![]() When building Wickr Messenger we made a conscious decision to prioritize anonymity and understood the cost of this decision. It is a legitimate trade-off to make when network expansion trumps privacy. Ease of contact discovery is certainly preferred when the priority is to grow your user base. Many of the most widely used messaging platforms - secure or not - have made product decisions that drive users, intentionally or unknowingly, to not seek anonymity. In fact, this is where the road forks for every privacy-aware system or product. No network can have both perfect privacy and fully assisted contact discovery. Moreover, it is easy for phone service providers to link phone numbers to the unique IMEI number of the phone currently using the number so just buying and using a fresh phone number alone may still not be enough to decouple one’s real world identity from a phone number. Phone numbers and their owners may be publicly indexed on the web or in phone books. For example, requiring phone numbers as IDs can be detrimental for the anonymity of users whose real world identities are tied to their phone numbers.Īs we know, in many countries anonymous phone numbers are simply not available for purchase. The enumeration attacks can become a real concern if IDs are not thoroughly decoupled from any de-anonymizing information. Thus any network is faced with a trade-off between usability and the anonymity of its users, often expressed through a policy governing what can be used as an account ID. In fact, even without assisted contact discovery other techniques may be available to an attacker so he/she can enumerate IDs with associated accounts. More privacy-aware systems only allow users to upload a one-way hash of each contact’s ID rather than send the ID in the clear.Īn inherent downside to assisted contact discovery is that it enables an attacker to enumerate IDs by creating an address book with a list of potential IDs and joining the network to find matching accounts. Yet, revealing user contacts to the network’s server is bad from a privacy standpoint. ![]() Most social networks also allow users to automatically check which of their known contacts already have accounts on the network. ![]() The idea being that a new user perhaps already has that information for their closest contacts, so why not make it easy to populate one’s address book within the app? To facilitate this somewhat arduous procedure, networks often opt for linking user IDs to pre-existing identifying information such as emails or phone numbers. When a user joins a social network one of her first tasks is to build a contact list. maintaining user privacy and trade-offs this conflict imposes and 2) how Wickr navigates this conflict when making its design choices in both Wickr Messenger and our business products. I’d like to run through some of the points made in various blog posts and comment threads to help our users and public at large understand a couple of things: 1) the inherent conflict between helping users with contact discovery vs. We have been following with interest an ongoing conversation about Signal’s design choice for contact discovery.
0 Comments
Leave a Reply. |