Month: January 2011

In the context of the latest protest in the Middle East, we hear of governments launching man in the middle attacks against social network services — for example, we hear of JavaScript code injection on Facebook in Tunisia.

Many of us are quick to point at SSL as the defense of choice.

Alas, SSL is only as secure as the CAs you trust, and so this is the right time to recall Chris Soghoian’s and Sid Stamm’s work on certified lies (according to Soghoian and Stamm, Tunisia was (is?) one of the governments implicitly trusted by IE!), and the EFF’s SSL observatory.

Many — too many! — parties are trusted by today’s browsers, and the assumption that any particular government isn’t able to intercept your traffic just because the browser’s SSL indicators show up is, unfortunately, not always warranted.

If you’re following TechCrunch at all, then you’ll have seen its coverage of the Viber iPhone app: Another VOIP solution, reputedly with extremely good voice quality, using phone numbers as identifiers. 

When you start the viber app, it’ll actually transmit all mobile phone numbers in your address book to the service, and match them to other Viber users.  You’re then given a menu that shows you those entries in your address books who correspond to Viber users.  All very intuitive and nice, and a great user experience. Who wants five different phone books that aren’t in synch?

But, of course, there are a few questions to be asked here: What does Viber do with those data?  Am I signing up my colleagues and friends for free telephone harrassment? What if I change my mind and move on? What’s the business model? (apparently, spending VC money and coming up with value added services later)

Cue the viber privacy policy.  It’s pleasantly short, doesn’t come in unreadable gray small print, and sounds fairly reasonable as far as the use of the address book data is concerned.  That’s all very good.

But then there’s this: “Viber also maintains call and connection logs to the system. These logs contain your internal Viber identification which is a combination of your account identification (i.e., your phone number) and Apple Unique Device Identification (“UDID”) or Android Device ID. All call and connection logs are maintained indefinitely.”  Traffic data retention, here we come.

The lessons?

At least two come to mind.  The first one is that, as network applications offer useful services based on highly private data (like my address book), they need to be extremely clear about the implications. When I first tried Viber, it didn’t tell me anything about the way in which those data would be used. While Viber’s privacy policy is fairly reasonable as far as the contact data are concerned, I needed to search for it online. I shouldn’t have to, the app should be clear right away about what it promises (or doesn’t promise).

The second one relatest to data retention. NGOs like EDRI are rightly upset at EU plans at long-term and broad telecommuniations data retention. But what does this particular game look like with VOIP companies? Some players, like Google Voice, give users a lot of control, and (beyond that) make sure they anonymize call data that they keep for their own purposes. Some players (like Skype, or Apple with FaceTime) are less than clear on what happens to call histories.  Yet others, like Viber, retain your communication behavior indefinitely, without any anonymization, but at least tell their users, if they know where to look.

It’s a shame that, as users of these services, we can’t just assume that call histories will be treated as the highly sensitive data they are.  It’s also a shame that we apparently can’t even expect to be told up front (and outside a policy document — even a well-written one) what the VoIP service providers will do with those data.  That needs to change.