Contact discovery: Finding friends without foes
August 09, 2021 / Alex LintonPrivacy
Messaging platforms aren’t useful if there’s nobody there to read your message. That holds true for every single piece of communication technology, whether it’s smoke signals, telephones, or Session. The social network rules all. The more people you know using an app, the more likely you are to use it. This is a well established fact in the tech world, and everyone is tweaking and designing their apps and services to try and hitch their wagon to the fabled network effect.
Generally, the network effect is spoken about in positive terms —the network effect can help you grow, the network effect is key to user retention, the network effect is how unicorns are born—but there is another, darker side of the network effect coin. The network effect helps concentrate more and more value into apps as they grow. More users, more value. But there’s a tipping point where an app becomes so large, so massive, that it creates a gravitational pull which prevents users from leaving. This is one of the biggest reasons people don’t move across to privacy-focused alternatives — they’d be leaving behind all the people they want to interact with, and that’s too much of a sacrifice. Everyone knows someone who still uses WhatsApp because ‘everyone is on it’. It’s the flip side of the network effect that ends up stopping better versions of established services falling flat on their face. When it’s working for you, the network effect can make your app grow faster than any advertisement, endorsement, or innovation. When it’s working against you, the network effect can banish your app to the shadowy depths of the app store.
The early days: Pseudonymous chat rooms
As the internet started becoming a tool for direct communication in the 1990s, it was IRC chat rooms, AOL instant messenger, and email that sprung into life. People would trade details with others they knew in real life, or just chat with anonymous internet strangers. In chat rooms, people were known by internet handles that were disconnected from their real identities. You weren’t Jane Smith from Skaneateles, New York, you were [email protected].
At the time, the internet was a much smaller place. It was full of some people you knew in real life, and a lot of people who you’d never know outside of cyberspace. Most of the time, people’s real-life social circle was wider than their pool of ‘online’ friends, you might have a few friends you’d login and chat with on MSN messenger, but that person you met at a party one time wasn’t sliding into your DMs. People had their real-life identity, and their online identity. It worked well for a while, but as the internet became a core part of our personal and professional lives, people’s real-life and online identities were funnelled into the same pot.
The social network: Public posting and online sharing
As Facebook, Twitter, and Instagram became social media goliaths, the real/online merger became unavoidable. People signed up to Facebook with their real names. Posted pictures of themselves on Instagram. If you didn’t, how would people find you?
As sharing your real identity online became more normal, hiding it became more suspicious. Signing up to sites with your name and a picture became completely commonplace. That [email protected] email became [email protected]. The real/online convergence made it easy to make online connections with every single person in your social circle. Add someone you met once, or even just a friend of a friend. LinkedIn replaced the rolodex. Phone books were replaced with ‘DMs open’.
On Facebook, you could look people up by name, check who your friends were friends with, and it suggested ‘people you may know’. Finding your friends was easy, and it was the key to the success of the platform. As people’s Facebook friend counts ballooned into the thousands, Facebook’s power grew. People were locked in. By the time the 2010s rolled around, a new online etiquette had become well established: identify yourself when you’re chatting, interacting, and existing in online spaces.
Although high discoverability propelled Facebook to the top of the social media mountain, eventually people started taking note of the privacy issues associated with making it so easy to find other users. Facebook and other social media sites soon started rolling out privacy settings that allowed people to control who could find them, who could see their posts, and what content they saw. These kinds of settings proved super popular, and nowadays the average person has at least some of the privacy settings enabled on their social media accounts.
Of course, this chills the network effect that made Facebook and other services like it so popular in the first place — and new players joining the game have to play using hamstrung discoverability.
The phone number: Tapping into contacts
The age-old phone number has become the diamond standard for identification on social media applications. Most apps use phone numbers to confirm your identity, secure your account, prevent fraudulent accounts, and help you find people you know. That’s a whole lot of identity for one string of numbers. As more and more apps require you to sign up with your name and phone number, countless databases around the world end up linking your real-world identity with your phone number. This is why you’re bombarded with permission requests for your phone contacts every time you download a new app, and it’s often how apps suggest friends or people you might know.
Your phone number is recorded by things like Twitter, government services, event and location check-ins, and even supposedly private messengers. But using a low-velocity piece of identifying information like a phone number for contact discovery has a whole bunch of negative privacy implications.
There is nothing private or anonymous about a phone number. Nowadays, countries around the world are going to great lengths to make sure phone numbers are closely linked to people’s identities. This reduces digital privacy, and makes it much harder to navigate the online world with any anonymity. Registries and telecommunication regulations are becoming super common all around the world. In June 2021, the Senate of the Republic of Mexico passed a decree which requires citizens surrender bevy of personal information in order to activate a phone number.
Similar registries are being created all over the world by both public and private institutions, and working out which phone number belongs to who is trivial for most big tech companies or governments.
Research published in 2021 showed crawling attacks are not only possible, but viable against major messengers which rely on phone numbers for contact discovery. The study completed an analysis of phone numbers linked to WhatsApp, Signal, and Telegram. Using minimal resources, the researchers were able to check all 505 million phone numbers in the United States for Signal registration. They were also able to cross-reference these registrations with the other services (WhatsApp and Telegram) to check for other personal information like profile pictures, ‘About’ text, and statuses.
To make matters worse, once you have created this database of Signal users, you can continually re-query the phone number list in order to check if new numbers are registering, as well as an approximate time period they would have created an account.
All this is a really long way of explaining that phone numbers are a familiar, comfortable, and terribly non-private way of getting in touch with your friends. If you’re looking for something private, and it asks for your phone number…well, that’s a pretty clear sign it’s not private.
The Session ID: A cryptographic contact solution
For an app to be private, it needs to have private contact discovery. Phone numbers are a catastrophe. Using people’s real names is obviously not a winning strategy either. Using pseudonyms can help, and gives people the ability to choose whether they want to de-anonymise themselves for simpler discovery (by using their real name, for example, as their handle).
However, we can go a step further than simple pseudonyms. Session uses Session IDs for contact discovery. Session IDs are the public half of a public/private key pair. This can be created any time, any where, all on the device running the app. Public key cryptography is also the basis of Session’s end-to-end encryption system. Using someone else’s Session ID (public key), you can encrypt and send messages that only they can decrypt. Specifically, Session uses the Ed25119 signature scheme, which can be easily executed by any modern phone or computer — so nobody can control when you’re able to create a Session ID. When you’re using a Session ID, you can’t be censored, SIM swapped, or tampered with in any way.
This also means that, if you want to change your Session ID, you can make a new one (instantly) whenever you want. If your ID is compromised for any reason, you can delete it and move on to a brand new one without any association with either your old Session ID or your real identity. This gives Session IDs a huge advantage for high-risk users like journalists, activists, and other human rights defenders — who are being targeted more and more with each passing day.
The way forward
Of course, Session IDs tick all the boxes in terms of security and privacy, but they don’t have the same contact discovery sparkle that using names or phone numbers has. As the world becomes more and more tech literate, this might not be as big of a problem. But on the other hand, as people grow up with more and more polished tech, tolerance for things like Session IDs might become lower. However, we’ve built a system to allow people to look each other up using simple nicknames instead of long Session IDs — all while maintaining all the privacy and security benefits anyone could ask for. Phew. That was a long explanation. But it goes to show how much thought is put into every aspect of modern messenger design. The threats people face in the digital world can be extremely complex, so often the solutions are, too.
Anonymity and online dating
June 27, 2022 / Alex Linton
Familiar faces: Has facial recognition tech gone too far?
June 14, 2022 / Wesley Sukh
Session ID vs phone numbers
June 08, 2022 / Alex Linton
Human rights in the digital age: Why you should join us at RightsCon
June 01, 2022 / Wesley Sukh
The cost of Musk's war on spam
May 26, 2022 / Wesley Sukh
Behind the scenes: Session network and client update
May 19, 2022 / Kee Jefferys