Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label End To End Encryption. Show all posts
State Surveillance
Cyber Governance data localization Digital Sovereignty End To End Encryption Messaging Security Network Control Privacy State Surveillance

Russia promotes Max platform as questions grow over user data security


 

Russian daily communication has been disrupted in recent weeks, as familiar digital channels are experiencing problems under mounting regulatory pressure, disrupting the rhythms of everyday communication. 

What appears at first glance to be a technical inconvenience is in fact a deliberate realignment of the country's information ecosystem that has been going on for several years. A domestically developed alternative known as Max has been elevated by authorities in parallel to globally embedded messaging platforms such as WhatsApp and Telegram, while authorities restrict access to these platforms. 

There is no subtlety or incident in the shift. It is an assertive attempt to redefine the boundaries of digital interaction within the state's sphere of influence. Millions of users are directed towards a platform that remains closely aligned with Kremlin interests in terms of architecture and governance.

With Max, introduced in 2025 by VK, the platform becomes much more than just a conventional messaging platform, marking a significant escalation in this strategy. By consolidating communication tools with state-linked utilities, such as access to government services, financial transactions, and the development of a digital identity framework, it provides the functionality of an integrated digital ecosystem.

Despite bearing structural similarities to WeChat, the implementation is in line with Moscow's long-standing pursuit of technological autonomy. Although adoption is a voluntary process, infrastructure incentives and regulatory constraints have combined to create conditions in which disengagement has become increasingly difficult.

A secure and sovereign alternative has been framed by endorsements from Vladimir Putin, reinforcing the policy direction, as noted by internet governance scholar Marielle Wijermars, that has culminated efforts to reconfigure the nation's internet architecture toward tighter state oversight. 

As part of the transition, technical integration and controlled accessibility are being implemented. Max has been pre-installed on numerous domestically sold consumer devices since September, reducing entry barriers while subtly standardizing its presence. 

A number of features are included in the interface, including private messaging, broadcast channels, and user engagement, which minimize friction for new users as it mimics established platforms. However, its differentiation lies in its privileged network status: by being included on Russia's approved "white list," the company ensures uninterrupted connectivity during periodic connectivity restrictions, which authorities attribute to defensive measures against external threats. 

Furthermore, geopolitical considerations also play a role, as initial restrictions on Russian and Belarusian SIM cards have been expanded selectively to a limited group of countries who are considered politically aligned. 

Although the platform has been widely distributed in countries such as the European Union and Ukraine, these markets are notably absent, even as the platform becomes enmeshed in larger information dynamics, including its perceived role as a means of countering rival cross-border coordination applications such as Telegram and WhatsApp. 

Russia itself continues to receive uneven receptions, suggesting an increasing divide between state-driven digital consolidation and a population long accustomed to more open communication systems. As a result of this transition, established communication patterns are disrupted, which has already begun to affect professionals who rely on continuity and reliability as part of their workflows. 

Before routine connectivity began to fail without warning, Marina, a freelance copywriter based in Tula, had been relying on WhatsApp for both client interactions and personal exchanges. There has also been little success in shifting conversations to Telegram, reflecting a broader trend experienced by millions as Roskomnadzor imposed restrictions on voice and messaging functions across the country's most widely used platforms in mid-August. 

There have been concerns about the timing of these limitations, which coincide with the rapid deployment of the state-backed Max ecosystem. With WhatsApp's user base estimated at approximately 97 million, and Telegram's user base estimated at 90 million, this disruption goes far beyond inconvenience, reaching into the foundations of social and economic interaction on a daily basis. 

These platforms have been providing informal digital backbones for many years, facilitating everything from family coordination and residential management groups to hyperlocal commerce in areas lacking conventional internet access. For example, message applications often serve as a substitute for broader digital infrastructure in remote parts of the Russian Far East, enabling services such as ride coordination and small-scale transactions as well as information sharing within the community. 

In addition to implementing end-to-end encryption, both platforms have also implemented security architectures that prevent intermediaries, including service providers, from gaining access to communications' contents. 

Russian authorities assert that the restrictions are justified by compliance failures, particularly the refusal to localize user data within national borders, along with concerns over fraud. Based on available financial sector data, however, most scams remain perpetrated through traditional mobile networks rather than encrypted applications, according to data available to the financial sector. 

Analysts and segments of the public view these measures as part of a broader effort to improve visibility into interpersonal networks and information flows, with a less technical but more strategic interpretation.

According to Marina, who requested anonymity due to concerns about possible consequences, the shift is not simply one of technology, but one of social space narrowing, with the ability to maintain connections outside of state-mediated channels gradually becoming increasingly restricted. 

Through regulatory pressure as well as institutional dependency, Max is being reinforced within everyday workflows. 

To maintain access to essential services, individuals across sectors report a growing requirement for the platform. In her experience, Irina describes being forced to utilize Max to communicate with her children's school communications and navigate the Gosuslugi, where patient appointments are increasingly coordinated. 

Across corporate and educational environments, similar patterns are emerging as employers and schools standardize their internal communication platforms. The public visibility of Max is also increasing as celebrities and digital influencers migrate their content ecosystems to Max, enhancing its normalization, parallel to this structural push. 

According to analysts such as Dmitry Zakharchenko, the campaign has been unusually strong, comparing it to the centrally orchestrated messaging efforts of earlier eras, which has nonetheless been able to accelerate adoption to approximately 100 million users within a short period of time. 

In terms of technical characteristics, the platform represents a broader trajectory of Russia's "sovereign internet" initiative, which prioritizes control over data flows and infrastructure over international interoperability. As opposed to Telegram and WhatsApp, Max does not utilize end-to-end encryption technology, and its data governance framework requires that all user information be stored on domestic servers, thereby making it subject to the jurisdiction of government regulators and security agencies. 

Many users express only a limited level of concern, regarding compliance as inconsequential when there is no perceived risk. However, others have sought alternatives, including IMO, or have refused to adopt Max altogether. However, this resistance appears to be increasingly constrained as Max's structural integration into critical services increases.

Even among skeptics, prevailing sentiment indicates that participation may soon become unavoidable as the country's digital environment narrows toward a state-defined center of gravity. For policymakers, technologists, and civil society observers, Max's trajectory provides a valuable example of how digital sovereignty and user autonomy are evolving in an increasingly dynamic environment. 

By rapidly integrating the platform into essential services, people can see how infrastructure can be a subtly effective tool for shaping behavioral compliance, particularly when alternatives are systematically restricted. As a result, centralized control over communication ecosystems raises further concerns regarding transparency, data governance, and long-term consequences. 

Russia is likely to continue to grapple with a defining tension as they advance this model in order to balance national security objectives with individual privacy rights. This type of system will ultimately be determined by the level of state enforcement as well as the level of trust among users, the resilience of alternative networks, and the worldwide response to fragmented digital environments.
Read more »
Privacy
encrypted messaging apps End To End Encryption Instagram Law Enforcement Meta Privacy

Meta to Discontinue End-to-End Encrypted Chats on Instagram Come May 2026

 



Meta Platforms has confirmed that it will remove support for end-to-end encrypted messaging in Instagram direct messages beginning May 8, 2026. After this date, conversations that previously relied on this encryption feature will no longer be protected by the same privacy mechanism.

According to guidance published in the platform’s support documentation, users whose conversations are affected will receive instructions explaining how to download messages or media files they want to retain. In some situations, individuals may also need to install the latest version of the Instagram application before they can export their chat history.  

When asked about the decision, Meta stated that encrypted messaging on Instagram saw limited adoption. The company explained that only a small percentage of users chose to enable end-to-end encryption within Instagram direct messages. Meta also pointed out that people who want encrypted communication can still use the feature on WhatsApp, where end-to-end encryption is already widely used.


How Instagram Encryption Was Introduced

Instagram’s encrypted messaging capability was originally introduced as part of a broader push by Meta to transform its messaging ecosystem. In 2021, Meta CEO Mark Zuckerberg outlined a “privacy-focused” strategy for social networking that aimed to shift communication toward private and secure messaging environments. 

Within that initiative, Meta began experimenting with encrypted direct messages on Instagram. However, the feature never became the default setting for users. Instead, it remained an optional capability available only in certain regions and had to be manually activated within specific conversations.

The tool also gained relevance during geopolitical tensions. Shortly after the outbreak of the Russia-Ukraine conflict in early 2022, Meta expanded access to encrypted direct messages for adult users in both Russia and Ukraine. The company said the move was intended to provide safer communication channels during the early phase of the war.


Industry Debate Over Encrypted Messaging

The decision to discontinue Instagram’s encrypted chats comes amid a broader debate in the technology sector about whether strong encryption improves or complicates online safety.

Recently, the social media platform TikTok said it currently has no plans to introduce end-to-end encryption for its messaging system. The company told the BBC that such technology could reduce its ability to monitor harmful activity and protect younger users from abuse.

End-to-end encryption is widely regarded by cybersecurity experts as one of the strongest ways to secure digital communication. When this technology is used, messages are encrypted on the sender’s device and can only be decrypted by the recipient. This means that even the platform hosting the conversation cannot read the message contents during transmission. 

Because of this design, encrypted systems can protect users from surveillance, data interception, or unauthorized access by third parties. Many messaging services, including WhatsApp and Signal, rely on similar encryption models to secure billions of conversations globally.


Law Enforcement Concerns

Despite its privacy advantages, encryption has long been controversial among law enforcement agencies and child-safety advocates. Critics argue that encrypted messaging makes it harder for technology companies to detect criminal behavior such as terrorism recruitment or the distribution of child sexual abuse material.

Authorities describe this challenge as the “Going Dark” problem, referring to situations where investigators cannot access message content even when they obtain legal warrants. Policymakers have repeatedly warned that widespread encryption could reduce the ability of platforms to cooperate with criminal investigations.

Internal documents previously reported by Reuters indicated that some Meta executives had raised similar concerns internally. In discussions dating back to 2019, company officials warned that widespread encryption could limit the company’s ability to identify and report illegal activity to law enforcement authorities. 


Regulatory Pressure and Future Policy

The global policy debate around encryption is still evolving and charting new courses. The European Commission is expected to release a technology roadmap on encryption later this year. The initiative aims to explore ways to allow lawful access to encrypted data for investigators while preserving cybersecurity protections and civil liberties.


A Changing Messaging Strategy

Meta’s decision to remove encrypted messaging from Instagram highlights the complex trade-offs technology companies face when balancing privacy protections with safety monitoring and regulatory expectations.

While encryption remains a cornerstone of messaging on WhatsApp and has expanded across other platforms, the rollback on Instagram suggests that adoption rates, platform design, and policy pressures can influence whether such security features remain viable.

For Instagram users who relied on encrypted chats, the upcoming change means reviewing conversations before May 2026 and exporting any information they wish to keep before the feature is officially retired.

Read more »
Zero Day Exploits
Cyber Reconnaissance End To End Encryption Metadata Exposure Mobile Spyware Privacy Risks Vulnerabilites and Exploits WhatsApp Security Zero Day Exploits

WhatsApp Bug Leads to Exposure of User Metadata

 


The Meta organization has begun to address a number of vulnerabilities in WhatsApp that expose sensitive user information. These vulnerabilities indicate that, even when platforms are encrypted, they can inadvertently reveal critical device details. 

The vulnerabilities are caused by the messaging service's multi-device architecture, which allows subtle implementation differences to reveal whether the user is using an Android or an iOS device, while still maintaining end-to-end encryption for message content. 

According to security researchers, this type of capability, which helps identify or identify operating systems by their fingerprints, is of particular value to advanced threat actors. These actors often choose WhatsApp-with its more than three billion active users per month-as their preferred channel for delivering advanced spyware to their customers.

It was discovered that attackers are able to exploit zero-day flaws that allow them to passively query WhatsApp servers for cryptographical session details without being able to interact with the victim, using variations in key identifiers, such as Signed Pre-Keys and One-Time Pre-Keys, in order to determine the target platform. 

By utilizing this intelligence, adversaries can tailor exploits to the specific needs of their victims, deploying Android-specific malware only to compatible devices, while avoiding detection by others, emphasizing the difficulties in masking metadata signatures even within encrypted communication ecosystems despite this intelligence.

It has been warned that threat actors who abuse WhatsApp as an attack vector may be able to passively query WhatsApp's servers for encryption-related content, which would allow them to obtain information regarding devices without the need for user interaction. With this capability, adversaries can accurately determine the operating system of a victim, with recent findings suggesting that subtle differences in key ID generation can be used to reliably differentiate between Android and iOS devices. 

APT operations that are targeted at advanced persistent threats (APTs) often involve the deployment of zero-day exploits tailored to specific platforms. However, deploying these exploits to inappropriate devices can not only result in the failure of the attack, but may expose highly sensitive attack infrastructure worth millions of dollars. 

 Furthermore, the study concluded that there may also be a risk of data theft, as it estimated that data linked to at least 3.5 billion registered phone numbers could possibly be accessed, a number that may include inactive or recycled accounts as well. 

Besides cryptographic identifiers, the accessible information included phone numbers, timestamps, “About” field text, profile photos, and public encryption keys, which prompted researchers to warn against the possibility that, in the wrong hands, this dataset could have led to one of the largest data leaks ever documented in human history. 

Among the most concerning findings of the study was the fact that more than half of the accounts displayed photos, with a majority displaying identifiable faces. There is a strong possibility that this will lead to large-scale abuse, such as reverse phonebook services using facial recognition technology.

It was pointed out by Gabriel Gegenhuber, the study's lead author, that the systems should not be allowed to handle such a large number of rapid queries from a single source as they might otherwise. He pointed out that Meta tightened the rate limiting on WhatsApp's web client in October 2025 after the problem had been reported through the company's bug bounty program earlier that year, which led to a change in rate limits on WhatsApp's web client. 

It has been determined by further technical analysis that attackers can obtain detailed insights about a user's WhatsApp environment by exploiting predictable patterns in the application's encryption key identifiers that give detailed insight into a user's environment. 

Research recently demonstrated the possibility of tracing the primary device of a user, identifying the operating system of each linked device, estimating the relative age of each connected device, and determining whether WhatsApp is accessed through a mobile application or a desktop web client, based on if WhatsApp is accessed through either app. 

A number of conclusions were drawn from the history of deterministic values assigned to certain encryption key IDs that have effectively served as device fingerprints for decades. It is Tal Be'ery, co-founder and chief technology officer of Zengo cryptocurrency wallet, who was one of the researchers leading this research, who, along with other experts, shared their findings with Meta. 

As early reports indicated little response from the company, Be'ery observed later that the company began to mitigate the issue by introducing a randomization system for key ID values, specifically on Android devices, which seemed to have worked. He was able to confirm that these changes represent progress when he used a non-public fingerprinting tool to test the system, even though the technique was only partially effective. 

An article by Be'ery published recently and a demonstration that followed showed that attackers are still able to distinguish Android and iPhone devices based on One-Time Pre-Key identifiers with a high degree of confidence. 

It is cited in the article that the iPhone's initial values are low with gradual increments as opposed to Android's broader, randomized range, which is much larger. However, he acknowledged that Meta had recognized the issue as a legitimate security and privacy concern and welcomed the steps taken to reduce its impact despite these limitations.

It is important to emphasize, therefore, that the study highlights WhatsApp metadata exposed to the outside world is not a theoretical worry, but a real security risk with wide-ranging consequences. When advanced attacks take place, metadata plays a key role in reconnaissance, providing adversaries with the ability to identify targets, differentiate between iOS and Android environments, select compatible exploits, and reduce the number of unsuccessful intrusion attempts, thereby allowing them to succeed with social engineering, spear-phishing, and exploit chain attacks as a whole.

In a large-scale scenario, such data can be fed into OSINT applications and AI-driven profiling tools, which allows for significant cost reduction on the selection of targets while also enhancing the precision of malicious operations when applied at scale. Moreover, researchers warned of the dangers associated with public profiles photos, stating that by being able to tie facial images to phone numbers on a mass scale, specialists might be able to create facial recognition-based reverse phonebook services based on the ability to link facial recognition to phone numbers.

A significant portion of these risks may be magnified for those with a high exposure rate or who are in regulated environments, such as journalists, activists, and professionals who perform sensitive tasks, where metadata correlation may result in physical or personal harm. 

It was learned from the study that millions of accounts are registered in jurisdictions where WhatsApp has been banned officially, raising concerns that using WhatsApp in these regions may have legal and/or persecutorial repercussions. It is important to note that this study highlights the structural problems that WhatsApp's centralized architecture creates, resulting in a single point of failure that affects billions of users, limits independent oversight, and leaves individuals with little control over their data. 

As a result, the research highlights a number of structural issues inherent in WhatsApp’s centralized architecture. A number of researchers recommend that users should take practical steps in order to reduce exposure until deeper structural safeguards are implemented or alternative platforms are adopted. 

Some of those steps include restricting profile photo visibility, minimizing personal details in public fields, avoiding identifiable images when appropriate, reviewing connected devices, limiting data synchronization, and utilizing more privacy-preserving messaging services for sensitive communication, just to name a few.

In sum, the findings of the research suggest that there is a widening gap between the protections users expect from encrypted messaging platforms and the less visible risks related to metadata leaks. It is evident from Meta’s recent mitigation efforts that the issue has been acknowledged, but that the persistance of device fingerprinting techniques illustrates that large and globally scaled systems can be difficult to completely eradicate side-channel signals. 

The fact remains that even limited metadata leakage on a platform that functions as a primary communication channel for governments, businesses, and civil society organizations alike may have outsized consequences if it is aggregated or exploited by capable adversaries. 

It is also important to recognize that encryption alone is not sufficient to guarantee privacy when the surrounding technical and architectural decisions allow the inference of contextual information. 

WhatsApp’s experience serves as a reminder that, as regulators, researchers, and users increasingly scrutinize the security boundaries of dominant messaging services, it is imperative that strong cryptography be used to protect billions of users as well as continuous transparency and rigorous oversight. Metadata needs to be treated as a first-class security concern, rather than something that can't be avoided.
Read more »
VPN security
Chat Control Regulation Client Side Scanning cybersecurity risks Data protection Encryption Backdoors End To End Encryption Online Surveillance Privacy VPN security

Chat Control Faces Resistance from VPN Industry Over Privacy Concerns


 

The European Union is poised at a decisive crossroads when it comes to shaping the future of digital privacy and is rapidly approaching a landmark ruling which will profoundly alter the way citizens communicate online. 

A final vote on October 14 is expected to take place on September 12, 2025, as Member States will be required to state their position on the proposed Child Sexual Abuse Regulation — commonly referred to as "Chat Control" — in advance of its final vote. Designed to combat the spread of child abuse content, the regulation would place an onus on the providers of messaging services such as WhatsApp, Signal, and iMessage to scan every private message sent between users, even those messages protected from being read by third parties. 

The supporters of the legislation argue that it is a necessary step for ensuring the safety of children, but critics argue that it would effectively legalise mass surveillance, thereby denying citizens access to secure communication and exposing their personal data to the possibility of being misused by government agents or exploited by malicious actors. 

Many observers warn that this vote will set a precedent that could have profound implications for the privacy and democratic freedoms of the continent as a whole if its outcome were to turn out favorably. 

The proposal is called “Chat Control” by its critics, since it requires all messaging platforms operating in Europe to actively scan user conversations, including those that are protected by end-to-end encryption, in search of child sexual abuse material that is well-known and previously unknown. 

In their opinion, such obligations threaten to undermine the very foundations of secure digital communication, creating the possibility of unprecedented levels of monitoring and abuse, which advocates argue could undermine the very foundations of secure digital communication.

The VPN Trust Initiative (VTI), an organisation which represents a group of major VPN providers, has been pushing back strongly against the draft regulation, stating that any attempt to weaken encryption would erode the very basis of the Internet's security. VTI co-chair, Emilija Beranskait, emphasised that "encryption either protects everybody or it doesn't," imploring governments to preserve strong encryption as a cornerstone of privacy, trust, and democratic values, urging them to adopt stronger encryption. 

According to NordVPN's privacy advocate, Laura Tyrylyte, while client-side scanning is indeed a safety and security concern, it is not an acceptable compromise between an organisation's safety and security, contending that solutions must not be compromised in the interest of addressing a single issue alone. 

Moreover, NymVPN's CEO, Harry Halpin, condemned the proposal as “a major step backwards for privacy” and warned that, once normalised, such surveillance tools could be used against journalists, activists, or political opponents. In addition, experts have raised significant technical concerns with the introduction of mandatory scanning mechanisms, stating that such mechanisms will fundamentally undermine the technology underlying online security. 

Moreover, they are concerned that client-side scanning infrastructure could be repurposed so that surveillance is widened far beyond what it was originally intended to do, which runs counter to the European Union's own commitments under initiatives such as the Cyber Resilience Act and efforts to prepare for quantum cryptography in the future. 

However, a deeply divided political debate is ongoing in the EU. Eight member states have formally opposed the proposal, including Germany and Luxembourg, while fifteen others, including France, Italy, and Spain, are still in favour of the proposal. 

There is still some uncertainty regarding the outcome of the October vote because only Estonia, Greece, and Romania have not decided. In addition to the pressure being put on the EU Council, more than 500 cryptography experts and researchers have signed an open letter urging it to reconsider the risks associated with introducing what they consider a dangerous precedent for the future of the digital world in Europe. 

It has been suggested that under the Danish-led proposal, messaging platforms such as WhatsApp, Signal, and ProtonMail would have to scan private communications without discrimination. In their current form, the proposal would violate end-to-end encryption in an irreparable way, according to experts. 

A direct analysis of links, photos, and videos is part of the system that will run directly on the users' devices before messages are encrypted. 

Only government and military accounts are exempt from this analysis, with the draft regulation last circulated to EU delegations on July 24, 2025, claiming to safeguard encryption. Still, privacy specialists are of the opinion that true security cannot be maintained using client-side scanning. 

Laura Tyrylyte, NordVPN's privacy advocate, observed that "Chat Control's client-side scanning provisions create a false choice between security and safety." The solution to one problem, even a serious one like child safety, cannot be at the expense of creating systemic vulnerabilities that are more dangerous to everyone." 

Several other industry leaders expressed similar concerns as well, including Harry Halpin, CEO of NymVPN, who condemned the measure as “a significant step backwards for privacy.” He explained that the indiscriminate scans of private communications are disproportionate in nature, creating a backdoor that could be exploited if it is normalised. 

There is a risk that such infrastructure could easily be redirected towards attacking journalists, political opponents, or activists while also exposing ordinary citizens to hostile cyberattacks. In Halpin's view and the opinion of others, it is more effective to carry out targeted, warrant-based investigations, to take down illegal material swiftly, and to use properly resourced specialist teams rather than universal surveillance as a means of detecting illegal activity. 

However, despite the simple concessions made in the latest draft, such as restricting the detection to visual contents and excluding audio and text, the scientific community has remained steadfast in its criticism regardless of the concessions made. 

The researchers point out that there are four critical flaws to the system: the inability to scan billions of messages accurately; the inevitable weakening of encryption through the monitoring of devices on-device; the high risk that surveillance can expand beyond its stated purpose due to "function creep"; and the danger that mass monitoring in the name of child protection will erode democratic norms. 

While the EU has promised oversight and consent mechanisms, cryptography experts claim that secure and reliable client-side scanning cannot be performed at scale, despite promises of EU oversight and consent mechanisms. This proposal, therefore, is technically flawed as well as politically perilous. 

VPN providers are also signalling that they will not stand on the sidelines if the regulation is passed. Several leading companies, including Mullvad, a popular privacy-focused service, have expressed concern about the possibility of withdrawing from the European market altogether if the proposed legislation is passed. 

If this happens, millions of users will be impacted, and innovation in this field may be curtailed. Similar advocacy groups, including Privacy Guides, have sounded the alarm in the past weeks, warning that the new regulations threaten to undermine the privacy of all citizens, not only those suspected of wrongdoing, and they urge all citizens to take notice before the September 12 deadline. 

A growing number of social media platforms are also being criticised, and voices like Telegram founder Pavel Durov have pointed out that comparable laws have failed in the past, as determined offenders have simply moved to smaller applications or VPNs to avoid these weaker protections, which leaves ordinary users to bear the brunt. 

The debate carries significant economic weight. The Security.org website indicates that more than 75 million Americans already use VPN services to keep their privacy online. As Chat Control advances, this demand is expected to grow rapidly in Europe. As per Future Market Insights, by 2035, the VPN industry is expected to grow to a value of $481.5 billion; however, experts caution that heavy regulation may fragment the market and stifle technological development.

Denmark has continued to lobby for the proposal despite mounting opposition from civil society groups, technology companies, and several member states as the EU Council prepares to vote on October 14, as tensions are increasing. In recent weeks, citizens have taken to online platforms such as X to voice their concerns about the proposed legislation, warning that Europeans would not have fundamentally secure digital privacy. 

Analysts point out that in order to adapt to this changing environment, VPN providers may need to use quantum-resistant technologies faster or explore decentralised models, as highlighted in recent forward-looking studies, which point to the existential stakes of the industry. 

However, one central fear remains across all debates: once surveillance infrastructure is embedded in the environment, its scope is unlikely to be limited to combating child abuse. In their view, it could create a framework for broad and permanent monitoring, reshaping the global norms of digital privacy in a way that undermines both the rights of users and technological innovation in the process. 

A key question to be answered before the EU's vote on October 14 is whether it can successfully balance child protection with its longstanding commitments to privacy and digital rights while maintaining a sense of security. 

It is noted that decisions made in Brussels will have a global impact, potentially setting global standards for how governments deal with encryption, surveillance, and online safety, as experts warn. For legislators, the challenge is to devise effective solutions that protect vulnerable groups without dismantling the secure infrastructures that rely on modern communication, commerce and civic participation. 

One possible path forward, according to observers, could be bolstering cross-border investigative collaboration, strengthening rapid takedown protocols for harmful material, and building specialised law enforcement units which are equipped with advanced tools that are able to target perpetrators rather than citizens collectively, to achieve a better outcome. 

In addition to the fact that private measures would prove better at combating criminal networks, privacy advocates argue that they would also preserve the trust and innovation that Europe has championed for decades, as well as the sense of security that Europe has promoted for decades. 

There will be a clear indication of the EU's global leadership position in safeguarding both child safety and civil liberties through this decision, or whether it will serve as a model for other nations to emulate in terms of surveillance frameworks to maintain secure neighbourhoods.
Read more »
End To End Encryption
cloud storage cloud storage services Cyber Security Data Storage Data Synchronization E2EE End To End Encryption

Security Risks Discovered in Popular End-to-End Encrypted Cloud Storage Platforms

 

Recent cryptographic analysis by researchers at ETH Zurich has uncovered significant security vulnerabilities in five major end-to-end encrypted (E2EE) cloud storage platforms: Sync, pCloud, Icedrive, Seafile, and Tresorit. These platforms are collectively used by over 22 million people and are marketed as providing secure data storage. However, the study revealed that each of these platforms has exploitable flaws that could allow malicious actors to gain access to sensitive user data, manipulate files, or inject harmful data. The research was conducted under the assumption that a malicious attacker could control a server with full ability to read, modify, and inject data. 

This is a plausible scenario in the case of sophisticated hackers or nation-state actors. The researchers found that while these platforms promise airtight security and privacy through their E2EE models, their real-world implementation may fall short of these claims. Sync, for instance, exhibited critical vulnerabilities due to unauthenticated key material, which allows attackers to introduce their own encryption keys and compromise data. It was found that shared files could be decrypted, and passwords were inadvertently exposed to the server, compromising confidentiality. Attackers could also rename files, move them undetected, and inject folders into user storage. pCloud’s flaws were similar, with attackers able to overwrite private keys, effectively forcing encryption using attacker-controlled keys. 

This, coupled with public keys that were unauthenticated, granted attackers access to encrypted files. Attackers could also alter metadata, such as file size, reorder file chunks, or even inject files. Icedrive was shown to be vulnerable to file tampering due to its use of unauthenticated CBC encryption. Attackers could modify the contents of files, truncate file names, and manipulate file chunks, all without detection. Seafile also presented several serious vulnerabilities, including susceptibility to protocol downgrade attacks, which made brute-forcing passwords easier. The encryption used by Seafile was not authenticated, enabling file tampering and manipulation of file chunks. As with other platforms, attackers could inject files or folders into a user’s storage space. 

Tresorit fared slightly better than its peers, but still had issues with public key authentication, where attackers could potentially replace server-controlled certificates to gain access to shared files. While Tresorit’s flaws didn’t allow direct data manipulation, some metadata was still vulnerable to tampering. The vulnerabilities discovered by the ETH Zurich researchers call into question the marketing promises made by these platforms, which often advertise their services as providing the highest level of security and privacy through end-to-end encryption. In light of these findings, users are advised to exercise caution when trusting these platforms with sensitive data, particularly in cases where the server is compromised.  

The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings in April 2024, while Tresorit was informed in late September 2024. Responses from the vendors varied. Icedrive declined to address the issues, Sync is fast-tracking fixes, and Tresorit is working on future improvements to further safeguard user data. Seafile has promised to patch specific vulnerabilities, while pCloud had not responded as of October 2024. While no evidence suggests that these vulnerabilities have been exploited, the flaws are nonetheless concerning for users who rely on these platforms for storing sensitive data. 

The findings also emphasize the need for ongoing scrutiny and improvement of encryption protocols and security features in cloud storage solutions, as even end-to-end encryption does not guarantee absolute protection without proper implementation. As more people rely on cloud storage for personal and professional use, these discoveries are a reminder of the importance of choosing platforms that prioritize transparent, verifiable security measures.
Read more »
Telegram Messenger
App privacy Cyber Security data security End To End Encryption Messaging Apps Secure Messenger Telegram Telegram Messenger

Examining Telegram’s Encryption Flaws: Security Risks and Privacy Concerns

 

Telegram is often perceived as a secure messaging app, but this perception is flawed. Unlike WhatsApp, Telegram doesn’t have end-to-end encryption by default. While Secret Chats offer end-to-end encryption, this feature must be activated by users and does not apply to group chats or the desktop versions. However, it must be noted that all chats on Telegram are encrypted in transit and at rest.

Additionally, Telegram’s apps are open source, and its encryption protocols are fully documented, allowing independent researchers to verify their integrity and implementation. To date, no vulnerabilities in Telegram’s encryption have been identified. This leaves room for potential vulnerabilities, including access by admins, authorities, and hackers. While Telegram is widely used for its innovative features like chat organization and community management, its encryption methods raise red flags among security experts. The platform encrypts data in transit, preventing message interception. 

However, the majority of conversations on Telegram are not end-to-end encrypted, meaning administrators could access them if required by law enforcement. This poses risks for users discussing sensitive topics or sharing confidential information. Further, Telegram is the only messenger to offer verifiable builds on both iOS and Android, enabling researchers to confirm that the apps on app stores are built from the published source code. 
Moreover, Telegram’s encryption methods are seen as complex and opaque. For example, the optional Secret Chats use a proprietary encryption algorithm, which is difficult to verify and may include hidden vulnerabilities. Cryptography professionals have criticized this, noting that unless an encryption system is open-source, it cannot be thoroughly vetted for weaknesses or backdoors. One of the significant drawbacks of Telegram’s security is its inapplicability to group chats. Group conversations cannot be encrypted, which increases the risk of unauthorized access to user messages. 

For those needing strong privacy for sensitive communications, this is a serious limitation. Given that other popular messaging platforms like Signal and WhatsApp offer end-to-end encryption by default, users of Telegram may want to reconsider using the app for private or sensitive discussions. Signal, for instance, uses the highly respected Signal Protocol, which has been audited and proven to be robust. Telegram, by comparison, leaves users with limited protection due to its closed-source encryption. Despite these concerns, Telegram remains a popular app due to its versatile features, making it more than just a messaging platform. Telegram’s organizational tools, community management features, and ability to broadcast information have made it a favorite among certain groups, especially those sharing tech news or international updates. 

However, for those who prioritize security, Telegram’s limited encryption may not be sufficient, making apps like Signal or even WhatsApp a safer option for encrypted messaging. While Telegram has many innovative features, its encryption limitations leave it far from being the most secure messaging app.
Read more »
User Security
Data Privacy End To End Encryption Mobile Security SMS Attack User Security

Here's Why You Should Stop Using SMS Messaging

 

Cybersecurity is more critical than ever in today's digital world. However, one commonly employed but often missed area of weakness could be something you use every day. Since Nokia made the technology available to the public in 1993, Short Message Service, or SMS messaging, has been the major way people have texted. You might be surprised to hear that it's one of the riskiest methods of mobile communication given that it's typically included by default on most mobile devices. 

However, if you intend to stay safe and private, you should avoid using it. Here are five of the reasons why. 

Lacklustre end-to-end encryption

SMS is not encrypted from beginning to end. SMS messages, in reality, are frequently sent as plain text. This means that there are no safeguards in place and that anyone with the necessary knowledge can intercept an SMS. If your mobile provider employs encryption, it is most likely a poor and outdated method that is only used during transit. 

SMS relies on obsolete technology 

SMS technology is based on a set of signalling protocols known as Signalling System No. 7 (SS7), which was established in the 1970s. It is out of date and highly insecure, making it exposed to different forms of cyberattacks. As Ars Technica reported at the time, in 2017, a hacker gang used an SS7 security hole to circumvent two-factor authentication and drained people's bank accounts. Similar attacks have taken place several times over the years. 

The government can read your SMS texts 

Why haven't the security flaws in SS7 been fixed? One probable explanation is that regulators are uninterested in doing so since governments all across the world eavesdrop on their citizens. Whether or not this is the true reason, it is undeniable that your government could read your SMS texts if it so desired. Law enforcement in the United States does not even require a warrant to examine correspondence older than 180 days.Congressional Representative Ted Lieu presented legislation to stop this in 2022, but it was unsuccessful. 

Messages stored by your carrier 

SMS texts are saved by carriers for a set period of time (the length varies depending on the carrier). Metadata, which is information on the data itself, is kept much longer. If you aren't concerned about police enforcement reading your texts, you should be aware that your mobile provider can as well. While it is true that laws, regulations, and internal rules restrict mobile providers from spying on users, unauthorised access and breaches do occur. 

SMS message cannot be unsent 

Unsending an SMS message is not possible. If the recipient receives it, it will remain on their phone indefinitely unless they delete it manually. It's one thing to send a terrible and embarrassing SMS, but what if the recipient's phone has been hacked or otherwise compromised? And what if you revealed personal information in an SMS that you should not have revealed? This is probably not a scenario you want to think about. 

Switch from SMS to a secure messaging app 

SMS should not be used by anyone who is concerned about their personal cybersecurity and wishes to safeguard their privacy. The difficulty is that it provides a level of ease that alternatives simply cannot equal, at least for the time being. However, in most cases, that is not a sufficient justification to employ it. 

Secure, end-to-end encrypted messaging apps outperform SMS in practically every other way. And, if you have no other choice, use SMS wisely. Do not share information that you would not want a third party to have access to, and remember to take additional security steps.
Read more »
UK Home Secretary
Cyber Security Data Privacy End To End Encryption Tech Giant UK Home Secretary

UK Home Secretary Clashes with Meta Over Data Privacy

 

Suella Braverman, the UK Home Secretary, wants to "work constructively" with Meta on the company's plans to implement end-to-end encrypted (E2EE) messaging in Instagram and Facebook by the end of the year, which she thinks will provide a "safe haven" for paedophiles and harm children. 

Meta said it will continue to share relevant details with law enforcement and child abuse charities. Braverman has written to tech giant to voice her worries. 

A number of charities and technology professionals have signed the letter, which begs the firm to disclose more details on how it will keep consumers safe. 

Braverman told Times Radio earlier this week that E2EE might lead to platforms being "safe havens for paedophiles."

"Meta has failed to provide assurances that they will keep their platforms safe from sickening abusers," Braverman added, urging parents to "take seriously the threat that Meta is posing to our children. It also must develop appropriate safeguards to sit alongside their plans for end-to-end encryption.” 

Braverman stated that the government will use the powers given to it by the new Online Safety Bill legislation, which allows telecoms regulator Ofcom to compel tech companies to violate E2EE and hand over information linked to probable abuse cases if necessary. 

It is currently unclear whether this is possibly feasible without incorporating back-door access to such systems, which, according to tech companies, creates security and privacy issues. 

Meta stated that it has a "clear and thorough approach to safety" that focuses on "sharing relevant information with the National Centre for Missing and Exploited Children and law enforcement agencies." 

Braverman's intervention comes a day after the Online Safety Bill was given final approval by parliament and will now receive royal assent before becoming law. Tech firms such as Meta have decried the bill's threat to E2EE, with WhatsApp threatening to leave the UK if it becomes law. 

The government appeared to make a partial retreat earlier this month, stating it would only employ these powers as a "last resort" and when a technology that permits information to be extracted in a secure manner is established. 

Prime Minister Rishi Sunak stated his support for the measure earlier this year, in April. "I think everyone wants to make sure their privacy is protected online," Sunak said. "But people also want to know that law enforcement agencies can keep them safe and have reasonable ways to do so, and that's what we're trying to do with the Online Safety Bill." 

Meta said in August that by the end of the year, it would be implementing E2EE on private communications across all of its platforms.
Read more »
User Safety
Cyber Security data security End To End Encryption Mail Servers ransomware attacks User Safety

Cloud Email Services Strengthen Encryption to Ward Off Hackers

 

The use of end-to-end encryption for email and other cloud services is expanding. This comes as no surprise given that email is one of the top two cyberattack vectors. 

Mail servers made up 28% of all affected hardware, according to Verizon's annual 2022 Data Breach Investigations Report, and 35% of ransomware activities involved email. In its 2022 report, the EU Agency for Cybersecurity noted that ransomware is responsible for 10 terabytes of data theft each month, with 60% of businesses likely having paid a ransom. An updated Gartner study from 2021 found that 40% of ransomware attacks begin with email.

To address these issues, Google, Microsoft, and Proton, whose Proton Mail service was a pioneer in secure email, expanded their end-to-end encryption offerings. 

Google revealed a beta of client-side encryption services for Gmail on the web in a blog post last month. Up until January 20, 2023, customers of Google Workspace Enterprise Plus, Education Plus, and Education Standard may apply for the beta.

The tech giant stated that client-side encryption "helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs," noting that it encrypts all data at rest and in transit in Google Workspace between its facilities. 

Moreover, it claims that Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar already support client-side encryption. Users simply need to click the lock icon and choose the option for additional encryption, according to Google, in order to add client-side encryption to any message. Writing and including attachments work as expected.

Microsoft, which last updated its message encryption in 2019, declared in April of last year that updates to Windows 11 would include security patches to address phishing and malware threats. 

If so, Microsoft will probably also include end-to-end encryption since Office 365 Message Encryption currently uses Transport Layer Security encryption. Despite the fact that this service, according to the provider, enables users to encrypt and rights-protect messages intended for internal and external recipients using Office 365, non-Office 365 email applications, and web-based email services like Gmail.com and Outlook.com, it does not shield users from phishing or malware attacks as well as E2EE. 

Google's announcement came after that of Proton, a platform for encrypted cloud storage that was introduced in 2013 by CEO Andy Yen in Geneva, Switzerland. With a focus on mobile devices, the company increased its encryption offerings last fall. These new additions included secure cloud storage and a secure calendar feature, both of which have apps for iOS and Android devices. 

Users can safely upload, save, and share files to and from their phone using Proton Drive, a free encrypted cloud service that was made available in late September and made its iOS and Android debuts in December. 

The three main functions of Proton Drive are as follows:

  • Any uploaded file on the user's device is encrypted before it is stored on Proton servers. 
  • Metadata such as file and folder names, file extensions, file sizes, and thumbnails are encrypted. 
  • File expiration and viewing passwords are included, allowing for secure sharing with non-Proton users.

Proton said that since the beta launch of Proton Drive last September, with over 500,000 users participating, it has seen an average of one million files uploaded per day, roughly half of which are photos.

Additionally, it offers two paid levels of service for its encrypted drive, Drive Plus with 200GB storage for $4.99/month or $47.88/year and Proton Unlimited with 500GB for $11.99/month or $119.88/year, all of which are available to individual users.
Read more »
WhatsApp
End To End Encryption Government Database internet outage Message encryption Proxy Server User Privacy Vulnerabilities and Exploits. WhatsApp

WhatsApp Allows Communication Amid Internet Outages

On January 5, WhatsApp revealed a new feature that enables users to connect via proxy servers so they may continue using the service even when the internet is restricted or disrupted by shutdowns.

Concept of Whatsapp proxy 

When selecting a proxy, users can connect to WhatsApp via servers run by individuals and groups devoted to promoting free speech throughout the world. According to WhatsApp, using a proxy connection preserves the app's privacy and security settings, and end-to-end encryption will continue to secure private conversations. As per the firm, neither the proxy servers, WhatsApp, nor Meta will be able to see the communications that are sent between them.

When it comes to assisting users when WhatsApp is prohibited in a country, the messaging service stated, "If WhatsApp is restricted in your nation, you can utilize a proxy to connect and communicate with loved ones. End-to-end encryption will still be used to protect private communications while using a proxy connection to WhatsApp."

In accordance with the new rules, internet service providers had to remove anything that law enforcement regarded to be illegal and cooperate with police investigations, which included locating the authors of malicious materials.WhatsApp countered this claim by saying that it will continue to secure users' private messages and would not compromise their security for any government.

According to Juras Jurnas of the proxy and online data collecting company Oxylabs, "For persons with government restrictions on internet access, such as was the situation with Iran, utilization of a proxy server can help people keep a connection to WhatsApp as well as the rest of the public, internet free."

After activists in response to the death of Mahsa Amini, 22, while in police detention, the Iranian government restricted access to Instagram and WhatsApp last year. The suspension of Article 370 of the Indian Constitution by the Indian Parliament resulted in a shutdown of the internet in the state of Jammu & Kashmir. This state-imposed lockdown was implemented as a precautionary measure. Only two districts, Ganderbal and Udampur, have 4G availability. After 552 days without internet or with slow internet, the former state was finally connected to 4G on February 6th, 2021.

The business stated it is working to ensure that internet shutdowns never occur and that individuals are not denied human rights or prevented from seeking immediate assistance as these scenarios arise in various locations throughout the world. 

Internet platforms had to comply with police investigations, including locating the authors of malicious information and destroying anything that authorities had determined to be illegal, according to the new legislation.WhatsApp countered that it would maintain the privacy of users' private messages and would not compromise its security for any government.






Read more »
Risk Management
API Cyber Security Email services End To End Encryption Risk Management

Kiteworks Leased Email Encryption Totemo

 

Kiteworks, the leading email encryption gateway supplier, regulates and secures vital digital content traveling within and out of global corporations, and used by hundreds of the largest multinational organizations in the German, Austrian, and Swiss markets. Kiteworks enables businesses to effectively manage risk and assure compliance with all the sensitive content sent, shared, received, and saved. 

This is accomplished using the Kiteworks platform, which unifies, tracks, controls, and secures all sensitive digital content communications sent through the platform via email, file share, managed file transfer, web forms, and application programming interfaces (APIs).

The totemo purchase expands the Kiteworks platform's email functionality beyond user or plug-in activation within the platform to the native mail client, offering automatic coverage of any sensitive digital content sent and received via email. 

Email content metadata on individuals, apps, devices, networks, protocols, and files will be centrally digested and normalized as totemo's technology will be integrated into the Kiteworks platform in the coming months. To limit the danger of private information being exposed and to meet regulatory compliance requirements, companies can establish centralized and comprehensive tracking and controls. 

Businesses that use this integrated intelligence will strengthen and expand the total cyber-defense strategy, extending privacy protection and compliance beyond the data center, cloud, and wide-area network (WAN) perimeters to third-party sensitive content communications. 

"Acquisition of totemo automates and extends the platform's email encryption with S/MIME, OpenPGP, and TLS protocols," explains Jonathan Yaron, Chairman and Chief Executive Officer of Kiteworks. The acquisition will have a major impact on the governance, compliance, and security industries. Customers may manage and regulate critical information that is distributed both internally and internationally using a mix of technologies from two industry leaders in content communications. 

Kiteworks' ability to allow customers to manage risk and meet regulatory requirements throughout their sensitive content communications infrastructure is strengthened by the synergy between the two businesses' product offerings.

Enterprise-ready, end-to-end encryption and automatic conversion across a wide range of encryption protocols are added to the Kiteworks platform by totemo. No other provider can match this set of skills, much alone the associated business benefits like compliance, risk mitigation, and operational efficiency. 

The conclusion is that businesses must do more to safeguard their sensitive data. CIOs, CISOs, and risk and compliance managers are under increasing pressure to secure sensitive data and demonstrate regulatory compliance while reducing friction in employees' day-to-day procedures. It must safeguard content when it is at rest, in transit, and in use. 

It also needs to safeguard content during file transfers and file sharing, within APIs, and on web forms, in addition to email. Totemo's email encryption gateway technology will be integrated into the Kiteworks platform, resulting in the most comprehensive private content communications governance, compliance, and risk protection available in the market.
Read more »
Technology
End To End Encryption Secure Messenger Signal Technology

Signal Foundation owner says Telegram is not as secure as it claims

 Marlinspike stated that the security of the Telegram service is low since the personal data of users is on servers without any protection. According to him, this data includes contacts, media files, and every message that was created in unencrypted form. Allegedly, system administrators and engineers have easy access to this information.

Moxie Marlinspike believes that Telegram uses the dubious security protocol MTProto version 2.0, and end-to-end encryption E2EE does not always work.

The developer of the Telegram messenger, Pavel Durov, gave the founder of Signal an answer that simply shocked. He stated that the service stores all messages and user data in the public domain and does not assign itself the status of "the most secure messenger."

Durov wrote that his company still does not disclose personal data to third parties and third-party organizations. He said that any messenger does not give complete privacy to the user. For example, US companies work closely with the FBI and the NSA. According to the legislation of this country, they allow the introduction of backdoors that can become available to government agencies without notification and a court case.

Pavel noted that the Signal Foundation is sponsored by the CIA government agencies and can provide any data even without an official request.

Indeed, there is an opinion that the Signal Foundation is a project of the CIA, which, through intermediary organizations, organizes financial support and implements its agents.

It should be noted that Signal itself was hacked two years ago. The Israeli company Cellebrite, a developer of spyware, has gained access to the messages and attachments of the messenger. At the moment, the company cooperates with the governments of many countries and can provide access to the service.

Read more »
Subscribe to: Comments (Atom)