your favorite message and the calling app could reveal your IP address to the person on the other end of the call. And that, essentially, is because most chat apps default to peer-to-peer connections (i.e. you and the person you’re talking to connect directly to each other) to improve the quality of the conversations. calls.
This is not necessarily a big risk. But, according to experts, it is not clear that users are aware of this potential privacy issue or how calling works through popular messaging apps such as Telegram, Signal, WhatsApp, Facebook Messenger, Apple’s FaceTime, Viber, Snapchat and Threema.
“Even for users with more extreme threat models, I think most of them are not aware of the fact that calls can leak their IP address to the person they are calling,” Cooper Quintin, security researcher at Electronic Frontier . Foundation, told TechCrunch.
Matthew Green, professor of cryptography at Johns Hopkins University, said in X (formerly Twitter) that did not realize that Signal was revealing IP addresses in calls between contacts. Green also added that many users probably don’t know either.
“Every time someone sets a feature to non-default, I’m guessing 95% of users never touch it. When they put it in the ‘Privacy’ settings menu, I raise my expectations to 99%. But Privacy > Settings > Advanced? I bet we are at 99.8% now.” green wrotereferring to the option to completely disable peer-to-peer calling in Signal.
IP addresses don’t reveal your precise location, but they can still pose a risk to users who have their IP address exposed, especially victims of abuse, according to Runa Sandvik, a digital security expert and founder of Granitt, a startup that helps defend users at risk. IP addresses can also be linked to a person’s Internet activity, which can subject users to surveillance.
Experts agree that there is no one-size-fits-all solution and that this is a complicated problem.
“It’s hard to decide what would be the best way to do it,” said Quintin, who has studied the security and privacy of various messaging applications. “I don’t think there is a good way to do this that perfectly protects everyone’s privacy at all times. People calling each other can reveal their IP address to each other. Or the encrypted messaging app’s proxy servers may have a list of all callers. And law enforcement can potentially access that.”
Telegram
In October, we reported that Telegram leaks users’ IP addresses during calls made between contacts. Security researcher Denis Simonov, also known as n0a, made a relatively easy tool to use which is designed to capture the other person’s IP address during a call, as long as the two callers are in each other’s contacts. Telegram reveals users’ IP addresses in that circumstance because calls between contacts are by default peer-to-peer for better “quality and reduced latency,” according to Telegram spokesperson Remi Vaughn.
“The downside to this is that it requires both parties to know each other’s IP address (since it is a direct connection). “Unlike other messengers, calls from those not in your contact list will be routed through Telegram servers to hide that,” Vaughn told TechCrunch.
Other apps work similarly and can also filter IP addresses. Below, we look at some of the world’s most popular calling and chat apps and break down how they work and under what circumstances they can reveal IP addresses between callers. (Note: All instructions below are for iOS apps.)
Sign
In a blog post Regarding the launch of video calling on Signal starting in 2017, Signal founder Moxie Marlinspike wrote that from then on Signal would establish a peer-to-peer connection in calls between contacts. Otherwise, Signal would continue transmitting calls through its servers, masking the caller’s IP addresses.
“By default, Signal will only attempt to establish a P2P (peer-to-peer) connection if you are initiating the call or if you are receiving a call from someone in your contacts. If you receive a call from someone who is not in your address book, Signal will transmit that call through the Signal service,” Marlinspike wrote.
It’s important to remember that Signal messages and calls are end-to-end encrypted by default, meaning the company cannot see or listen to the content of any communication.
Like Telegram, which has an option to disable peer-to-peer by default to prevent users’ IP addresses from being leaked, Signal also offers that option.
If you want to completely eliminate the risk of exposing your IP address on Signal, tap your avatar at the top left, tap Settings, then Privacy, scroll to Advanced, and turn on “Always forward calls.” .
Signal opted to make peer-to-peer calling the default between contacts to provide users with better audio quality and lower latency calls, according to Signal President Meredith Whittaker.
“If we had streaming as the default option, it wouldn’t work well for many people in different parts of the world. Peer to peer is faster and more performant, which in many cases is the difference between the feature working or not,” Whittaker told TechCrunch. “So ultimately it’s not just a question of performance, but ‘will this work for people?’ affair.”
According to Josh Lund, senior technical writer at Signal, what Signal is doing is now the industry standard. “Using peer-to-peer connections is how voice over IP applications work. And I think that’s a really important point to accurately represent,” Lund said.
Meta-owned WhatsApp, one of the most popular chat apps in the world, if not the most popular, is designed to automatically switch between peer-to-peer calls and relayed calls, WhatsApp said.
That choice depends on call latency and which option provides better call quality. Sometimes it is peer to peer, sometimes it is better to broadcast the call through the WhatsApp server, according to WhatsApp. Like Signal, WhatsApp messages and calls are end-to-end encrypted by default.
As of this writing, users do not have the option to turn off peer-to-peer calling like they do on Signal. But, according to WhatsApp, the company has been rolling out an optional feature, which is already present in beta versions – that would give WhatsApp users the ability to hide their IP address from other people they call, something the company plans to fully implement in the coming weeks.
By activating this feature, all calls will go through WhatsApp servers. In other words, WhatsApp will soon give users the ability to opt out of peer-to-peer calls, just like Signal and Telegram now do.
Face to face
Apple’s FaceTime, which is also end-to-end encrypted by default, uses peer-to-peer connections for every call. according to Apple security documentation.
“When the user answers the call, audio is streamed seamlessly from the user’s iPhone over a secure peer-to-peer connection between the two devices,” Apple says in the guide.
There is no option to disable this peer-to-peer connection. Apple did not respond to a request for comment.
Facebook Messenger
Facebook Messenger makes it clear on a help page that “in audio or video calls between just two people, your IP address will be shared with the other person’s device to establish a peer-to-peer connection.”
“A peer-to-peer connection uses your IP address to connect directly to the person you are calling and help improve the audio and video quality of your call. While this happens in the background, it is possible for the other person to discover your IP address,” the page reads.
Meta spokesperson Alex Dziedzan told TechCrunch that “if you answer a call on Messenger, you will share your IP address. “You can’t turn off calling as a feature.”
snapchat
It’s unclear how Snapchat calls work and whether they leak IP addresses or not. There is no reference to using peer-to-peer calling or whether the calls expose IP addresses anywhere on Snapchat’s official website. Snapchat did not respond to requests for comment.
viber
On its website, Viber says that “peer-to-peer is only used in 1-to-1 calls on Viber.” And that users can choose to disable peer-to-peer communication so that “your IP address is no longer used in your Viber calls, but will reduce the quality of your calls.”
To turn off peer-to-peer calling, go to More in the bottom left corner with the three dots, tap Settings, then Privacy, scroll down and turn off “Use peer-to-peer.”
Viber did not respond to a request for comment.
tresma
Privacy-oriented messaging app Threema works similarly to Signal. Threema spokesperson Julia Weiss told TechCrunch that calls between “unverified contacts” are “always routed through Threema’s server to hide the IP address.”
Users who verify each other, either by scanning their QR code or Threema ID in real life or through contact discovery (a system that allows users to link their Threema ID to their phone numbers or addresses email), your calls will be peer-to-peer. default torque.
And, like Signal and Telegram, Threema users can disable peer-to-peer by default, making all calls go through their relay servers.
To turn that option on, go to Settings, Threema Calls, and then turn on “Always Forward Calls.”
Read more on TechCrunch: