TL;DR: if you allow Vero to access your phone’s Contacts even for a brief moment, instead of one-time reading them, it quietly stores them all, links them to your account and uses to shape the user experience. It also gives users who have given access to their Contacts a way of connecting with users who have explicitly denied Vero’s access to their respective phone’s contact list. As an icing on the cake, there’s no way you can delete that info from the service afterwards. This blog post examines how this works.
From their Privacy Policy (Feb 23, 2018 version), for some reason filed under “Information we may receive from third parties”:
“If you allow us access to your contacts list, your contacts’ user IDs, and your connection to those contacts, may be used and stored to make your experience more social, and to allow you to add your contacts on the Service as well as provide you with updates if and when your contacts join Vero.”
So, they’re not doing anything that isn’t covered by their privacy policy – no surprises there. That’s also not the point. My main issue with the behavior I’m about to demonstrate is the fact that it was hidden in the privacy policy and not informed to the user during appropriate set-up screen, and this is just something I happened to pick up on during my first test run! There’s bound to be a lot more similar under-the-hood behavior affecting users’ privacy.
Oh, and that privacy policy is just as bad as you’d expect for a social media app, but I’ll get to that in another blog post.
Let’s look at an example. When a user creates account, he is greeted with the following screen to find friends. Notice the text at the bottom: “we take privacy seriously”…
I’d assume for most users this is an easy trap to fall into: choice like this is pitting user’s curiosity to find potential friends from a brand new social media platform against common sense privacy. Selecting Allow will scan your phone’s Contacts and list Vero users with matching phone numbers.
Vero seems to really, really try to convince you that giving them your phone number is essential. This seems to be the trend these days, and as a data point it is indeed very precious for advertisement and analytics reasons. Luckily apps like Wire have shown that phone number isn’t actually needed for authentication or ease of finding connections.
Back to the app permissions. After setting up an account, user can choose to disable permission for Vero accessing Contacts. This can be done through phone’s own app settings, as usual. On a positive note, Vero hadn’t asked for any other permissions, and only Camera, Location and Storage were even listed as possible options.
So, at this stage, a user has
- a) enabled app permission for Contacts during the set-up phase and
- b) disabled the same permission afterwards.
However, from Vero’s perspective the point b) makes no difference. This became apparent when a couple of minutes later a person whose phone number I had, created an account. I got a push notification from Vero telling me so, but interestingly enough, the screen that opened didn’t tell who exactly this person was (it displays only Vero account name) nor why I got the notification in the first place. If the newly joined contact uses an alias unknown to the user, there’s no indication that you’d know or have any connection to this person.
After a couple of questions later I managed to connect that alias to my friend. Turns out that he hadn’t given permission to Vero to dig through his Contacts (a smart move!), but as a result he was not only suggested to me as a contact nevertheless, but he himself was not notified that I was a potential connection or that I received his Vero account as a suggested connection.
I realize that this might not be the most groundbreaking discovery, but it’s still one that I believe is worth sharing. I have a feeling that we’ll see a lot of similar posts in the future and not just by your’s truly. After all, people seem to already desperately try to get off this hype train called Vero.
Joel Latto 
This sounds very similar to what Telegram does.
LikeLike
Might very well be. That’s one of the reasons I like Wire: no need to give your or others’ phone numbers for E2EE communications.
LikeLike
SO are we going to ignore that facebook does this? And also facebook owns whatsapp, so they have instant access to your contacts if your on that. And the theory that facebook has access to your phones mic, even when its not open collecting data from conversations? Articles like this look more like fear mongering, because this app is a major competitor to the Zuckerberg social media empire. So my question is, how much did Zuckerberg pay you to make this article Joe? #sellout
LikeLike
Hi there, thanks for the comment. I actually blogged a couple of years ago the instructions to delete a Facebook account: https://joellatto.com/2015/07/30/how-to-delete-facebook-account/
Let me be absolutely clear: I do NOT encourage anyone to have a Facebook profile – I don’t have one either! Also regarding WhatsApp, I’ve been a big fan of Wire as an alternative to that (I suggest you’d take a look at that also).
So no, I don’t think I’d qualify as an sellout. I also don’t think attacking someone personally instead of participating in a constructive dialogue will help anyone in this world. If anything, it just undermines the attacker’s credibility.
LikeLike