A Black-Box Privacy Analysis of Messaging Service Providers' Chat Message Processing
Authors: Robin Kirchner (Technische Universität Braunschweig), Simon Koch (Technische Universität Braunschweig), Noah Kamangar (Technische Universität Braunschweig), David Klein (Technische Universität Braunschweig), Martin Johns (Technische Universität Braunschweig)
Volume: 2024
Issue: 3
Pages: 674–691
DOI: https://doi.org/10.56553/popets-2024-0099
Abstract: Online messaging has rapidly emerged as today's primary communication platform, extending from personal, to business and even to government channels. But can these services be trusted to maintain the privacy of your communication? This paper addresses this question by evaluating 105 different online messaging platforms. Utilizing “honey” messages and active HTTP(S) , WebSocket, and WebRTC traffic monitoring, along with continuous observation of honey token access, we determine which messaging services process user messages beyond mere transmission. We conduct a large-scale honey token-based study on 69 popular web and 36 mobile messaging applications. Our findings reveal that 34 % of messaging services show capabilities of server-side message analysis. Seven of these messengers evidently conduct an extended analysis of the messages, reusing the results hours to an observed maximum of a month after the chat concluded. This shows that one cannot automatically expect the same confidentiality when chatting via messengers compared to in-person communication.
Keywords: Messenger privacy, privacy assessment, honey tokens
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.