2.2 Client registration

Client registration (figure 2.3) is required in order to participate in the exchange of end-to-end encrypted content. The concept of user accounts is less relevant, as encrypted content is exchanged between two clients. A user can register up to 8 client applications (usually different devices) in total: 7 are permanent 1 is temporary. Attempts to register more than 7 permanent clients will result in an error and require a permanent client to be removed. Registering a new temporary client will replace the old one. These restrictions limit the amount of computation clients need to perform when sending encrypted messages, as messages are encrypted individually between clients. The prekeys are used by other clients to initiate cryptographic sessions with the newly registered client and are defined in section 4.1.1 on page 9. Upon successful client registration the server returns a client ID (Cid) which is unique per user ID.

2.2.1 Further data

The following data will also be collected during client registration: • Class: The device class: Mobile, Tablet or Desktop. • Model: The device model, e.g. iPhone 7. • Label: A human-readable label for the user to distinguish devices of the same class and model. • Cookie label: A cookie label links the client to authentication cookies (cf. section 3 on the next page). When such a client is later removed from the account, i.e. when a device is lost, the server will revoke any authentication cookies with a matching cookie label. Once set, cookie labels can never be changed. • Password: If the user has a password, client registration requires reauthentication with this password, with the exception of the first registered client of an account. Similarly, removing a registered client also requires the password to be entered.

2.2.2 Metadata

The server collects the following metadata for every newly registered client and makes it available it to the user: • Timestamp: The UTC timestamp when the client was registered. • Location: The geographic coordinates of the IP address used to register the client. This information is only collected to make notifications about new registrations more meaningful.

2.2.3 Notifications

When a new client is registered with an account, all existing clients of the same account are notified of that event. Additionally, the user will be notified via e-mail. These notifications help the user to identify suspicious clients registered with their account, e.g. when login credentials are stolen.