, financial info, product interaction, advertising data, other usage data, crash data, performance data, other diagnostic data, other data types, advertising or marketing, health, fitness, payment info, sensitive info, product personalization, credit info, other financial info, emails or text messages.

In the case of Facebook Messenger, by default, the messages shared between the users aren't protected by end-to-end encryption which means that Facebook, law enforcement, and hackers all have potential access to the content of your communication. To use end-to-end encryption the users have to go out of their way and enable the Secret Conversations feature provided by Facebook. Secret Conversations feature also uses Signal Protocol for encryption of messages.

4. iMessage - iMessage is an Apple service that sends messages over Wi-Fi or cellular connections to other iOS devices, iPad devices, Mac computers, and Apple Watches. As compared to WhatsApp and Facebook Messenger, iMessage collects a lot less user data. That data includes email address, phone number, search history, and device ID. Apple claims that it uses this data to operate and improve Apple’s products and services.

Apple’s iMessage also provides end-to-end encryption, but one should note that this feature is available only for the Apple user community and as iMessage users can also message beyond that community, and sometimes a data network may not be available, in that case, iMessage can revert to SMS when needed and when it does so, there is no end-to-end encryption. Also, unlike other popular messaging apps iMessage doesn’t use Signal protocol, and it is believed that it doesn't offer perfect forward secrecy.

5. Telegram - Telegram is a freeware, cross-platform, cloud-based instant messaging software and application service. The service also provides end-to-end encrypted video calling, VoIP, file sharing, and some other features. After WhatsApp’s new privacy policy, Telegram has also become one of the alternatives people are looking at for switching from WhatsApp. It also collects a lot less data than WhatsApp and Facebook Messenger and the limited data that it collects include contact info, contacts, and user ID. Telegram mentions that it can share our personal data with other Telegram users, Telegram’s group companies, and law enforcement authorities.

Just like Facebook Messenger, by default, Telegram also doesn’t encrypt messages shared between the users. It provides a feature called Secret Chat for users who want their conversation to be encrypted and secured. Messages in Secret Chats use client-client encryption, while Cloud Chats use client-server/server-client encryption and are stored encrypted in the Telegram Cloud. Telegram uses MTProto protocol for encryption of messages in Secret Chats. When a secret chat is created, the participating devices exchange encryption keys using the so-called Diffie-Hellman key exchange.

6. Snapchat. Snapchat is a popular messaging app that lets users exchange pictures and videos that are meant to disappear after they're viewed. Snapchat’s privacy policy states that it collects 3 basic categories of information:

1. Information we choose to give them such as our username, a password, email address, our phone number, and date of birth;

2. The information they get when we use their services such as usage info, content info, device info, device phone book, camera and photos, location info, cookies, and log info;

3. The information they get from third parties. The terms say that Snapchat does not sell personal information to third parties, but the terms do state that Snapchat and third-party partners may place advertising on the services.

Snapchat provides end-to-end encryption as well, but one should note that this encryption is only for the photos shared between its users. Text messages and other messages sent on Snapchat aren’t protected by the same encryption.

Conclusion

With social media’s unparalleled popularity, they have evolved from platforms for social communication and news dissemination, to indispensable tools for professional networking, social recommendations, marketing, and online content distribution. Because of their scale, complexity, and heterogeneity, many technical and social challenges in online social networks must be taken into consideration. It has been widely recognized that security and privacy are critical issues in online social networks. This special issue focuses on how researchers, scholars, and practitioners are collaborating to address security and privacy research challenges.

Every social media application offers a varied set of security features and has a different policy on how they collect and use the user’s personal data. It depends on the users how much they are willing to give up their personal information or whether they are ready if someone ends up reading our personal messages knowingly or unknowingly.

References

• https://www.privacypolicies.com/blog/mobile-apps-privacy-policy/

• https://www.newyorker.com/magazine/2018/06/18/why-do-we-care-so-much-about-privacy

• https://www.iol.co.za/technology/mobile/whatsapp-vs-telegram-vs-signal-comparing-privacy-policies--82fcb7b7-fe8d-496a-846c-3baaba58eef2

• https://www.indiatoday.in/technology/talking-points/story/moved-to-signal-good-now-take-a-look-at-facebook-instagram-and-chrome-on-your-phone-1758293-2021-01-12

• https://support.apple.com/en-in/HT209110

• https://telegram.org/privacy

• https://snap.com/en-US/privacy/privacy-policy

• https://privacy.commonsense.org/privacy-report/Snapchat

• https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/?lang=en

• https://www.businessinsider.in/tech/how-to/is-signal-secure-how-the-encrypted-messaging-app-compares-to-other-apps-on-privacy-protection/articleshow/78707122.cms

• https://support.apple.com/en-us/HT207006

• https://core.telegram.org/api/end-to-end

• https://www.linkedin.com/pulse/how-whatsapp-uses-end-encryption-ashish-bijawat/

• https://en.wikipedia.org/wiki/Signal_Protocol

• https://www.wired.com/story/signal-encryption-protocol-hacker-lexicon/

Uday is a research analyst at Copperpod. He has a Bachelor's degree in Electronics and Communication Engineering. His interest areas are Microcontrollers, IoT, Semiconductors, and Memory Devices.