Issue 62

Don't backup your conversations

This is a bit of a public service announcement: if you use any instant messenger (WhatsApp, iMessage, etc.), whatever you do, do not enable automatic backups. If you need to back up your conversations, do it yourself. When prompted with a screen similar to the one below, click "No", "Never" or any other option in that vein.

Why? This is why:

Apple Inc dropped plans to let iPhone users fully encrypt backups of their  devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.

The tech giant’s reversal, about two years ago,  has not previously been reported. It shows how much Apple has been  willing to help U.S. law enforcement and intelligence agencies, despite  taking a harder line in high-profile legal disputes with the government  and casting itself as a defender of its customers’ information.

There's also this from last year:

Facebook-owned  instant messenger WhatsApp has admitted that it's storing unencrypted  backup data on Google Drive... the act of encrypting the data between  WhatsApp and Google is not part of the end-to-end encryption that the  company offers for its conversations.

If you believe  Facebook, WhatsApp is end-to-end encrypted (I certainly won't until it  reveals its source code). But what most people don't know is that if  you've enabled automatic backups - whether to Google Drive, Apple's  iCloud, whatever - they're exported in plain text and encrypted with the  company's private key, not yours. That effectively allows them to scan  your conversations, package them up with all the other information they  have about you, and sell it all to the highest bidder.

Or in the case of a government request, hand it over for free.

So  once again: if you must use the products offered by the FAANGs, don't  let them store your backups. Better yet, ditch them altogether. It's not  like there aren't plenty of open source, privacy-friendly alternatives  out there (Signal Messenger is a widely used alternative, with Riot a lesser known, decentralised option).

Enjoy the rest of this week's issue. Cheers,

— Justin


Other bits of interest

Google is evil

Last  week, Google began rolling out a new look for its search results on  desktop, which blurs the line between organic search results and the ads  that sit above them. In what appears to be something of a purposeful  dark pattern, the only thing differentiating ads and search results is a  small black-and-white “Ad” icon next to the former. It’s been formatted  to resemble the new favicons that now appear next to the search results  you care about. Early data collected by Digiday suggests that the  changes may already be causing people to click on more ads.

Look,  Google - or rather, Alphabet - is first and foremost an advertising  company. It sells the top few results on Google's search page to  companies in the hopes that you click through to their respective  websites rather than those dug up organically by the Google algorithm. I  don't have a problem with it improving how that process works; I  couldn't care less if every result was an advert. If people  don't like having adverts shoved down their throats then they can use  one of the many Google competitors out there, such as DuckDuckGo.

That or pressure Google into backtracking, which it has already done.

The European Union is off the mark, again

The European Union is seeking a temporary (3-5 year) ban of facial recognition technology and many US states have already banned it. But as Bruce Schneier writes, facial recognition is just one small piece of the privacy puzzle:

[Facial recognition is] just one  identification technology among many. People can be identified at a  distance by their heart beat or by their gait, using a laser-based  system. Cameras are so good that they can read fingerprints and iris  patterns from meters away. And even without any of these technologies,  we can always be identified because our smartphones broadcast unique  numbers called MAC addresses. Other things identify us as well: our  phone numbers, our credit card numbers, the license plates on our cars.

Banning facial recognition is a knee-jerk reaction that does not attempt to weigh the costs and benefits of the technology. We hear a lot about the costs, but what about benefits such as finding missing persons, identification (i.e. no need for keys), facilitating payments, and so on? These bans do very little to eliminate the privacy costs of the technology (instead of facial recognition, companies will use the next best means to surveil us) but they eliminate all of the potential benefits.

That's all for now.


Issue 62: Don't backup your conversations was compiled by Justin Pyvis and delivered on 28 January 2020. Feel free to send feedback, suggestions for future issues, ideas, insults, or pretty much anything that crosses your mind to their Keybase or Riot.im account.