Quantcast
App Built by Former Skype Employees Retracts Promise Not to Read Your Messages

Wire is only two days old and already walking—backwards.

Wire, a new communications app backed by a Skype co-founder, launched yesterday to broad acclaim. It allows cross-platform video and messaging services—even from iOS to Windows—meaning that pretty much anyone can chat with anyone else.

It also promises to be secure. In an FAQ section of Wire's new site, one section asks "Who Can See The Messages I Send?"

"Your messages and conversation history can only been seen by you and the people in those conversations," is the reply.

After I approached Wire, the company removed that claim from its website

But, after I approached Wire with evidence from its privacy policy and other documents, the company has removed that claim from its website, putting serious doubt as to the privacy of its users' messages.

It started yesterday, when I posted a screenshot to Twitter showing that although Wire does use end-to-end encryption—which ensures a third party can't decrypt any information intercepted on its way from user to user—for its voice calls, it doesn't do the same for any messages or media that are sent across its service. Instead, these are encrypted to and from their data centres, rather than on your device. 

Since Wire's data centres are the ones doing the encrypting, that theoretically means that they can read your messages beforehand, or decrypt them, since they have the digital key to do so.

This was picked up by security expert the grugq, who tweeted "New messenger [Wire] DOES NOT encrypt messages or media end to end. It is not safe, do not use."

A Wire spokeperson told me in an email that "We've made technical design and product choices to provide Wire users with the benefits of a certain feature set—for example, the ability to enjoy conversations across multiple devices and platforms. We are constantly reviewing those choices with security in mind."

The lack of end to end encryption on messages was interesting in itself, but another apparently contradictory statement lay elsewhere on the Wire site.

A screencap from Wire's website before the company changed it.

Alexander Hanff, the Chief Privacy Officer at Connect in Private Corp., pointed out that in the company's privacy policy, it says that Wire "does not rent or sell your personal data or the content from your conversations with anymore. Furthermore, we do not share this information except in limited circumstances related to enforcing our Terms of Use policies and to our compliance with the law."

Now, how could Wire possibly know if the content of a message wasn't infringing their Terms of Use or the law? The only way that is possible is if they did have the ability to read their users messages, something that runs at odds with the claim that "Your messages and conversation history can only be seen by you and the people in those conversations."

"Their entire privacy policy is misleading and lack [sic] any information—just double speak," Hanff tweeted.

I raised this with Wire, and asked whether Wire can read the content of media and messages sent using their service.

They didn't answer that question. They did, however, remove the claim that messages can only be read by the user and recipient from their website. Fortunately, I got a screenshot of that statement beforehand.

A spokesperson told me "Thank you for your feedback. We have clarified what looked to be a contradictory statement on our support site. Really appreciate you bringing this to our attention."

At the moment, the FAQ section has no information on "Who Can See The Messages That I Send?"

Wire got tech pundits excited because it looked like a more modern communications tool than the 11-year-old Skype and seemed to take security seriously. But this shows that even in a post-Snowden world were tech companies are falling over each other to show they are more secure than their competitors, caution still needs to be exercised around anything when it comes to privacy.