Messenger Security, Trust, & Infrastructures » Nikolaus Poechhacker

Digiones : /dev/random

Now it happened – I had to install WhatsApp. I opposed the idea of using this app for a long time now, but it is the only communication channel to a new community I just “entered”. And so I complained and then complied. However, installing yet another messenger triggers many different questions in regard to that little piece of software on my phone. And I was especially wondering about the values inscribed in a communication system … especially one I so long opposed.

WhatsApp is now secure. But what does that actually mean?

While I had many arguments about of WhatsApp it was often brought up that the messenger is now secure. And yes: WhatsApp has end-to-end encryption that is based on the signal protocol – which is pretty secure. So we can assume that WhatsApp is reasonably secure and that it is hard or impossible to read exchanged messages. However, WhatsApp was not primarily designed for security, but for usability. Encryption became an important issue after the messenger was already well established – as the market demanded such a feature. In addition, WhatsApp comes with its very own definition of security.

When Facebook bought WhatsApp (as it was threatening the dominance of Facebook), it had to promise not to merge WhatsApp data with other Facebook services – at least for two years. Yet, why is this such a big deal? No-one, not even Facebook should be able to read the information sent over their services, as it is encrypted. Well – that’s true, but they do not really need to read your messages to learn a lot about you. Or, as we know since 2013: it’s all about the metadata (see also: https://youtu.be/k8lJ85pfb_E?t=1m40s ). And WhatsApp (as well as Telegram, btw) is collecting a lot of them. So while these applications are secure in a cryptographic sense, they are not really privacy friendly in their metadata collection.

Open Whisper Systems (the signal people) on the other hand are collecting hardly any data. Only the timestamps of registration and last connection to the service are saved. So, practically there are no metadata to analyse. What does this mean? Security is here defined much more broadly than just encryption. And this is also where the discussion about WhatsApp falls short. The question of security also needs to address the question, against what you want to be secured. And the answer to this question is very different when looking at WhatsApp and Signal. The former secures you against intercepting your messages – while the latter also provides you with an extended kind of privacy – by not creating activity protocols.

Data from our communication infrastructures are increasingly used for law enforcement and bulk surveillance. As a result we now rely increasingly on technical fixes on the one hand and community driven infrastructures on the other for private communication.

A reason why we have these discussions can be read as a sign that we have no established and trusted institutions in our digital societies. In the good old analogue times we trusted the postal infrastructures to enable secrecy and institutional processes to protect the integrity of our communication channels more than other communication infrastructures, e.g. house internal messaging system. Yet, it seems that this trust in central communication infrastructures has been lost in the translation. Facebook is well known for (mis-)using the data of its users. At the same time data from our communication infrastructures are increasingly used for law enforcement and bulk surveillance. As a result we now rely increasingly on technical fixes on the one hand and community driven infrastructures on the other for private communication. While encryption protects you against distrust in the underlying infrastructures, i.e. your ISP or layer one to four (or five – depending on the application), Alice and Bob still have to trust the centralized services of Signal to not collect their metadata. Yet, the trust in infrastructures can no longer be assumed, but is the result of diverse societal negotiations. For example, when Snowden recommended the Signal app, Open Whisper Systems gained a lot of social capital and therefore trust from the community in its service as a reliable communication infrastructure.

What can we learn from that? First, when we raise questions about inscribed values and how trust is distributed in messenger systems, we always have to take into account the whole communication infrastructure behind the app. Second, the liberal state is no longer (seen as) a provider for trusted communication infrastructures but is more often than not perceived as part of the problem rather than the solution. This fosters the creation of alternatives infrastructures, mostly driven by the hacker community. As a result, this creates a tension between security demands and social integration (remember? I installed WhatsApp because it was the only communication channel to a certain community). While the GDPR is definitively a step in the right direction, it does not address the fact that secure and trusted communication infrastructures are increasingly provided by the community – something that the state used to do back in the ancient times before the Internet.

This is post was originally published on the Digital Media Lab blog.