Mobile messengers such as WhatsApp and Signal allow their users to contact anyone in their address books who also uses the service. To that end the users’ address books are matched with the service provider’s database. However, current methods usually involve sending the complete address book to the service provider. As a result, service providers obtain not only data of individuals who have explicitly consented to have their data processed, but users who have not installed the messenger application in question are also affected. This leads to serious breaches in privacy for billions of end-users worldwide.
New methods of contact tracing
“With ContactGuard, we provide a new generation of cryptographic protocols that are more efficient than all existing approaches. Security is still guaranteed even if the software and hardware are manipulated by hackers,” explains Christian Rechberger. The cybersecurity expert is a professor at the Institute for Applied Information Processing and Communication Technology at Graz University of Technology, as well as the Research Manager of Area Data Security at Know-Center.
By means of intersection calculations, ContactGuard identifies all common contacts between the service provider and those who use the messenger service. The service provider’s encrypted database is stored on the users’ cell phone, where the address book entries are encrypted with the service provider’s secret key that the users cannot see. Conversely, the service provider does not receive any information about the user’s address book entries. The two-way data encryption does not reveal any further information or sensitive data from the address books.
To date, a great deal of data has to be exchanged between the mobile device and the service provider for contact matching, which is particularly problematic for mobile phones with limited data volumes. To keep additional computing and communication overhead low, ContactGuard uses new compression techniques and optimized encryption methods. Additional efficiency is promised by modern security chips, which are present in the vast majority of smartphones that came onto the market within the past seven years. Compared to older chip generations, these chips speed up cryptographic calculations by a factor of 35. Prototype tests have shown that data matching is within a tolerable time frame even for 100 million data records.
Protecting sensitive contact data
With previous methods of contact tracing, an additional risk for users is that sensitive relationships between persons become known. Examples of this are contacts with medical specialists or lawyers, or the need for journalists to protect informant contacts.
ContactGuard allows users to mark contacts or contact groups as “sensitive” by simply checking a box. No messenger can get access to these contacts. Even third-party applications cannot access them. “This also protects sensitive contacts from messengers that have not integrated our encryption protocols yet,” explains Rechberger.
Protection for businesses
Employees are also increasingly using private electronic devices such as smartphones and tablets in the company context. Even if employees use mobile messenger services only privately and not for business purposes, this may be problematic for companies since the services access a mixture of private and business contacts indiscriminately and process them without sufficient protection.
ContactGuard effectively helps to comply with the General Data Protection Regulation (GDPR) in the enterprise environment by making it easy to hide contacts from messengers and making non-registered numbers invisible to service providers in the first place. In the future, this will make it easier for companies to allow their employees to use personal devices and messenger services in the business environment. This increases employee satisfaction and prevents severe penalties for companies.