Cryptocat toys with users privacy

Last week some news about Cryptocat caught my eye, they have just launched a new monitor. This monitor allows you to see usage numbers of Cryptocat in globally in rough areas. Like I did with the WhatsApp alternatives I immediately checked the privacy policy and was surprised with what I found.

Cryptocat is a chat client that features encryption using Off-The-Record (OTR) encryption. This means that Cyrptocat logoboth ends have to be online at the same time to do secure negotiation, after which messages can be exchanged. So it is not really a WhatsApp alternative, although it does feature encryption.

The encryption techniques of Cryptocat has been under fire before. Last year we saw a scathing post describing how broken the Cryptocat encryption was and that any chats exchanged before that time were completely vulnerable. The designers of Cryptocat fixed things, but they did not think this was a very big deal.

A similar thing happened with the monitor: the published Privacy Policy did not actually allow them to collect and use the data to create the monitor. After I informed Cryptocat through Twitter, the team hastily fixed things and published an updated Privacy Policy. Note that this has been done without informing users, and the monitor has been kept online during the whole period.

Nadim Kobeissi answered days later that my critique was “disconnected from reality”, that the Privacy Policy was just “a wiki draft”, and that he did not see the point. Allow me to refute that the Privacy Policy is listed in their Documentation Page, there is no mention of the word “draft” anywhere on their website or in the policy itself, and there is no other Privacy Policy available on the website.

Another point he raised was that Tor did actually the same thing with their monitor. Even though this is a fallacy it is true, and Tor does also not ask permission to collect this data. The Tor project does show a history graph of the total number of users, which can be changed to show per country statistics. Even worse,  There is a myriad of documentation, but I have not been able to find a privacy policy, or a similar statement about what kind of data the Tor software collects. They only provide warnings that using Tor does not necessarily make you anonymous.

I called the Cryptocat monitor a marketing tool, the team claims to use it to detect censorships events. But with this vague way of doing statistics I fail to see how you could actually detect something like that. The Tor monitor shows a graph of total connections (per country), which is much easier to interpret and to follow.

2014-03-14 09.36.45 am

Cryptocat Monitor

Tor

TOR usage in the Netherlands