Signal president Meredith Whittaker is prepared to withdraw the privacy-focused messaging app from Australia, saying she hopes the country does not become a “gangrenous foot” that poisons the entire platform by forcing it to hand over its users’ encrypted data to authorities.

Ms Whittaker says Signal would take the “drastic step” of leaving any market where a government compelled it to create a “backdoor” to access its data, saying it would create a vulnerability that hackers and authoritarian regimes could exploit, undermining Signal’s “reason for existing”.

Pressure has been mounting on Signal and other secure messaging platforms. ASIO director general Mike Burgess has urged tech companies to unlock encrypted messages to assist terrorism and national security investigations, saying offshore extremists use such platforms to communicate.

archive.today

  • pulsewidth@lemmy.world · 33 upvotes · 3 days ago

    To the ASIO chief claiming that they need this to monitor terrorism I would answer that legislation has already made it illegal to not unlock your phone if you are presented with a ‘data access order’ - which police can obtain from a judge. Their claim of ‘but terrorists’ falls apart when they are free to surveil suspected terrorists in 1000 other ways and can then arrest them with very loose suspicions, hold their phone while they obtain a data access order, and then force them to unlock it and see all the Signal chat data and groups they’re in. If you don’t unlock your phone it’s fines or 2 years in jail.

    So they don’t need to have a backdoor into Signal or any other E2E encrypted chat to ‘stop terrorism’. It’s just a wishlist item because they’re jealous that they can’t hoover up everyone’s chats to datamine any more.

  • quokka@aussie.zone · 66 upvotes · 3 days ago

    offshore extremists use such platforms to communicate.

    Yes, yes they do. But that is not justification for reading everyone’s messages.

    • No1@aussie.zone · 25 upvotes · 3 days ago

      As our esteemed PM Malcolm Turnbull said way back in 2017:

      “The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia”

      • MHLoppy@fedia.io · 5 upvotes · 3 days ago

        Haha, that was Turnbull? It really sounds more like an Abbott thing to have said!

          • MHLoppy@fedia.io · 5 upvotes · 3 days ago

            This is now becoming incredibly tangential to the original post, but the comment thread reminded me of the time the hacker known as “Alex” uncovered Tony Abbott’s passport and phone numbers, and Abbott reacted pretty well to it: https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram/

            And then Tony Abbott just… calls me on the phone?

            Mostly, he wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about “the IT”.

            He asked some intelligent questions, like “how much information is in a boarding pass, and what do people like me need to know to be safe?”, and “why can you get a passport number from a boarding pass, but not from a bus ticket?”.

            The answer is that boarding passes have your password printed on them, and bus tickets don’t. You can use that password to log in to a website (widely regarded as a bad move), and at that point all bets are off, websites can just do whatever they want.

            He was vulnerable, too, about how computers are harder for him to understand.

            “It’s a funny old world, today I tried to log in to a [Microsoft] Teams meeting (Teams is one of those apps), and the fire brigade uses a Teams meeting. Anyway I got fairly bamboozled, and I can now log in to a Teams meeting in a way I couldn’t before.

            It’s, I suppose, a terrible confession of how people my age feel about this stuff.”

            Then the Earth stopped spinning on its axis.

            For an instant, time stood still.

            Then he said it:

            “You could drop me in the bush and I’d feel perfectly confident navigating my way out, looking at the sun and direction of rivers and figuring out where to go, but this! Hah!”

            This was possibly the most pure and powerful Australian energy a human can possess, and explains how we elected our strongest as our leader. The raw energy did in fact travel through the phone speaker and directly into my brain, killing me instantly.

            When I’d collected myself from various corners of the room, he asked if there was a book about the basics of IT, since he wanted to learn about it. That was kinda humanising, since it made me realise that even famous people are just people too.

    • Kairos@lemmy.today · 28 upvotes · 3 days ago

      Additionally, if the app is compromised these “extremists” will just move to one that isn’t.

      I swear COVID made people forget that actions have consequences. You can’t just change something and expect all other things to be equal.

  • ZoDoneRightNow@kbin.earth · 21 upvotes · 3 days ago

    This just in: Offshore extremists are allegedly using a substance commonly known as “water” to maintain hydration levels.

    • shads@lemy.lol · 15 upvotes · 3 days ago

      Yes it would be, let’s hope more companies follow that example. The more companies that make it clear that Australian politics are never an excuse for compromising the privacy and safety of their users, the more hope there is that the message will start to get through. Plus we could serve as a salutary warning for the rest of the world… “Wow, going down the path of driving whole market segments out of your economy has bad effects on that same economy.”

      • naught101@lemmy.world · 14 upvotes · 3 days ago

        I can totally see Australian politics being OK with Signal leaving, since that would push users on to other less secure/more compliant apps.

        • shads@lemy.lol · 13 upvotes · 3 days ago

          You might be right, but it’s going to get harder for them to crow about the wins ASIO is making when competent people are spinning up more bespoke solutions they have even less hope of compromising. Plus, when people go down the current path that the UK populace is on, what are ASIO going to claim next? VPNs have to be banned? You know Australia lacks the technical competence to implement that correctly; suddenly every business is having their workflow broken to appease a bunch of “intelligence” wonks. The further they overreach, the more likely they will trip themselves up.

          • naught101@lemmy.world · 4 upvotes · 3 days ago

            A messaging app is extremely hard to “spin up bespoke solutions” for, because a solution’s success is 99% dependent on the network effect.

            Perhaps when a protocol like signal but decentralised is available, then we might be able to say that.

            • brisk@aussie.zone · 6 upvotes · 3 days ago

              There are already a bunch of them, including XMPP and Matrix, which both implement Signal’s double ratchet encryption (via OMEMO, in XMPP’s case).

              • shads@lemy.lol · 1 upvote · 3 days ago

                I’ve certainly played with Matrix, got voice working but video was a struggle (I may have just stuffed up my STUN server install). Yet again this is an area that organised crime, terrorist groups etc have it easier, they can dictate what their members use rather than relying upon persuasion to get them onboard. I am pretty certain that the NSA have people dedicated to infiltrating these sorts of small scale chat apps, but like everything else who knows how many are actually in the wild and just have good enough opsec to avoid that infiltration (and yes how many they let stay open for intelligence purposes).

          • maniacalmanicmania@aussie.zone (OP) · 2 upvotes · 3 days ago

            I think that the number of folks who will run bespoke solutions will be so small that it’ll be insignificant. Signal’s benefit is its ease of onboarding. If Signal leaves, ASIO knows there’s nothing else out there for 99% of its users.

            • shads@lemy.lol · 5 upvotes · 3 days ago

              With the irony being I am sure I read an article a few months back about the rise in small scale private encrypted chat applications that some groups are spinning up because they don’t trust things like signal.

              I concede the point, maybe I am a bit blindsided by the level of knowledge I can bring to bear on this as I wouldn’t find it at all difficult to spin something up.

              I mean, how trivial would it be to insert encrypted packets using a one-time pad into meme images? Half the conversations between my wife and I would look suspicious under those circumstances. A straightforward sequence of pre-shared DSA pairs and the odds of ASIO being able to break it are minuscule.

                • shads@lemy.lol · 2 upvotes · edited · 3 days ago

                  I can 100% commit to that, but I would suggest that its likely quite unlikely. I have a feeling it was offline on actual dead tree somewhere.

            • Insane_Turnip@lemmy.world · 2 upvotes · 3 days ago

              the number of folks who will run bespoke solutions will be so small that it’ll be insignificant

              For the vast majority of people, you are right. But for the very few malignant actors, that is the thing they’ll do. It will make ASIO’s job harder as they’re now trying to trace foreign VPNs, custom-made encryption programs and other stuff that I personally don’t know about (I’m not overly knowledgeable about such computer things).

              The >99% of Signal users forced into the sunlight aren’t the threat. It’s the <1% of Signal users who ‘go underground’ that are the threat.

              • quokka@aussie.zone · 2 upvotes · 3 days ago

                Personally, I’ll spin up a Mastodon (or similar) instance for my kid and his mates.

                • No1@aussie.zone · 1 upvote · edited · 3 days ago

                  “Sir, we have identified a potential terrorist cell. Or a paedophile ring. Which week is it again?”

        • quokka@aussie.zone · 3 upvotes · 3 days ago

          You mean apps that they’d really like you pass age verification by having MyGovDigitalSurveillanceDefinitelyNotTrackingYou app?

    • quokka@aussie.zone · 10 upvotes · 3 days ago

      Yep. And meanwhile the kids will be chatting/abusing in Google Docs. Or IRC servers they spin up for free in AWS or whatever. Or, shock, SMS.

    • null_dot@lemmy.dbzer0.com · 9 upvotes · 1 downvote · 3 days ago

      Not really.

      This happens everywhere. It’s the police’s job to ask for access and it’s the Signal CEO’s job to decline.

      Ultimately the ASIO (aus federal police) won’t call signal’s bluff because signal leaving isn’t good for them. Threat actors would just use some alternative platform.

      • Pup Biru@aussie.zone · 8 upvotes · 3 days ago

        Australia is also a special kind of fucked up with this though… the Assistance and Access Act that passed in 2018 is absolutely horrible.

      • Zagorath@aussie.zone · 3 upvotes · 1 downvote · 3 days ago

        ASIO (aus federal police)

        I mean, sort of? The Australian Federal Police would be the Australian federal police (the hint is in the name!). But it’s true that ASIO does take on many roles that in America are done by the FBI, while AFP does more typical things associated with policing.

    • pulsewidth@lemmy.world · 4 upvotes · 3 days ago

      It’s just pressure from the ASIO chief (our NSA equivalent) at this stage. No legislation.

      The Signal CEO is rightly firing back saying it’ll never happen, and if push comes to shove they’ll leave.

  • KitKatKitCat@piefed.social · 20 upvotes · 3 days ago

    I’ve been using Signal for almost a decade. If Australia tries to force their hand, I don’t know what alternatives I’ll have to use.

    • Zozano@aussie.zone · 9 upvotes · 3 days ago

      Signal?

      Just download the .apk directly from the Signal website.

      Or from the GitHub repo.

      Or download it through F-Droid.

      Or install Obtainium.

    • shirro@aussie.zone · 2 upvotes · edited · 2 days ago

      There are a number of good alternatives. Signal wins because it’s well known, easy to use and install. Governments are targeting private communications, not a specific app, so their entire class is under threat and alternatives that can be backdoored will be.

      It’s all very short sighted. If you really want to stop private communications you have to outlaw all people with technical knowledge and access to general purpose computers. I can cobble something together that is secure enough for a criminal or terrorist to communicate with freely available software but it won’t be full featured or nice to use.

      Taken to the extreme this thinking ends with sending all the people with glasses to “work” some fields in the country because intellectuals challenge the security of the regime. That makes no fucking sense in a liberal democracy. So why even start down this path. Get a warrant and surveil people at the end points. It’s the only acceptable solution.

    • Zagorath@aussie.zone · 8 upvotes · 3 days ago

      Threema is a good option. Not an easy option, but a good one. It uses the Signal protocol, but your private key stays on your device, and you manage which users you trust to save their public key for communicating with them yourself, including giving three levels of verification for (1) if it’s a random person and you have no way of verifying who they are, (2) if it’s a person whose ID matches someone in your address book, and (3) if it’s someone you’ve met in person and scanned a verifying QR code.

      • psud@aussie.zone · 3 upvotes · 3 days ago

        I’m using Signal right now for a family group, so complex solutions won’t work.

      • theroff@aussie.zone · 1 upvote · 3 days ago

        Will Signal block Australian IP addresses, or nix accounts that have a +61 phone number? I’d assume the former but if Signal and other social media platforms go for the latter it will be painful for Australian netizens.

      • melbaboutown@aussie.zone · 3 upvotes · 1 downvote · 3 days ago

        I’m not au fait with this, but can you use a Raspberry Pi for a makeshift VPN or something?

        Seems like a thing the tech-savvy people do.

        • Funky_Beak@lemmy.sdf.org · 2 upvotes · edited · 2 days ago

          The raspi still needs to be out of the country for it to work how you want it to. If you have the raspi in the same area then the data is still vulnerable. They may block VPN providers, but they just can’t block wireshark connecting to an offshore server, because they would shut down a lot of methods businesses use to transfer data. Well, they could, but it would be some next-level stupid.

        • null_dot@lemmy.dbzer0.com · 4 upvotes · 3 days ago

          You can, but it’s unnecessary. For most people, just configuring each device to use a VPN is the path of least resistance.

          • melbaboutown@aussie.zone · 3 upvotes · 3 days ago

            I’ve just seen a comment about the UK floating VPN bans and am considering the possibility in Australia, so I’m probably commenting in the wrong thread.

        • Bob Robertson IX@discuss.tchncs.de · 3 upvotes · 3 days ago

          The problem is everyone you chat with would also have to do this… unless you’re talking with people outside of Australia or can convince everyone else to also get a VPN.

    • quokka@aussie.zone · 4 upvotes · 3 days ago

      As with Signal, it’s not really about what you’ll use, but what alternative gains traction and you can persuade your contacts to use. I hope one of the decentralised alternatives is able to rise to mainstream status.

      • KitKatKitCat@piefed.social · 5 upvotes · 3 days ago

        Persuading enough people I know to use Signal was hard enough already. I only got lucky because I already had some other friends who were already on the platform. It’s much easier to persuade people if you tell them other people are already using it. I just get frustrated that people are too lazy to tap a couple of buttons on their phone to download an app.

        • JackbyDev@programming.dev · 2 upvotes · 3 days ago

          One of my friends is just so opposed to using anything else other than Meta Messenger and SMS. He says he doesn’t want app bloat. I get it, but I’d also like to not have corporations spying on our chats. 🙄

    • Rivalarrival@lemmy.today · 1 upvote · 3 days ago

      VPN, with an endpoint in a nation where Signal isn’t particularly popular, so nobody thinks to fuck with it.

  • eureka@aussie.zone · 7 upvotes · 3 days ago

    Last I heard, plenty of companies used Signal for certain secure messaging. And I don’t just mean dodgy off-the-record stuff, I mean confidential things that Teams is too open for.

    • shirro@aussie.zone · 3 upvotes · 2 days ago

      Opening up private company communications to the government makes that data a huge target for foreign intelligence and criminal organisations. Even our allies will happily pass on valuable company secrets to their own companies. Everyone is out for themselves. The software our government uses to analyse data will generally be closed source and supplied by a foreign power and not sufficiently audited.

      Unfortunately our politicians are dangerously ignorant about the technological risks to national sovereignty and our economy. So they rely on often dubious advice from parties with a vested interest that is opposed to the public interest.

    • maniacalmanicmania@aussie.zone (OP) · 3 upvotes · edited · 3 days ago

      It’s pretty convenient for sharing new account/access passwords which is something I need to do occasionally. In the back of my mind I keep hearing a voice saying ‘you could do this more securely if you thought about it for a moment’ but I just ignore the zealot in my skull.

      • Fuse Views@infosec.exchange · 2 upvotes · 3 days ago

        @9tr6gyp3

        There is NO back-door to Signal.

        @signalapp is blind to all communications. (Including, probably, this toot! 🤪)

        Signal itself does NOT know who has messaged whom, nor when, nor how (e.g. the IP address is NOT known.)

        If Signal was subpoenaed to produce my records, they could produce:

        1. My phone number. (Actually, my number is the only way Signal could ‘reference’ my data.)
        2. The date I joined Signal.
        3. The date I was last active on Signal.
        4. (This one is a maybe…) The existence of secondary devices that I use - such as the Desktop app.

        I’m *fairly* sure that is all of it.
        (Please let me know if I’m wrong.)

        @sunzu2

        • sunzu2@thebrainbin.org · 2 upvotes · 3 days ago

          They likely keep the logs of IP addresses they can produce, tbh.

          National Security laws would prevent them from disclosing this. This is just a “natural” vulnerability, along with a KYC’d SIM card ;)

            • sunzu2@thebrainbin.org · 1 upvote · 2 days ago

              Under national security laws, if Signal is told to log and report, it will log and report.

              Sure, it might exit a smaller market, but if the US told it to log, it will log.

              In fact they force you to use a phone number because a phone is essentially KYC lite.

              What you are saying is a “trust me bro”. From a technical perspective Signal can generate a heat map of whom you are communicating with and when, store this info and turn it over.

              That’s the inherent defect when using centralized server infrastructure controlled by a company.

              Go easy on the corpo kool-aid and use some common sense.

              SimpleX is trying to solve this issue but it ain’t ready for mainstream.

              • Fuse Views@infosec.exchange · 1 upvote · 2 days ago

                @sunzu2

                To do the things you are suggesting that Signal could be forced to do, Signal would have to rewrite its entire codebase as well as the client apps.

                Fortunately, Signal is open source, and such changes would be noticed.

                As it stands, it doesn’t matter what is demanded nor by whom as the only user data, including traffic analysis, that Signal can currently reveal is insignificant.

                Signal simply cannot disclose data it itself cannot access.

                Yes, decentralised services are preferable, but Signal has probably the easiest onboarding experience for the average user, especially those new to the concept of E2EE.

                @maniacalmanicmania @9tr6gyp3 @signalapp

                • sunzu2@thebrainbin.org · 1 upvote · 2 days ago

                  Signal simply cannot disclose data it itself cannot access

                  Signal can’t log you pinging their servers?

        • 9tr6gyp3@lemmy.world · 2 upvotes · 3 days ago

          I never claimed there was a backdoor…?

          Your items 1, 2, 3 are data that Signal stores, as well as the encrypted blobs of our conversations.

          Which means they have data, right?