One of the most neglected aspects of a secure communications app is the contact list. Your contact list reveals a lot of information about you. It shows who you’re connected to and who you communicate with, either of which can be exploited in a number of ways to undermine your privacy or security.
This article shows you all the ways SKY ECC secures your contact list by looking at:
- SKY ECC ID practices
- Managing your contact list
- Changing contact names
- Contact list storage
Explore these points to learn how and why we’ve secured them, and see how they fit into the larger ecosystem needed for a truly secure phone.
SKY ECC IDs: First layer of defense
The way SKY ECC IDs, the usernames of SKY ECC users, are created is the first step in securing you and your contacts. They work like this:
- Every SKY ECC ID is a randomly generated, unique 6-character identifier.
- No personally identifiable information is ever associated with any SKY ECC ID. Absolutely nothing about it, or connected to it, will reveal who the user is.
These two facts are the first steps in how anyone can use SKY ECC anonymously if they want to. There are no phone numbers, names, or any other information to compromise the identity of any user via their user ID, or any other records kept by SKY ECC—because we keep no records with personally identifiable information.
Why SKY ECC doesn’t use phone numbers
Many “secure” messaging apps get this part wrong. The worst case is that they allow users to search for people based on contacts in other apps or in the phone’s contact list. This is very convenient, but it doesn’t help you, or the people you talk to, remain private.
Why is this really a problem? Several reasons:
- People can see your chat and definitively link your phone number to you. You can use an alias all you want on an app like Signal, but it’s been proven to not be a secure way of protecting your identity. Your phone number is displayed everywhere and it will get traced to you, right State Rep. Matt Shea?
- Those who don’t know you can find your number and add you to group chats. This seems harmless until someone adds you to a group chat without your consent and you ignore it, yet your identity is now attached to a group about criminal acts.
- Being in a group chat with a bunch of people you don’t know exposes you to personal attacks. Your phone number, when registered with your phone company, is connected to a lot of information—like your address. A less nefarious issue is finding your number on spam call lists or, much worse, being contacted directly by a stalker.
These issues make any chat app insecure right away. SKY ECC was built so that we don’t know the phone numbers connected to the dedicated SKY ECC devices our users are using.
How your contact list is managed
Managing your contact list properly is next to impossible with so many chat apps using phone numbers as the way that users are identified. SKY ECC uses a few tactics to help you manage contacts properly:
- Users directly control who can message them before a message is sent. Every SKY ECC user must authorize each contact request sent to them before any message can be sent. See a request from someone you don’t know, or don’t trust based on the note field which comes with the request? Manage your contact list by not approving that user. You cannot be discovered on any Sky server through your SKY ECC ID. Your name isn’t associated with your ECC ID anywhere. This means that no one can go searching for your ECC ID and find you to send unsolicited messages. This is vastly different from directly linking your account to your contact list.
- The only way to contact another user is to get their ID from another user who already knows it, or for you to give it to them personally. This one-to-one sharing vastly minimizes spam.
Those are the basics of how you build your contact list, but here’s how you protect it:
- Any contact on your approved list can be deleted, or deleted and blocked. This has to be a standard feature of any decent messaging app, and SKY ECC certainly has it.
- Your SKY ECC agent can create a whitelist of people on your network who are able to contact you. This makes it so you know that every single person contacting you is in your approved network—and no one else. A blacklist is created of everyone who isn’t able to contact you, namely everyone on SKY ECC who isn’t on your whitelist! Don’t worry, these lists can be changed as needed.
Proper management of a contact list is about blocking and restricting as much as it’s about building. There are celebrities with tens of thousands of fans who would love to get their ECC ID somehow and contact them, but if their network has already been restricted they can’t possibly contact them, not even if this happened (Rob Kardashian leaked his sister Kylie’s phone number) with their ECC ID instead of their phone number:
They could say “Kylie’s SKY ECC ID 475289 I ain’t hacked either this is rob dog lol” and it wouldn’t matter if Kylie had set up a restricted network where only certain SKY ECC IDs could contact her. Building a network you trust is hard, but building a network you don’t have to trust because it’s restricted is even better.
Chats disappearing as part of contact list management
Having chats stored forever can be a contact list issue. Chat services with backups stored indefinitely on a cloud server can make it possible for chats you’ve deleted, and people you’ve disassociated yourself from, to remain a part of your network:
- You add someone to your contact list and chat with them.
- During the conversation you come across information about this person which prompts you to not want to associate with them any further.
- You delete and block them from your contacts.
If you’re on SKY ECC that’s the end of it. The chat is deleted from your phone, it’s not on a server, and that person is no longer on your contact list. With apps that store chat backups in the cloud, that person is forever associated with you as someone who was on your contact list that you interacted with.
Custom contact names
One of the easiest hacks in the world for discovering contacts is by looking over someone’s shoulder when they have their phone out, or by taking their phone out of their hand when it’s unlocked.
Here’s my SKY ECC contact list with work contacts where I’ve changed the names to ones which are similar for illustration purposes:
You can’t really tell who any of them actually are at a glance, but someone who knew me could, with some guessing, possibly ascertain who they are based on these names. How to get around this is shown below:
These names make it much more difficult to figure out who I have on my contact list, but I know exactly who they are. Someone who takes my phone would have a much harder time figuring out who each contact is, while someone looking over my shoulder (with a camera, perhaps) isn’t going to get any information useful to them.
Securing a contact list is about more than securing the numbers; it’s about securing every single aspect of how the data is stored, even locally on your phone, and names are part of it. If the real names of the people on my contact list were displayed at all times it would be much easier for an attacker to know who to target; think of it as superhero secret identities for your phone.
SKY ECC and directory servers
Here’s a sentence over on our Features page which warrants further explanation:
You manage your own contact list, not a directory server.
This means that no data about you is stored on our, or any other, server in a searchable manner. This data is yours, so you manage it yourself with your device; we don’t manage it for you on a server in a way that could lead to data compromises. This has the benefits of:
- There is no way for someone with access to a server to find your ID to contact you. This is both for your own privacy from those you don’t want to talk to, and to protect you from outright spam.
- If we used a directory server based on the old model of phone numbers, anyone who has ever had your phone number could be notified of you being on a new communications platform. They could contact you before you could block them. No one is notified of you joining SKY ECC because we’re not built that way.
Directory servers filled with contact information are another one of those things which are really convenient for users, and are also really convenient for hackers to steal data from. With privacy and security in a zero-trust model being the most important aspects of SKY ECC, we knew that we couldn’t use a directory server the same way as other apps.
This is a very real issue as over 419 million phone numbers were exposed in September 2019 thanks to a bad directory server Facebook owned. This dwarfed what was thought to be a terrible breach of 49 million Instagram (owned by Facebook) users back in May 2019.
As was brought up in the video above, having your phone number leaked by a directory server has worse consequences than getting spam or harassing phone calls as it can also lead to spoofing phone numbers for two-factor authentication, and can be used in SIMjacking attacks. Not using a directory server may seem like a small thing, but it has major consequences—so we don’t do it.
What if I lose my contact list?
Are you wondering what happens if you lose your device or have to reset your SKY ECC ID? Do you lose everyone on your contact list and have to build it all over again?
We have created a workaround for this where the SKY ECC IDs of your contacts are stored on our servers—with absolutely no personally identifiable information attached (because we never have it)—so when you set up a new device your contacts are automatically reloaded for you.
This contact list is only able to be associated with your unique SKY ECC ID, so that data is not stored in any searchable manner. It is still only SKY ECC IDs as well—with no personally identifiable information—so even if someone were to get hold of the list it would mean nothing, and it would mean nothing on several levels because of how we protect our servers:
- Absolutely everything on a SKY ECC server is encrypted by our proprietary 521-bit ECC, including the contact lists.
- All of our servers are behind several firewalls.
- Every server is protected against intrusions.
This is in stark contrast to Facebook’s practice above of storing personal data on a server with no password protections, which is completely unacceptable. Our strategy of ever-increasing layers of security keeps your contact list—and therefore you—private and secure.
You deserve secure and controlled contact lists
Securing a contact list is often the last consideration for “secure” communication apps you’ll find on the app stores of the world. This is because they want to do everything they can to get you talking on their networks with people you already know on the network. They do this because:
- Creating open contact lists on their directory servers allows you to search for contacts already on the app, while also providing you with a backup if you switch devices.
- This is convenient for both you and the app provider, but it is awful for privacy and security.
Anyone trying to minimize these two issues is doing you a disservice if you truly value security and privacy at the uppermost levels.
How SKY ECC manages contact lists
We created SKY ECC knowing that we had to do better, and we did by taking these precautions with building and managing contact lists:
- SKY ECC IDs are randomly generated and not attached to your personal information, making it impossible for people to message you without them personally being given your ID number.
- You control your contact list. There are whitelists of those who can contact you and blacklists of those who cannot.
- All chats disappear, which is another aspect of contact management.
- You can create custom contact names to fend against direct observation tactics which steal contact list information.
- Contact lists are not stored on searchable directory servers. All backup contact lists are on our secure servers and are only linked directly to your account, making them unsearchable.
Doing one, or a few, of these would vastly increase the contact list security of every major free app out there, but SKY ECC does them all. This is another aspect of our secure phone ecosystem, and we hope you’ll contact us today to learn how SKY ECC can help you and your organization.