Is the Signal Private Messenger app supporting its users’ privacy?

Since starting this privacy blog, I’ve become more aware of ways privacy can be threatened. One vulnerability is through apps that require smartphone features that are not necessary for the proper functioning of the app itself.

I was looking at the Signal messaging app by Open Whisper Systems. It is mentioned by the Library Freedom Project as beneficial. When I installed it on my Android smartphone I noticed, and found troubling, that it requires access to almost every feature of my phone when it is installed.

I’m not sure I would recommend it as being helpful for privacy when it requires access to each of these: Device & app history, Identity, Calendar, Contacts, Location, SMS, Phone, Photos/Media/Files and the Camera. I’m not sure whether there are any Android features that it does not need access to.

I can’t imagine that it requires all of those features to function properly and all of them can give highly sensitive information to the app’s owners.

I decided to reevaluate whether Signal should actually be recommended. Since it has unnecessary and unexplained access to so many parts of a smartphone’s capabilities, I decided to uninstall it. Without the LFP recommendation, I would never have installed it to begin with.

The recommendation and its marketing are solely based on the feature that Signal allows you to send private and encrypted messages. However, these access demands make me doubt that it has a net positive effect on user privacy.

Marco Polo Video Walkie Talkie and Privacy

Recently I got an invitation to install an app for my phone from a person in my contact list whom I rarely interact with. The app sent this message: “Hey get on this so we can chat marcopolo70.me/[omitted]”

I was hesitant to install the app because I don’t really like video chat. I decided to check it out the next day anyway. When I went to install it I looked at the information the app wanted access to, which included SMS, contact list, photos and SD card.

Being more conservative, I decided not to install it. I didn’t want an app that could send texts and read my contact list. After deciding to ignore the app, I looked at some reviews and saw that once installed, the app sends messages just like the one I received to a random set of contacts.

That makes it viral because it can replicate by sending itself to others, who then expand the installed base. By using social engineering it is able to spread itself exponentially without needing to take advantage of any technological flaws to spread automatically. It effectively works like a digital chain letter without the participants being aware of that.

However, there is another pernicious effect of the app, which is that the link it sent me was personalized and pointed to a web page. This let the owners of the app verify my phone number as a valid cell number without my permission or any ability on my part to evaluate the privacy policy or review the qualities of the app. This information is really valuable and can be sold for legal (or illegal) activities. In addition, the owner learns the model of phone, version of OS and other technical information that allows access to any real security flaws (known or zero-day) of the victim’s phone.
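To make concrete what a single tap on such a personalized link hands to whoever runs the web page, here is an added example (my own illustration, not code from the app or its owners). It assumes a hypothetical operator who keeps a table mapping each per-recipient link token to the phone number it was sent to, and an ordinary web-server access log; the token values, phone numbers, IP addresses and log lines are all constructed for the example. Joining the two is enough to confirm the number as a live, tapping cell number and to read the Android version and device model out of the browser’s User-Agent string, which is exactly the information the paragraph above describes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the hypothetical operator's table of per-recipient link
# tokens and the phone numbers they were sent to (invented values).
INVITE_TOKENS = {
    "a1b2c3": "+1-555-0100",
    "d4e5f6": "+1-555-0101",
}

# Constructed Apache/nginx-style access log for the invite web server.
# The first line is a tap on a personalized link; the second is unrelated noise.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2016:12:01:02 +0000] "GET /a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G920V Build/MMB29K) AppleWebKit/537.36 Chrome/50.0.2661.89 Mobile Safari/537.36"
198.51.100.7 - - [10/Jun/2016:12:05:44 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.47.0"
"""

# Common access-log layout: client IP, identity, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Android browsers put the OS version and device model into the User-Agent.
UA_RE = re.compile(r'Android (?P<version>[\d.]+); (?P<model>[^;)]+?)(?: Build/\S+)?\)')


@dataclass
class ClickRecord:
    """What the operator learns from one tap on a personalized invite link."""
    phone: str                      # number confirmed as live (someone tapped)
    ip: str                         # rough location / carrier from the client IP
    android_version: Optional[str]  # OS version, if the User-Agent reveals it
    device_model: Optional[str]     # handset model, if the User-Agent reveals it


def confirmed_clicks(log_text: str, tokens: dict) -> list:
    """Join access-log hits on personalized links with the token -> phone table."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        token = m.group("path").lstrip("/")
        if token not in tokens:
            continue  # not one of the personalized invite links
        ua = UA_RE.search(m.group("ua"))
        records.append(ClickRecord(
            phone=tokens[token],
            ip=m.group("ip"),
            android_version=ua.group("version") if ua else None,
            device_model=ua.group("model").strip() if ua else None,
        ))
    return records


if __name__ == "__main__":
    for rec in confirmed_clicks(SAMPLE_LOG, INVITE_TOKENS):
        print(rec)
```

The point of the example is not that this log exists anywhere I can see; it is that nothing more than a standard web server is needed for the recipient’s number, device model and OS version to be recorded the moment the link is opened, before any app store page, permission list or privacy policy has been shown. Not tapping the link is the only point at which the recipient still has a choice.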

The domain contact for marcopolo70.com is “BORTNIK BORTNIK”, associated with a business “EVERY1X1”. It has been registered for only 26 days. The remainder of the domain information, including full contact information for the registrant, is available at http://servicehostnet.com/domain/marcopolo70.com#reg-metadata The domain marcopolo70.me is harder to get registration information about, so I’m not sure of the exact details, but it’s obviously linked to the same organization.

It’s pretty clear that these violate the terms of service of the domain registrar, enom.com, and of the Montenegro (.me) registry, but I haven’t heard whether either of them has taken action. (But they haven’t had much time to react either.)

From a fair information practices point of view it blows them out of the water. There is no notice or awareness of the owner’s practices, no consent or choice, no access or participation and no security or integrity in their handling of the information. In fact there is the exact opposite of all of them.

As far as the app and website violating US or EU laws, that’s probably easy to determine, but I’m not sure of the procedure for reporting that at the moment. I won’t have access to a desktop computer for a few days.

Edit: every1x1 also owns marcopolo54.org and marcopolo66.org and apparently every other marcopoloXX domain.