
Encryption App Signal Wins Fight Against FBI Subpoena and Gag Order (dailydot.com)

An anonymous reader quotes a report from The Daily Dot: Signal, widely considered the gold standard of encrypted messaging apps, was put to the test earlier this year when an FBI subpoena and gag order that demanded a wide range of information on two users resulted in a federal grand jury investigation in Virginia. The makers of Signal, Open Whisper Systems, profoundly disappointed law enforcement. The app collects as little data as possible and therefore was unable to hand anything useful over to agents. "That's not because Signal chose not to provide logs of information," ACLU lawyer Brett Kaufman told the Associated Press. "It's just that it couldn't." "The Signal service was designed to minimize the data we retain," Moxie Marlinspike, the founder of Open Whisper Systems, told the New York Times. The subpoena came with a yearlong gag order that was successfully challenged by the American Civil Liberties Union. Signal's creators challenged the gag order as unconstitutional, "because it is not narrowly tailored to a compelling government interest." The challenge was successful. In addition to being popularly considered the best consumer encrypted messaging app available, Signal's technology is used by Facebook for Secret Conversations, by WhatsApp for encrypted messages, and by Google's Allo. Confronted with the subpoena, Marlinspike went to the ACLU for legal counsel. The ACLU responded with a letter saying that even though Signal did not have the data the FBI sought, it still strenuously objected (PDF) to the fact that the FBI wanted so much information.
  • Those Feds sure have a kinky power trip going on... I wonder if they wear zipper masks...

    • Re: (Score:3, Interesting)

      by AHuxley ( 892839 )
      The US always expected junk crypto and tame big brands to help with their crypto under PRISM, Bullrun, https://en.wikipedia.org/wiki/... [wikipedia.org].
      Keeping most users on a few big US brands' generational "free" applications helped a lot too.
      If the gov can't get in thanks to real encryption, try and get into one end of the users' computers.
      At some point the user is going to be reading plain text again and could even be typing in a message.
      Some software sent down to any user of interest to capture the message as decode
  • People should be compelled to speak loudly enough that their communications can be recorded by law enforcement.

    If you have nothing to hide you have no reason to whisper.

    • Why do government scumbags/nsa scumbags/cia scumbags/local cop scumbags,you, want to record/listen to me whispering to my wife, i want to fuck her in the ass tonite ?
    • The US government has already shown that it is not above compelling people to speak loudly. The problem, though, is that it is impossible to trust loud conversation which was compelled.

    • Maybe they should come up w/ an encryption algorithm where the amount of data collected is inversely proportional to the volume in which one speaks. If one shouts over the phone, as little data as possible will be collected. If one whispers, the data will all be collected w/o even being encrypted, or using the simplest of encryption/decryption schemes.
  • That is something that Signal does know. And with the key they can man-in-the-middle the site.

    I wonder what happens if the key is put inside a Hardware Security Module (HSM). They are carefully designed never to release the key; each request needs to be processed by the HSM itself. I would be surprised if Signal or anyone else in this space uses one though.

    And of course, the Feds will have their own CA and so could just forge the cert.

    Doing SRP on a HSM though, that would slow them down. SRP also kills phi

    • Signal has protections against MITM attacks. Once you've securely connected with someone a MITM attack isn't going to break that secure communication channel, keys have already been exchanged.

      • They may not be able to MITM the connection, but with the developers' signing key they could push an update out which would send the cleartext straight from the app to the FBI's servers. To avoid that attack vector you would need to disable auto-updates and only install versions (manually, after verifying the signature on the binary) which have undergone a thorough security audit by someone you trust—preferably yourself.

          You're assuming I can trust myself. What if my other personality received an NSL and isn't telling me about it?

    • by geek ( 5680 )

      OWS doesn't own the private key, so subpoena away mother fucker

    • by Fruit ( 31966 )
      Assuming Signal uses some form of (elliptic curve) diffie-hellman [wikipedia.org], subpoenaing the private key will not allow the FBI to decrypt a single message. And since Moxie Marlinspike designed this system you can be sure it does.
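The two threads above argue from opposite ends: one asks what a subpoenaed server key or a key locked in an HSM buys an attacker, the other points out that with (elliptic curve) Diffie-Hellman a long-term private key does not decrypt past traffic. The following added example (written for this page, not Signal's or Open Whisper Systems' code) makes the second point concrete. It sketches an X3DH-style key agreement in which each party mixes a long-term identity key with a one-time ephemeral key, then shows what a party holding both identity private keys plus the full transcript can and cannot recompute. Assumptions: Signal itself uses X25519 and a signed prekey, whereas this sketch uses finite-field Diffie-Hellman over the RFC 3526 2048-bit MODP group 14 prime (transcribed from memory; the demonstration holds for any large prime) so that it runs on the Python standard library alone, and the names `alice_session`, `bob_session`, `subpoena_attack` and `static_static_session` are invented for the example.

```python
"""X3DH-style key agreement sketch: why a subpoenaed identity key does not
recover a recorded session, and why a static-only design would.

Added illustration for this discussion; not Signal's implementation.
"""
import hashlib
import secrets

# RFC 3526 MODP group 14 (2048-bit safe prime), transcribed for this example.
# The argument below holds for any large prime, so it does not depend on the
# transcription being exact.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8


def keygen():
    """Fresh DH key pair: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh(priv, pub):
    """Diffie-Hellman shared value g^(xy) mod p."""
    return pow(pub, priv, P)


def kdf(*dh_outputs):
    """Derive a 32-byte session key from one or more DH outputs (SHA-256 here)."""
    h = hashlib.sha256()
    for s in dh_outputs:
        h.update(s.to_bytes(NBYTES, "big"))
    return h.digest()


def alice_session(ik_a_priv, ek_a_priv, ik_b_pub, ek_b_pub):
    """Alice's side: DH(IK_A, EK_B) || DH(EK_A, IK_B) || DH(EK_A, EK_B).
    Only the last term involves no long-term key on either side."""
    return kdf(dh(ik_a_priv, ek_b_pub), dh(ek_a_priv, ik_b_pub), dh(ek_a_priv, ek_b_pub))


def bob_session(ik_b_priv, ek_b_priv, ik_a_pub, ek_a_pub):
    """Bob's side, computing the same three terms in the same order."""
    return kdf(dh(ek_b_priv, ik_a_pub), dh(ik_b_priv, ek_a_pub), dh(ek_b_priv, ek_a_pub))


def run_session():
    """Run one session. Returns (alice_key, bob_key, transcript, identity_keys).
    The ephemeral private keys are deliberately dropped on the floor here:
    they are wiped after use, which is what gives forward secrecy."""
    ik_a_priv, ik_a_pub = keygen()
    ik_b_priv, ik_b_pub = keygen()
    ek_a_priv, ek_a_pub = keygen()
    ek_b_priv, ek_b_pub = keygen()
    k_a = alice_session(ik_a_priv, ek_a_priv, ik_b_pub, ek_b_pub)
    k_b = bob_session(ik_b_priv, ek_b_priv, ik_a_pub, ek_a_pub)
    transcript = {"ik_a_pub": ik_a_pub, "ik_b_pub": ik_b_pub,
                  "ek_a_pub": ek_a_pub, "ek_b_pub": ek_b_pub}
    identity_keys = {"ik_a_priv": ik_a_priv, "ik_b_priv": ik_b_priv}
    return k_a, k_b, transcript, identity_keys


def subpoena_attack(identity_keys, transcript):
    """What someone holding BOTH long-term identity private keys and the whole
    recorded transcript can compute: the two cross terms, but not the
    ephemeral-ephemeral term, because no ephemeral private key survives."""
    dh1 = dh(identity_keys["ik_a_priv"], transcript["ek_b_pub"])
    dh2 = dh(identity_keys["ik_b_priv"], transcript["ek_a_pub"])
    return {"dh1": dh1, "dh2": dh2}  # dh3 = DH(EK_A, EK_B) is unobtainable


def static_static_session(my_ik_priv, peer_ik_pub):
    """Contrast: a design that keys sessions off long-term keys only.
    Here a subpoenaed identity key recovers every past and future session."""
    return kdf(dh(my_ik_priv, peer_ik_pub))


if __name__ == "__main__":
    k_a, k_b, transcript, ids = run_session()
    print("session keys agree:", k_a == k_b)
    partial = subpoena_attack(ids, transcript)
    print("subpoena holder recovers session key:",
          kdf(partial["dh1"], partial["dh2"]) == k_a)
    print("static-only design leaks:",
          static_static_session(ids["ik_a_priv"], transcript["ik_b_pub"])
          == static_static_session(ids["ik_b_priv"], transcript["ik_a_pub"]))
```

The point of the contrast function is that an HSM or a subpoena only matters for keys that are actually used to derive traffic keys; with ephemeral-ephemeral DH mixed in, the long-term key authenticates the exchange but cannot reproduce it after the ephemeral halves are wiped. What the comments above about update signing keys describe is a different threat (a malicious client build), which this example does not address.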
  • by Anonymous Coward

    So when are Apple and Google going to stop keeping logs?

  • [blah blah blah ...] Moxie Marlinspike

  • by Anonymous Coward

    It says it needs access to:

    Device & App History
    Identity
    Calendar
    Contacts
    Location
    SMS
    Phone
    Photos/Media/Files

    I have a hard time feeling private with all those permissions. I'm surprised it didn't ask for my blood type.

    I know pretty much everything "requires" access to everything these days. When your printer wants access to your contact list, something is wrong. This is a privacy app, why is it so intrusive?

    On their page, it even says "Using Signal, you can communicate instantly while avoiding SMS fees". So

    • >So why does it want access to SMS?

      For the authentication phase.

    • by heypete ( 60671 ) <pete@heypete.com> on Wednesday October 05, 2016 @04:18AM (#53016031) Homepage

      It says it needs access to:

      Device & App History

      [snip]

      All the permissions Signal requires are explained here [whispersystems.org]. They all make sense in context, and many can be disabled without affecting normal use (e.g. location, calendar, camera, etc.).

      To answer your question about SMS in particular, OWS says "Signal is capable of functioning as a complete replacement to your phone’s stock messaging application. In order to do this, it needs to be able to send and receive text messages (both SMS and MMS). You can also import your existing messages into Signal when it is first installed, and these permissions allow that database to be read as well."

  • All governments repress conversations between citizens. It does not relate to a need to do so. It is not because a nation has enemies or the danger of some potential emergency. It is almost as expected as the fact that a banana will ripen and turn black. It can have to do with corruption and a seeking of ways to make money, a desire to maintain power, or a desire to squash people not liked by an administration. And frankly it is next to impossible to stop. If a spy agency wants to steer certain people to u
  • "Oh. Well, if you /strenuously/ object then I should take some time to reconsider."
  • What a completely incoherent article! The title says they won a fight. What fight was that? Was there a court ruling? If so, what issue did it decide and what did it say? Or does it have something to do with the grand jury investigation mentioned vaguely and confusingly in the summary? Who or what was that grand jury investigating? Did they just make a decision about something? I really can't tell what the story is here.
