Decoding Privacy/Security of Social Media Applications
Introduced in 2018, the European Union's General Data Protection Regulation (GDPR) is one of the strongest laws to protect the personal information of individuals and also has a global reach.
Without end-to-end encryption in WhatsApp, your message may be encrypted while it is being transmitted to the server, but the server might still be able to read it. Some service providers might do this, for example, to generate ads that are more specific to a user.
WhatsApp uses the Signal protocol (formerly known as the TextSecure Protocol) for encryption, which uses a combination of asymmetric and symmetric key cryptographic algorithms. It is a non-federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls, video calls, and instant messaging conversations. The protocol was developed by Open Whisper Systems in 2013 and was first introduced in the open-source TextSecure app, which later became Signal. The protocol combines the Double Ratchet algorithm, prekeys, and a triple Elliptic-curve Diffie–Hellman (3-DH) handshake, and uses Curve25519, AES-256, and HMAC-SHA256 as primitives.
The Signal protocol uses a ratchet system that changes the key after every message. When someone sends a message to a contact over an app using the Signal protocol, the app combines the temporary and permanent pairs of public and private keys for both users to create a shared secret key that is used to encrypt and decrypt that message. Since generating this secret key requires access to the users' private keys, it exists only on their two devices. The Signal protocol's system of temporary keys, which it constantly replenishes for each user, allows it to generate a new shared key after every message.
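The "new key after every message" behaviour described above can be seen in the symmetric half of the ratchet. The sketch below is an added example, not WhatsApp's or Signal's code: it uses the HMAC-SHA256 chain step with the 0x01/0x02 constants recommended in the published Double Ratchet specification, and the class and function names, the `max_skip` limit, and the constructed shared secret are assumptions. It authenticates messages with a per-message key but leaves out the AES-256 encryption and the Diffie-Hellman part of the ratchet.

```python
import hashlib
import hmac

def kdf_chain(chain_key):
    """One ratchet step: derive a one-time message key and the next chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

class Chain:
    """Hypothetical helper holding one direction of a conversation."""
    def __init__(self, shared_secret):
        self.chain_key = shared_secret
        self.index = 0
        self.skipped = {}  # message keys kept for late (out-of-order) messages

    def next_key(self):
        # The old chain key is overwritten, so earlier keys cannot be re-derived.
        self.chain_key, message_key = kdf_chain(self.chain_key)
        self.index += 1
        return self.index - 1, message_key

    def key_for(self, n, max_skip=32):
        if n in self.skipped:
            return self.skipped.pop(n)  # each key is usable exactly once
        if n < self.index:
            raise KeyError("message key already used and deleted")
        if n - self.index > max_skip:
            raise ValueError("too many skipped messages")
        while self.index < n:
            i, message_key = self.next_key()
            self.skipped[i] = message_key
        return self.next_key()[1]

def seal(chain, text):
    n, message_key = chain.next_key()
    return n, text, hmac.new(message_key, text, hashlib.sha256).digest()

def verify(chain, packet):
    n, text, tag = packet
    expected = hmac.new(chain.key_for(n), text, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def demo():
    # Constructed stand-in for the secret agreed in the handshake.
    shared = hashlib.sha256(b"constructed handshake output").digest()
    alice, bob = Chain(shared), Chain(shared)
    p0, p1, p2 = (seal(alice, m) for m in (b"hi", b"how are you", b"bye"))
    results = [verify(bob, p2), verify(bob, p0), verify(bob, p1)]  # out of order
    try:
        verify(bob, p0)
        replay = "accepted"
    except KeyError:
        replay = "rejected"
    return results, replay, len(bob.skipped)
```

Calling `demo()` shows three messages verified out of order, a replay of the first message rejected because its key has been deleted, and no leftover keys on the receiving side.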
Signal also uses end-to-end encryption for communication between its users. One should note that Signal's encryption algorithm isn't proprietary or even unique. The encryption software used by Signal is open-source (and used by other messaging apps, including WhatsApp) and available for download on GitHub. This actually allows Signal to be more secure because the open-source software is subject to public scrutiny by developers and security experts.
3. Facebook Messenger - Facebook Messenger, which is Facebook’s built-in messaging service, collects more details from its users. While WhatsApp claims to identify the approximate location of the users, Facebook Messenger collects the exact location. It even reads their browsing and search history, which is why Facebook users often get ads related to products they might have searched for or bought recently. The data collected by Facebook Messenger includes precise location, coarse location, physical address, email address, name, phone number, other user contact info, contacts, photos or videos, gameplay content, other user content, search history, browsing history, user id, device id, third-party advertising, purchase history, financial info, product interaction, advertising data, other usage data, crash data, performance data, other diagnostic data, other data types, advertising or marketing, health, fitness, payment info, sensitive info, product personalization, credit info, other financial info, emails or text messages.
In the case of Facebook Messenger, the messages shared between users aren't protected by end-to-end encryption by default, which means that Facebook, law enforcement, and hackers all have potential access to the content of your communication. To use end-to-end encryption, users have to go out of their way and enable the Secret Conversations feature provided by Facebook. The Secret Conversations feature also uses the Signal protocol to encrypt messages.
4. iMessage - iMessage is an Apple service that sends messages over Wi-Fi or cellular connections to other iOS devices, iPad devices, Mac computers, and Apple Watches. Compared to WhatsApp and Facebook Messenger, iMessage collects a lot less user data. That data includes email address, phone number, search history, and device ID. Apple claims that it uses this data to operate and improve Apple’s products and services.
Apple’s iMessage also provides end-to-end encryption, but one should note that this feature is available only within the Apple user community. Because iMessage users can also message beyond that community, and a data network may sometimes be unavailable, iMessage can revert to SMS when needed, and when it does so, there is no end-to-end encryption. Also, unlike other popular messaging apps, iMessage doesn’t use the Signal protocol, and it is believed that it doesn't offer perfect forward secrecy.
Just like Facebook Messenger, Telegram doesn’t encrypt messages shared between users end to end by default. It provides a feature called Secret Chat for users who want their conversation to be encrypted and secured. Messages in Secret Chats use client-client encryption, while Cloud Chats use client-server/server-client encryption and are stored encrypted in the Telegram Cloud. Telegram uses the MTProto protocol to encrypt messages in Secret Chats. When a secret chat is created, the participating devices exchange encryption keys using the Diffie-Hellman key exchange.
Information we choose to give them such as our username, a password, email address, our phone number, and date of birth;
The information they get when we use their services such as usage info, content info, device info, device phone book, camera and photos, location info, cookies, and log info;
The information they get from third parties. The terms say that Snapchat does not sell personal information to third parties, but the terms do state that Snapchat and third-party partners may place advertising on the services.
Snapchat provides end-to-end encryption as well, but one should note that this encryption is only for the photos shared between its users. Text messages and other messages sent on Snapchat aren’t protected by the same encryption.
With their unparalleled popularity, social media have evolved from platforms for social communication and news dissemination into indispensable tools for professional networking, social recommendations, marketing, and online content distribution. Because of their scale, complexity, and heterogeneity, many technical and social challenges in online social networks must be taken into consideration. It has been widely recognized that security and privacy are critical issues in online social networks. This special issue focuses on how researchers, scholars, and practitioners are collaborating to address security and privacy research challenges.
Every social media application offers a varied set of security features and has a different policy on how it collects and uses its users' personal data. It is up to users to decide how much of their personal information they are willing to give up, and whether they are prepared for someone to end up reading their personal messages, knowingly or unknowingly.
Uday is a research analyst at Copperpod. He has a Bachelor's degree in Electronics and Communication Engineering. His interest areas are Microcontrollers, IoT, Semiconductors, and Memory Devices.