January 28th is Data Privacy Day, and privacy experts from all fields are sharing their insights. Our specialty at SKY ECC—since we have the world’s most secure messaging platform—is protecting not just your messages, but all the data you exchange during conversations.
Private chats this Data Privacy Day
This article summarizes what private chat apps have to do in order for users to truly own their privacy. The bullet points below can jump you to a section which interests you.
- Encryption privacy concerns
- Metadata privacy
- Private sign-up options
- Self-destructing messages privacy
- Keeping contact lists private
- Privacy for devices
- Device management strategies
- Network privacy
- Server privacy needs
Data privacy through app features
End-to-end encryption is the bare minimum for private chats. It protects your messages from being read by eavesdroppers while the messages move across the internet from you to the people you’re chatting with. Bad actors have a multitude of ways to intercept data as it’s being sent, and many of these tactics aren’t difficult to do. Not only are many hacker apps available for purchase on the dark web, but bad actors can also take tools meant for legitimate purposes—like testing network security—and use them for criminal acts.
The current standard for most chat apps is 256-bit AES, which, while good, is slowly being replaced by more advanced, stronger encryption algorithms. The current top-of-the-line encryption is 521-bit elliptic-curve Diffie-Hellman cryptography. Some encryption is under danger of being cracked by quantum computing in the next decade or two, and it can still be damaging if messages that must be private right now come out even years later. 521-bit ECC is an advanced cryptographic protocol which secures users against threats we know of now, and will still be secure many years from now.521-bit ECC is the current top-of-the-line #encryption available to protect your #onlineprivacy. #PrivacyAware Click To Tweet
One of the most valuable pieces of data that bad actors can gather is message metadata as it shows who you contact, how often, where you were when you did so, and more. Completely protecting metadata is difficult, apps and networks require a minimal amount of metadata in order to send and receive messages and function properly—like having the sender and receiver of a letter on the outside of an envelope. Collect enough letters and you will have a lot of data even without the messages inside them.
Metadata can show patterns that are easy for anyone to figure out. For example, metadata can show that you called a divorce lawyer from a shelter for victims of abuse, you then called your mother, and metadata from later calls show that you were in the area of your mother’s house. You don’t need the actual messages exchanged between the parties for a fairly accurate reading of what’s going on in that sequence.
There are many ways for sign-ups to lack any sort of privacy, such as tracking an app back to who paid for it, finding the email used at sign up, tracking IP addresses, or simply using the phone number the messaging app works through (a problem Telegram has) can ruin privacy and anonymity very quickly.
Anonymous chat is essential for true privacy. Anonymity takes many forms, but it always starts during the sign-up process when most people are made to share personal data in order to get the app. Allowing users to sign up without emails or phone numbers, and with any name they choose, and using randomly assigned identifiers, is how sign ups can be private.
What do you think is more secure; a letter which is read and then burned immediately, or a letter which is read and then put in a locked drawer? A lock can be picked, a drawer could be left open, but a burned letter is a burned letter. The better approach to old messages is to burn the “letter”. The most secure and private messaging apps support self-destructing messages feature.
There are apps which claim privacy on encrypted servers, but it’s always more private for the data to not exist in any digital form than for it to exist at all. Some apps will allow the sender to set messages to self-destruct within 30 seconds of being read, others set a default of all messages being deleted after a certain number of days for all users. Both make it impossible for someone to come back later to “open” the locked drawer of encryption or the app itself.
You’re not private if you’re being spammed by anyone who knows your phone number. People complain about spam on Viber, WhatsApp, and other “social” messaging apps. Worse is spam which drops malicious files into devices, such as what happened to Jeff Bezos. He was sent a spam message sent to him contained a video with malicious code in it that stole data off his phone.
Apps need to use contact security features that make it impossible to connect a number with a name. You also need features to proactively block those you don’t want messaging you by creating a user whitelist, and then requiring approval from anyone not on that list before messages can be sent.
Data privacy through hardware
Securing the device you’re installing your app on is what so many chat apps you can download from an app store get wrong. Without a secure device with tamper-resistant chips, and the app in a separate container, you can never be sure your chats are 100% private. One supply chain attack—which inserts malware in the phone at the factory—ruins every aspect of privacy built into an app without those tamper-resistant chips.
There is always a problem with other apps drawing data from anything saved on your phone. Worse is the existence of keyloggers and stalkerware which can steal endless amounts of data from you without ever being detected. With so much focus on apps themselves, devices need attention for privacy as well. This can include disabling GPS, cameras, and even microphones which can all be used to track users if the right malware is installed.
Lose your device? Being able to lock or wipe it remotely is a way to keep your conversations private and protect all the other private data you have on your phone. Given enough time, a hacker can pull data out of nearly any phone—locked or not. If you wipe the data—preventing hackers from having that time—your privacy is protected.
An even more notorious issue lately is the easiest hack of all: to steal a phone right out of someone’s hand while it’s unlocked. A reporter found out the hard way that attackers will stalk you and wait for this moment. They can then extract the data at their leisure as easily as using any other phone, but the reporter would have been safe if she had device management with remote locking or wiping.A reporter had her #dataprivacy ruined when one thief stole her unlocked phone from her hand—defeating all of her #encryption and passcodes! Click To Tweet
The problem with networks—cellular data, wifi, and the internet as a whole—is that everyone has to use them, but hardly anyone can secure or control them on their own. Networks are built and controlled by a number of private and public companies, all of which have different interests in whether or not they actually want to protect your privacy. Any vulnerability in these systems leads to all of the data being shared across it being vulnerable.
A hack that has been around for decades involves Signaling System No. 7 which connects mobile networks. This vulnerability allows bad actors to read messages, hear calls, and take over the devices of anyone using targeted cell networks. You have to be sure to encrypt messages to get around this, and other, network security issues as the networks themselves are not protecting your data. SKY ECC has a functional workaround below.
Having a backup of everything you say on a chat app seems like a good idea, but message backups stored anywhere is a large risk. You often hear people say their messages are stored “in the cloud”, but that “cloud” is just a nickname for a server which is as hackable as any other server. There’s no magically secured “cloud” here, just more hackable tech.
Even worse. WhatsApp, which uses end-to-end encryption, stores your chat backups in plain text. This destroys the end-to-end encryption protections since attackers know that they can go after the weak server, and read everything there plain as day, rather than try to attack the strong encryption or the secured device. Weighing the importance of using servers for storage of private data, rather than directly controlling it yourself on your device, is a consideration for everyone who wants to be private.
Other data privacy points
The nine points above may seem complicated, but they’re not even the entirety of data privacy in the context of digital communications. There are still:
- Push notification data privacy considerations
- Brute force and password problems
- Issues with biometrics as a security method
- Operating system issues, including kernel rollback protections
If you’d like to learn more, subscribe to our newsletter for monthly updates on all things mobile data privacy. We’ll include articles published here, as well as those from the leading experts on mobile data privacy.
Lessons for every Data Privacy Day
Each of the different aspects of communication privacy discussed above impact your privacy every single day. This includes messaging apps, phones calls you make, and even any browsing you do on mobile devices.
Every Data Privacy Day is an important moment for you to think about your privacy—online and otherwise:
- If you’re in a vulnerable business you should look for a secure platform for your communications.
- Those undertaking secure tasks as part of their job need the utmost privacy for their data.
We all deserve data privacy, and we can have it by being educated on the issues, making the right choices for the apps we use, and making sure that stay informed on new developments as they happen. Every day is Data Privacy Day here at SKY GLOBAL, and we hope you adopt that same mindset.