WhatsApp and the fig leaf

A few days ago Facebook owned WhatsApp started pushing their users this pop-up message:

I read the entire new terms and conditions which, besides being boring, is unclear. I live in the EU, liking it or not, in EU there's a legal enforcement obeying (when the Countries do their job) to the GDPR framework. Matching the new T&C against the GDPR, there seems to be little to no adherence to the GDPR requirements, especially:

• Legal entities involved in the "sharing of data" are not explicitly identified.
• What data are exactly shared, is not declared.
• For what exact purpose these data are collected and shared, is not declared.
• For how long these data are withhold is not declared
• The "Right to be forgotten" isn't mentioned, and how the user can exercise the right, is not declared

Hence, I resolved to replace WhatsApp.

The most obvious alternatives appeared to be Jami, Signal and Telegram. Telegram is a proprietary platform developed by a Russian company, and there's no access to source code. Therefore there isn't much to tell about, besides the fact that, probably, they don't share data with the Facebook ecosystem.

Then I delve into Jami and Signal to have a better understanding. Let's start with Signal.

Signal

First good thing, it is open source, and the source code is available to anyone to look at on github (see links below). Anyone can create a Signal node by installing a Signal Server and become part of the network infrastructure underpinning Signal messaging platform. This is also good. So let's see what are the requirement for such server to be installed:

Here there's something a bit disturbing:

• Signal itself, is entirely relaying on proprietary technologies.
• Signal is open source, but, the technologies it uses are closed source.
• The technologies (Google, Amazon WS, Google Firebase, Twilio, Amazon S3) it uses are well known for harvesting metadata and making good business by selling these metadata to third-parties.

Particularly disturbing is the use of Amazon SQS for the CDS service (Contact Discovery Service), the services that discovers when some other of your contacts is on Signal. You might have noticed that you receive a notification when one of your contacts joins Signal, and also, Signal knows if any of your contacts is already on Signal and they appear among the "signal" contacts and you can send Signal messages to them.

About the Amazon service used by Signal to provide this service, Amazon tells:

"Amazon SQS is a message queue service used by distributed applications to exchange messages through a polling model, and can be used to decouple sending and receiving components."?

[...]

"Amazon SQS stores all message queues and messages within a single, highly-available AWS region with multiple redundant Availability Zones (AZs), so that no single computer, network, or AZ failure can make messages inaccessible. For more information, see?Regions and Availability Zones?in the?Amazon Relational Database Service User Guide."

Amazon employs Server-Side encryption, and they tell us:

"Q: What are the benefits of server-side encryption (SSE) for Amazon SQS?

Server-side encryption (SSE) lets you transmit sensitive data in encrypted queues. SSE protects the contents of messages in Amazon SQS queues using keys managed in the?AWS Key Management Service (AWS KMS). SSE encrypts messages as soon as Amazon SQS receives them. The messages are stored in encrypted form and Amazon SQS decrypts messages only when they are sent to an authorized consumer."

Therefore Amazon itself, apparently, cannot access the content that is transmitted through the SQS, meaning, your sensitive information, your contacts list. So far seems good...

Let's look at the Google Firebase. It is used by the Signal App accordingly to this schema:

https://developers.google.com/terms/

Firebase is used by many android apps to "wake up" the smartphone and show the notifications of incoming messages. In the lengthily Terms&Conditions, there is a note, that claims that "you don't acquire ownership of the content that is passed through this service".

If any sensitive information is sent through the Firebase API, its content, is owned by Google. Not Signal, nor the user, but Google. The much sought after user's metadata...

But..., Signal claims that they also encrypt the user metadata, and send any identifier of the sender and recipient, already encrypted to the API they use:

https://signal.org/blog/sealed-sender/

About the sensitive information, Signal claims, even a Court Order cannot let them disclose them, because, they don't have them:

It seems safe to say that Signal does a good job in terms of transparency and an effort to actually maintain users privacy. Their reliance on private technologies thou, might expose the platform to vulnerabilities, such as being shut down if they support, let's say for instance, Donald Trump, and as Signal says, it's a work in progress.

JAMI

Let's look into Jami. Jami is different and interesting in many ways. First of all, they make many bold claims on their web page:

The most attractive claims here are "distributed", the "GNU Foundation" logo, "Autonomous" and "Anonymous". Let's see:

• Distributed: implies that there's no centralized infrastructure, but that the App works from phone-to-phone directly, which makes it impossible to even catch metadata.
• GNU Foundation: means that it is open-source, and its source code can be reviewed and audited, and also that uses open source components only (we will see later...).
• Autonomous: means that it is running without a centralized infrastructure, it doesn't relay on a single authority, and cannot be shut down by anyone (Donald Trump Twitter, Facebook and YouTube accounts anyone?).
• Anonymous: users cannot be identified and the App doesn't use metadata. There's a lot of fuss around metadata. By the US law as it so stands, metadata belong to the Company providing the service. Metadata are all the data necessary to making the service happen (in the case of a messaging App, the identifier of the sender - phone number - the identifier of the recipient - phone number - and the timestamp of the event). If you believe these info are not sensitive... you might ask what the wife of a man thinks of the message her husband sends to his ex girlfriend every time he goes to the five-a-side football match on Wednesday evening at 6pm. She might have a different opinion about the importance and privacy of metadata.

But... on Jami forum there's a debate about an August version of JAMI App, using the same notification service as Signal:

The issue here is that JAMI uses the GNU Foundation Logo, which means they shouldn't use any "unwanted stuff", like the Google Firebase service to push notifications to the users.

In the debate there's reply that clarifies something very important:

Google Firebase is the ONLY WAY to wake up an Android Smartphone and show notifications. Therefore, there's a "vendor lock", in this case Google's Android, that forces developers to use Google's Firebase to push notifications to Android Phones.

Conclusions

First conclusion, the cumbersome WhatsApp move to ask BILLIONS of users to accept new T&C has sparked a worldwide privacy awareness movement that has led some 60 million users to switch messaging App. Well done Facebook! No one could have done better awareness job!

Then, to cut this long story short, there are three approaches here:

1. I don't care at all
2. I do care a lot
3. I do all that I can

Option 1. you have given up because you have already an account with all possible social media, you have hundreds of apps on your smartphone and you have given all possible permissions to apps to collect your data, and you have done so for years. Therefore there is out there a "digital avatar" of you that is private property and owned by Big Tech and they can profile you even better than you know about yourself, and sell these information to whomever you don't even know.

Option 2. you either want to hide something (which is perfectly legal) or you simply know the difference in between private and public, what's private is yours and what's public is theirs. If you want to keep your data truly private you have little choice: don't use a smartphone. Full-stop (this is the reason why some billionairs use a 10€ phone).

Option 3. you are not an ascetic and you need your smartphone for a number of crucial activities in your private and professional life. You are aware that both Apple and Google collect a monstrous gigantic amount of data from your smartphone 24/7/365 (to the point that you cannot remove the battery from your phone anymore), but at least you want to have as much control as possible. You have some options here. To use an App like JAMI or Signal helps. You can also use a de-googled phone by installing LineageOS in place of the stock Android (you cannot do this with Apple). Or giving up a number of features, use a Linux Phone. Of course, you must not have Facebook, Twitter, Instagram whatsoever installed...

Let me know your approach and thought below in the comments.