Secure messaging: The importance of metadata-private messaging08 Oct 2020 | Enrique Pena
The rise of the data economy is driving enormous value by collecting, sharing, using and monetising data. It has already enabled the building of global digital empires whose services we happily use and benefit from every day, throughout our day. As technology advances and the use increases, we become more and more dependent on it. Our dependence, however, makes us more vulnerable to security threats. From internet browsing to search engines, social media and messengers - even state-sponsored mass-surveillance programs - many outlets are collecting sensitive information about their users and the communication between them. And more often than not, the users know nothing about it. The world has become more connected, collaborative, proactive, and so on, making privacy increasingly harder to maintain.
The data economy brought the idea of data privacy and data security into everybody’s consciousness, both of which have become leading topics in the media and among regulators as well. This change has motivated messaging developers to deploy publicly available, consumer-grade messaging with end-to-end encryption, which hides the content of the messages from anyone who might be monitoring the communication. This is a major development in the messenger market and of great benefit to consumers.
End-to-end encryption in messenger apps, however, does not always mean the metadata of the communication is protected. Anyone capable of tapping into the communication can theoretically gain access to collected metadata such as the timing of the conversation, who is chatting with whom, the conversations’ traffic volumes and the identities of the devices. Metadata is sometimes just as important as the sensitive content of the messages.
Intelligence organisations have a substantial interest in metadata, even for encrypted conversations, since it often makes the need for the actual content irrelevant. Metadata reveals a lot about the underlying content. As an example, by combining and analysing data points, government agents can deduce that just the existence of a conversation between two suspected criminals may be enough evidence to be considered actionable intelligence. If your adversaries are after your business secrets, they may be able to gain insight by accessing your metadata.
Data security and data privacy are often used interchangeably, but they are distinctly different. Data security protects data from compromise by external attackers and malicious insiders, while data privacy governs how data is collected, shared and used. In the case of messenger apps, the problem is not the protection of the conversations with encryption, the problem is the collection of metadata and whether data privacy is properly protected. Data security alone is not sufficient to ensure a messenger app is adequately protecting a user’s data privacy.
The secure handling of metadata is an essential component of the products and services offered by digital services providers. Metadata is any collected information that does not directly expose sensitive information but can be used to expose information about you. It is sometimes called ‘data about data’. It is in a form that cannot personally be identifiable to you. This due to the fact that the laws and regulations of many countries forbid the collection of personally identifiable information. Which leads to the question: If my metadata is not personally identifiable, does this not mean data privacy is properly protected?
The value of metadata comes from its potential to be refined into insights and knowledge about you - or for hackers, to learn what your organisation’s staff is collectively doing and when they are doing it. If you add consent, automation, algorithms and analysis to the recipe, and you have big data collecting enough information to develop a startlingly accurate picture of what you do and when you are doing it. Big data has the capacity to search, aggregate and cross-reference data sets (big or small) where ‘big’ refers to the economic worth of the data commodity. The end product, a detailed profile of you, is then sold to digital advertising companies that can use this information to do things like target advertising to you. There is a continuous intensification of effort to provide further refinement of your detailed profile using more and more sophisticated analytical tools and interconnected datasets.
Unfortunately, data privacy is often underestimated or passed over by IT and information security teams who routinely allow staff to use publicly available, consumer-grade messengers. Encryption alone is just simply not sufficient to ensure user or business privacy. It is essential to understand that security and privacy are two distinct things. As mentioned, security is about the safeguarding of data, whereas privacy is about safeguarding the user’s identity. Keep in mind that both are essential. Interestingly, you can have data protection without data privacy, but you cannot have data privacy without data protection. When privacy is enhanced, so is security.
Private communications over the internet continue to be a difficult problem. Even if messages are encrypted, it is hard to deliver them without revealing metadata about which pairs or groups of users are communicating or exchanging content. It is vital to start managing these risks now and making privacy a fundamental part of your organisation’s DNA. At Digital14, we can help you assure that the process you take in protecting your organisation’s communications has a holistic security and privacy approach.
We have developed the KATIM® Messenger application, a cross-platform chat, file-exchange, audio and video conference power tool, so that organisations can communicate with absolute certainty of privacy - it collects no metadata whatsoever. Contact us at Digital14 for a demo, and we can help you take steps to validate your secure communications assumptions and make enhancements to help ensure that trust can be maintained before it is broken.
Connect with us