# Cooper's Privacy Model
### Our stance on privacy
We believe that privacy is a fundamental human right. Therefore, as a team, we take great care in doing everything we can to build privacy preservation into each feature of our products.
#### Our Privacy Principles
##### Baked in
We think privacy-preserving should be baked into features for users. If it's not on by default, it might as well not be on at all.
##### Verifiable Privacy
Many companies make claims about privacy, but there's no real way for a person to verify such claims themselves. We hold our craft to a much higher standard and want our privacy claims to be testable whenever possible. In practice, this means an interested party can use off-the-shelf tools to confirm our privacy claims whenever feasible.
##### Enhances the user experience
It can be hard to balance privacy with other core product decisions, and many privacy-preserving products compromise on the user experience to offer privacy solutions. We believe that it is worth going the extra mile so that privacy-preserving technology only makes the user experience better, and it is not an inhibitor.
### The Technology
#### NEVPNManager API
The iOS SDK provides the `NEVPNManager` API for users to set up personal VPNs. The VPN connection is created within `NetworkExtension` and terminates within the `NetworkExtension` process on the device. No persistent VPN connection is ever instantiated to a port outside the device.
Usage of the `NEVPNManager` API requires strong opt-in permission from the user, who is prompted for their passcode (if enabled in Settings) before the VPN can be installed. Users are alerted to exactly the extent of the permission they grant. We use this API to provide the on-device game detection feature to our users.
*iOS Permission prompt for VPN access*
#### Our Network stack and why we built it
We’ve built a thoroughly tested network stack in Swift from scratch to enable our on-device gameplay detection feature. This was an extremely difficult technical feat that we are quite proud of. We're able to determine when a user is playing a game, all while keeping all detection and processing on-device; this is the standard set by Apple and other privacy-progressive companies. By building our own network stack and utilizing the capabilities of `NetworkExtension`, we can do all processing from the confines of your phone and the sandboxed `NetworkExtension` process. **And although this is a bit unorthodox in comparison to hosting a VPN server in the cloud, we could not guarantee our privacy values unless we built this feature the way we did.**

*Layers of the network stack implemented*

*How traffic flows through our NetworkExtension process*
###### What isn't sent to Cooper's servers
All browsing activity is in no way, shape, or form ever sent to Cooper's servers. For example, if you're browsing the New York Times, the entire network connection to the newspaper's site would be instantiated from your phone and never proxied through our servers.
Moreover, most connections nowadays are encrypted using TLS, so the contents of TLS and HTTPS connections cannot be deeply inspected by our process.
###### What is sent to Cooper's servers
The following two requests are the only things Cooper's servers receive from the NetworkExtension (`XYZ` stands in for the user's bearer token, and `is_now_playing` is a boolean):
```http
POST /games/change
Authorization: Bearer XYZ
Content-Type: application/json

{
  "game_uuid": "9cce5764-b543-4f50-be1c-1ce9759cc3be",
  "is_now_playing": true
}
```
The first request pings the server to update game status info when a game has been detected (or when play stops).
```http
POST /games/heartbeat
Authorization: Bearer XYZ

{}
```
The second request pings the server to check whether the VPN is operating normally; its payload is empty.
These claims are publicly inspectable and also backed by our [Privacy Policy](https://cooper.chat/privacy-policy).
Here's the excerpt from our Privacy Policy where we outline how we handle users' data (or, rather, the lack of it):
> For iPhone users, the Cooper App and related App Extensions deploys Apple’s VPN technology (the Apple NEVPNManager API) to enable users to be alerted when their friends are playing their favorite games and to invite them to play and chat together in real time. The VPN is configured to detect when a user is playing a participating game and then notify other users. It also notifies us if your device is running the VPN or not (so you are not broadcasting your game activity or cannot see others’ game activity if you are not simultaneously sharing your own). No personal information is collected and stored on our servers to enable this functionality. The only data sent to our servers are a universally unique identifier (UUID) and other code to signal when a user is playing a game or not. All other data, including personal information, remains on the user’s device.
#### Verifiable to all
In alignment with our core privacy values, any person familiar with network analysis can verify the claims we make in this document and our [Privacy Policy](https://cooper.chat/privacy-policy). For example, our claims on what data we send can be verified using a variety of tools:
##### Charles Proxy
> Charles Web Debugging Proxy is a cross-platform HTTP debugging proxy server application written in Java. It enables the user to view HTTP, HTTPS, HTTP/2 and enabled TCP port traffic accessed from, to, or via the local computer. [[1](https://en.wikipedia.org/wiki/Charles_Proxy)]
Charles is downloadable [here](https://www.charlesproxy.com/).
##### Wireshark
> Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. [[2](https://en.wikipedia.org/wiki/Wireshark)]
Wireshark is downloadable [here](https://www.wireshark.org/).
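A practical way to apply the "verifiable privacy" principle is to export the requests captured with Charles or Wireshark and check them mechanically against the two documented payloads above. The following script is an added example and not Cooper's own code or tooling; the API host `api.cooper.example` is a placeholder, and the sample capture is constructed to mimic a HAR-style export rather than being real traffic. It flags any request to the Cooper host that is not one of the two documented endpoints, and any documented request whose body carries fields beyond `game_uuid` and `is_now_playing`.

```python
"""Audit a captured request log against Cooper's documented payload allowlist (added example)."""
import json
import uuid

# Hypothetical API host for the sample capture; the page does not name Cooper's host.
COOPER_HOSTS = {"api.cooper.example"}

# The only two requests the privacy model says the NetworkExtension sends,
# mapped to the exact set of JSON fields each body may contain.
ALLOWED_ENDPOINTS = {
    ("POST", "/games/change"): {"game_uuid", "is_now_playing"},
    ("POST", "/games/heartbeat"): set(),
}


def _parse_body(raw):
    """Parse a JSON object body; an empty body counts as {}; anything else is invalid."""
    if raw in (None, ""):
        return {}
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return body if isinstance(body, dict) else None


def check_request(req):
    """Return a list of findings for one request; an empty list means it matches the spec."""
    findings = []
    if req["host"] not in COOPER_HOSTS:
        # Third-party traffic (e.g. a news site) goes directly from the phone;
        # it is outside the allowlist and there is nothing to audit here.
        return findings
    key = (req["method"].upper(), req["path"])
    if key not in ALLOWED_ENDPOINTS:
        return [f"undocumented endpoint {key[0]} {key[1]}"]
    auth = req.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        findings.append("missing Bearer authorization header")
    body = _parse_body(req.get("body"))
    if body is None:
        return findings + ["body is not a JSON object"]
    expected = ALLOWED_ENDPOINTS[key]
    extra = set(body) - expected
    missing = expected - set(body)
    if extra:
        findings.append(f"unexpected fields sent: {sorted(extra)}")
    if missing:
        findings.append(f"missing fields: {sorted(missing)}")
    if "game_uuid" in body:
        try:
            uuid.UUID(str(body["game_uuid"]))
        except ValueError:
            findings.append("game_uuid is not a UUID")
    if "is_now_playing" in body and not isinstance(body["is_now_playing"], bool):
        findings.append("is_now_playing is not a boolean")
    return findings


def audit_capture(requests):
    """Map request index -> findings, listing only the requests that deviate from the spec."""
    return {i: f for i, r in enumerate(requests) if (f := check_request(r))}


# Constructed sample capture (not real traffic), shaped like a simplified HAR export.
SAMPLE_CAPTURE = [
    {"method": "POST", "host": "api.cooper.example", "path": "/games/change",
     "headers": {"Authorization": "Bearer XYZ"},
     "body": '{"game_uuid": "9cce5764-b543-4f50-be1c-1ce9759cc3be", "is_now_playing": true}'},
    {"method": "POST", "host": "api.cooper.example", "path": "/games/heartbeat",
     "headers": {"Authorization": "Bearer XYZ"}, "body": "{}"},
    {"method": "GET", "host": "www.nytimes.com", "path": "/", "headers": {}, "body": ""},
    # A request that would violate the documented model: an extra field carrying browsing data.
    {"method": "POST", "host": "api.cooper.example", "path": "/games/change",
     "headers": {"Authorization": "Bearer XYZ"},
     "body": '{"game_uuid": "9cce5764-b543-4f50-be1c-1ce9759cc3be", '
             '"is_now_playing": false, "visited_host": "www.nytimes.com"}'},
]

if __name__ == "__main__":
    for idx, findings in audit_capture(SAMPLE_CAPTURE).items():
        print(f"request {idx}: {findings}")
```

Run against a real export, the audit should come back empty; in the constructed sample only the fourth request is reported, because it smuggles a `visited_host` field that the documented payload does not contain.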
#### DNS Resolution
Over the past few years, DNS Resolution has become an increased threat to privacy as many public DNS servers are not as altruistic as they claim to be. Additionally, most DNS traffic is unencrypted, which creates additional privacy concerns.
To mitigate the harvesting of our users' data, we utilize Cloudflare's 1.1.1.1 DNS resolution service.
> Unlike most DNS resolvers, 1.1.1.1 **does not sell user data to advertisers**. In addition, 1.1.1.1 has been measured to be the fastest DNS resolver available.
1.1.1.1 has also undergone multiple audits confirming its standing as a privacy-preserving alternative to other DNS resolvers. [[3]](https://blog.cloudflare.com/announcing-the-results-of-the-1-1-1-1-public-dns-resolver-privacy-examination/)
Moreover, our stack uses the DNS over TLS protocol for all DNS queries, meaning every DNS query is encrypted while travelling over the public internet. Implementing this security measure is a big privacy upgrade for all of our users.
As a result of the stack's DNS setup, users also get faster connections to their favorite apps, along with more privacy than they would have had without Cooper.
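To make the DNS over TLS claim concrete, here is an added example (not code from Cooper's Swift stack) showing what the protocol actually puts on the wire: a DNS over TLS query is an ordinary DNS message, prefixed with a two-byte length as in DNS over TCP, and carried inside a TLS session to port 853 (RFC 7858). The parsing and framing functions are exercised on a constructed response; `resolve_over_tls` shows the live exchange against 1.1.1.1 and assumes `cloudflare-dns.com` as the TLS server name to verify the resolver's certificate.

```python
"""DNS over TLS framing and parsing (RFC 7858), as an added illustration."""
import socket
import ssl
import struct

DOT_RESOLVER = "1.1.1.1"
DOT_PORT = 853
DOT_SERVER_NAME = "cloudflare-dns.com"  # assumed SNI/certificate name for 1.1.1.1


def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard recursive query for `name` (qtype 1 = A record, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DoT (like DNS over TCP) prefixes each message with its big-endian 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def unframe(data):
    """Strip the length prefix, refusing truncated frames."""
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated DoT frame")
    return body


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_a_records(msg, expected_txid):
    """Return IPv4 addresses from a response, checking the transaction id matches our query."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):             # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def constructed_response(name, ip, txid=0x1234, ttl=300):
    """Hand-build a minimal A-record answer (sample data, not a captured packet)."""
    question = build_query(name, txid=txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def resolve_over_tls(name, resolver=DOT_RESOLVER, port=DOT_PORT):
    """Live lookup over a certificate-verified TLS session (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the resolver's certificate chain
    query = build_query(name)
    with socket.create_connection((resolver, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_SERVER_NAME) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", tls.recv(2))
            body = b""
            while len(body) < length:
                body += tls.recv(length - len(body))
    return parse_a_records(body, 0x1234)
```

The privacy property comes from the TLS layer: an observer on the path sees only a TLS session to 1.1.1.1:853, never the queried names, which is exactly what a Wireshark capture of a DoT-enabled device shows.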
#### Alternative System Architectures
##### Hosting a VPN server in the cloud
While this would have been orders of magnitude easier in technical implementation, we, the Cooper team, hold strong reservations about this model.
First, under this model any claims about data privacy are not verifiable by the public. History has shown that companies have mishandled user data time and time again, and we wanted no part of this threat vector. We want to show anyone that our software is doing what we say, not just promise it. [[4]](https://www.allthingssecured.com/vpn/truth-about-vpn-logging-policies/#:~:text=The%20short%20answer%20is%20no,can%20be%20to%20secure%20yourself.)
Second, hosting a VPN server in the cloud would add additional network latency that would affect users' connection speeds. By doing the network handling on-device, we virtually eliminate any latency issues that arise from physical separation of the networks.
#### Other industry-standard privacy practices
* Our software uses HTTPS whenever possible
* The User ID system on Cooper is privacy-preserving [[5]](https://en.wikipedia.org/wiki/Snowflake_ID)
## The Trust model
In line with our principles, in order for privacy to be baked into the product, it has to permeate from the underlying technology all the way to the user experience of the product.
Given that users who engage with our product are choosing to share information with others, we have designed each aspect of the user experience to minimize the surface area of user data that others can access.
#### Cooper's Friending System
No user’s game activity is accessible unless a two-way double opt-in friendship has been established. Each user has to confirm they want to add the other user before the trusted relationship is created. After two users are friends, if they are both using Cooper and sharing their game presence activity, then they both can see whether the other user is online and which of their favorite games they are playing.
##### How users add their friends
There are only two ways that a user can add one of their friends:
1. **Phone number.** The closest proxy for an in-real-life (IRL) relationship is having a phone number in your Contacts.
2. **User Unique ID.** The only other way that two users can become friends is if they have been in the same group or voice chat together on Cooper, but this again requires that there is a chain of Contact relationships connecting you. User Unique IDs are 64-bit integers that cannot be efficiently determined a priori for a given user.
##### Contacts are <ins>not</ins> uploaded en masse
Unlike many other communication apps, we've architected the app so that users have complete control over who they add.
Moreover, as historical data breaches have shown, phone number hashes are not effective in preserving the privacy of your contacts. So we decided never to store them at all, obviating the risk entirely!
Our model is only to use what is relevant: "Is this individual friend you’re interested in, that you’ve meticulously selected, on Cooper?"
We also don’t suggest or show you friends-of-friends that are on the app.
##### Impossible to stalk any user given a name or username
We don’t allow people to search for non-Contacts, full stop. You won’t even know if they have an account, and you have no way of ever seeing their online status.
##### Max of 7 friends
We enforce a max friend limit of 7 friends. We do this because it enables the following privacy-preserving UX:
1. It keeps the user experience to IRL/Close Friends. By having a max, you'll be more careful about which friends you add, sharing only your information with those closest to you.
2. Users, by design, have a bounded graph that they can share their game presence information with, which reduces the threat model overall.
While having more friends might result in better growth numbers, the Cooper team believes that helping users make better privacy decisions is both best for the users and the company in the long run.
##### Bounded list of games shared
The full list of games we could possibly detect is published [here](https://d24xrgbzecwwpu.cloudfront.net/games.json).
This ensures a limited surface area of sharing activity. Only a predetermined, fixed list of games is detected, all on device.
##### Easy controls to stop sharing game presence
Any user can temporarily pause or turn off sharing game information altogether at any time. The strong double opt-in requirement for game presence information to be shared ensures healthy privacy standards that are fair to both parties in a friendship. The heartbeat ping checks whether the game detection VPN is running on the user's device, so a user who is not sharing cannot see others' presence either. This protects users' double opt-in contract with the friends they chose to share presence information with, and eliminates the risk of friends snooping on each other.
##### Users can opt out for a partial Cooper experience
Any user can turn off game presence detection. When they do, as mentioned, they cannot see their other friends' game presence information. That said, they still can use other parts of the app like messaging and parties. Although we think game presence is a compelling feature, we always want to give our users choice.
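The rules in the Friending System and the sections that follow (Contacts-only lookup, double opt-in, the maximum of 7 friends, and presence visibility gated on both sides' heartbeat) combine into a single authorization check. The following is an added example that models those rules as code; it is not Cooper's server implementation, and its data model (in-memory `User` objects, a phone-number directory, `pending_out` for outstanding requests) is an assumption made for the illustration.

```python
"""Cooper trust-model rules as an authorization check (added illustration, not Cooper's code)."""
from dataclasses import dataclass, field
from typing import Optional

MAX_FRIENDS = 7  # the page's hard cap on friends per user


@dataclass
class User:
    uid: int                       # 64-bit User Unique ID
    phone: str
    contacts: set = field(default_factory=set)     # phone numbers from the device's Contacts
    friends: set = field(default_factory=set)      # uids with a confirmed double opt-in friendship
    pending_out: set = field(default_factory=set)  # uids this user has requested, not yet accepted
    sharing: bool = True           # game presence detection turned on by the user
    heartbeat_ok: bool = True      # last heartbeat confirmed the detection VPN is running
    now_playing: Optional[str] = None  # game_uuid currently detected on device, if any


class NotAllowedError(Exception):
    """The trust model forbids this action."""


class FriendLimitError(Exception):
    """Adding this friend would exceed MAX_FRIENDS."""


def lookup_contact(viewer, directory, phone):
    """Only phone numbers in the viewer's own Contacts can be looked up.

    For anyone else the answer is None whether or not they have an account, so a
    non-contact's existence on Cooper is never revealed.
    """
    if phone not in viewer.contacts:
        return None
    return directory.get(phone)


def request_friend(sender, receiver):
    """First half of the double opt-in: the receiver must be one of the sender's contacts."""
    if receiver.phone not in sender.contacts:
        raise NotAllowedError("cannot add a user who is not in your Contacts")
    if len(sender.friends) >= MAX_FRIENDS:
        raise FriendLimitError(f"limit of {MAX_FRIENDS} friends reached")
    sender.pending_out.add(receiver.uid)


def accept_friend(receiver, sender):
    """Second half of the double opt-in; only now does a trusted relationship exist."""
    if receiver.uid not in sender.pending_out:
        raise NotAllowedError("no pending request to accept")
    if len(receiver.friends) >= MAX_FRIENDS:
        raise FriendLimitError(f"limit of {MAX_FRIENDS} friends reached")
    sender.pending_out.discard(receiver.uid)
    sender.friends.add(receiver.uid)
    receiver.friends.add(sender.uid)


def visible_presence(viewer, target):
    """Return the target's presence as seen by the viewer, or None if any rule blocks it."""
    if target.uid not in viewer.friends or viewer.uid not in target.friends:
        return None  # no confirmed two-way friendship
    if not (viewer.sharing and viewer.heartbeat_ok):
        return None  # a viewer who is not sharing cannot see others' presence
    if not (target.sharing and target.heartbeat_ok):
        return None  # the target paused sharing, or their VPN is not running
    return {"online": True, "game": target.now_playing}


def demo():
    """Walk through a friendship and show when presence becomes visible (constructed data)."""
    alice = User(uid=1, phone="+15550000001", contacts={"+15550000002"})
    bob = User(uid=2, phone="+15550000002", contacts={"+15550000001"})
    request_friend(alice, bob)
    one_sided = visible_presence(alice, bob)       # None: bob has not accepted yet
    accept_friend(bob, alice)
    bob.now_playing = "9cce5764-b543-4f50-be1c-1ce9759cc3be"
    mutual = visible_presence(alice, bob)          # presence now visible
    alice.heartbeat_ok = False
    viewer_paused = visible_presence(alice, bob)   # None: alice is no longer sharing
    return one_sided, mutual, viewer_paused


if __name__ == "__main__":
    print(demo())
```

The point of structuring it this way is that every disclosure path passes through `visible_presence`, so the double opt-in and the heartbeat symmetry are enforced in one place rather than scattered across UI screens.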
#### Simple business model
##### No ad networks, no data sharing, none of that shady business
We want to monetize this product using in-app purchases. We think there are a lot of interesting ways to monetize the app using the payment rails of the App Store and IAP. You can read our [Privacy Policy](https://cooper.chat/privacy-policy) for the details of how we carefully handle our users' information, but the summary is that we don't sell it to anyone.
###### Subscriptions and "Battle Passes"
As consumers have shown before, subscriptions and battle passes have been extremely successful in allowing companies to monetize their products while also allowing for better self-expression and enriched communication modalities.