
The title for this post should be changed to "a piece of the Wire messenger server code open sourced." Most of the source is not open source; you can't run your own.

Also, holy shit they're storing a lot of information about their users:

* All of your contacts.

* Unencrypted profile information for everyone.

* Every active conversation you have.

* Every archived conversation you have.

* The frequency that you communicate with your contacts ('top contacts').

* Every group that you're in.

* The unencrypted titles and avatars of everyone's groups.

Wonder what will be in the rest of the database schema if they open source it.




So I checked if this matches their privacy whitepaper [0] that claims to list what they store. It almost does, with one notable exception and one minor one.

* All of your contacts.

Wire contacts; they only store non-Wire contacts in a hashed form, and there's an opt-out for non-Wire contacts.

* Unencrypted profile

(Isn't this just profile picture (which is shown to people you haven't connected with), and name anyways?) They do say so in the privacy policy.

* Every active conversation you have.

Specifically they claim to store:

Who/when it was created, who is involved (which seems critical to be able to route messages), and conversation name

* Every archived conversation you have.

I assume they store the same as for non-archived conversations, seems necessary to be able to add new devices.

* The frequency that you communicate with your contacts ('top contacts').

Ya... that's not listed as far as I can tell. Arguably "aggregated usage statistics"... but it's not really aggregated.

* Every group that you're in.

This is the same as conversations... they clearly need to know this to route messages.

* The unencrypted titles and avatars of everyone's groups.

Titles is listed. Avatars of groups isn't... seems like a minor oversight though given that they're like a profile picture, and profile pictures are publicly available.

[0] https://wire.com/resource/Wire%20Privacy%20Whitepaper/downlo...


> So I checked if this matches their privacy whitepaper [0] that claims to list what they store. It almost does, with one notable exception and one minor one.

Maybe it's good that they've documented this somewhere, but I don't think most Wire users read white papers. I'm a dev and I was surprised. Their outward facing marketing didn't lead me to think they track all my contacts and the state of every conversation I am having. It very clearly suggests the total opposite.

They need to do much better than this if they want people to think they take security/privacy seriously.

>> * Every group that you're in.

> This is the same as conversations... they clearly need to know this to route messages.

Why? That's not true for Signal from what I can tell.


> Maybe it's good that they've documented this somewhere, but I don't think most Wire users read white papers.

In the sense of "most users don't read privacy policies", sure.

It's pretty clearly linked in their privacy policy as "this is where you should go for information"; I know I'm not the only Wire user who read it before installing it.

> Why? That's not true for Signal from what I can tell.

Ya... I think I overstated it. It's the easiest way to route messages but it's not the only way.


Why do they need to know active conversations to route? Every time you send a message it should contain the needed info.


Sounds like the amount of information a typical web forum stores about its users' private messages.

I am not saying if this is good or bad in general, but just... I could live with it in 2005 when vBulletin was all the rage, and I can live with it now.

Also, other chat clients like Skype, Paltalk, Yahoo Messenger, Facebook Messenger also store this information. It's kind of a requirement to do any kind of search over previous messages, and allow people to find their contacts or talk to random unacquainted individuals.

Maybe this is a big negative for Wire if their PR basically touts "security" and "encryption", when the reality is they want to be secure against middlemen only.


I've

I don't know much about security so I really have no constructive criticism. Obviously, one can easily make lots of investigative inferences from the information Wire collects, and that is troubling enough.

If I understand correctly, Signal stores only metadata. My question: what's the format of the metadata, and what kind of information does it retain? Is it anywhere close to what Wire is storing?

I would appreciate clarifications on this.


Signal service doesn't store message routing metadata nor what groups you are in.

In response to a subpoena for specific user's data:

"the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user's connectivity to the Signal service."

https://whispersystems.org/bigbrother/



