Zevvle with friends and contact privacy

Last year, we did something a little different for our referral program. We set aside 1 million shares of Zevvle for inviting your friends & family. But it always felt a little off — you’d get shares for inviting someone, but they’d get nothing (except for being with Zevvle, of course!).

Today we’re changing that, so anyone who joins with a referral link will also get a share of Zevvle. We’re backdating it, too — if you joined through a referral link, it’ll now show on the new contacts tab (more below).

You can read more about the program here.

Moar Stats

For any of your contacts on Zevvle — if you’ve both enabled access to your contacts in-app — you’ll see each other as fellow Zevvlers and get a new screen with more stats:

Zevvle contact screen
The new contact screen in-app.

We’ve decided not to show who called who the most, or average times to answer the phone, although if there’s anything else you’d like to see do let us know!

But how do we find out if any of your contacts are on Zevvle?

Cryptography, hashing and k-anonymity

Instead of violating your privacy and sending all your contacts to our servers to see if any of them use Zevvle, we use a process popularised by Troy Hunt from HaveIBeenPwned.com. It takes advantage of something called k-anonymity to make sure anonymised data (i.e., your contacts) really are anonymous.

As a side note…

WTF is ‘hashing’?

Hashing is like shredding paper, if you could shred a piece of paper exactly the same way every time. You can never recreate the original piece from the shreds, but you know that if 2 separate shreds are identical, they came from the same piece. This is how it works for a phone number:

Hashing a phone number

Assuming the hashing function is legit, given that mess of text starting 96684… it’d be as-close-to-impossible-as-possible to recreate the original phone number.

It’s a very useful tool in cryptography to anonymise data, and is often used to store passwords (hopefully).

So to find out if any of your contacts use Zevvle, we do this:

  1. For each of your contacts, we hash their phone numbers. This happens in-app on your phone, and the numbers never leave your device.

  2. We then take the first character of each hash and send those to our servers. Each character can be one of 16 values and it’s impossible to find out which phone number it came from — phone numbers have billions of possible combinations.

  3. For the SIM cards on our system, we do the same as step 1 — hash all the phone numbers and compare those with the list of characters you sent. If any of the first characters match, we send you back the full hash. As we’re only comparing against 1 character, there will be many matches and we don’t know which — if any — are the correct ones.

  4. Back on your phone we compare the full hashes and if any of those match — hey presto, they also have Zevvle!

This means we can show which of your contacts use Zevvle without us knowing who your contacts are. However, we’ve made sure this only works if the other person has also enabled access to their contacts. In other words, nobody will know you’re on Zevvle unless you allow us.

Have a great weekend!

Nick Goodall