International Association
for Cryptologic Research

Logging infrastructure is a crucial component of WhatsApp and other modern services. It helps us understand the performance and reliability of our mobile apps and improve them. There are different reasons that data is logged, but in many cases we only need to compute aggregate statistics, and do not need to know the specific user’s identity. A redesign of the logging framework to upload logs anonymously from our apps, provides a defense-in-depth, and mitigates risks such as accidental logging or misuse of user identifiers. However, this opens up the opportunity for attackers to corrupt or spam logs and bias the collected metrics through this unauthenticated channel. In this talk, we present PrivateStats, an anonymous, fraud resistant logging system we have built, using Verifiable Oblivious Pseudorandom Functions (VOPRFs), and are deploying in WhatsApp. We discuss a number of requirements that informed our choice of algorithms and design, and report on the first deployment of such a service at scale. We further discuss new cryptographic techniques that enable a more transparent and verifiable key rotation and distribution strategy, which is of independent interest. We believe that these lessons in scaling are useful for other organizations and motivate further research into anonymization at scale.