Signal president Meredith Whittaker is prepared to withdraw the privacy-focused messaging app from Australia — saying she hopes it doesn’t become a “gangrenous foot” by poisoning its entire platform by forcing it to hand over its users’ encrypted data to authorities.
Ms Whittaker says Signal would take the “drastic step” of leaving any market where a government compelled it to create a “backdoor” to access its data, saying it would create a vulnerability that hackers and authoritative regimes could exploit, undermining Signals’ “reason for existing”.
Pressure has been mounting on Signal and other secure messaging platforms. ASIO director general Mike Burgess has urged tech companies to unlock encrypted messages to assist terrorism and national security investigations, saying offshore extremists use such platforms to communicate.
offshore extremists use such platforms to communicate.
Yes, yes they do. But that is not justification for reading everyone’s messages.
additionally if the app is compromised these “extremists” will just move to one that isn’t.
I swear COVID made people forget that actions have consequences. You can’t just change something and expect all other things to be equal.
As our esteemed PM Malcolm Turnbull said way back in 2017:
“The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia”
Haha, that was Turnbull? It really sounds more like an Abbott thing to have said!
Too big words for him.
This is now becoming incredibly tangential to the original post, but the comment thread reminded me of the time the hacker known as “Alex” uncovered Tony Abbott’s passport and phone numbers, who reacted pretty well to it: https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram/
And then Tony Abbott just… calls me on the phone?
Mostly, he wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about “the IT”.
He asked some intelligent questions, like “how much information is in a boarding pass, and what do people like me need to know to be safe?”, and “why can you get a passport number from a boarding pass, but not from a bus ticket?”.
The answer is that boarding passes have your password printed on them, and bus tickets don’t. You can use that password to log in to a website (widely regarded as a bad move), and at that point all bets are off, websites can just do whatever they want.
He was vulnerable, too, about how computers are harder for him to understand.
“It’s a funny old world, today I tried to log in to a [Microsoft] Teams meeting (Teams is one of those apps), and the fire brigade uses a Teams meeting. Anyway I got fairly bamboozled, and I can now log in to a Teams meeting in a way I couldn’t before.
It’s, I suppose, a terrible confession of how people my age feel about this stuff.”
Then the Earth stopped spinning on its axis.
For an instant, time stood still.
Then he said it:
“You could drop me in the bush and I’d feel perfectly confident navigating my way out, looking at the sun and direction of rivers and figuring out where to go, but this! Hah!”
This was possibly the most pure and powerful Australian energy a human can possess, and explains how we elected our strongest as our leader. The raw energy did in fact travel through the phone speaker and directly into my brain, killing me instantly.
When I’d collected myself from various corners of the room, he asked if there was a book about the basics of IT, since he wanted to learn about it. That was kinda humanising, since it made me realise that even famous people are just people too.
I love ‘Alex’. I’ve seen them present a few times, such a great speaker.
To the ASIO chief claiming that they need this to monitor terrorism I would answer that legislation has already made it illegal to not unlock your phone if you are presented with a ‘data access order’ - which police can obtain from a judge. Their claim of ‘but terrorists’ falls apart when they are free to surveil suspected terrorists in 1000 other ways and can then arrest them with very loose suspicions, hold their phone while they obtain a data access order, and then force them to unlock it and see all the Signal chat data and groups they’re in. If you don’t unlock your phone it’s fines or 2 years in jail.
So they don’t need to have a backdoor into Signal or any other E2E encrypted chat to ‘stop terrorism’. It’s just a wishlist item because they’re jealous that they can’t hoover up everyone’s chats to datamine any more.
deleted by creator
Well that would be incredibly fucked.
Yes it would be, let’s hope more companies follow that example. The more companies that make it clear that Australian politics are never an excuse for compromising the privacy and safety of their users the more hope there is that the message will start to get through. Plus we could serve as a salutory warning for the rest of the world… “Wow go down the path of driving whole market segments out of your economy has bad effects on that same economy.”
I can totally see Australian politics being OK with signal leaving, since that would push users on to other less secure/more compliant apps
You might be right, but its going to get harder for them to crow about the wins ASIO is making when competent people are spinning up more bespoke solutions they have even less hope of compromising. Plus when people go down the current path that the UK populace is what are ASIO going to claim next, VPNs have to be banned. You know Australia lacks the technical competence to implement that correctly, suddenly every business is having their workflow broken to appease a bunch of “intelligence” wonks. The further they over reach the more likely they will trip themselves up.
A messaging app is extremely hard to “spin up bespoke solutions” for, because a solution’s success is 99% dependent on the network effect.
Perhaps when a protocol like signal but decentralised is available, then we might be able to say that.
There are already a bunch of them, including XMPP and Matrix which both implement Signal’s double ratchet encryption (via OMEMO, in XMPPs case)
Veilid comes to mind as well, still a work in progress
I’ve certainly played with Matrix, got voice working but video was a struggle (I may have just stuffed up my STUN server install). Yet again this is an area that organised crime, terrorist groups etc have it easier, they can dictate what their members use rather than relying upon persuasion to get them onboard. I am pretty certain that the NSA have people dedicated to infiltrating these sorts of small scale chat apps, but like everything else who knows how many are actually in the wild and just have good enough opsec to avoid that infiltration (and yes how many they let stay open for intelligence purposes).
I think that the number of folks who will run bespoke solutions will be so small that it’ll be insignificant. Signals benefit is its ease of onboarding. If Signal leaves ASIO knows there’s nothing else out there for 99% of it’s users.
With the irony being I am sure I read an article a few months back about the rise in small scale private encrypted chat applications that some groups are spinning up because they don’t trust things like signal.
I concede the point, maybe I am a bit blindsided by the level of knowledge I can bring to bear on this as I wouldn’t find it at all difficult to spin something up.
I mean how trivial would it be to insert encrypted packets using a one time pad into meme images, half the conversations between my wife and I would look suspicious under those circumstances, a straightforward sequence of pre shared DSA pairs and the odds of ASIO being able to break it are miniscule.
If you remember the article please share.
I can 100% commit to that, but I would suggest that its likely quite unlikely. I have a feeling it was offline on actual dead tree somewhere.
the number of folks who will run bespoke solutions will be so small that it’ll be insignificant
For the vast majority of people, you are right. But for the very few malignant actors, that is the thing they’ll do. It will make ASIO’s job harder as they’re now trying to trace foreign VPN’s, custom-made encryption programs and other stuff that I personally don’t know about (I’m not overly knowledgeable about such computer things).
The >99% of Signal users forced into the sunlight aren’t the threat. It’s the <1% of Signal users who ‘go underground’ that are the threat.
Personally, I’ll spin up a Mastodon (or similar) instance for my kid and his mates.
“Sir, we have identified a potential terrorist cell. Or a paedophile ring. Which week is it again?”
You mean apps that they’d really like you pass age verification by having MyGovDigitalSurveillanceDefinitelyNotTrackingYou app?
This just in: Offshore extremists are allegedly using a substance commonly known as “water” to maintain hydration levels.
DiHydrogen Monoxide can kill you!
Stop, they night actually fall for this. Recently all my sense of normal and impossible behaviour had been called into question.
Recently? This has been happening for many decades. I remember the fall of privacy and law after 9/11, and that wasn’t the start.
Has Australia just completely decided to go for broke
Yep. And meanwhile the kids will be chatting/abusing in Google Docs. Or IRC servers they spin up for free in AWS or whatever. Or, shock, SMS.
Google docs getting censored as well for some reason
@melbaboutown @quokka very sad
For real?
If their filter catches anything ‘inappropriate’
We’re trying desperately to outdo the UK…
Not really.
This happens everywhere. It’s the police job to ask for access and it’s the signal CEO’s job to decline.
Ultimately the ASIO (aus federal police) won’t call signal’s bluff because signal leaving isn’t good for them. Threat actors would just use some alternative platform.
australia is also a special kind of fucked up with this though… the assistance and access act that passed in 2018 is absolutely horrible
ASIO (aus federal police)
I mean, sort of? The Australian Federal Police would be the Australian federal police (the hint is in the name!). But it’s true that ASIO does take on many roles that in America are done by the FBI, while AFP does more typical things associated with policing.
Amazing.
Its just pressure from the ASIO chief (our NSA equivalent) at this stage. No legislation.
The Signal CEO is rightly firing back saying it’ll never happen, and if push comes to shove they’ll leave.
I’ve been using Signal for almost a decade. If Australia tries to force their hand, I don’t know what alternatives I’ll have to use.
Signal?
Just download the .apk directly from the signal website.
Or from the github repo
Or download it through f-droid
Or install Obtainium
Turn on your vpn or buy server space and routing all traffic through that’s my plan b here.
So you can talk to… yourself?
Run a matrix server to my friends if came to it or have the sever point to the outside web and use it as an end point. Im talking nuclear solutions here that would cost me to achieve. I really dont like security being missmanaged in the name of public safety. If you want my data, get a warrent arrest me and demand my passwords.
I’m using signal right now for a family group, so complex solutions won’t work
A VPN should have been my first thought. Rookie error on my part.
As someone who has toyed with using one to get around my state’s porn ban a little, sometimes it just routes me other states with porn bans. So it’s not necessarily a magic fix. It’s better than nothing but if everyone starts banning something you will have trouble.
Any good VPN will let you choose the jurisdiction of the endpoint.
Yes, but typically not for free.
It’s just a separate part of your ISP costs.
Will Signal block Australian IP addresses, or nix accounts that have a +61 phone number? I’d assume the former but if Signal and other social media platforms go for the latter it will be painful for Australian netizens.
I’m not au fait with this but can you use a raspberry pi for a makeshift vpn or something?
Seems like a thing the tech savvy people do
You can but it’s unnecessary. For most people just configuring each device to use a vpn is the path of least resistance.
I’ve just seen a comment about the UK floating vpn bans and am considering the possibility in Australia so I’m probably commenting in the wrong thread.
The UK needs to ban VPNs. To, uh, protect the children.
The problem is everyone you chat with would also have to do this… unless you’re talking with people outside of Australia or can convince everyone else to also get a VPN.
deleted by creator
The raspi still needs to be out of the country for it to work how you want it to. If you have the raspi in the same area then the data is still vulnerable. They may block vpn providers, but they just can’t block wireshark connecting to a off shore server because they would shutdown alot of methods, buissnesses use to transfer data. Well they could but it be some next level stupid.
Ah that’s a shame. I guess it could still be used as an adblocker. Time to go research VPNs
Threema is a good option. Not an easy option, but a good one. It uses the Signal protocol, but your private key stays on your device, and you manaage which users you trust to save their public key for communicating with them yourself, including giving three levels of verification for (1) if it’s a random person and you have no way of verifying who they are, (2) if it’s a person whose ID matches someone in your address book, and (3) if it’s someone you’ve met in person and scanned a verifying QR code.
Is it available for both smartphone ecosystems?
as with Signal, is not really about what you’ll use, but what alternative gains traction and you can persuade your contacts to use. I hope one of the decentralised alternatives is able to rise to mainstream status.
Persuading enough people I know to use Signal was hard enough already. I only got lucky because I already had some other friends who were already on the platform. It’s much easier to persuade people if you tell them other people are already using it. I just get frustrated that people are too lazy to tap a couple of buttons on their phone to download an app.
One of my friends is just so opposed to using anything else other than Meta Messenger and SMS. He says he doesn’t want app bloat. I get it, but I’d also like to not have corporations spying on our chats. 🙄
App bloat lol. Meta apps are some of the most bloated and resource hungry apps out there.
There are a number of good alternatives. Signal wins because it’s well known, easy to use and install. Governments are targetting private communications, not a specific app so their entire class is under threat and alternatives that can be backdoored will be.
It’s all very short sighted. If you really want to stop private communications you have to outlaw all people with technical knowledge and access to general purpose computers. I can cobble something together that is secure enough for a criminal or terrorist to communicate with freely available software but it won’t be full featured or nice to use.
Taken to the extreme this thinking ends with sending all the people with glasses to “work” some fields in the country because intellectuals challenge the security of the regime. That makes no fucking sense in a liberal democracy. So why even start down this path. Get a warrant and surveill people at the end points. It’s the only acceptable solution.
I use SimpleX.
I had it for a while. Hard to convince people to use it when it has probably less than 10,000 users.
VPN, with an endpoint in a nation where Signal isn’t particularly popular, so nobody thinks to fuck with it.
Last I heard, plenty of companies used Signal for certain secure messaging. And I don’t just mean dodgy off the record stuff, I mean confidential things that Teams is too open for.
Opening up private company communications to the government makes that data a huge target for foreign intelligence and criminal organisations. Even our allies will happily pass on valuable company secrets to their own companies. Everyone is out for themselves. The software our government uses to analyse data will generally be closed source and supplied by a foreign power and not sufficiently audited.
Unfortunately our politicians are dangerously ignorant about the techological risks to national sovereignty and our economy. So they rely on often dubious advice from parties with a vested interest that is opposed to the public interest.
It’s pretty convenient for sharing new account/access passwords which is something I need to do occasionally. In the back of my mind I keep hearing a voice saying ‘you could do this more securely if you thought about it for a moment’ but I just ignore the zealot in my skull.
math is math, idiots
backdoor” to access its data,
Is this what tos for signal say? It is their data?
Hmmm
Does Signal not have data?
There is NO back-door to Signal.
@signalapp is blind to all communications. (Including, probably, this toot! 🤪)
Signal itself does NOT know who has messaged whom, nor when, nor how (e.g. the IP address is NOT known.)
If Signal was subpoenaed to produce my records, they could produce:
- My phone number. (Actually, my number is the only way Signal could ‘reference’ my data.)
- The date I joined Signal.
- The date I was last active on Signal.
- (This one is a maybe…) The existence of secondary devices that I use - such as the Desktop app.
I’m *fairly* sure that is all of it.
(Please let me know if I’m wrong.)They likely keep the logs of IP addresses they can produce tbh
National Security laws would prevent them from disclosing this. This is just “natural” vulnerability along with a kyc’d sim card ;)
Nope and I was wrong.
@signalapp is only able to produce LESS information than I previously stated.- The phone number (which will already be known by the relevant authority.)
- Last connection date.
- Account creation date.
That’s it. Nothing else.
Signal does NOT log users’ IP addresses.See this for more information:
https://signal.org/bigbrother/santaclara/Under National security laws if Signal is told to log and report, will log and report.
Sure it might exit smaller market, but if us told it to log, it will log.
In fact they force you to use a phone number BC phone is essentially KYC lite.
What you are saying is a trust me bro. From technical perspective signal can generate a heat man of who you are communicating and when. Store this info and turn it over.
That’s the inherent defect when using centralized server infrastructure controlled by a company.
Go easy on the corpo kool aid and use some common sense.
SimpleX is trying to solve this issue but it ain’t ready for main stream
To do the things you are suggesting that Signal could be forced to do, Signal would have to rewrite its entire codebase as well as the client apps.
Fortunately, Signal is open source, and such changes would be noticed.
As it stands, it doesn’t matter what is demanded nor by whom as the only user data, including traffic analysis, that Signal can currently reveal is insignificant.
Signal simply cannot disclose data it itself cannot access.
Yes, decentralised services are preferable, but Signal has probably the easiest onboarding experience for the average user, especially those new to the concept of E2EE.
Signal simply cannot disclose data it itself cannot access
Signal can’t log you pinging their servers?
I never claimed there was a backdoor…?
Your items 1, 2, 3 are data that Signal stores, as well as the encrypted blobs of our conversations.
Which means they have data, right?
They can’t get rid of xmpp 😂
Anyone trying to undermine encryption is a short sighted idiot
