Encryption App Signal Wins Fight Against FBI Subpoena and Gag Order (dailydot.com)
An anonymous reader quotes a report from The Daily Dot: Signal, widely considered the gold standard of encrypted messaging apps, was put to the test earlier this year when an FBI subpoena and gag order that demanded a wide range of information on two users resulted in a federal grand jury investigation in Virginia. The makers of Signal, Open Whisper Systems, profoundly disappointed law enforcement. The app collects as little data as possible and therefore was unable to hand anything useful over to agents. "That's not because Signal chose not to provide logs of information," ACLU lawyer Brett Kaufman told the Associated Press. "It's just that it couldn't." "The Signal service was designed to minimize the data we retain," Moxie Marlinspike, the founder of Open Whisper Systems, told the New York Times. The subpoena came with a yearlong gag order that was successfully challenged by the American Civil Liberties Union. Signal's creators challenged the gag order as unconstitutional, "because it is not narrowly tailored to a compelling government interest." The challenge was successful. In addition to being popularly considered the best consumer encrypted messaging app available, Signal's technology is used by Facebook for Secret Conversations, WhatsApp for encrypted messages, and Google's Allo. Confronted with the subpoena, Marlinspike went to the ACLU for legal counsel. The ACLU responded with a letter saying that even though Signal did not have data the FBI sought, it still strenuously objected (PDF) to the fact the FBI wanted so much information.
Encrypted, Ordered, and Gagged (Score:2, Funny)
Those Feds sure have a kinky power trip going on... I wonder if they wear zipper masks...
Re: (Score:3, Insightful)
Under a FOIA request I finally managed to find out how they manage to function under those conditions. It seems Federal Agencies have been issued glass belly buttons. Now, since they can't pull their heads from their anus they no longer have to. They can still see where they are going.
Re: (Score:2)
This is why I come to Slashdot. Superior insights and wisdom.
Thank you, and Cheers!
Re: (Score:3, Interesting)
Keeping most users on a few big US brands generational "free" applications helped a lot too.
If the gov can't get in thanks to real encryption, try and get into one end of the users' computers.
At some point the user is going to be reading plain text again and could even be typing in a message.
Some software sent down to any user of interest to capture the message as decode
Re:Damn Fine Marketing (Score:5, Insightful)
I bet their business will pick up with a sterling endorsement from the ACLU.
s/ Yeah, those sneaky bastards having the unmitigated gall to actually stand by principles to protect their users when challenged which tends to engender trust in return from their users!
I mean, how low will some people go, right? 'Principles' are nothing but unscrupulous marketing tools and obstacles to the smooth and efficient functioning of the government, and therefore should be abolished! /s
Strat
Re: Damn Fine Marketing (Score:3, Insightful)
I'm afraid your sarcasm will fall on deaf ears. Over 30 years of right wing pro corporate and cop worshipping propaganda have made some people react negatively to the mere mention of the term ACLU. Most of them can't even articulate a valid and actually factual reason why they hate that organization.
This trait of ignorant subservience to propaganda sadly is now adopted by a lot of shrill people on the left now when asked why they dislike Trump. So now both sides sport tons of ignorant idiots.
It's fine to
Re: Damn Fine Marketing (Score:4, Insightful)
Most of them can't even articulate a valid and actually factual reason why they hate that organization.
I have no particular love for the ACLU. They seem to be only interested in protecting *some* rights. Others, like the 2nd Amendment's noninfringeable right for individuals to keep and bear arms for self defense and as part of the many disincentives towards tyranny built into the Constitution...not so much.
Be that as it may, I still call this a good move by the ACLU and hope they prevail. I will cheer them when they are right and chide them when they are wrong the same as anyone else regardless of party or ideology.
People need to stop thinking in terms of groups and group rights and concentrate on what is right for individuals. That's the real problem. TPTB have spent the last 60 years dividing people into subgroups and ethnicities and pitting them against each other to create the emotional tension to create partisan followers fueled by hate and resentment for their fellow Americans.
Let's just worry about what is *good*. Those basic principles that built the US and made it the most prolifically-generous and charitable nation to have ever existed. Just look out for your neighbor. Lend a hand if you can. Don't let them play Emperor Palpatine; "Yes!...Let the hate flow through you!"
"With malice toward none, with charity for all, with firmness in the right as God gives us to see the right, let us strive on to finish the work we are in, to bind up the nation's wounds, to care for him who shall have borne the battle and for his widow and his orphan, to do all which may achieve and cherish a just and lasting peace among ourselves and with all nations." - President Abraham Lincoln, Second Inaugural Address
Don't let the hate-merchants who want to divide us all up, stir up hatred, and pit us against each other like Roman Coliseum gladiator-slaves, win.
Strat
Re: Damn Fine Marketing (Score:5, Insightful)
Re: (Score:2)
Not really. The NRA is just a gun manufacturing lobby; that's why they won't stand up for 3D printed guns.
But that counts. There's an entire industry, with money and motivation behind it, fighting for the second amendment.
Who fights for the other amendments? Nobody, which is why the definitions for things like "freedom of speech" (first), "fair and speedy trial" (sixth), and "excessive bail ... fines ... cruel and unusual punishment" (eighth) are so loose and squishy.
Re: (Score:2)
Why should the ACLU waste their resources on the 2nd amendment? There are plenty of other organizations.
So it is a waste of ACLU resources to defend the 2nd Amendment but not a waste to attack it?
Re: (Score:2)
The ACLU disagrees with the NRA on how the 2nd amendment is meant to be read. Many Americans do, with many laws. That's why we have courts.
That will be very comforting when the USSC changes their mind, rules that the 2nd amendment means what the ACLU thinks it means, and that "the people" only have collective rights.
Re: (Score:2)
So collective rights will then include the 1st, 4th, 9th, and 10th:
"... or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures
"The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people."
"The powers not delegated to the United States by the Constitution
Re: (Score:2)
I'm not sure what you're saying. We don't need gun rights enshrined in the constitution.
Then repeal them instead of sacrificing the meaning of the other rights recognized in the Bill of Rights.
For example, there is no constitutional prohibition on murder. It's just not an appropriate place for that sort of regulation.
We never needed a 5th Amendment anyway. Maybe we can sell it on Ebay.
Re: (Score:3)
60 years? Is that all? In America?
What about legal Jim Crow racism, which officially ended almost 50 years ago but persisted for ove
Re: (Score:1)
Jim Crow laws are on the books still. One was struck down a year or two back, because it was being used to bar minorities from owning guns. It hasn't just been 'going on'; it's still going on. People use law as a weapon to hurt groups they want to discriminate against. That's why the highest laws are set in stone as things that a lawful government can never do. Politics is all about dividing people by arbitrarily inventing reasons why "things a lawful government can never do" actually means "Things* a l
Re: (Score:2)
You seem to have some thorough and strong opinions. Please explain to me why a 50cal is OK, but grenades, fully automatics, silencers, and tactical nukes are not?
You'd have to ask those who decided those things don't fall under the 2nd Amendment.
My opinion is that any weapons normally carried by a current US infantry soldier as basic battlefield infantry loadout is protected. That means M4 carbines w/select-fire, grenades, etc should be protected and legal to own. The whole point of the 2nd Amendment besides self-defense is to create a civilian military force to repel threats to the nation from either foreign invaders or as a disincentive to domestic tyranny which w
Re: (Score:3)
It sounds like they didn't even need to stand by their principles; they simply designed the system to not collect the data that law enforcement was seeking. That seems to be the most prudent option now: build your system so that it can't be used by law enforcement to gather evidence and you don't have to waste time and money servicing their requests.
Whispering should be illegal (Score:2, Insightful)
People should be compelled to speak loudly enough that their communications can be recorded by law enforcement.
If you have nothing to hide you have no reason to whisper.
Re: (Score:1)
RTFA. They just showed that they cannot help criminals. They do not have the data the criminals want.
Re: (Score:2)
The US government has already shown that it is not above compelling people to speak loudly. The problem, though, is that it is impossible to trust loud conversation which was compelled.
They can subpoena the certificate's private key (Score:2)
That is something that Signal does know. And with the key they can man-in-the-middle the site.
I wonder what happens if the key is put inside a Hardware Security Module (HSM). They are carefully designed never to release the key; each request needs to be processed by the HSM itself. I would be surprised if Signal or anyone else in this space uses one though.
And of course, the Feds will have their own CA and so could just forge the cert.
Doing SRP on a HSM though, that would slow them down. SRP also kills phi
Re: (Score:3)
Signal has protections against MITM attacks. Once you've securely connected with someone, a MITM attack isn't going to break that secure communication channel; keys have already been exchanged.
Re: (Score:2)
They may not be able to MITM the connection, but with the developers' signing key they could push an update out which would send the cleartext straight from the app to the FBI's servers. To avoid that attack vector you would need to disable auto-updates and only install versions (manually, after verifying the signature on the binary) which have undergone a thorough security audit by someone you trust—preferably yourself.
Re: (Score:2)
They may not be able to MITM the connection, but with the developers' signing key they could push an update out which would send the cleartext straight from the app to the FBI's servers. To avoid that attack vector you would need to disable auto-updates and only install versions (manually, after verifying the signature on the binary) which have undergone a thorough security audit by someone you trust—preferably yourself.
You're assuming I can trust myself. What if my other personality received a NSL and isn't telling me about it?
Re: (Score:3)
OWS doesn't own the private key, so subpoena away mother fucker
Apple and Google (Score:1)
So when are Apple and Google going to stop keeping logs?
Re: (Score:2, Interesting)
Wait, what? You're saying it uses Google libraries?
If so... uh, no thanks. I don't care HOW "secure" their own code is. Once you use Google services, you have to consider that you are backdoored. If not today, then in the future when G updates the libs because it wants some more of your data.
ANY use of Google services - the biggest advertising dataminer on the planet - means that product CANNOT be trusted. They are the biggest force against privacy on the internet, and that's saying a lot.
Best part of the story ... (Score:1, Insightful)
[blah blah blah ...] Moxie Marlinspike
I thought this app was for privacy? (Score:2, Informative)
It says it needs access to:
Device & App History
Identity
Calendar
Contacts
Location
SMS
Phone
Photos/Media/Files
I have a hard time feeling private with all those permissions. I'm surprised it didn't ask for my blood type.
I know pretty much everything "requires" access to everything these days. When your printer wants access to your contact list, something is wrong. This is a privacy app, why is it so intrusive?
On their page, it even says "Using Signal, you can communicate instantly while avoiding SMS fees". So
Re: (Score:2)
>So why does it want access to SMS?
For the authentication phase.
Re:I thought this app was for privacy? (Score:5, Informative)
It says it needs access to:
Device & App History
[snip]
All the permissions Signal requires are explained here [whispersystems.org]. They all make sense in context, and many can be disabled without affecting normal use (e.g. location, calendar, camera, etc.).
To answer your question about SMS in particular, OWS says "Signal is capable of functioning as a complete replacement to your phone’s stock messaging application. In order to do this, it needs to be able to send and receive text messages (both SMS and MMS). You can also import your existing messages into Signal when it is first installed, and these permissions allow that database to be read as well."
Re: (Score:2)
Location and calendar are literally "we may use these in the future." It's bad practice to request preemptive permissions.
Not Related To Need (Score:2)
Objection (Score:1)
So what happened? (Score:2)
What a completely incoherent article! The title says they won a fight. What fight was that? Was there a court ruling? If so, what issue did it decide and what did it say? Or does it have something to do with the grand jury investigation mentioned vaguely and confusingly in the summary? Who or what was that grand jury investigating? Did they just make a decision about something? I really can't tell what the story is here.