Background information

SnowHaze - The secure browser developed by Swiss students

Dominik Bärlocher
3.6.2017
Translation: machine translated

The idea came to student Yvan Monneron on a hike after a discussion about privacy. He is now a partner in a limited company and co-founder of the SnowHaze project, a secure browser for Apple's iOS platform.

Yvan Monneron is 22 years old, studies mechanical engineering and, in his spare time, has developed a browser for Apple's iOS platform with four colleagues that puts Chrome, Safari and the rest of them in the shade. The browser, named SnowHaze, doesn't do anything revolutionarily new, but it does it better and it does it by default. Because in addition to a pleasant surfing experience, SnowHaze has one thing written on its banner: the security and privacy of its users.

When students go on a hike

Yvan is sitting on the sofa in the digitec office in a T-shirt and shorts. In his trouser pocket: an iPhone. Because that's where his product, his browser, SnowHaze, lives. "We wanted to make a browser that makes data protection easily accessible and prioritises it," he says.

Why?

"Most browsers don't care about user privacy by default," he says. Browsers can be retrofitted: Chrome with plugins such as NoScript, AdBlock Plus or Ghostery, and other browsers can be set up in the same way. However, this requires users to actively engage with the topic, have the necessary knowledge and then also be able to install and configure plugins.

"The thing is: Your data is being marketed everywhere and used somewhere forever," says Yvan. His voice gets louder, he becomes passionate. Because this realisation is the one that once led him and his team to create SnowHaze, which is now a limited company. "We were on a hike during the semester break and discussed where all the data we were distributing was going." The foundation stone for SnowHaze was laid.

In operation, SnowHaze hardly differs from a normal browser. Only the user interface differs in that the navigation elements are dark. Most other browsers are light-coloured. "Somewhere along the line, we discussed offering a light-coloured theme in the next version," says Yvan. He flicks through his notebook, in which he writes down everything important, sorted by date. I'm usually the only one who takes notes during an interview. Yvan takes notes too.

Metadata as a danger

Chrome is free, Facebook is free and loyalty cards such as Migros Cumulus and the Coop Supercard are free. But are they really? "No, because data is a valuable resource in today's world," says Yvan. The 22-year-old explains this using the Coop Supercard, which works in exactly the same way as the Migros Cumulus card.

  • The Coop Supercard is scanned with every purchase
  • The Coop Supercard has a number that is assigned to your name
  • This means that a card can be assigned to a purchase
  • Coop can therefore analyse what you buy

It is easy for Coop to determine what people in a certain age segment buy, because you gave them the data when you ordered the Supercard.

Assume you are 30 years old. Then your purchase could be tagged with the following characteristics, among others, for analysis purposes:

  • Store
  • Age segment
  • Working yes/no? ← Based on shopping time
  • Gender: Men rarely buy tampons, women rarely buy aftershave
  • Relationship status: "Honey, can you buy me some aftershave quickly?"
  • ...

The whole thing is called data correlation and can take on truly uncanny proportions. In an article, the US daily newspaper The New York Times talks to a data analyst about how companies use the data that we customers give away for a per cent discount. In the article, the analyst describes how he used customer behaviour to find out when a woman was six months pregnant, before the company's top brass banned him from further contact with the Times. The data was collected by supermarket chain Target using customer discount cards and credit card transactions.

"When we use Google or Chrome or Safari, nothing else happens," says Yvan. Our data is collected, analysed and sold for advertising purposes. Be it from the browser itself or from websites that we visit as users. "And no browser does anything about this data," says Yvan.

If you want to hear more about metadata, here's a talk about what can be done with metadata.

The example of the loyalty card in the supermarket

In fact, there are numerous references to data correlation in the general terms and conditions of supermarket loyalty cards. The following quotes were taken from the terms and conditions on supercard.ch on 30 May 2017.

  • "The indication of a P.O. Box as the address of residence may be refused." → Coop insists on wanting to know where the customer lives
  • "By participating in the Supercard programme, a customer profile of the participant is created. A customer profile is made up of contact details, purchase data and any health-related data associated with the purchases. The contact details include information such as name, address, telephone number and e-mail address. The purchase data consists of, among other things, location and time details, data on the products, services and the use of benefits for which the Supercard is used for the purchase or utilisation."
  • "Furthermore, the participant authorises the Coop Cooperative to supplement the collected data with data from the Coop Group and with data from Supercard partner companies as well as from professional address dealers with additional characteristics (such as household size, house ownership, age, income class, etc.)."
  • "This Supercard data may be analysed for marketing and advertising purposes. Target groups consisting of customers with similar customer and purchasing data can be formed. The advertising, offers and services of the Coop Group and Supercard partner companies can be customised to your personal customer profile."

From this, Yvan draws a conclusion that has been a mantra among privacy activists on the internet for years: if it's free, then you're not the customer. You are the product that is being sold.

Also worth noting in the Supercard terms and conditions is the fact that nowhere in the registration process is data on household size, home ownership and income class requested. This data is taken from your purchases.

The Cumulus card from Migros works in exactly the same way, but the terms and conditions are not as detailed.

According to Yvan, exactly the same thing happens with data that users leave behind on Facebook, Reddit, Google and everywhere else. At digitec too, by the way.

Control in the hands of users

So that's why SnowHaze. The browser, based on Apple's WebKit, brings the security options close to the user. On the iPhone, all it takes is a tap on the cogwheel on the screen and the security options are there. "It's important to us that the options really are options," says Yvan. It's about enabling users to make an informed decision about how much of their privacy they want to give up.

If terms such as JavaScript, HTTPS or popover mean nothing to you, then, apart from a few peripheral topics and simple fixes, you have been denied any insight into security, because IT security is steeped in computer-nerd jargon. The SnowHaze team counters this by attaching an explanation, in simple language, to each option. Explanations don't have to be complicated for users to understand the mechanisms well enough to make a decision.

In short: with SnowHaze, even IT security novices can understand what JavaScript does and why it can be a danger.

But: JavaScript is not necessarily blocked by default. The choice of whether you want JavaScript or not is up to you. You can switch JavaScript on or off with a normal slider.

The accolade from the experts

"Okay, these are just a few guys who have programmed something fun in their spare time," you might be thinking. The experts don't agree with this assessment. In particular, the presenters of the US podcast "The Complete Privacy and Security Podcast" have not only attributed extreme expertise to the Swiss coders, but also use the browser themselves and expressly praise it.

The podcast is regarded by security and privacy activists as one of the great sources of information, where entertainment is kept to a minimum but knowledge is emphasised. And in the tenth episode, the two hosts recommend SnowHaze from the 46:40 mark onwards and praise the variety of settings.

SnowHaze is currently only available for Apple iOS. This is because the students around Yvan are working on the project in their spare time. "We would rather maintain a product that we know everything about than release a half-finished product on two platforms." An Android version is a goal, but not yet planned.

Yvan can't answer the question of whether SnowHaze is the thing they want to start their own business with. After all, they are not looking for investors, even if they are not fundamentally averse to a financial backer. "As soon as we get bought out, we're dependent on someone again. Business interests then suddenly come into play and that could be tricky," says Yvan. However, there are good reasons for taking the step towards a company with business relationships, just as there are good reasons against it.

But before he can think about a possible Android version or investors, Yvan is a student again: "The end of term is coming up. Every student is busy with university stress then."
