I've been reading a lot of blog posts, reviews and user feedback about
TS lately.
At least in Europe many people really aren't comfortable with the fact
that it's currently not possible to opt out of uploading all phone
numbers to the TS server, myself included.
This is also not something only the crypto nerds (I mean that in a very
positive way!) complain about, but also many average users. Probably
because it's one of the few things they really understand in the
difficult landscape of privacy and security. And especially the
uninformed are very anxious when they are asked to give all their
contacts away. They wouldn't give their own number to any stranger on
the streets and now they are supposed to give some strangers on the
internet all of their friends' numbers? The internet is the place where
all the Russian cybercriminals steal their money and evil smartphone
apps are the way they get the TANs for the banking accounts, right?
This argument is typically used in conjunction with something along the
lines of "they are using US(=NSA) servers, oh no!".
The second complaint may not be of any factual difference for the safety
of the messages in a good crypto system, but that doesn't matter. It's
repeated over and over again in blogs and reviews.
Allowing users to opt-out is one of the easier things we can do to make
privacy-aware users happy (and kill the US-server argument once and for
all).
I am aware of https://whispersystems.org/blog/contact-discovery/ and #692 and would like
to discuss the possibilities we have to increase the privacy of the TS
contact discovery process.
It appears that we are currently waiting for the silver bullet to be
discovered, which probably won't happen any time soon.
Below I listed the simplest solutions I could think of, which appear not
to be overly complex to implement, but still give a good balance between
effort and privacy. If you have other/better proposals, I'm all ears!
1. Allow the user to opt-out and download the whole bloom filter.
2. Allow the user to opt-out and download a subset of the bloom filter
based on the country code of the contacts. Realistically most people
don't have contacts from more than 1-3 countries. It's a little less
private and people with contacts from India, China and the US won't be
much better off data volume wise, but most users will.
3. Allow the user to opt-out and manually upgrade to push from the
settings menu. This would typically only be used if the user knows the
contact to be registered. This doesn't leak any information about
unregistered users to the server and is basically what Threema does IIRC.
If we end up using 1. or 2., updates could be provided with tiny
daily/hourly builds. This way the client only needs to know the
global/server time + age of his database and can grab only the updates
he's missing.
If somebody needs to try push messages with the friend that just
installed TS, because he told him about this great and secure app, we
simply allow the user to do the manual upgrade from 3.
The privacy-minded users will sacrifice the 40MB+ volume or do it when
they are on wifi. I know dozens of people who downloaded gigabytes of
OSM maps for OsmAnd.
When other identifiers like emails are allowed
(#1085) we are
obviously in for another ride. The easiest solution would probably be #1259 and allowing
the user to enter the identifier manually if they aren't in the same
location.
Email addresses could be imported from the Android address book and
upgraded via 3. though.
The preferred "privacy friendly" setting should be preselected if #838 is
implemented.
Thanks for taking the time to read this, I'd appreciate all input!
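As an illustration of proposals 1 and 2 above (a downloadable Bloom filter, optionally partitioned by country code so a client only fetches the parts it needs), here is an added example in Python. It is not TextSecure's code: the `BloomFilter` class, the `build_filters`/`discover_locally` functions, the tiny prefix table and the sample numbers are all constructed for the demonstration.

```python
# Added example: Bloom-filter contact discovery, partitioned by country code.
# Not TextSecure's code; all names, the prefix table and the sample numbers are
# constructed for illustration.
import hashlib
import math
from collections import defaultdict


class BloomFilter:
    """Fixed-size Bloom filter sized for n_items at a target false-positive rate."""

    def __init__(self, n_items: int, fp_rate: float) -> None:
        n_items = max(1, n_items)
        # Textbook sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        # A floor of 64 bits keeps tiny filters from being dominated by rounding.
        self.m = max(64, math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Double hashing (Kirsch-Mitzenmacher): k indices from one SHA-256 digest.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so the stride is never 0
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        # Answers "maybe" (all k bits set) or "definitely not"; never a false negative.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


# Hypothetical prefix table; a real client would use a full E.164 country-code lookup.
COUNTRY_PREFIXES = ("1", "44", "49", "86", "91")


def country_code(e164: str) -> str:
    for cc in sorted(COUNTRY_PREFIXES, key=len, reverse=True):  # longest match first
        if e164.startswith("+" + cc):
            return cc
    return "other"


def build_filters(registered_numbers, fp_rate: float = 1e-4) -> dict:
    """Server side: one Bloom filter per country code over the registered numbers."""
    by_cc = defaultdict(list)
    for number in registered_numbers:
        by_cc[country_code(number)].append(number)
    filters = {}
    for cc, numbers in by_cc.items():
        bf = BloomFilter(len(numbers), fp_rate)
        for number in numbers:
            bf.add(number)
        filters[cc] = bf
    return filters


def discover_locally(address_book, server_filters: dict):
    """Client side: fetch only the filters for the country codes present in the
    address book, then test every contact on the device. The server learns the
    requested country codes but never the contacts themselves.
    Returns (probably_registered, requested_country_codes)."""
    requested = sorted({country_code(n) for n in address_book})
    downloaded = {cc: server_filters[cc] for cc in requested if cc in server_filters}
    hits = [n for n in address_book
            if country_code(n) in downloaded and n in downloaded[country_code(n)]]
    return sorted(hits), requested


# Constructed sample data (not real numbers).
REGISTERED = ["+4915112345678", "+4917612345678", "+441234567890",
              "+12025550123", "+919876543210"]
ADDRESS_BOOK = ["+4915112345678", "+4917600000000", "+441234567890", "+14155550100"]

if __name__ == "__main__":
    filters = build_filters(REGISTERED)
    hits, requested = discover_locally(ADDRESS_BOOK, filters)
    print("requested country-code filters:", requested)
    print("contacts probably registered:", hits)
```

Two properties matter for the privacy argument: a contact that is registered is always found (a Bloom filter has no false negatives), and the only thing the server observes is which country-code partitions were fetched, not a single number. The costs are the ones the post already weighs: filter size grows linearly with the registered user base, a small false-positive rate means a client may occasionally believe an unregistered contact is reachable, and whoever holds the filter can test arbitrary numbers for registration.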