Private Messaging in the era of Open Data

Stumbling across “Secret Conversations” and critically eyeballing Encryption standards and User Data Surveillance methods

The current age technology has taken such a turn, that you may just address your concerns over a chat with a dear pal and the chat itself may have solutions to provide already.

Sound scary?
It definitely was for me! When this happened-

A few weeks ago, I was discussing with a friend over a phone call, about an idea he was working on, for his FinTech startup. It was just a few minutes after the call ended, that I came across an article on FB NewsFeed, describing a product very similar to the one he spoke about.

I happened to share this link with that friend over Facebook Messenger, expressing a mild surprise over the coincidence of the appearance of that link on my NewsFeed, and proceeded to add a little joke to that conversation (doubtful if anyone was listening!):

Original copyright — not for use

What blew me away, was the occurrence of this FB notification, a few hours later:

This wasn’t my first ‘1984’ moment on Social Media, but my ears did keep ringing with “Big Brother is watching you!”

So what are Secret Conversations, and how do you enable them?

“Secret Conversations” is Facebook’s answer to the world of “End-to-End Encryption” -enabled messaging apps, and was rolled out to users in phases, beginning July this year.

The Facebook newsroom announcement reads, “We’ve heard from you that there are times when you want additional safeguards — perhaps when discussing private information like an illness or a health issue with trusted friends and family, or sending financial information to an accountant.”

Facebook’s secret conversations work only from a single device per user, and will allow you to set a timer. The feature also doesn’t support “rich content like GIFs and videos, making payments, or other popular Messenger features”, and cannot be applied to group messages.

To enable this feature, go to FB Messenger, switch to your profile tab and scroll through the list to find “Secret Conversations”, and tap on the option. To have a secret conversation, follow the steps as provided here.

What’s the deal with End-to-End Encryption?

End-to-End Encryption (E2EE) is a method of secure communication, where the key to the encryption is known only to the sender and the recipient, and your message can neither be decrypted by the company, nor can third parties like the government, law-enforcement agencies, Internet service providers, cyber-criminals or hackers, read it or tamper with it.

Many messaging apps, (including Telegram, Threema, Line and more), have by now deployed E2EE, and most of them use “The Signal Protocol”, designed by Open Whisper Systems.

Open Whisper Systems’ own messaging app “Signal” offers text, group chat, and calls on Android, all with end-to-end encryption, and is also recommended by Edward Snowden — whistleblower, former NSA contractor, and one of the world’s best-known privacy experts.

While the 2013 NSA leaks by Edward Snowden may have turned the spotlight to privacy, it was the court battle between Apple and the FBI, that sparked the encryption war, in relation to unlocking an iPhone used by one of the San Bernardino shooters in 2015. Apple, which has used a form of end-to-end encryption in iMessage for years, refused to install a backdoor, underlining the integral values many large communications companies hold when it comes to personal data, security and encryption.

Facebook-owned WhatsApp, thereafter, rolled out full end-to-end encryption to its billion-plus users in April, just under two months from the San Bernardino case, followed by Viber adding protection to its 700 million users’ messages just weeks after WhatsApp.

Yet, not all these apps have the same approach.

While WhatsApp and iMessage, automatically encrypt every message (default encryption), FB Messenger and Google’s Allo have an opt-in feature that users need to manually turn on, to chat in a separate window secretly or in “incognito” mode.

Also, messages in FB Messenger, Snapchat and Allo, have a feature to enable a self-destruct timer. But even when these messages disappear from your phone, they are still stored on the company servers, encrypted. Snapchat stores these messages for 30 days, while Allo stores it indefinitely. In case of Signal, however, no communications are sent to their servers, making it impossible for anyone to trace the call or text back to you.

Why do all Messaging Apps not offer default encryption?

Before answering that, let’s see what happens to the messages written in non-E2EE mode. For non-secret conversations, Facebook Messenger has been using a partial-path encryption method. In this case, the message that you send is encrypted and transmitted over a secure network to Facebook servers where it is decrypted and stored in plain text, along with its encryption keys. From here, it is re-encrypted and sent to your recipient, where it is decrypted again.

Such is the case for many other messaging apps like Allo, that provide the opt-in feature and are not completely end-to-end-encrypted. This also means the messages here, will be perfectly accessible for spying with lawful requests or for usage in generating targeted ads, similar to message data in Gmail and Hangouts, and location data collected by Android.

A few months back, in spite of being fully end-to-end encrypted, WhatsApp announced its intent to share data with its parent company Facebook in order to draw in adverts to the platform. Third party companies will be able to send targeted messages directly to WhatsApp users should they accept the new terms and conditions.

In 2014, Facebook had announced that its users, “want to see ads that are more relevant to their interests.” This is being done by tracking their usage of websites and apps connected with FB accounts or through FB activity including messaging.

There’s no way to turn off this feature entirely unless you live in the US, Canada or Europe where you can register with the corresponding Digital Advertising Alliance to opt out of your device or browser.

Recently, there was a controversy around Google — “When Allo was announced at Google’s I/O conference earlier this year, the messaging app was presented as a step forward for privacy. Alongside the end-to-end-encrypted Incognito Mode, the Allo team talked about bold new message retention practices, storing messages only transiently rather than indefinitely. But with the release of the app today, Google is backing off on some of those features.”

Edward Snowden, criticized the app on Twitter saying:

Google’s reason for the shift in Allo, was to improve the virtual assistant features. By not encrypting chats end-to-end, Google would be able to run its artificial intelligence on conversations to better suggest replies, relevant Web search results, info on any planned or dynamic events, (and witty jokes), just as it does with its other products.

Privacy vs. AI vs. Surveillance

A bitter truth known is- “If You’re Not Paying For It, You Become The Product”. Practically every site gathers data in some form, for analytics, for business or to help improve the user experience. A large amount of data is used in targeted advertising for monetization in businesses. Data is also used in tailoring each internet experience as per users’ preferences, pick up on trends and improve services at certain locations. All the major networks use cookies, search queries and our personal profiles to determine what it is that we like and dislike, and then build our future browsing experiences around such details. Breaking news, warnings, alerts and notifications are fed to interested users, depending on their tastes and geographical location.

But this does add a potential point of vulnerability to the design, no matter how secure the company servers may be. A concern that comes to mind is how governments or law agencies could potentially use this information. For example, could they use Facebook to find the people opposed to their views and even manipulate their moods?

For a responsible individual, encrypting only parts of messages like sharing account details or sensitive/embarrassing content only makes it more prone for hackers and spies to know where to find such info. Encrypting all your communications not only protects yourself but others as well. It is vital for targeted or marginalized user groups, including journalists, activists, and survivors of domestic abuse. If they are the only people who encrypt, then their communications stick out like sore end-to-end encrypted thumbs. But if everyone encrypts as their automatic default, potential surveillance targets are harder to spot.

Some law enforcement officials have warned that the spread of end-to-end encryption could help criminals and terrorists “go dark” because companies cannot access the content of the encrypted communications even when faced with a warrant.

Civil liberties advocates and technology experts, on the other hand, have generally praised the expansion of end-to-end encryption in consumer devices as a step forward for users’ privacy and cyber-security.

With the rapid growth in AI, Big Data, and IOT, how much are you willing to trade your privacy in the hope of better benefits?

Thoughts? Put them in the comments below. If you liked this article, click the 💚 below.