Documentation of the privacy impact of contact and message syncing

[devurandom]

Is there any documentation of the privacy impact of contact and message syncing?

Specifically, I would like to know:

• Where are my contacts stored and in which form?
• What kind of knowledge does Whisper Systems have about my list of contacts?
• The same questions also apply to messages.

[kstrel]

This issue is probably going to get closed, because questions like this belong to one of these places
Support Forum: http://support.whispersystems.org/
Mailinglist: https://lists.riseup.net/www/arc/whispersystems

Whisper Systems knows the phone numbers of your contacts (or their hashes) simply because your phone sends them to the server periodically to let you know who of your firends uses Signal. Your contacts are not stored on the server though. Obviously they have to be stored on your phone and desktop otherwise you wouldnt be able to reach your contacts. The sync between the Desktop and the Phone is performed in an end to end encrypted way so no additional information is shared with the server. Here is a mail from moxie regarding this question https://lists.riseup.net/www/arc/whispersystems/2015-12/msg00007.html .

Whisper Systems never sees the content of your messages because they are always end to end encrypted. When you have the Desktop version it communicates with your phone in an end to end encrypted way.

@riyapenn It would be nice to have the official answers to these questions in the "Desktop" and "Security" sections of the support forum.

[devurandom]

Thanks for that explanation!

In case you write an official FAQ entry for this, maybe mention that Whisper Systems does not store one hash for each contact, but the set bits of a Bloom filter - so technically it's k hashes per contact. If it is still true that you use the Bloom filter technique, which I read quite some while ago... In any case it should be sufficiently hard for Whisper Systems or any adversary party to calculate the phone numbers of my contacts (both those using Signal and those who don't) from the hashes Signal sends them.

When sending messages, the Whisper Systems server knows that it has to send messages for me to two endpoints (desktop and mobile)? And when I send a message from my mobile, this Signal adds an additional destination address, so that it also will be sent to the desktop client? Thus Whisper Systems does not store the message history, not even in e2e encrypted form?

[TheBlueMatt]

No, WS does NOT see your list of contacts. It only sees the number of the individual you are sending a message to when you send it.

On December 6, 2015 11:01:51 PM GMT+08:00, Kirill Streltsov notifications@github.com wrote:

This issue is probably going to get closed, because questions like this
belong to one of these places
Support Forum: http://support.whispersystems.org/
Mailinglist: https://lists.riseup.net/www/arc/whispersystems

Whisper Systems knows the phone numbers of your contacts (or their
hashes) simply because your phone sends them to the server periodically
to let you know who of your firends uses Signal. Your contacts are not
stored on the server though. Obviously they have to be stored on your
phone and desktop otherwise you wouldnt be able to reach your contacts.
The sync between the Desktop and the Phone is performed in an end to
end encrypted way so no additional information is shared with the
server. Here is a mail from moxie regarding this question
https://lists.riseup.net/www/arc/whispersystems/2015-12/msg00007.html .

Whisper Systems never sees the content of your messages because they
are always end to end encrypted. When you have the Desktop version it
communicates with your phone in an end to end encrypted way.

@riyapenn It would be nice to have the official answers to these
questions in the "Desktop" and "Security" sections of the support
forum.

---

Reply to this email directly or view it on GitHub:
#459 (comment)

[liliakai]

The best place to ask questions is http://support.whispersystems.org/