Myth #16: End-to-end encrypted messaging means that pure privacy is protected.
Myth: In an era where privacy is under a constant threat from state and non-state actors, people rely on end-to-end encrypted communication. Popular services such as WhatsApp, iMessage, or Telegram promise to protect our privacy and reassure us that our interactions are “secured from falling into the wrong hands”.
Busted: End-to-end encryption (E2EE) is a strong promise which gives the user (and their peers) a false sense of security and privacy. While E2EE in itself is a great security paradigm, it is probably less obvious to users that the transmission of encrypted messages is only one part of the privacy equation. While law enforcement agencies or companies such as the NSO Group actively seek to exploit endpoint vulnerabilities, privacy is further undermined by incautious user behaviour (e.g. unprotected devices; unencrypted backups) and bad app designs (e.g. storing messages decrypted). (#45)
Here is one less obvious threat model: Have you ever used WhatsApp, Telegram, or iMessage to share an online news article, a Facebook post, or any website link in general? Have you ever wondered about the rendered preview of the content that you are sharing? Usually, it’s an unobtrusive element, displaying the title, a teaser, the URL, and a thumbnail.
Well, this is indeed external content and your messaging app just fetched it from a remote server – without asking you for permission, without masking your identity from a third party, and usually without offering you an opt-out. While link previews might appear convenient, they are a non-trivial threat to your privacy and to the privacy of the recipient of your encrypted message.
The most basic threat is that the link preview reveals your public IP address and your application’s User-Agent to a third party (the content’s host). While desktop email clients usually warn you when there is remote content, mobile messaging apps strangely don’t. If you are merely one among millions of visitors of a website, this might not bother you. However, if you are an investigative journalist or a queer activist who is being targeted by a phishing campaign, you might conclude that your privacy has just been violated and that you have been invisibly put at risk by your messaging app.
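A loopback-only sketch of this disclosure, added here as an example and not taken from the article or from any messaging app: a local server stands in for the content host and records what a preview fetch reveals, while a hypothetical `previews_allowed` setting shows that with previews off no request leaves the device. `ExampleMessenger/1.0`, the URL and all function names are constructed.

```python
import http.server
import threading
import urllib.request

class HostLog(http.server.BaseHTTPRequestHandler):
    """Stand-in for the third-party content host; records what each request discloses."""
    seen = []

    def do_GET(self):
        HostLog.seen.append({"ip": self.client_address[0],
                             "user_agent": self.headers.get("User-Agent"),
                             "path": self.path})
        body = b"<html><head><title>Constructed article</title></head></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence the default stderr access log
        pass

def fetch_preview(url, user_agent):
    """What an automatic link preview does: contact the host directly from the device."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxies
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with opener.open(req, timeout=5) as resp:
        html = resp.read().decode("utf-8", "replace")
    start, end = html.find("<title>"), html.find("</title>")
    return html[start + 7:end] if 0 <= start < end else None

def render_link(url, user_agent, previews_allowed):
    """Hypothetical opt-in gate: with previews off, show the bare URL and fetch nothing."""
    if not previews_allowed:
        return {"url": url, "title": None}
    return {"url": url, "title": fetch_preview(url, user_agent)}

def demo():
    HostLog.seen.clear()
    server = http.server.HTTPServer(("127.0.0.1", 0), HostLog)  # constructed local host
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/article?id=constructed" % server.server_port
    try:
        gated = render_link(url, "ExampleMessenger/1.0", previews_allowed=False)
        log_gated = list(HostLog.seen)   # what the host learned with previews off
        auto = render_link(url, "ExampleMessenger/1.0", previews_allowed=True)
        log_auto = list(HostLog.seen)    # what the host learned from the auto-preview
    finally:
        server.shutdown()
        server.server_close()
    return gated, log_gated, auto, log_auto
```

Calling `demo()` returns the rendered link and the host's log for both settings, so the two cases can be compared side by side.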
There are several harmful scenarios where an actor with access to a server’s logfile or an authoritarian regime capable of monitoring the network traffic can turn the link preview feature into a tool of targeted surveillance. How this can be done has been shown by Justin Seitz (2019), who has documented the behaviour of various messaging apps for the investigative platform Bellingcat.
Truth: The link preview feature in popular end-to-end encrypted messaging apps such as WhatsApp, Telegram, or iMessage discloses your and your peer’s identity to a third party. This is an even bigger problem for messaging tools without E2EE, such as Instagram or Slack. Malign actors can turn this privacy violation into a surveillance and tracking tool.
Source: Justin Seitz, How To Blow Your Online Cover With URL Previews, Bellingcat (2019), https://www.bellingcat.com/resources/how-tos/2019/01/04/how-to-blow-your-online-cover-with-url-previews; Justin Wu and Daniel Zappala, When is a Tree Really a Truck? Exploring Mental Models of Encryption, Fourteenth Symposium on Usable Privacy and Security, SOUPS (2018), https://www.usenix.org/conference/soups2018/presentation/wu.