A frequent question we get here at Cryptocat is: “why don’t you add a buddy lists feature so I can keep track of whether my friends are on Cryptocat?” The answer: metadata.
If you’ve been following the news at all for the past week, you’d have heard of the outrageous reports of Internet surveillance on behalf of the NSA. While those reports suggest that the NSA may not have complete access to content, they still allow the agency access to metadata. If we were talking about phone surveillance, for example, metadata would be the time you made calls, which numbers you called, how long your calls have lasted, and even where you placed your calls from. This circumstantial data can be collected en masse to paint very clear surveillance pictures about individuals or groups of individuals.
At Cryptocat, we not only want to keep your chat content to yourself, but we also want to distance ourselves from your metadata. In this post we’ll describe what metadata you’re giving to Cryptocat servers, what’s done with it, and what parts of it can be seen by third parties, such as your Internet service provider. We assume we are dealing with a Cryptocat XMPP server with a default configuration, served over SSL.
Reminder: No software is likely to be able to provide total security against state-level actors. While Cryptocat offers useful privacy, we remind our users not to trust Cryptocat, or any computer software, with extreme situations. Cryptocat is not a magic bullet and does not protect from all threats.
Who has your metadata?