I was watching The Social Dilemma on Netflix earlier this month and highly recommend it. The quintessence of the film is that today’s technology that connects us also monetizes us, or even controls us, with frightening consequences. Although we are aware of that already, and in general of the fact that nothing is for free on the internet, we still do not want to face the truth.

Tristan Harris, who started the Center for Humane Technology, together with Aza Raskin and Randy Fernando, makes the situation we are in pretty clear by explaining that “it is not about the technology being the existential threat, but the technology’s ability to bring out the worst in society.” The movement calls for critical thinking and questioning the use of social media platforms by pointing out that they are designed to manipulate its users.

Unfortunately, we tend to ignore the consequences as best we can or accept them out of convenience. But what was most disturbing while watching the film was finding out how far Facebook & Co go to monetize their users.
“If the product is free, you’re the product”, Tristan Harris highlights, and while most people are aware that they’re being mined for data when using social media platforms, it’s shocking to hear how deep the probe goes. Legally, without hacking, personal information and individual preferences are revealed that can be used for behavioral predictions and manipulation.

Check privacy settings

While the film focuses on social media platforms, researchers from the University of Darmstadt and the University of Würzburg warn that popular mobile messengers, such as WhatsApp, disclose personal data through contact discovery services that make it possible to find contacts using telephone numbers from the personal address book. According to the German experts, methods that are currently used to establish contacts pose a massive threat to the privacy of well over a billion users. By means of very few resources, the team was able to carry out workable crawl attacks on the popular messengers WhatsApp, Signal and Telegram. The experiments show that malicious users or hackers can collect sensitive data on a large scale and without significant restrictions by requesting random telephone numbers from contact discovery services.

For their study, the researchers queried 10% of all cell phone numbers in the US for WhatsApp and 100% for Signal. In this way they were able to collect personal (meta) data as it is usually stored in the user profiles of the messenger, including profile pictures, usernames, status texts and the "last online" time. The analyzed data also revealed interesting statistics about user behavior, such as the fact that only very few users change the default privacy settings, which are not at all privacy-friendly for most messengers.

It is all about the attack strategy

According to the German research, around 50% of WhatsApp users in the US alone have a public profile picture and 90% have a public info text. Interestingly, 40% of all those registered with Signal also use WhatsApp and half of them have a public profile picture there. Obviously, tracking such data over time can help attackers create accurate behavior models.

If the data is compared with social networks and other public data sources, third parties can also create detailed profiles and use them, for instance, for scams. Regarding Telegram, the researchers found that the contact discovery service also reveals sensitive information, such as users’ phone numbers that are not registered with the service.

The information that can be revealed during contact identification and collected via crawling attacks depends on the service provider and the privacy settings selected: e.g. WhatsApp and Telegram transfer the user's complete address book to the respective server, while privacy-protecting messengers like Signal only transmit short cryptographic hash values of phone numbers or rely on trustworthy hardware.

Anyway, the German research teams showed that with the help of new and optimized attack strategies it is still possible to infer the associated phone numbers from the hash values in milliseconds. Even more disturbing is the fact that since there are no significant hurdles to registering with such messengers, third parties can create a large number of accounts and search the user databases of a messenger for information by requesting data for random telephone numbers.
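The two points above, that hashing a phone number does not hide it because the number space is small enough to enumerate, and that a discovery service with no per-account limits can be queried for random numbers at scale, can be made concrete with a small added example. This is illustrative code written for this page, not the researchers' tooling or any messenger's implementation; the prefix, number space, registered number and the rate-limiting design are constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Constructed toy number space (not real numbers): one fictitious prefix
# followed by five digits, i.e. 100,000 candidates. Real mobile number
# spaces are larger, but still tiny next to a 256-bit digest.
PREFIX = "+1555"
NUMBER_SPACE = 100_000


def number_hash(phone: str) -> str:
    """Unsalted SHA-256 of a phone number, as a naive discovery client would upload it."""
    return hashlib.sha256(phone.encode()).hexdigest()


def search_space_bits(space: int = NUMBER_SPACE) -> float:
    """Entropy of the identifier space in bits. A 256-bit digest of a
    ~17-bit input protects nothing: every possible input can be tried."""
    return math.log2(space)


def reverse_number_hash(target: str, prefix: str = PREFIX, space: int = NUMBER_SPACE):
    """Show why the hash is not a secret: walk the whole (toy) number space
    and compare digests. Returns (number, candidates_tried), or (None, space)."""
    for i in range(space):
        candidate = f"{prefix}{i:05d}"
        if number_hash(candidate) == target:
            return candidate, i + 1
    return None, space


class RateLimitedDiscovery:
    """Hypothetical contact-discovery service. It answers 'registered' or
    'unknown' for a hashed number, but caps how many lookups one account
    may make per time window: the server-side control that makes bulk
    querying of random numbers expensive. Not any real messenger's design."""

    def __init__(self, registered_numbers, max_lookups: int, window_seconds: int):
        self.registered = {number_hash(n) for n in registered_numbers}
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.log = defaultdict(list)  # account_id -> timestamps of recent lookups

    def lookup(self, account_id: str, hashed_number: str, now: float) -> str:
        # Drop timestamps outside the window, then check the cap.
        recent = [t for t in self.log[account_id] if now - t < self.window]
        self.log[account_id] = recent
        if len(recent) >= self.max_lookups:
            return "rate_limited"
        recent.append(now)
        return "registered" if hashed_number in self.registered else "unknown"


if __name__ == "__main__":
    target = number_hash("+155512345")  # constructed sample number
    print(f"identifier space: {search_space_bits():.1f} bits")
    print("recovered from hash:", reverse_number_hash(target))
    svc = RateLimitedDiscovery(["+155512345"], max_lookups=3, window_seconds=60)
    for i in range(5):
        print(svc.lookup("acct-1", number_hash(f"+15550000{i}"), now=100.0 + i))
```

Running it recovers the constructed number from its digest after about 12,000 comparisons, and the fourth lookup from the same account inside the window is refused. Hashing alone is therefore not a privacy measure for low-entropy identifiers like phone numbers; it has to be paired with server-side limits on who may ask how often, or with the trusted-hardware approach the text mentions.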

This all sounds a bit frightening, since the dilemma we are in is becoming clear: we want to use services that connect us with others, but we also demand absolute privacy. Well, there is no silver bullet yet. Just stay alert and mindful when making use of digital services.

By Daniela La Marca