Source protection is a paramount concern for journalists in every beat. Platforms like SecureDrop and apps like Signal let you speak securely and privately with whistleblowers to break important stories. Beyond protecting the confidentiality of these conversations, however, there is the concern for the metadata, or data about data, that identifies who you’ve been talking to. Let’s discuss the risks of modern address books and how to mitigate them.
Before cell phones, the name, phone number and other details that made up a source’s contact information were entirely offline, existing only as ink in your notebook or Rolodex. Whether anyone had access to this potentially sensitive information was a simple matter of whether they had those “papers and effects” physically in their hands.
Following paper notebooks, many early cell phones or, in some cases, the Personal Digital Assistants (PDAs) of early adopters held contacts in a dedicated space within the device. Like their analog predecessors, these contacts were protected from falling into the wrong hands simply by keeping those wrong hands physically away from them. Some additional protections included unlock codes for some cell phones and PDAs, which were not typically used as a security measure so much as a way to prevent accidental pocket-dialing or as plot points for mid-2000s romantic comedies. These protections also didn’t encrypt the contents of those devices, which could still be extracted with the forensics tools of that era. Early cell phones typically stored contacts on a SIM card since there was little room for that data on the phones themselves. SIM cards also offered little or no protection against forensics tools.
Once cell phones had plenty of on-device storage and people’s contact lists became too large to store on SIM cards, cell phones began to save that information in their internal memory instead. As cell phones and PDAs merged to become smartphones, several advances were made to protect their contents. This eventually included full-disk encryption, which more completely protects a smartphone’s internal memory from being exfiltrated by even advanced forensics tools, as long as the screen unlock code is sufficiently unique, long and random, and the phone is fully turned off. This created the promise of the present day, where an address book in a smartphone can be protected even if it falls into the wrong hands. Check out our guide on smartphone security to learn how to enable full-disk encryption on your device.
Both Google’s Android and Apple’s iOS provide excellent protection of your smartphone’s contents from unauthorized physical access. Unfortunately, what happens in your smartphone doesn’t usually stay in your smartphone anymore.
Apple’s iCloud is designed to sync a particularly long list of data you store in its software products, so you can use that data on any Apple hardware product you sign into. As Apple spells out in its terms of service, that means Apple gets a copy of that data too, including your contacts.
Additionally, if you have Siri enabled, it may automatically create suggested contacts based on contact data found in other Siri-supported apps. Fortunately, this can be turned off.
Similarly, once you sign into your Android phone with your Google account, the contacts you have in your phone are copied to Google’s servers, so that they’re available to any device you sign into your Google account with. Just like the way adding a contact to your iPhone’s Contacts app syncs with your Contacts app on your Mac, adding a contact in your Android phone while signed in to your Google account will also add it to your Google contacts, which you can view for yourself on any device you’re signed into Google on at contacts.google.com.
Additionally, Google automatically creates and copies contacts based on who you communicate with using Gmail, Google Calendar and other services. Even if your canonical rolodex is totally offline, Google may be building its own “shadow rolodex” based on your interactions with those contacts within Google’s services. Fortunately, this can be turned off.
Whether you use Google’s or Apple’s cloud service to sync your contacts, the company’s copy of your contact list can be obtained through a variety of legal orders, without the need to extract that data from your phone itself. If your concerns around the privacy of your contact list include protecting your contacts from being known to a government, cloud syncing your contacts might be something to avoid.
Aside from lawful access, unlawful access in the form of hackers getting access to your Google or Apple account is another risk to consider. Someone with access to your Google or Apple iCloud account would also have access to any contacts you’ve synced with those accounts. Fortunately, using long, random and unique passwords generated and stored with a password manager, as well as enabling two-factor authentication (2FA) for online accounts will go a long way towards keeping them safe from unlawful access.
Both Apple’s iCloud and Google allow you to selectively choose which types of data (e.g. contacts, photos) are shared with their services. We recommend adjusting your Apple iCloud and Google settings to not sync contacts with the cloud before adding sensitive sources.
If you want to remove existing contacts from Apple or Google’s servers, you’ll first want to refer to their privacy policies to see how long they keep data around after you “delete” it, which may be a few days to several months or, in the case of financial transaction data, years.
For contacts stored in iCloud, the contact has to first be deleted in Apple’s Contacts app while iCloud syncing is still turned on for it. After the contact is deleted, the record of that deletion will sync with Apple’s servers and eventually be removed from them. Once that happens, you can turn sync off to prevent new entries on your smartphone from syncing to iCloud.
For contacts stored in Google’s servers, those can be directly deleted from https://contacts.google.com/. They’ll (eventually) be removed from apps currently synced with Google Contacts, such as Android’s Contacts app, if you are signed in to Google on an Android phone and have Google Contacts sync turned on. If you’d like to re-add a contact that was deleted back into just one Android device without syncing it with Google, you’ll have to first turn off Google Contacts sync before adding a contact back into your Android device.
If you’re sharing a device with someone else, worried your device may be taken from you or just want to avoid Apple or Google’s apps altogether, it may be worth storing particularly sensitive contact info outside a normal address book app and in a password manager instead. Password managers like 1Password offer the ability to store contacts as “identities” with fields for name, phone number, address and more.
With some effort, contact information can be stored securely on the modern devices you use every day. However, the channel over which you actually reach a contact may not protect that information effectively. Even end-to-end encrypted email can’t conceal the email addresses of a sender or recipient, and phone calls generate metadata which can be logged by telephone companies and sometimes law enforcement. Apps like Signal offer the ability to communicate with minimal metadata, and whistleblowing platforms like SecureDrop allow first contact between journalists and sources without disclosing a telephone number, email or even an IP address. If your newsroom is interested in discussing strategies for secure contact storage and communication, drop us a line.