Security vs Privacy – Why should you have to choose on messaging apps?

Secure messaging platforms aren’t necessarily private. Though the messages’ contents might be encrypted, or protected from unauthorized users, the apps can still collect other private information about the platform’s users and communications.

This collection of information about users’ data, known as metadata, is what sparked the historic Federal Trade Commission (FTC) penalty on Facebook in 2019. Now, Facebook is once again at the center of online privacy concerns. WhatsApp, acquired by Facebook in 2014, recently revealed that the app collects private information on its users including (but not limited to) their location information, purchase history, and contact lists. And, that information is being shared with Facebook.

In December, Apple rolled out its new privacy labels for Apps to help users understand what information each app collects and how the app uses that information. Now, users can easily see an app’s privacy. “It’s much quicker to read than a Privacy Policy or Terms of Service, increasing the likelihood people will actually use it,” says Sarah Scheffler, a 5th year PhD student in computer science and BUSec member. But, some companies that collect private information on their applications’ users, like WhatsApp, are upset with Apple’s change.

We asked two cybersecurity experts at the Hariri Institute about the privacy of “secure” messaging platforms like WhatsApp, and what messaging platforms they would recommend.

Ari Trachtenberg, Cyber Alliance member and Professor in Electrical & Computer Engineering, poses for a portrait.
Sarah Scheffler, a researcher in the BUSec group and PhD Candidate in Computer Science, poses for a portrait.

Q&A 

  1. What is the difference between data and metadata collection?

Scheffler: Data collection might be, for example, collecting the images you’ve taken on a smartphone.  Metadata collection would be collecting data *about* those images, like when or where they were taken.

Ari Trachtenberg, PhD, Cyber Alliance Member: Metadata can provide a lot of information about the data it is describing.  If I know who you are calling, when, and for how long, I can make a number of inferences about what you are saying on the call. ‘

  1. Is WhatsApp a secure and private communications platform? Why or why not?

Scheffler: It’s certainly fair to say WhatsApp is secure. WhatsApp is certainly more private than chat apps that don’t have any end-to-end encryption at all (most of them), and it’s a heck of a lot more private than Facebook’s other chat app, Messenger.  But at the end of the day, and especially with its recent changes, it’s moving farther and farther from privacy, keeping only the actual message content secret and tracking pretty much everything else.

Trachtenberg: WhatsApp has recently decided to collect and share information with its parent company, Facebook.  This is clearly very important to their business model, because they have threatened to stop service to the many users who disagree with this new policy.  Reading through their privacy policies, one can see that they automatically collect information about user activity and device information, and they also may get information about you from third parties.  This means that, even if your messages are encrypted, they may be able to track your activity (even outside of the app). 

  1. What should people look for when choosing a communications platform or app?

Scheffler: The actual functionality of all these messaging apps is pretty much identical.  So if that’s the case, why not go with one that maximizes your privacy?  It seems prudent to keep what feels like a private conversation actually private.  And that’s not even getting into actual threats people might face from not using private chat apps. 

Trachtenberg: I feel that the most important question to ask is “how is this platform or app making its money?”  Platforms are costly, requiring the dedicated work of many engineers, and it is important for users to understand just who is paying for those engineers and how.  Only in this manner can they make a more informed decision about the risks of participation.

  1. Are there any communications apps that you’d recommend? Any that you’d warn against?

Scheffler: Signal is great.  For video, Jitsi (though it has compatibility issues with Firefox, so I don’t personally use it often).

Trachtenberg: Since the WhatsApp privacy decision, I have discontinued the use of WhatsApp and moved toward Signal, a privacy-oriented app.  I have also stopped using Facebook and moved to MeWe, whose terms of service appear to be very privacy focused. 

Interview has been edited and condensed for clarity.

 

Interested in learning more about the transformational science happening at the Hariri Institute? Sign up for our newsletter here.