Delisting Wire from PrivacyTools.io

But again - what makes Keybase more trustworthy than Wire? It is everything Wire is, with more metadata collection, not 100% FOSS, a worse privacy policy and less transparent funding (i.e. source of income).

My Keybase metadata is under the same law (CLOUD Act) as Wire’s. So I need to trust them. And we have to keep in mind that collecting more or less metadata is usually related to the available features. So for me it is ok that Riot, Keybase or Wire collect more, since they offer more than Signal.

IMO, it’s ok to delist Wire, but in that case Keybase shouldn’t be on the list either. Maybe not even Riot.

I accept the risk, and use Wire (and Keybase, Riot & Signal). Because the threat model is also what should be considered when recommending or choosing an IM/VoIP service. If I were hiding from the US, UK, Swiss… government, I wouldn’t use any of those. So, what is the threat model of the average PTIO visitor? The answer to that question is the answer to whether Wire should be on the list or not. At least in the Team Chat Platform section, since that’s what it is now.

1 Like

You continually quote Wire’s blog as if it proves some point, but Wire does not get to create the laws of the US. Wire is 100% owned by a US company, which makes it subject to US laws. It doesn’t matter where they are physically located and operating, it matters where they are legally incorporated. This makes them subject to a multitude of US regulations, such as the CLOUD Act (which requires “U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.”).

Additionally, as you apparently refuse to acknowledge, there are a multitude of other reasons Wire was delisted from PTIO, all of which were explained in the blog, but I will rehash them here for you anyways.

The Privacy Policy Change

Here we have two separate issues. The first is most obvious, they changed their privacy policy to say they can share user data (this includes the metadata we’ve referred to, such as every user you have ever communicated with) whenever they deem it “necessary”. Previously they stated they would only share this data when required by law.

Necessary is a weak word in this context, because it can be used in virtually any situation. Wire could say it was necessary to share your information to avoid business problems. If they didn’t share your information with advertisers for example, they might go out of business. Therefore it was necessary to share your data to continue offering the service. This is obviously only a hypothetical, and a highly unlikely one at that, but it shows that the new wording can be construed in any context.

But I think you may understand that. The second issue which you haven’t recognized is the fact that…

Wire decided not to disclose this policy change to its users, and when asked why, Brøgger was flippant in his response, stating: “Our evaluation was that this was not necessary. Was it right or wrong? I don’t know.”

This is an issue for a number of reasons. Firstly, of course this was a change that needed to be more clearly communicated, because as stated above it has a direct impact on the type of data sharing Wire is allowed to do. And, as you have stated yourself, Wire is worse than most other messengers when it comes to things like metadata, data that has already been well established as virtually-just-as-useful as content data itself, to advertisers and government parties alike.

Secondly, the fact that Wire, a company creating a privacy-focused messenger, and its CEO did not even consider the possibility that this was an issue is alarming. If we can’t trust them as a company to perform basic tasks like this, how are they a good recommendation?

Jurisdiction

I will again reiterate this point: Wire being US-based is not the only reason they were delisted and is not a reason to delist other US-based organizations like Signal.

However, Wire obfuscating their jurisdiction by continually stating their operations are Swiss-based while they are wholly owned by an American company is misleading at best. It’s something you and presumably many others will fall for, which is not really acceptable behavior from the Wire team. They should be more clear about their obligations.

Wire being Swiss-based and US-owned means it is subject to both the US and EU regulations. Typically we’d like to see less jurisdictional power over a service, not more of it.

Privacy

Wire has — for several years now in fact — been pivoting away from the privacy space as a whole. Sometime in late 2017 they removed all mention of even the word “privacy” from their homepage, where it was previously proudly displayed.

The shift from the “full privacy” Wire messenger of Oct 2017 to the “secure messenger” of Nov 2017 marked the first in this series of business changes from Wire. The only mention of “privacy” on the homepage now was on the fact they were subject to European privacy laws, text they changed to “European data protection laws” in Feb 2018. This to me demonstrates a cultural shift at Wire from a messenger that respects your privacy to a messenger that protects your data. These are similar but distinct concepts. The former to me at least seems like more of a commitment to user control over how their data is used when using their app, the latter seems like a mere commitment to hiding information from third-parties.

Personal Use

In a similar shift to the one above, Wire has been slowly but surely pivoting away from personal use of their app entirely, preferring to cater to the — presumably more lucrative — business communication segment, targeting Slack and Skype for Business users.

Go to Wire.com today and you will find no mention of their free Personal plan at all, not under their Solutions navbar menu, and no longer even on their pricing page. This to me is a problem for two reasons:

  1. Of course, as a general-purpose instant messenger we’re recommending, the free plan is a requirement, because there are many other services (Signal, Keybase, Matrix) that provide as good or better functionality at no cost. When we recommend Wire (even though it technically does have a free plan), many users may not recognize this when they visit the site and will choose to purchase Wire Pro to use it, or worse, give up on it and stick with whatever they were using before because “oh no the private solutions cost too much!!1” — The former is obviously Wire’s goal, but we believe that is misleading.

  2. Perhaps more importantly, these gradual changes appear to put the personal plan in jeopardy altogether. Changes to the personal plan in general appear to have been put on the back burner in favor of more business-friendly modifications, and their slow removal of any evidence it even exists is the obvious first step towards removing it altogether.

As a company, Wire obviously no longer cares about their individual users, and that is something we need to take into account when we recommend their product. Yes, their personal plan still technically works, but that isn’t exactly comforting long-term.

Final Thoughts

I want to say that this is all — of course — fine for Wire to do and I’m fine with the fact that they’ve found a sustainable business model. But regarding them having a sustainable business model…

Their new business model will undoubtedly be great for them as a company. It just isn’t something PrivacyTools can recommend any longer, and it isn’t a pivot the privacy community in general should be accepting of.

5 Likes

Nicely explained, thank you. But it still doesn’t explain why it isn’t in the Team Chat section. E.g. Rocket Chat uses their servers and Google for notifications even when self-hosting. Businesses usually care about privacy just as much as is necessary (e2ee and/or self hosting), i.e. they only want to control their data, not metadata, as private users do.

There are some wrong conclusions here.

Short explanations:

Being audited ≠ free of vulnerabilities

The most famous example we know is OpenVPN. It got audited in 2017 by two different parties. Issues were fixed. Shortly afterwards, a third party tested its security and found 4 critical security vulnerabilities that weren’t discovered in either audit. See also https://infosec-handbook.eu/blog/software-security-myths/#m2.

Plus:

  • An audit conducted one, two or three years ago may be already irrelevant because developers modified hundreds of lines of code or dependencies got updated.
  • An audit doesn’t guarantee that someone will fix the findings afterwards, and it doesn’t guarantee that fixes won’t introduce new vulnerabilities.

No CVE ID assigned ≠ free of vulnerabilities

If you find a security vulnerability, it doesn’t magically/automatically get a CVE ID. You must apply for an identifier. Of course, there are rules, so you can’t get CVE IDs for every security vulnerability that exists. For example, you likely won’t get a CVE ID for experimental (alpha/beta) software like WireGuard.

Or you just directly report findings to the manufacturer of a product. Then vulnerabilities get (hopefully) fixed without ever seeing a CVE ID if nobody applied for one. This audit of Wire shows such security-relevant findings. So there actually were security vulnerabilities that got fixed.

Product A has fewer CVE IDs than product B ≠ Product A is more secure than product B

This is similar to “There are more open issues for product B than for product A”, as described here: https://infosec-handbook.eu/blog/software-security-myths/#m3.

Maybe there was never a comprehensive audit of product A, or product B is just regularly tested while A was tested only once.

That is possible @crossroads, however we have never evaluated their business offerings ourselves and cannot make a judgement of it at this time.

You continually quote Wire’s blog as if it proves some point, but Wire does not get to create the laws of the US . Wire is 100% owned by a US company, which makes it subject to US laws. It doesn’t matter where they physically are located and are operating, it matters where they are legally incorporated.

No, Wire is a Swiss company with Swiss jurisdiction, please read their legal status if you do not believe their blog.
Wire follows European privacy laws.

Here we have two separate issues. The first is most obvious, they changed their privacy policy to say they can share user data (this includes the metadata we’ve referred to, such as every user you have ever communicated with ) whenever they deem it “necessary”. Previously they stated they would only share this data when required by law.

They can only share some metadata (date and time of registration and IP geographical coordinates; the date and time of creation, creator, name and list of participants of a conversation for 72 hours) since data are e2e encrypted.

I agree with the fact that Wire should have informed about the privacy policy change in a better way, as they did in the past blog, since Wire has always been committed to privacy blog.

Wire being Swiss-based and US-owned means it is subject to both the US and EU regulations. Typically we’d like to see less jurisdictional power over a service, not more of it.

According to my knowledge this is not true. Wire is Swiss-based and the servers are EU-based, so data are protected by Swiss and EU laws, not US laws. The USA has to ask both Swiss and EU courts in order to obtain the metadata, and they have 72 hours.

Wire has — for several years now in fact — been pivoting away from the privacy space as a whole. Sometime in late 2017 they removed all mention of even the word “privacy” from their homepage, where it was previously proudly displayed.

This is not precise, Wire has been committed to privacy more than the majority of companies blog. Of course, they removed the word privacy from the home page.

In a similar shift to the one above, Wire has been slowly but surely pivoting away from personal use of their app entirely, preferring to cater to the — presumably more lucrative — business communication segment, targeting Slack and Skype for Business users.

I agree, but your motivations are quite meaningless.

Their new business model will undoubtedly be great for them as a company. It just isn’t something PrivacyTools can recommend any longer, and it isn’t a pivot the privacy community in general should be accepting of.

I do not agree, at the moment, Wire is still better than Signal in terms of both privacy and security, even if of course I do not like the drift to business. So the facts show that the decision to maintain Signal or other applications is not fair compared to Wire.

There are some wrong conclusions here.

Being audited ≠ free of vulnerabilities

I did not say this. This is your conclusion, not mine. I only wrote that thanks to the audit of the applications, Wire does not have any CVE according to the NIST NVD database. This does not mean that it has no vulnerabilities.
I consider the facts, not the potential issues. Software that has been verified/audited is safer than software that has not been verified/audited. This is the direct consequence of Kerckhoffs’s principle.

No CVE ID assigned ≠ free of vulnerabilities

Product A has fewer CVE IDs than product B ≠ Product A is more secure than product B

In general, I agree that there are no applications without vulnerabilities and the compromise of security and confidentiality depends on their extent. The severity of known vulnerabilities does not guarantee the presence or absence of future vulnerabilities, but is a good indicator of the quality of design and implementation of a service.

I’m sorry, but I do not agree with your reference and its author. There are always exceptions, even in math, which is considered the perfect science. Indeed, the described myths are based on exceptions and are not valid in general.
The first myth is clearly against Kerckhoffs’s principle, which is recognized and accepted by modern cryptography. The second, third and fourth myths refer to specific cases.

Kerckhoffs originally stated six principles, you even included a link to the original ones. In their original form, five of them are actually no longer relevant for modern crypto. This is also mentioned in the Wikipedia article linked by you.

Assuming that you refer to the derived statement “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge”, the debunked myth in the InfoSec article isn’t against this principle. The principle says “should be secure if everything about the system … is public knowledge”, it doesn’t say “must be open source to be secure.” This includes that a proprietary system should remain secure even if its code becomes public.

So the derived statement neither says “software must be open source to be secure” nor “audited software is more secure than software without an audit.” These are your assumptions, not Kerckhoffs’s principles.

Kerckhoffs originally stated six principles, you even included a link to the original ones. In their original form, five of them are actually no longer relevant for modern crypto. This is also mentioned in the Wikipedia article linked by you.

Assuming that you refer to the derived statement “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge”, the debunked myth in the InfoSec article isn’t against this principle. The principle says “should be secure if everything about the system … is public knowledge”, it doesn’t say “must be open source to be secure.” This includes that a proprietary system should remain secure even if its code becomes public.

Kerckhoffs’s principle: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
or its extension:
“The fewer and simpler the secrets that one must keep to ensure system security, the easier it is to maintain system security.” Bruce Schneier.

So the derived statement neither says “software must be open source to be secure” nor “audited software is more secure than software without an audit.” These are your assumptions, not Kerckhoffs’s principles.

A proprietary software is closed source, not transparent and secret. An open source software is transparent and public. This is a consequence consistent with the Kerckhoffs’s principle.
Moreover, open source software can be analyzed by every programmer, but how many of them can fully understand it? A public audit conducted by security experts improves software security even if it does not guarantee the absence of vulnerabilities.

Literally everything he explained to you is in the blog post.

“On the consumer side WhatsApp may have won the battle of the world,” Brøgger tells Sifted at his company’s Berlin offices. “But right now we’re getting great momentum on the enterprise side. We want to be the best communication tool for enterprises, for work.”

Wire CEO further explains they are not focusing on individuals and want to take on Slack and MS Teams.

So I would agree it could be considered for the team chat section, but it would need to be tested first with that functionality. I also think it should be done later as we see how the company evolves with its new funding. As the pressure from investors mounts to be repaid, we could see even bigger changes come to the platform if they aren’t turning a profit soon enough.

3 Likes

When asked if he will announce future funding rounds, Brøgger laughs lightly. “Most likely,” he says, adding his clients were “of course” told about the funding.

Notably, he does not consider personal users to be clients of Wire at all.

“What we believe in is that privacy and security go hand-in-hand,” he says, adding that people need to remember they made a pivot from consumers to enterprises. “But I don’t think we (he and privacy advocates) fundamentally disagree.”

Again he reiterates that personal use is not at all what Wire wishes to promote and support.

Therefore I disagree, and believe our reasoning is completely reasonable. For the reasons I stated in my original reply.

1 Like

Nice article. More choice quotes:

"Launched in 2012 by Alan Duric and Jonathan Christensen, an alumnus of the internet telecommunications tool Skype, Wire was originally a consumer app."

"Duric is still the company’s joint chief technology officer and chief operating officer in Switzerland. Funded mostly by Skype cofounder Janus Friis, Wire never seemed to gain the same traction on the consumer side as other secure messaging apps like Telegram and Signal."

It was a great application, Brøgger says, but had “literally zero revenue”.

Wire has since pivoted into enterprise and Brøgger was brought in two years ago to steer the platform to the “consumerisation of enterprise communication and collaboration”.

And a Snowden jab too!

1 Like

You add another quote that doesn’t say what you said, and link to Wikipedia where one can’t find this quote. So what is the purpose of this quote here?

This is again your interpretation of the derived statement from Kerckhoffs’s principles as already explained above. This principle doesn’t say “A proprietary software is closed source, not transparent and secret. An open source software is transparent and public.” It says: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” Again, there is a SHOULD and EVEN IF in this sentence. There is no OPEN-SOURCE SOFTWARE or PROPRIETARY/CLOSED-SOURCE SOFTWARE. Then, it is about “a cryptosystem”, not about software in general.

Besides, proprietary software isn’t necessarily kept secret. You compare licenses here, and licenses aren’t security properties.

Exactly. In theory, many people could analyze source code that is publicly available. In reality, this doesn’t ensure more or less security as regularly shown by the discovery of long-lived security vulnerabilities (e.g., in the Linux kernel, in VNC software).

A non-public audit by security experts also improves software security. This is no benefit.


Anyway, you are repeating your interpretation of a sentence to somehow support your statement that Wire is more secure than Signal since there were more audits, and there are no assigned CVE IDs for Wire (written in this post Delisting Wire from PrivacyTools.io).

This doesn’t mean that something is more or less secure, as already explained above. Somehow you now say that you didn’t say this … 🤷‍♂️

2 Likes

At this point PTIO has made it very clear what their reasons are in several posts. Their decision is not going to change anytime soon. Not everyone will agree, but this is their website. Rehashing the same arguments is pointless.

Wire is now in the same market space as Slack and MS Teams, these are its main competitors now by Wire’s own press statements. These are not the type of apps PTIO ever recommends. It is very clear now that this has been Wire’s planned business goal for at least 2 years. This also will not change anytime soon.

Some people need to learn how to agree to disagree and move on. Those who can’t become a waste of time and resources which can be better spent serving the needs of the community.

3 Likes

You all clearly got paid by Signal. There is no reason why you should embrace insecure software over Wire. Wire is Swiss jurisdiction. It is safer and more private than Signal but you still recommend American spy software over secure Swiss software.

You have no idea what you are talking about. You are obviously no security expert. Please don’t write things you don’t understand.

The decision is based on wrong “facts”. It must be corrected. This is what counts.

1 Like

Operated by an American company, and in partnership with the US Federal Government.

Man, you’re all reaching pretty hard to defend Wire, and you accuse us of being paid?

2 Likes

Lol okay.

2 Likes

Everything that needed to be discussed has been discussed, and everything further is non-constructive. I’m locking this thread. This is our official position on Wire. Future threads rehashing the same repeated and replied-to arguments we’ve seen here will be closed.

3 Likes