Also, holy shit they're storing a lot of information about their users:
* All of your contacts.
* Unencrypted profile information for everyone.
* Every active conversation you have.
* Every archived conversation you have.
* The frequency that you communicate with your contacts ('top contacts').
* Every group that you're in.
* The unencrypted titles and avatars of everyone's groups.
Wonder what will be in the rest of the database schema if they open source it.
Wire contacts, they only store non-Wire contacts in a hashed form, and there's an opt-out for non-Wire contacts.
* Unencrypted profile
Specifically they claim to store:
Who/when it was created, who is involved (which seems critical to be able to route messages), and conversation name
I assume they store the same as for non-archived conversations, seems necessary to be able to add new devices.
Ya... that's not listed as far as I can tell. Arguably "aggregated usage statistics"... but it's not really aggregated.
This is the same as conversations... they clearly need to know this to route messages.
Titles is listed. Avatars of groups isn't... seems like a minor oversight though given that they're like a profile picture, and profile pictures are publicly available.
Maybe it's good that they've documented this somewhere, but I don't think most Wire users read white papers. I'm a dev and I was surprised. Their outward-facing marketing didn't lead me to think they track all my contacts and the state of every conversation I am having. It very clearly suggests the total opposite.
They need to do much better than this if they want people to think they take security/privacy seriously.
>> * Every group that you're in.
> This is the same as conversations... they clearly need to know this to route messages.
Why? That's not true for Signal from what I can tell.
In the sense of "most users don't read privacy policies", sure.
> Why? That's not true for Signal from what I can tell.
Ya... I think I overstated it. It's the easiest way to route messages but it's not the only way.
I am not saying if this is good or bad in general, but just... I could live with it in 2005 when vBulletin was all the rage, and I can live with it now.
Also, other chat clients like Skype, Paltalk, Yahoo Messenger, Facebook Messenger also store this information---it's kind of a requirement to do any kind of search over previous messages, and allow people to find their contacts or talk to random unacquainted individuals.
Maybe this is a big negative for Wire if their PR basically touts "security" and "encryption", when the reality is they want to be secure against middlemen only.
I don't know much about security so I really have no constructive criticism, obviously, one can easily make lots of investigative inferences from the information Wire collects and that is troubling enough.
If I understand correctly, Signal stores only metadata. My question: what's the format of the metadata, and what kind of information does it retain? Is it anywhere close to what Wire is storing?
I would appreciate clarifications on this.
In response to a subpoena for a specific user's data:
"the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user's connectivity to the Signal service."