Evaluating the Privacy Properties of Secure VoIP Metadata

Published in International Conference on Trust and Privacy in Digital Business (TrustBus 2018), 2018

Abstract:

Some governments do not consider metadata as personal data, and so not in the scope of privacy regulations. However, often, metadata gives more relevant information than the actual content itself. Metadata can be very useful to identify, locate, understand and manage personal data, i.e., information that is eminently private in nature and under most privacy regulation should be anonymized or deleted if users have not given their consent. In voice calls, we are facing a critical situation in terms of privacy, as metadata can identify who calls whom and the duration of the call, for example. In this work, we investigate privacy properties of voice call metadata, in particular when using secure VoIP, giving evidence of the ability to extract sensitive information from its (“secure”) metadata. We find that ZRTP metadata is freely available to any client on the network, and that users can be re-identified by any user with access to the network. Also, we propose a solution for this problem, suitable for all the ZRTP-based implementations.

Recommended citation: Resende, João S., Patrícia R. Sousa, and Luís Antunes. “Evaluating the privacy properties of secure VoIP metadata.” International Conference on Trust and Privacy in Digital Business. Springer, Cham, 2018.