Issue 62

Don't backup your conversations

Delivered on 28 January 2020 by Justin Pyvis. About a 4 min read.

This is a bit of a public service announcement: if you use any instant messenger (WhatsApp, iMessage, etc.), whatever you do, do not enable automatic backups. If you need to back up your conversations, do it yourself. When prompted with a screen asking you to enable backups, click "No", "Never" or any other option in that vein.

Why? This is why:

Apple Inc dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.

The tech giant’s reversal, about two years ago, has not previously been reported. It shows how much Apple has been willing to help U.S. law enforcement and intelligence agencies, despite taking a harder line in high-profile legal disputes with the government and casting itself as a defender of its customers’ information.

There's also this from last year:

Facebook-owned instant messenger WhatsApp has admitted that it's storing unencrypted backup data on Google Drive... the act of encrypting the data between WhatsApp and Google is not part of the end-to-end encryption that the company offers for its conversations.

If you believe Facebook, WhatsApp is end-to-end encrypted (I certainly won't until it reveals its source code). But what most people don't know is that if you've enabled automatic backups - whether to Google Drive, Apple's iCloud, whatever - they're exported in plain text and encrypted with the company's private key, not yours. That effectively allows them to scan your conversations, package them up with all the other information they have about you, and sell it all to the highest bidder.

Or in the case of a government request, hand it over for free.

So once again: if you must use the products offered by the FAANGs, don't let them store your backups. Better yet, ditch them altogether. It's not like there aren't plenty of open source, privacy-friendly alternatives out there (Signal Messenger is a widely used alternative, with Riot a lesser known, decentralised option).

Enjoy the rest of this week's issue. Cheers,

— Justin

Other bits of interest

Google is evil

Last week, Google began rolling out a new look for its search results on desktop, which blurs the line between organic search results and the ads that sit above them. In what appears to be something of a purposeful dark pattern, the only thing differentiating ads and search results is a small black-and-white “Ad” icon next to the former. It’s been formatted to resemble the new favicons that now appear next to the search results you care about. Early data collected by Digiday suggests that the changes may already be causing people to click on more ads.

Look, Google - or rather, Alphabet - is first and foremost an advertising company. It sells the top few results on Google's search page to companies in the hopes that you click through to their respective websites rather than those dug up organically by the Google algorithm. I don't have a problem with it improving how that process works; I couldn't care less if every result was an advert. If people don't like having adverts shoved down their throats then they can use one of the many Google competitors out there, such as DuckDuckGo.

That or pressure Google into backtracking, which it has already done.


The European Union is off the mark, again

The European Union is seeking a temporary (3-5 year) ban of facial recognition technology and many US states have already banned it. But as Bruce Schneier writes, facial recognition is just one small piece of the privacy puzzle:

[Facial recognition is] just one identification technology among many. People can be identified at a distance by their heart beat or by their gait, using a laser-based system. Cameras are so good that they can read fingerprints and iris patterns from meters away. And even without any of these technologies, we can always be identified because our smartphones broadcast unique numbers called MAC addresses. Other things identify us as well: our phone numbers, our credit card numbers, the license plates on our cars.

Banning facial recognition is a knee-jerk reaction that does not attempt to weigh the costs and benefits of the technology. We hear a lot about the costs, but what about benefits such as finding missing persons, identification (i.e. no need for keys), facilitating payments, and so on? These bans do very little to eliminate the privacy costs of the technology (instead of facial recognition, companies will use the next best means to surveil us) but they eliminate all of the potential benefits.


Issue 62: Don't backup your conversations was compiled by Justin Pyvis and delivered on 28 January 2020.