Slowly app & Data Privacy – Different worlds ?


An important topic, glad it is now being discussed

Yesterday I received a direct message on Reddit from a fellow user, with mention of a topic he created. His topic is very well written, explained and provides numerous links to additional information.

The theme of the post is the Privacy of our communications with our pen pal friends in the Slowly app. I responded with various comments, and immediately asked if he, /u/CrazyLizard on Reddit, would be interested in being published here, as a Guest Author post in this Blog.

CL agreed, and we collaborated to bring it here, hopefully reaching a larger audience as well. The full article follows. Thank you, CL!


Slowly app and Data Privacy – Two Different Worlds?

Guest post by CrazyLizard, original posted on Reddit here.

On 28th January, Slowly celebrated the “international data privacy day” with a free stamp (see here). What is this day about? According to Wikipedia, “The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices.”

So I asked myself: how does Slowly Communications Ltd. protect the data of the people using their app, aka our data?

I searched Reddit but couldn't find any related topic – neither in this subreddit nor in privacy-related subreddits, like r/privacy. That's why I decided to find out myself and share it with you here. Sorry if it gets a little too techy at some point. Also, I'm not covering all aspects but a few important ones. I hope to raise some awareness with it, and I'm happy to hear your opinions and experiences.


A little Background

The terms “data protection” and “privacy” became a hot topic during the past weeks. Decisive for this was mainly WhatsApp announcing their new privacy policy update – if you have WA installed you surely saw the popup window asking for your consent already – if not, you probably heard about it in the news. To make it short: WhatsApp will share your data with their parent company Facebook, which is nothing very new, but it raised the question again of how companies handle our data. As a response, a lot of people switched to other messaging apps, like Signal or similar. For a simple explanation look up my post from last month in r/signal. I highly recommend that you look up the r/privacy subreddit to get familiar with the topic.

Back to Slowly: As a long-time Slowly user (almost 2 years now) I wondered if Slowly is respecting my privacy and it raised the question: Are my letters safe from 3rd parties?


The secrecy of correspondence

In the offline world we have something called the secrecy of correspondence, meaning our handwritten and printed letters are (most of the time) handled confidentially and are intended only for the recipient. We can use registered mail to make sure the letter is received by the intended recipient and we can see immediately when someone else already read the content if the envelope is ripped up.

By using the term “letter”, as Slowly does, we naturally assume some sort of security and privacy. In the digital world this is usually achieved by End-to-End Encryption (E2E).

But why is this even important?

Many of us share personal information and stories with penpals, things we may not have told anyone else before. This should remain private. Some of us do not feel safe talking about certain topics. One of my penpals wrote me while the political situation in her country was not very stable: “I don't want to talk about it (her political opinion), since it can be not so safe, I hope you understand.” This made me think even more about whether the letters are secure and encrypted, as it can potentially endanger people if they are not.


Does Slowly encrypt our letters?

The Slowly homepage does not contain any information about encryption or safety regarding the letters, which gives the impression that it is not a priority for them, but...

There exists a page about encryption in the Slowly FAQ section [1], claiming that “All the messages (aka letters) sent between users are encrypted and protected by a JSON Web Token (JWT). The token expires and updates every time you open the app. All the information from our server to your app are transferred under 256-bit SSL powered by Cloudflare.”

There's one sentence in the FAQ at the end making it sound not very trustworthy:

However, please never share any personal or sensitive information through SLOWLY.

I think what Slowly meant to say here is similar to what they wrote in their privacy policy: “The letters you send to your pen friends may in turn be shared by them with others. Do not post or send information that you want to keep private.” [2], which would be understandable for most of us, I think. Still, it is not clear in the FAQ.

The FAQ is very short, unclear and does not contain the magic word “End-to-End-Encryption”. It gives the impression that the letters are encrypted between the client (your phone) and server (Slowly) only, speaking of HTTPS here. A response from support reinforces this assumption:

Response to a support message from u/yann2 (Nov 18, 2020, 3:42 AM):

“[...] Slowly does not support end-to-end encryption, and right now, we do not have a solid plan or timeline to implement it. I am sure we will make an official announcement if we decided to do it one day.”

We don't know how our letters are stored on their servers. Realistically: The devs can read our letters (by having a decryption key – if they are even encrypted), e.g. if a report is filed against the person. Also possible: Our letters are stored in plain text. Both are a no go.

Why? First: People with bad intentions can attack the server, get access and therefore steal the data (aka our letters) and publish it somewhere on the internet. Second: Depending on the server location (see below) government agencies can request access to your data and letters. From the above response we know:

“Our data servers are mainly located in the US and some others in Europe, i.e. no servers in Hong Kong or China. And we will ignore the data requests coming from the governments or countries which do not have freedom of speech. – This is the official answer I replied to similar enquiries in case you want to know.”

At least Slowly ignores data requests from certain countries but that is no excuse for not using E2E encryption.
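
The FAQ wording quoted in this section says letters are “protected by a JSON Web Token”. The following added example (not part of the original post and not Slowly's code; the token, key, claim names and the HS256 algorithm are constructed assumptions) shows what a signed JWT (JWS) does: its claims can be read by anyone holding the token, and the key only protects them against modification, so it authenticates a session rather than keeping letter content secret end to end.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT (JWS compact form: header.claims.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def read_claims_without_key(token: str) -> dict:
    """What any party holding the token can read: no key is needed."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify(token: str, key: bytes) -> bool:
    """What the key actually protects: integrity of header and claims."""
    try:
        signing_input, sig = token.rsplit(".", 1)
        expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig))
    except (ValueError, TypeError):
        return False

def tamper(token: str, **changes) -> str:
    """Rewrite claims but keep the old signature, as a party without the key would."""
    header, _, sig = token.split(".")
    claims = {**read_claims_without_key(token), **changes}
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join((header, body, sig))

# Constructed sample values, not taken from the Slowly app.
SERVER_KEY = b"constructed-demo-key"
TOKEN = make_jwt({"sub": "user-1234", "exp": 1700000000}, SERVER_KEY)

if __name__ == "__main__":
    print(read_claims_without_key(TOKEN))                       # readable without the key
    print(verify(TOKEN, SERVER_KEY))                            # untouched token verifies
    print(verify(tamper(TOKEN, sub="user-9999"), SERVER_KEY))   # modified claims do not
```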


What about my (meta-)data?

According to another FAQ answer:

SLOWLY does not get any personal or monetary gain from your private information or personal data. [3]

Sounds good at first sight, but let's check that by reading their privacy policy (yes, I did this! Unbelievable, I know). The privacy policy is not too long (compared to other services), I highly encourage you to read it too!

Not far into the text we find this:

We collect different types of personal information about you and your activities.

Ok, let's see what they are

Email Address And Phone Number

These are used to register and be contacted by Slowly. As far as I remember a phone number is not required if you used an email to register (which is good).

Profile Information You Provide

[...] including gender, age, date of birth, interested topics and current location

This seems obvious as it is part of the app's concept. But this information can be bound to the following.

Automatically Collected Device Information:

  • mobile device identification
  • IP address
  • cookie and beacon information
  • geographic location

One important sentence here is:

Unless you have disabled location collection at the device level, we will continue to collect location information even if you have opted out of sharing location information on your profile.

Notice: Even if you disabled GPS on your phone they can still access your coarse location by using the network-based location.

In addition:

Activity and Usage Information:

We collect information about the features you use, the pages and screens you visit, and your transactions with us and with our partners and vendors, including information about your use of products or features offered through our Service.


A highly popular feature (according to this sub) is the Free Coins feature, where you get free Slowly coins by watching ads. But what is happening under the hood?

Third party advertising companies may collect information using cookies, AdID, IDFA and other sources. Advertisers may use these and other sources in connection with our Service in order to collect and use data regarding advertisement performance and your interests for the purpose of delivering relevant advertising.

Other sources = other apps you use or webpages you visit. Meaning third party advertisers are profiling you by using the information they get from Slowly too.

So the first quote from the FAQ is not 100% true. By watching the ads Slowly gets money and you get free coins. By watching ads the third-party advertising companies collect your meta-data and bind them to other data linked to you. Slowly is not actively selling your data but it is sold.


8 Trackers

Trackers are used in apps and websites to track all this information about you. They can be used to track the usage of an app but also to create advertising profiles. To check how many trackers are built into an app you can use the Exodus webpage, for example. Here are the results of the Slowly Android app version 5.2.21 [4]:

Trackers: 8

Permissions: 33 (I won't list them here)

That's a lot! And it's possible that the same are used in the iOS version. Fortunately Apple introduced the app privacy section in their app store, so you can somewhat see what information each app is collecting.


Slowly Calling Home to Facebook ?

Slowly contacting Facebook servers even if you don't use Facebook at all

Above is a screenshot (original image here) I made from a local VPN app that shows traffic from every app that is on my phone. I noticed that the Slowly app is constantly contacting Facebook servers, so I made a quick test: I opened the app and browsed through some letters – that's it. As you can see, the Slowly app pings a Facebook server every 2 to 10 seconds.

I did not log in to Slowly with a Facebook account, I don't even have one. It's another good example that shows how Facebook knows things about you even if you don't have an account on one of their platforms and this sucks. Why did Slowly devs implement it in that way?

If you wondered what api.revenuecat.com at the bottom of the list is: it's the service Slowly uses for their subscription model, which uses a lot of tracking and analytics too, according to their webpage.


Conclusion

Slowly letters are not End-to-End encrypted. In my opinion E2E encryption should be the standard nowadays, especially in messaging or similar apps. I hope Slowly will implement it soon.

By using Slowly you automatically feed the big tech (here: Facebook, Google) and other advertising companies with usage information. The app itself is filled with more than a handful of third-party trackers.

Slowly is doing a good job not requiring a phone number to register, using anonymous profile pages (avatars & nicknames) and not sharing exact locations. But it is important to differentiate between what others (penpals) can see and what Slowly or third-parties know about you, which is – as we saw – not always the same.

In the end I have mixed feelings. On the one hand Slowly says they are protecting our data but on the other hand they are tracking their users. The FAQs are short and unclear at some points. Also, they don't seem to put as much emphasis on encryption as I would like to see.


Famous Last Words

Banner image is a photo by 30daysreplay on Unsplash

Special Thank You to the folks behind this wonderful app — all the hard working people at Slowly Communications.

Letters we share, with pen pals all over the World, via the magic of the Slowly App. A modern day take on the traditional penpal experience.

Come and join us, if you are not yet using Slowly.


This page created entirely in MarkDown language. Thank you for reading, feel free to comment, via a direct message to my Twitter account – or the Reddit one.

You can also post a public comment in the Reddit thread for it here.

@yann2@koyu.space