Private messengers: what can they really see?

in hive-172186 •  4 years ago 

This article aims to provide a fair and thorough comparison of the current private messaging apps in terms of their privacy, security, and anonymity. However, it must be abundantly clear that this post is written by me. I strongly encourage you to read, do your own due diligence, and correct me if we am wrong.

†For the purposes of simplicity for the average reader, anonymity will be defined as a complete dissociation of one's chat identity and their true identity.

WhatsApp
What can WhatsApp servers see?
All the metadata, but none of the content. They can see your profile picture, who you talk to, and when. They can see who is a member of a given private group, the group icon, the group name, and which members are the administrators of said group. But your messages, pictures, attachments, status updates and calls are all end-to-end encrypted.

However, it is very important to note that the end-to-end encryption of WhatsApp messages has been repeatedly compromised through unencrypted Google or iCloud backups. Although these backups are technically optionally, they are repeatedly suggested to the user with a coercive user interface. Even if you do not enable these backups, there is a good chance your conversation partner did, which compromises the integrity of the end-to-end encryption for both of you.

Is WhatsApp anonymous?
No. You are required to provide your phone number — which, in many parts of the world, is synonymous with providing your government-issued ID. In addition, WhatsApp logs your IP address and directly associates it with your chat identity.

Is WhatsApp easy to shut down?
Not really, given the scale of Facebook and the nature of public corporations. However, it is very likely that WhatsApp could be forced to include a backdoor into their clients. There would be no way around this, as the clients are all proprietary. With all other messaging apps in this list, one could simply download the code prior to the backdoor, build it, and run that version of the client which still correctly encrypts the messages. Decentralized messaging architectures such as Status or Matrix would be even more resilient against such coercion, as there would be no central servers to shut down.

Matrix
What can federated Matrix servers see?
All the metadata, but none of the content. They can see your profile picture, your private room aliases, your device names, who you talk to, and when. They can see who is a member of a given private room, the room icon, the room name, and which members are the administrators of said room. They can see who talks and when in private rooms. But your messages, pictures and files are all end-to-end encrypted by default.

Although some homeserver implementations have stopped storing this metadata by default, all homeservers still have the technical ability to access it. Some of these metadata issues may be resolved with the latest developments in P2P Matrix, but it is unclear as to whether or not this will be effective in regards to room metadata such as membership or administrator privileges.

It should be noted that the relative ease of hosting your own Matrix server diminishes the value of any metadata leaks. If all of your contacts use a Matrix server that you trust (which could be one that you host), it doesn't matter if the server can see this metadata. However, in practice, most people just use someone else's server (such as the matrix.org one).

Is Matrix anonymous?
Kinda. If you trust the federated homeserver you are connected to not to disclose your IP address, you are anonymous. If not, you are not anonymous, as the homeserver you connect to will be able to directly associate your chat identity and IP.

Although it technically is possible to host a Matrix homeserver as an anonymous Tor onion service, it is highly impractical to do so as the process has yet to be streamlined.

Is Matrix easy to shut down?
No. It would be practically impossible to entirely shut Matrix down. The Matrix Foundation cannot shut down Matrix. However, significant damage could be done given the current points of centralization. First, if the matrix.org homeserver were to be shut down, it would massively disrupt the ecosystem given the large portion of users that depend upon it. And second, all Matrix homeservers currently depend upon centralized ICANN domains. Both of these issues may be remediated by P2P Matrix down the line.

Threema
What can Threema servers see?
Some of the metadata, and none of the content. They can see who you talk to, and when, and they can trivially infer group membership as their servers have access to sender/recipient metadata. But your messages, pictures, attachments, profile pictures and calls are all end-to-end encrypted.

Is Threema anonymous?
Kinda. If you trust Threema to not to disclose your IP address, you are anonymous. If not, you are not anonymous, as Threema has the ability to directly associate your chat identity and IP (but they probably don't do this).

Is Threema easy to shut down?
If you don't have any faith in the Swiss government, the answer is yes. If you do, the answer is probably not. Threema is the sole operator of the Threema servers, and they are based in Switzerland. There is no federation, and there is no peer-to-peer architecture. If Threema is legally compelled to shut down their servers, that's it. All forms of communication through Threema would immediately halt. In addition, given the centralized nature of their server architecture, Threema themselves could shut down Threema.

Comparison-table-02.2021-3 (1).jpg

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!