
Taking back control of our privacy from leaky messenger applications

(Image credit: David M G / Shutterstock)

Over the past year, conversations around personal data and privacy have been at the forefront of scandals, breaches, and bugs. Loss of trust and confidentiality is at its historical peak. Consumer concerns have pushed tech giants to increase their transparency and security efforts, and it has encouraged government leaders to pass legislation that addresses these concerns — but we, as individuals, have the power to truly regain our privacy.

It’s become the norm to compromise or give up our privacy in order to connect with others on social media, browse the web, make purchases online, and more. If a social media service is free to use, the chances are that the price is access to the data and messages you key into it. The website Bringing Privacy Back lists questionable policies, articles and news about many of the popular sites including Facebook, Google, Signal, Viber and others. All have had violation issues.

As consumers, we have a right to know where our data is going and how it’s being used. While we should remain conscious of what we agree to when we accept privacy policies, we should also have a choice to opt out of the widespread use of our own data. Businesses also have a responsibility to use consumer data responsibly and to keep this information safe.

Dude, where’s my data?

It should be normal for users to have control over their own data and decide what they are willing to give up, but this is often not the case. When we agree to trade our privacy in order to use a networking tool or file sharing service, we’re placing our trust in others to secure or handle that data as they see fit. Europe’s General Data Protection Regulation (GDPR) was a step in the right direction in giving consumers control over their data, but it’s not enough.

Since then, consumers have seen a multitude of privacy policy update notifications, and businesses are still trying to keep up in order to avoid fines. Republicans in the U.S. House Energy and Commerce Committee wrote to executives at Apple and Google this month to try to uncover, once and for all, the details of the corporations’ third-party access, data collection, and use of data, and whether smartphones collect location or audio data on consumers without their knowledge. California recently passed a bill similar to the GDPR, the Consumer Data Privacy Law, which is a major stepping stone for privacy regulation in the United States.

While both policies have great intentions for consumers, they are simply not enough. Less than two months after the GDPR went into effect, the European Consumer Organisation in Brussels (BEUC) reported that major corporations like Apple, Google, Facebook, and Amazon still fall short, in that they aren’t providing consumers with enough information about how they use their data and why they might need to collect it. The California regulation doesn’t go into effect until 2020, and it’s hard to tell whether businesses will be fully compliant when it hits.

Leaky applications

Another issue we face as consumers is that there are too many programs and applications that promise privacy or user control, but in reality, they all have backdoors that are prone to hacks, data retrieval, or software bugs. In the recent investigations of President Trump’s former campaign chairman, Paul Manafort, and personal attorney, Michael Cohen, the FBI easily retrieved multiple pages of messages and call logs from the encrypted communications platforms WhatsApp and Signal.

What was supposed to be a secure way to communicate turned out to be another case of backdoors and broken promises. Contrary to what we might think, WhatsApp allows manual and automated scheduled backups to iCloud, where files are no longer protected by the app’s end-to-end encryption. Manafort and Cohen were victims of the same blunder.

Signal, another widely used messenger application, recently had a bug in its system, in which messages didn’t actually delete when users opted in for the self-destructive messages feature. While both apps have been believed to be safe ways to communicate, we see that by design, they still had flaws.

The fact is, while many of these communication applications and social networking services that we use on a daily basis are “free,” they aren’t, because we are paying with our privacy. If you think that consumers are generally indifferent about their privacy or personal data, ask your colleague or boss for the passcode to unlock his or her phone, Google account, or Facebook page, or perhaps offer yours to someone else. Just because you haven’t done something wrong, or you’re not hiding anything, doesn’t make it right.

A new approach to secure messaging

What’s needed is a new approach to messaging applications: apps and platforms that do not compromise privacy in exchange for the convenience of communication. One example is Hybrid Virtual Key Management (HVKM) technology, in which one unique half of the user’s encryption key is stored on their device and the other half is stored on the Usecrypt server. Because half of the key is stored on the device, it’s impossible for a malicious party to access your data remotely. This means you can’t log into your Usecrypt account without the specific device you used to sign up. Therefore, if someone gets hold of your login details they can’t access your communications unless they also have your mobile device or computer.
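The device/server key split described above can be illustrated with 2-of-2 XOR secret sharing. This is an added example, not Usecrypt's HVKM implementation, whose internals the article does not describe; the function names, the 256-bit key length and the key check value are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KEY_LEN = 32  # assumed 256-bit user key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split key into (device_share, server_share); both are needed to rebuild it."""
    device_share = secrets.token_bytes(len(key))  # fresh random mask, kept on the device
    server_share = xor_bytes(key, device_share)   # key masked by the device share
    return device_share, server_share


def check_value(key: bytes) -> bytes:
    """Key check value: lets a rebuilt key be verified without storing the key."""
    return hmac.new(key, b"key-check-v1", hashlib.sha256).digest()


def recombine(device_share: bytes, server_share: bytes,
              expected_check: bytes) -> Optional[bytes]:
    """Rebuild the key; return None if the shares do not belong together."""
    key = xor_bytes(device_share, server_share)
    if hmac.compare_digest(check_value(key), expected_check):
        return key
    return None


def device_share_for(server_share: bytes, candidate_key: bytes) -> bytes:
    """Device share under which server_share would decode to candidate_key.

    One exists for every candidate, so the server share alone rules out no key.
    """
    return xor_bytes(server_share, candidate_key)


if __name__ == "__main__":
    user_key = secrets.token_bytes(KEY_LEN)  # constructed sample key
    dev, srv = split_key(user_key)
    cv = check_value(user_key)
    print("enrolled device unlocks:", recombine(dev, srv, cv) == user_key)
    other_device = secrets.token_bytes(KEY_LEN)  # login details but not the device
    print("other device unlocks:  ", recombine(other_device, srv, cv) is not None)
```

The split protects against theft of the server share or the login details alone; a party holding both shares, for example on the unlocked enrolled device, can still rebuild the key.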

Furthermore, users’ data should never be stored on the messaging platform’s servers: this way, messages and call logs are impossible to restore once the user permanently deletes them. The app should also include features to allow users to check whether their device is under any kind of surveillance, or is currently being compromised.

We’re told it’s normal for someone to have access to our personal information, but it’s not. We don’t have to give up our privacy. It’s a basic human right, and it’s not in any way acceptable to enable others to take our most personal information and sell it or share it with whomever they want, whenever they want, without proper consent.

We should fight for our liberty and fight for security. It’s time to take control of our own privacy, and it’s time for businesses and governments to step in and do everything they can to prioritise these human rights. 

Jakub Kokoszka, co-founder and managing director, Usecrypt

Jakub Kokoszka is co-founder and managing director of Usecrypt, a secure communication technology and Warsaw-based privacy movement.