Who else is reading my messages to you?

I have never been a Facebook user. I think that surprises a lot of people, but it’s true. I heard about Facebook around 10 years ago in the midst of an intercontinental move and a big career change. It sounded too much like the high school snobs invading my refuge of online communities, and so I didn’t pay any attention. When it caught on among pre-teen and post-fifties users, and everyone in between, we took a look and decided it was way too ugly to spend any time with. Then privacy concerns started to arise:

  • intensely personal stuff leaking out onto advertisers’ radar, or into public view
  • drastic revamps of data collection policies in quick succession
  • user-unfriendly opt-out mechanisms

A lot has changed, of course. Facebook hold-outs are the exception now, not the norm. Just so we’re clear: I’m not judging anyone. 1 It’s got broad appeal and usefulness for a lot of people, and I miss out on a fair amount of social info by staying away from it.

[Image: I am not Ted]

My Facebook abstinence may seem on the surface like just one step down the kooky road to technology paranoia. I’m interested in the technology of communication primarily, but secondarily uncertain about the implications of big companies and their privacy policies. And the recent purchase of WhatsApp by Facebook doesn’t leave me with a warm fuzzy feeling of trust that you and I are the only ones reading the messages we exchange.

What have I got to hide?

I am sure I don’t have any need to hide my communication from any foreign or domestic government agency. I’m not running a spy ring or acting as a go-between for any freedom fighters, resistance movements, terrorist cells … um, dubious third parties. But I’m not sure I trust those big companies (Facebook, Google, Microsoft, Apple) and also smaller ones (Dropbox, LinkedIn, Xing, perhaps Twitter)

  1. to handle my data with MY best interests in mind, and
  2. to keep my stuff 2 safe from external prying eyes

What’s in it for me?

[Image: Clippy letter]

Who benefits when their machines read my stuff? They suggest new professional contacts or funny tweeters to follow or car rental agencies for that next vacation we’re thinking about. To a rather limited extent, I guess that’s a perk for me. More often though, when I want more, I seek it out myself. I tend to get annoyed when a real, live person pigeon-holes me directly — I find such behavior by a machine intensely disturbing. But I think they stand to gain a lot more than I do. Maybe that’s the cost of using those otherwise-free services. I read somewhere that when a profit-oriented company offers you a free product or service, YOU are the commodity being exchanged. At least Clippy gave you the option to tell him to take a hike. Buying a license to use that software resolves any qualms I might have about that.

What am I going to do about it?

I’m not turning into a recluse or a vigilante or an rms-acolyte (despite my choice of selfie above and the recent beard). But I am considering my choices of technology providers perhaps more carefully than I or others have in the past. Using Threema instead of WhatsApp is part of that.

I read a couple of good articles on this topic recently:

Threema keeps your short messages encrypted all the way from your mobile device (Android or iOS) to the recipient. It’s a tiny company making smart choices about the technology they use to ensure that. They can’t turn over your message contents to any other party (governmental or hacker), because they can’t.

  1. They don’t log them.
  2. Even though the messages temporarily reside on one of their servers while awaiting retrieval by the recipient, they are in an encrypted state, and only the recipient can decrypt them.

Yeah, but what about email?

Another part of that security-conscious electronic communication is using email in an encrypted way. That’s much harder to implement: effective security is not simple, and vice versa. 4 While you can use Threema to send short text messages or videos or pictures from your phone (or iPod touch, though I haven’t tried that yet) à la WhatsApp, you can’t use it to send just any file securely. Encrypted email is a really good choice for that.

Other apps and services?

Skype (owned by Microsoft), Facetime (owned by Apple), Google Talk (owned by…you know), LinkedIn, Last.fm, Spotify also potentially capture stuff about me. And I have explicitly signed up for that. Do I mind? Yes, but not enough to not use their services. When it’s pure text, written by/to me, I see a bigger risk of invasion of my privacy than what could come of

“We noticed you like Led Zeppelin. How about this Allman Brothers Band playlist?”

If Facetime or Skype starts parsing my phone calls with my parents (is that even possible? Let’s ask Siri.), you can be sure I’ll find another way. I don’t use the other social networking services much. I peek in there every now and then to see if I’m missing something. So far, so good.

And the Regensblog? Twitter?

Those are intended for public consumption, but the content is supplied by the end user. 5 We’re conscientious about not revealing more about ourselves via those services than our comfort levels allow. So extra layers of technical security seem pretty useless there.

Does this mean I’m not going to use WhatsApp anymore?

Not really. It means I’m going to prefer other means — Threema for now, but if something better comes along, I’d consider that, too — but I’m not ready to cut myself off from the majority of WhatsApp users. The bottom line is that this topic doesn’t stick in everyone’s craw, but that doesn’t mean I want to lose touch with them. If you have my mobile phone number, you can still reach me on WhatsApp, but be prepared for me to suggest we keep it just between you and me.

What’s your take on all this?

Am I way off-base here? Idealistic beyond any realistic expectation? How have you managed to reconcile your own sense of privacy with the desire to stay in touch with friends and family? I would love to hear another perspective. Let’s chat. Right here, out in the open.

  1. Except Facebook, and similar companies with too much interest in my details, I guess.
  2. What kind of stuff? Travel plans, insurance policies, bank statements — super boring stuff, unless you’re perpetrating identity fraud, right?
  3. German for “Threema: an app to annoy the NSA”
  4. Still, if you would like to exchange email with me and guarantee that no one else can read it — neither a governmental agency nor a hacker infiltrating a mail server — let me know and I am happy to help you set it up. It can work nearly seamlessly in email programs on Windows, Mac OS or Linux alongside plain old email traffic. For a lot of people, the big catch is that encryption is hard or impossible to implement on top of webmail systems like Gmail or Yahoo! mail, but the barrier to entry is much lower on stand-alone mail clients like Apple Mail, Microsoft Outlook or Mozilla Thunderbird.
  5. It stings when you accidentally confuse a public tweet and a direct message, but an ID-10T error can happen to anyone.

5 thoughts on “Who else is reading my messages to you?”

  1. shoreacres

    You’re not alone. I’m not on Facebook, either, and neither are many of my friends. I was on the service for about six weeks, but never used it. I left because of privacy concerns, as well as the fact that it could become an obvious time sink. I watched otherwise reasonable people checking their timelines every five minutes and thought, “If it happened to them, it could happen to me.”

    Beyond that, I never could answer the question, “What is the value of this service for me?” I learned that line about “if it’s free, you’re the product”, and that was the end of that.

    I do use Gmail, but otherwise have gotten myself off all Google products. I’ve discovered that “likes” on youtube can substitute for a history if you’re not registered, but in a fit of Pleistocene-like pique, I started copying videos I really, really like to my hard drive, and keeping a file of their URLs.

    Otherwise? I’m on LinkedIn, and I’m about to delete that account. If I were in the business world, it might be worth while, but keeping up with professional varnishers isn’t very high on my list. And I am on Twitter, although I only tweet when I have a new post up on my blog — and sometimes I forget to do that. I’m not very good at self-promoting. ;)

    I will purchase things online, but I use a dedicated credit card backed up by an old, no longer active bank account. And I do all my bill-paying with little paper things called envelopes and stamps.

    Oh – and I’ve switched from Google search to Duckduckgo or Ixquick. Both are good enough for my purposes. The image databases aren’t as complete, but that’s a small issue.

    One last thing: I don’t text, and I don’t have a smart phone. My old flip phone will send a text or receive one, if need be, but there’s no web access and no geolocating capability. And no – I don’t use a GPS.

    Amazing that I can even get breakfast for myself, isn’t it? ;-)

    1. cliff1976

      Paper for bill-paying!? That was already passé by the time papascott moved to Germany. Without EFT in Germany, you’re stuck. But I’ve noticed that it still seems acceptable for the U.K. and perhaps France. Who else is still using paper checks — and I don’t mean cash, though that is a sort of bearer bond, right? — to transfer money around on a consumer level?

      I like duckduckgo.com for searching too. Ixquick is a new one for me, I’ll have to look into that.

  2. papascott

    Facebook is a pain in the ass, to be sure, but in our business we have to know about it and know how it works. For one, our customers use it, so our brand markets on Facebook and we have to know how our money is being spent. For another, our employees use it, which can (and does) evolve into cases of mobbing or harassment (it’s the new way to take your work home with you!), which we have to follow up on when brought to our attention. So we have to at least dabble with FaceBook, plus we have a few casual contacts who are to be found only there.

    I do find the German reaction to WhatsApp amusing… several security vulnerabilities over the past months don’t faze them, but an announcement of a takeover by FaceBook makes it suddenly unsafe. Healthy skepticism is, well, healthy, but I don’t believe large firms are any more or less evil than small firms, or that FaceBook is any more evil than Google, Apple and co. Everyone is out there to make money.

    Would I trust Threema just because its independent Swiss co. maker says it’s secure? No, even if their model seems valid. I’d like to see some independent verification of their security model, which may be difficult for a closed-source mobile app. Maybe with their sudden growth their security model will come under scrutiny and be tested. In the meantime it’s worth trying.

    1. cliff1976

      Oh sure, in your line of work, you can’t afford Facebook Abstinence. I wonder how you, as an employer can/must get involved regarding employees’ well-being in online communities. Your involvement is clear when it happens on your premises or at off-site company events, but cripes — where does it end? Apparently not at the firewall.

      I don’t believe large firms are any more or less evil than small firms, or that FaceBook is any more evil than Google, Apple and co. Everyone is out there to make money.

      Yeah. Maybe it’s irrational, but my gut goes with the little guy more than big dogs on this one. Is Threema less evil than Facebook/Google/Apple/Microsoft? Maybe not. But the sheer amount of evil they could wreak has got to be less owing to their smaller market share. Sarah put it in terms I like:

      It feels like Google has shifted from “Don’t be evil” to “Don’t seem evil.”

      Regarding Threema and OSS: I agree, independent verification gives me the best sense of security about their security. They had to choose between going fully open-source, and risking copycatters swooping in, and staying closed-source with the prospect of independent verification costing a pile-o’-cash (to be paid via SEPA EFT, surely). Maybe after the Germans’ mistrust of Facebook has injected enough cash into Threema an independent security certification will be possible for that little 3-person company (which, by the way, is not the origin of the name) and those lingering security concerns — which I also share — will be put to rest.

      In the meantime though, the counter-measures to the AOLification of teh intarwebz in all its forms are little dots of hope for me that there are still options for those of us stopping to raise an eyebrow at the mainstream.

  3. cliff1976

    Looking to secure your email? Here are three ways, on three major OS platforms. These plugins make it so easy. I don’t get why more people aren’t using it as a matter of course. The only drawback I can see here compared to unsecured email is that your searches for old email content will only return hits based on the subject lines and sender and recipient addresses.
