Wednesday, April 22, 2020
As part of a project by Free Press Unlimited for a mobile version of Publeaks, the Centre for Innovation at Leiden University conducted research into the metadata risks surrounding the use of communication platforms such as WhatsApp, Signal and Facebook Messenger.

In Secure Communications Networks, the researchers set out a method for assessing these apps based on how they collect and produce metadata. Read more about the study and find the whole report here. We asked Free Press Unlimited information security and technology officer Hisham Almiraat, who reviewed the study, why metadata matters.

Why is it important for all of us to know more about metadata in communications apps?

Almiraat: When you communicate through instant communications apps such as WhatsApp, Signal and Facebook Messenger, it’s almost like sending a letter inside an envelope. Only you and your recipient can see the content of your message. But in order for the message to be delivered, some information, like its destination, needs to be put on the outside of the envelope, where it can be potentially visible to anyone. That’s what metadata is.

Some companies collect more information than is strictly necessary, for example for reasons related to their business model. This is not necessarily ill-intentioned, but it’s important for users to know what kind of information they give away when they talk to someone through such apps.

This research is linked to Publeaks Mobile. How can it benefit journalists who work with whistleblowers?

Almiraat: Investigative journalists who want to provide an easy way for people to reach out to them, without potentially giving away their identity, can face a dilemma. WhatsApp is very commonly used and easily accessible. It’s also a very solid and secure service if you want to protect the content of your messaging. But it’s not such a good service when it comes to metadata. It collects metadata about, for example, the phone number used and the operating system on the phone.

An engineer working for, say, Facebook (the parent company of WhatsApp) with access to this data could potentially connect the dots and identify someone. Because Facebook is based in the US and falls under US jurisdiction, the FBI, or any other US law enforcement agency, might, with a proper warrant, be able to force the company to hand over information about users. If a journalist feels this could compromise the security of their source, they should consider using a different communications app, like Signal, which encrypts its metadata.

Many of us are currently working from home due to Covid-19, and are extra reliant on online communications apps. Is there anything we need to keep in mind when we organise videoconferences with our co-workers?

Almiraat: When UK Prime Minister Boris Johnson tweeted a picture of his cabinet meeting using videoconferencing tool Zoom, it created a lot of fuss. A lot of people started asking how safe it is to use such apps. Right now, Zoom does not use end-to-end encryption, meaning that a third party could potentially listen in. Zoom has promised to solve the problem, but it should make you wary.

If you’re going to an online pub quiz, there’s no issue with using Zoom. If it’s a serious conversation, be circumspect about what you say if you use Zoom. If the meeting is confidential, you could consider switching to Jitsi, which might be less user-friendly or less performant than Zoom, but because it is open source, anyone can host it themselves, which removes the risk of any third party accessing your calls.