The Hackers and Me: Messaging Services

Gossip among friends or rich booty for data mining? TUW security expert Martina Lindorfer has the answers.

Graffito with speech bubble "BLAW BLAW BLAW" and inscription of the series "The Hackers and me"

Martina Lindorfer with crossed hands and black dress at a TUW-corridor.

© TU Wien, Tibelia Kuratan

Martina Lindorfer

WhatsApp, Telegram, Facebook Messenger, Signal and many others: for most smartphone users, messaging services are a daily companion. Market leader WhatsApp alone has 2 billion users worldwide. However, messaging services have come under fire as greedy data octopuses. In this interview, TUW expert Martina Lindorfer explains which of our data is of interest to providers and which services are secure:


How many people use messaging services worldwide and in Austria? And which services are the most widely used here?

Martina Lindorfer: Hard to say, but according to Statista, in Austria "WhatsApp has almost a larger user base than all other messenger services combined." (as of September 2021). But the use of messaging services has vast dimensions: The three largest messaging services alone are used by 4 billion people worldwide (see more).


Do people tend to choose user-friendliness over data security?

ML: Unfortunately, user-friendliness and convenience typically trump security and privacy. In the case of messengers even more so than in other apps. The most important factor here is peer pressure, and people typically don't have much choice in the messengers they are using to communicate with friends and family, or at school or work.


Do you use messaging services yourself? If so, which one do you trust and why?

ML: I probably use every messaging service under the sun, on the one hand Signal/WhatsApp/Facebook Messenger because it is the main way to stay in touch with friends all over the world. On the other hand, we use Slack/Mattermost/Matrix/Skype for our research collaborations with other universities. The ones I trust the most are Signal and Mattermost, because their code is open source and available for anyone to inspect for backdoors and security vulnerabilities.


Now the reverse question: Which service would you not trust at all?

ML: I wouldn’t trust any service provided by a company that is in the advertisement business. The reason why they provide these services for free is to analyze your messages to build even more detailed profiles of you. But it is hard to get around these services completely as I already mentioned.


Could you please give us a more detailed insight into what data is spied on and what it is used for?

ML: Companies are interested in the message content for data mining and profiling purposes. We also see a disturbing trend in so-called stalkerware, which are apps that allow people to secretly spy on someone by reading chat messages etc. These kinds of apps are also often branded as child-protection software for parents to monitor their children's messages, but are also used by people in abusive relationships for example.
Technically, also any "middleman" part of the conversation could read the messages unless they are encrypted, such as your internet provider, or someone in the same WiFi as you (at home, in the coffee shop, at school, etc.).
Our chats of course also have value for law enforcement. This is also why there are recurring discussions about encryption backdoors, so they can surveil targets. But in my professional opinion, breaking encryption only harms the general public; the (cyber)criminals that these policies are supposedly targeting will always find other (more secure) ways to communicate.
Finally, what is important to note here is that it's not always about the content of our chats: the metadata, essentially not the content of the messages themselves but just the fact that messages have been sent: who is communicating with whom and when, also has a lot of value in itself for building a graph of our social network and habits.


Telegram is suspected of being controlled by Russian interests. Rightly so? And how does political influence via messaging services work anyway?

ML: Different countries have different laws and regulations, and there is always the risk that political influence will be abused to gain access to unencrypted messages at a large scale. Messaging services can also be abused for political surveillance, for example in the case of WeChat, even messages for users outside of China are used to build their censorship system.


What do you think: Will we continue to find out about political and other scandals in the future because chat logs like those of the resigned ÖBAG chairman Thomas Schmid are revealed, or is that history because there are already reliable functions for deleting chats?

ML: I don't think that those leaks will stop anytime soon. A messenger is only as secure as the device it is running on, and as long as there are potential vulnerabilities in the operating system that can be exploited to backdoor the device, attackers can gain access to messages as well. Also, in the case of Thomas Schmid, he actually deleted the chats in the messenger app, but the reason why they became public was that he forgot to delete the backup as well. Of course, backups are a great security practice, but in this case led to the leak of the chat history.


Martina Lindorfer is a tenure-track assistant professor at TU Wien, which she joined at the end of 2018, and a key researcher at SBA Research, the largest research center in Austria which exclusively addresses information security. She received her PhD from TU Wien in 2016 and spent two years as a postdoctoral researcher (postdoc) at the University of California, Santa Barbara. Her research focuses on systems security and privacy, with a special interest in automated static and dynamic analysis techniques for the large-scale analysis of applications for malicious behavior, security vulnerabilities, and privacy leaks. She is also passionate about increasing diversity in computer science as part of the Women in Informatics initiatives. Her research and outreach activities have been recognized with the ERCIM Cor Baayen Young Researcher Award, the ACM CyberW Early Career Award for Women in Cybersecurity Research, as well as the Hedy Lamarr Award from the City of Vienna.
Follow Martina Lindorfer on Twitter @lindorferin