Most PRIVATE Keyboard Apps!

00:00

Let’s say you’ve really clamped down  with privacy on your phone.  

00:03

You’ve installed the best private messenger.  You use the most private browser and search  

00:07

engine. You feel pretty good, right? But there's one thing that might still  

00:12

be leaking everything you do on  the device: Your keyboard.  

00:17

Think about it, our smartphones have become an  extension of ourselves, allowing us to intimately  

00:22

communicate, do sensitive work, and access the  world around us by tapping on a screen.  

00:28

And the gateway to this world is the  keyboard: it's where we type our searches,  

00:32

our credit card details, our passwords. How private is your phone keyboard?  

00:38

It depends which keyboard you're using, not all  keyboard apps on our phones are the same.  

00:43

Some people just use their built-in system  keyboards, others might download 3rd-party  

00:48

keyboards. Some keyboards just talk  locally to your device, but others  

00:52

might be sending off all of your keystrokes  to a centralized server. These have wildly  

00:58

different privacy implications. How do you tell the difference?  

01:01

In this video we're going to dive into keyboard  privacy, and try to help you make sure you're not  

01:07

accidentally giving away every key you type. Let's start by understanding what a  

01:12

virtual keyboard is and how it  interacts with your device.  

01:16

When we use a computer, we have a physical  device with keys that allows us to input  

01:21

text or numbers into the computer. When  we have a device with just a screen,  

01:25

like an iPad or phone, we use a virtual keyboard  which is a software-based system that renders an  

01:32

image of a keyboard on the display and operates  as a touchscreen for inputting keystrokes.  

01:37

Let's look at 3 types of virtual keyboards.  First, there's the System Keyboard. Your phone's  

01:43

operating system, like Android or iOS for example,  comes with a built-in virtual keyboard.  

01:49

When you tap on a text input field, like  in a search bar, SMS or Instagram comment,  

01:55

by default your operating system's keyboard will  appear. This is usually the case for all apps on  

02:01

your phone: by default they generally use the  operating system’s built-in keyboard.  

02:06

But occasionally there are  app-specific keyboards.  

02:09

Some apps might have unique requirements,  for example a musical instrument app  

02:13

might need a piano instead of letters. Others, like some banking apps, might have their  

02:18

own keyboard app for added security. Then there are Third-Party Keyboards,  

02:22

keyboard apps that you install on your phone  that you can set as your default keyboard  

02:27

instead of using the system’s in-built keyboard. Some of the benefits of 3rd party keyboards are  

02:32

that they might offer more features  than your system-provided keyboard,  

02:35

like swipe typing, custom themes,  or support for multiple languages.  

02:40

You can often personalize them, and do other  specialized tasks like make custom emojis.  

02:45

There are countless 3rd-party  keyboard apps available that  

02:48

offer all kinds of functionality. But while all these benefits are attractive,  

02:53

it’s important we also look at how each  app handles privacy. We conduct sensitive  

02:58

activities on our keyboard, so it’s vital  we make sure we can really trust it.  

03:04

So what things do you need to look for when  deciding whether to use a 3rd-party keyboard?  

03:09

First, how well do you know the  developer, and do you trust them?  

03:13

Before using any software, a user needs  to be able to trust that the software  

03:18

isn't hiding anything malicious, and is  actually doing what it says it's doing.  

03:23

Your keyboard software is no different. This is a difficult problem to figure out.  

03:27

Really you should only install something if you  have heard of the company who manages it, and  

03:32

you know that they have a good reputation. It seems unfair, because there might be countless  

03:38

unknown developers who are creating really  great products. But the stakes for your  

03:43

privacy and security are really high. It’s  kind of like accepting candy from strangers;  

03:48

while many might have good intentions, the risk  involved for those who don't is too significant  

03:54

to ignore, so it’s smart to be super careful.  Then you should understand the technical details  

03:59

of how the keyboard handles your data. Does it send keystrokes – like all your personal  

04:04

messages, passwords, and other sensitive  information – to centralized servers?  

04:09

This is how keyboards that  allow you to do searches work,  

04:12

and is also sometimes how those that check  your spelling in real time work too.  

04:17

That’s a huge privacy leak. Then there’s a question of how that data is being  

04:21

transmitted back to these centralized servers: Is it being sent using proper encryption? Or can  

04:27

it also be intercepted and read by others who  want to snoop on your activity? And once these  

04:32

keystrokes are collected, how is the information  being stored and who has access to it? If there’s  

04:37

a rogue employee or inevitable data breach, is all  of your private information going to be leaked?  

04:44

You also have to be able to have confidence  in the developers' technical abilities to  

04:48

ensure good security in the app, to  make sure it doesn’t have bugs that  

04:52

hackers can use to get your information. Major operating system developers have extensive  

04:58

resources dedicated to security, while third-party  developers can vary wildly in terms of their  

05:04

technical abilities and security practices. Then there are permissions.  

05:08

One big issue with 3rd party keyboards is  that they often request extensive permissions,  

05:14

including what's termed as "Full Access." This permission allows the keyboard to communicate  

05:20

outside of its standalone application,  potentially accessing the internet and sending  

05:25

data back to its developers or servers. While some permissions may be understandable,  

05:30

such as full network access for online  functionalities like GIF search, the extent  

05:34

of these permissions often raises eyebrows. If a keyboard is requesting a large number of  

05:39

permissions, you should be skeptical. For example, what would a keyboard  

05:43

need access to your location for? Does your keyboard really need access to storage?  

05:49

Does it need access to your microphone, especially  if it doesn’t have a voice-to-text option?  

05:54

Does the app need to be running in  the background while not in use?  

05:58

Granting broad permissions can potentially  expose users to unnecessary privacy risks  

06:03

so you should be mindful about what  permissions your keyboard asks for.  

06:07

Finally, keyboards can also  have trackers in them.  

06:10

You can do research on both the trackers  and permissions required by apps that you  

06:14

install by using websites like Exodus, which  is a privacy audit platform for Android.  

06:19

So now that we know some potential red flags  to look out for, let's take a closer look at  

06:24

some different keyboard apps. The unfortunate reality is that  

06:27

a lot of these keyboards actually  don't hold up under scrutiny.  

06:32

AI.type was a popular keyboard that in 2017  leaked the personal information of over 31  

06:38

million customers because of a lack of password  protection on the company's database server.  

06:44

This breach exposed names,  phone numbers, email addresses,  

06:48

and even text typed using the keyboard. SwiftKey experienced a data leak after being  

06:53

acquired by Microsoft. Apparently, users  reported that the keyboard was suggesting  

06:58

private email addresses to other SwiftKey  users, which is a terrifying breach.  

07:03

On top of that Swiftkey has 3 trackers and  requires 21 permissions in order to operate  

07:09

including your precise location. Why does  my keyboard need my precise location?  

07:15

Citizen Labs, a security firm in Canada, found  serious problems in Sogou, a Chinese language  

07:21

keyboard with several hundred million users. They reported that Sogou not only records and  

07:27

sends out all keystrokes to centralized servers as  part of its ordinary functionality but they used a  

07:33

flawed custom encryption method that allowed  this data to be intercepted and decrypted,  

07:39

many people questioned whether  this was done intentionally.  

07:42

Having a 3rd-party keyboard installed on your  phone, even if you don’t use it, can still pose  

07:47

significant security and privacy risks because of  all the permissions that you’re granting it.  

07:53

Maybe you’re diligent about only  granting the necessary permissions,  

07:56

but keeping dormant software on your device  increases the risk of vulnerabilities.  

08:01

For example in 2019 Apple’s iOS13 had a bug that  granted third-party keyboards full access to  

08:09

iPhones even when users had them turned off. Now let's dive into System keyboards,  

08:14

and see if those that Apple and Google have  bundled with your phone are any better.  

08:18

Built-in system keyboards provided by the OS can  vary wildly in how they are implemented and how  

08:24

they treat your data. We’ll start with Apple's  iOS keyboard. By default, it does record some  

08:29

data and Apple isn’t really transparent about  what data it collects from the keyboard.  

08:34

Apple’s documentation says that the  data they collect from the keyboard  

08:38

is used to find out what their users are  doing: from the emojis we most frequently  

08:42

use to identifying new trending words. This means that with iPhone analytics enabled,  

08:48

some of our keyboard activity  is being sent to Apple.  

08:51

One thing that Apple does do to try  to protect user privacy is implement  

08:55

a technique called “Differential Privacy”. This is where random noise is added to keystrokes  

09:01

before they're submitted to Apple, to prevent that  data from being tied back to specific users.  

09:06

The effectiveness of differential privacy  depends on a variable known as the “privacy  

09:11

loss parameter” or “epsilon” which is a measure of  how specific the data being sent to Apple is.  

09:18

Imagine you have a slider that, when set to  the very left end, preserves total privacy of  

09:23

individuals in the dataset by adding a large  amount of noise to the data. The trade-off  

09:28

is that the aggregate stats that Apple is now  collecting are inaccurate. That same slider,  

09:33

if set to the very right end, gives perfect  accuracy to the aggregate stats, but now  

09:39

users have lost all their privacy. The closer the epsilon value is to 0,  

09:44

the higher the noise and therefore the  higher the privacy protection.  

09:48

To put it in perspective, many in the  academic community consider an epsilon  

09:52

value of 1 or less to be a good privacy  protection standard, and anything above  

09:57

1 a serious privacy compromise. But when researchers reverse-engineered  

10:01

Apple’s software, the epsilon value was a whopping  14! This figure is way above what is acceptable  

10:08

and basically means that while Apple does use  differential privacy, at the level of settings it  

10:14

uses, it offers very little privacy protection. On top of that, Apple keeps both the code and the  

10:20

epsilon value secret, which means  they could change it at any time.  

10:24

One thing that we'd recommend is to  opt out of iPhone analytics entirely,  

10:29

which reduces the amount of data tracking. “I'm turning off the switch”.  

10:32

However even with this setting opted out of,  the security team Mysk uncovered that Apple  

10:37

still collects extremely detailed data  of your usage from different apps.  

10:42

It’s unclear whether this includes data from  your keyboard, because even if you inspect  

10:47

the data being created inside the keyboard process  while it is running, the keyboard process might be  

10:52

caching the data somewhere and having another  process pick it up and sending it off.  

10:56

But switch off analytics regardless, your keyboard  and everything else, will still function great  

11:01

without it and you’ll have better privacy. Gboard, originally known as Google Keyboard,  

11:06

can be considered both an in-built  system keyboard and a 3rd-party keyboard,  

11:11

depending on the device. Many Android devices include it as  

11:14

the default keyboard, but on phones like Samsung  and LG which don’t by default include Gboard,  

11:21

users can choose to download and  install it from the Play Store.  

11:24

Instead of using differential privacy, which  uploads your data with noise added, Google  

11:29

uses what it calls Federated Learning. Federated Learning works by downloading the latest  

11:35

text prediction model to your device, it improves  it by learning from behavior data on your phone,  

11:41

and then sends a summary of the changes to  the cloud instead of the raw data.  

11:45

This sounds great, because your raw  data doesn’t leave your device.  

11:49

Unfortunately, recent studies have shown attacks  where the raw data can be reconstructed, breaking  

11:55

the privacy of federated learning. For example this paper shows how the  

11:59

sentence a user types on their mobile  handset, when sending text messages  

12:03

can be reconstructed with high accuracy. Federated Learning, while turned on by default,  

12:08

can be opted out. Just go into Gboard settings and  click on Privacy and turn it off. But this only  

12:13

stops Federated Learning. And it’s important to  know that your data is still being sent off your  

12:18

device, only it’s very difficult to be able to  tell whether that data is coming from the keyboard  

12:23

itself or not. Ultimately, both Gboard and iOS  keyboards are closed source, so there is no way to  

12:30

verify that they don’t send off your keystrokes  when analytics and learning are turned off.  

12:35

And in both cases, there’s no easy way to  disable keyboard permissions for network  

12:40

access to rule this out. According to Exodus  privacy, Gboard also requires 16 permissions,  

12:46

including the ability to find accounts on the device  

12:49

and read your contacts. So what are our options?  

12:52

Ultimately, for the best privacy you might  want to opt for an operating system that  

12:56

isn’t collecting all your data like Google  and Apple are for Android and iOS.  

13:01

We recommend GrapheneOS, which is a security  and privacy-focused mobile OS based on Android,  

13:08

that doesn’t rely on any services from Google.  GrapheneOS uses the Android Open Source Project  

13:14

Keyboard as its built-in system keyboard, without  relying on Google’s proprietary binaries.  

13:20

It’s a complicated way of saying that it’s a clean  version that doesn’t use any of the closed-source,  

13:26

Google-specific components. Like the operating  system itself, Graphene’s keyboard is designed to  

13:32

prioritize privacy and security, ensuring that  typed data isn't shared or compromised.  

13:38

As it’s open-source, users have a better chance  of being able to verify that the keyboard  

13:42

is doing what it says it’s doing. And since GrapheneOS doesn't include Google  

13:46

services or other telemetry services, there's  no inherent data collection or phoning home  

13:52

from the keyboard or the OS itself. Finally, GrapheneOS has no ties to any  

13:57

large data-driven corporations.  It doesn't have a central company  

14:01

like Google or Apple behind it with a vested  interest in user data for advertising.  

14:06

So using the built-in system keyboard  on an operating system like graphene  

14:09

is a great choice for privacy. However if you aren’t willing to make the  

14:14

switch to another operating system just yet, there  are also some more privacy-preserving 3rd party  

14:19

keyboards you can consider. Anysoftkeyboard is open source,  

14:23

and one of the most mature alternative options out  there jam packed with features and configurations.  

14:29

It is one of the few keyboards with support for  gesture typing and is also famous for its ability  

14:34

to choose multiple keyboard layouts as well.  It’s great for someone who wants to be able  

14:38

to really customize their experience. Its auto  correct and auto suggest features are not sending  

14:44

your queries anywhere outside your phone but are  based off of your local data and dictionaries.  

14:49

OpenBoard is another solid option that  is based on Android’s Open Source Project  

14:53

keyboard. The keyboard offers a lot of  the core features we expect from modern  

14:58

keyboards such as multi language support,  and autocorrect and suggestions.  

15:03

In my experience, it offers the best autocorrect  feature of all the open source options.  

15:08

Like Anysoftkeyboard, OpenBoard’s auto correct  is also based on local information and doesn’t  

15:13

send queries off the phone. However it is still  lacking features such as glide typing.  

15:18

A popular newcomer is Florisboard which  is still in early beta but has some nice  

15:22

theming options and recently added gesture  typing. It also lacks autocorrect features,  

15:28

but that’s on its roadmap. Simplekeyboard is another option and, as its  

15:32

name suggests, is minimalistic, offering the bare  minimum of what a virtual keyboard should do.  

15:38

All of these are open source and free. But keep in  mind that just because something is open source,  

15:44

it doesn’t mean that it’s safe. It depends if  anyone is actually auditing the code, so you  

15:49

should still be careful what you install. For those migrating from Gboard, OpenBoard  

15:53

and AnySoftKeyboard probably  offer the closest experience  

15:57

and have decent autocorrect features. Apple users don’t have many choices, and are  

16:02

probably best sticking with the in-built system  keyboard with iPhone analytics disabled.  

16:07

One potential option if you don’t want  to use Apple’s keyboard, is Fleksy.  

16:12

It claims to be privacy centric but because  it is proprietary and closed source,  

16:16

there is no way to verify its claims. Its privacy policy is somewhat tough to navigate  

16:21

to, and says it can collect precise location  data to provide ‘location-based’ services,  

16:28

which in our opinion is outside the  scope of what a keyboard should do.  

16:32

According to Exodus they have 6 trackers  and require 19 permissions.  

16:36

So again, we think the best option  for iOS is just the in-built keyboard  

16:40

with analytics disabled. One thing to keep in mind with  

16:43

software is that these apps can be updated  and their permissions changed at any time,  

16:48

so it's important to stay vigilant and check  for updated information since this video’s  

16:53

release before installing anything. It’s also important to understand that your  

16:57

keyboard can undermine the privacy of even  the most privacy-focused apps. For example,  

17:03

you might be using Signal, a really great  private messenger that encrypts your messages  

17:08

before sending them out. But if you're using a  keyboard app that doesn't protect your privacy  

17:13

and is sending your keystrokes before the  message is even encrypted, then you’ve  

17:17

completely undermined your privacy. This feels wrong. I'm a peacekeeping  

17:22

program created to help. A third-party keyboard app isn't  

17:27

just something you should add to your phone  because it offers some cool features. It's  

17:31

a critical decision for user privacy, and the  integrity of your keyboard underpins the privacy  

17:37

of your whole device. Choose wisely. NBTV is funded by community donations. If  

17:43

you’d like to support our free educational  content, please visit NBTV.media/support.  

17:48

And take a look at our book “beginner’s  introduction to privacy” that also supports  

17:52

our channel. Liking sharing and commenting on  our videos also really helps us. Thank you so  

17:57

much for watching through til the end!