ITsecurity

Is WIRE a threat to Privacy?

Posted on December 4, 2014.

This week saw the launch of WIRE, the new social communications application from Skype co-founder Janus Friis. There has been a great deal of noise about it in the press, which is to be expected given Friis’ pedigree. One of the points being made is that WIRE is based in Switzerland and complies with EU privacy laws, so obviously it piqued my interest and I went to have a look. My investigation left me with far more concerns than I would have liked. My first stop was their privacy policy, which reads:

Our Privacy Policy is transparent about the data we collect from you and what we do and don’t do with it.

But actually it isn’t: they don’t tell you what data they collect at all, nor how they store it. Furthermore, they state in the same privacy policy:

We do not rent or sell your personal data or the content from your conversations with anyone. Furthermore, we do not share this information, except in limited circumstances related to enforcing our Terms of Use policies and to our compliance with the law.

This would at least seem to suggest that they store, and are able to read, the content of their users’ communications and media. In order to determine whether or not that content breaches their Terms of Use policies, it stands to reason they must be able to access those messages (which means they store them), and they must be able to access them in plain text (which means they either store them unencrypted, or they encrypt them but have the keys). This is deeply worrying, as any modern communications service should encrypt the data at the client side and have some method of key exchange between the sender and recipient (at the very least). They certainly should not be in a position to read your messages to other people or view your media.

But what makes me particularly annoyed is this part of their privacy policy:

We are based in Europe, your personal information is collected, stored, used and shared in accordance with European laws.

Now I am all for companies using privacy as a competitive differentiator; in fact I advise companies to do so on a day-to-day basis. But it has to be backed up with real information about data collection, storage and processing. Simply saying you are based in Europe and comply with European laws is not enough: there are many problems with European privacy laws, which is exactly why they are currently being re-written from the ground up.

So I decided to look at their security FAQ in the support section of the web site – surely they mention encryption there?

Are messages and calls encrypted?

Yes. Wire uses end-to-end encryption for all its voice calls, and encryption to and from its data centers for all its messages and media.

Hang on. So they know what end-to-end encryption is, because they mention it explicitly with regard to voice calls, but they suspiciously don’t use the term with regard to messages and media. This is not a typo; this is deliberately misleading and seems to support my concerns that messages and media are not encrypted on the server. Also in the security section of their Support page I found this:

Who can see the messages that I send?

Your messages and conversation history can only be seen by you and the people in those conversations.

Now this is completely out of sync with their privacy policy, because if they are unable to read the messages, how are they able to determine whether or not they are in breach of their terms, and how would they be able to share them with law enforcement? Either their support page is telling porkies about who can see the messages (and they forgot to mention they can too) or their Privacy Policy is incorrect (or unclear at best, if I am going to be generous). Again in the security section:

What does Wire do with my personal information?

We treat it the way we want our personal information to be treated – confidentially. We do not rent or sell your personal data or the content from your conversations with anyone. We also do not use your personal data or the content from your conversations for advertising or marketing purposes.

The wording here seems very deliberate. Note that they say they treat your personal information “confidentially”, but there is no mention of message content. Only in the next sentence, with regard to commercialisation, do they include message content with personal data. This is an explicit statement and should be interpreted as meaning they don’t treat your messages confidentially and have access to them.

Now it could be that WIRE have just rushed this to launch and haven’t taken enough time on their support pages and privacy policy (which is woefully vague, to say the least), but it is hard to believe that such an experienced team, probably with their own internal lawyers, would have made such a bad job of their legal obligations. Furthermore, WIRE are not responding to any comments on these issues, which begs the question: what are they trying to hide?

As a result I can only recommend, and fiercely so, that people avoid WIRE completely until these very worrying questions are answered. If I were to provide a scale for privacy threats, WIRE would currently be ringing bells and flashing lights.

 

2 thoughts on “Is WIRE a threat to Privacy?”

  1. I think they already threw some sand in your eyes there, buddy. The T&C reads: “We are based in Europe, your personal information is collected, stored, used and shared in accordance with European laws.”

    Well, if they’re based in Switzerland, that will primarily mean Swiss law, which is a ‘European law’ in that Switzerland is in Europe. But as Switzerland is not in the EU, their laws are not by definition ‘EU laws’. You go from European law to EU law – but what if they’re based in Switzerland *because* they’re not EU?

    I know next to nothing about Swiss law – except that it tends to track EU law in many ways. But there might very well be significant differences.

    • Alexander Hanff said:

      I changed the reference from EU Laws to European law just to clarify, you are correct they are different and it is another point of obfuscation in their privacy policy.


Submitted in: Alexander Hanff, Expert Views, News_privacy