Signal's New Usernames Help Keep Cops Out of Your Data (theintercept.com) 39
Longtime Slashdot reader SonicSpike shares a report from The Intercept: With the new version of Signal, you will no longer broadcast your phone number to everyone you send messages to by default, though you can choose to if you want. Your phone number will still be displayed to contacts who already have it stored in their phones. Going forward, however, when you start a new conversation on Signal, your number won't be shared at all: Contacts will just see the name you use when you set up your Signal profile. So even if your contact is using a custom Signal client, for example, they still won't be able to discover your phone number since the service will never tell it to them.
You also now have the option to set a username, which Signal lets you change whenever you want and delete when you don't want it anymore. Rather than directly storing your username as part of your account details, Signal stores a cryptographic hash of your username instead; Signal uses the Ristretto 25519 hashing algorithm, essentially storing a random block of data instead of usernames themselves. This is like how online services can confirm a user's password is valid without storing a copy of the actual password itself. "As far as we're aware, we're the only messaging platform that now has support for usernames that doesn't know everyone's usernames by default," said Josh Lund, a senior technologist at Signal. The move is yet another piece of the Signal ethos to keep as little data on hand as it can, lest the authorities try to intrude on the company. Whittaker explained, "We don't want to be forced to enumerate a directory of usernames." [...]
If Signal receives a subpoena demanding that they hand over all account data related to a user with a specific username that is currently active at the time that Signal looks it up, they would be able to link it to an account. That means Signal would turn over that user's phone number, along with the account creation date and the last connection date. Whittaker stressed that this is "a pretty narrow pipeline that is guarded viciously by ACLU lawyers," just to obtain a phone number based on a username. Signal, though, can't confirm how long a given username has been in use, how many other accounts have used it in the past, or anything else about it. If the Signal user briefly used a username and then deleted it, Signal wouldn't even be able to confirm that it was ever in use to begin with, much less which accounts had used it before.
In short, if you're worried about Signal handing over your phone number to law enforcement based on your username, you should only set a username when you want someone to contact you, and then delete it afterward. And each time, always set a different username. Likewise, if you want someone to contact you securely, you can send them your Signal link, and, as soon as they make contact, you can reset the link. If Signal receives a subpoena based on a link that was already reset, it will be impossible for them to look up which account it was associated with. If the subpoena demands that Signal turn over account information based on a phone number, rather than a username, Signal could be forced to hand over the cryptographic hash of the account's username, if a username is set. It would be difficult, however, for law enforcement to learn the actual username itself based on its hash. If they already suspect a username, they could use the hash to confirm that it's real. Otherwise, they would have to guess the username using password cracking techniques like dictionary attacks or rainbow tables.
You also now have the option to set a username, which Signal lets you change whenever you want and delete when you don't want it anymore. Rather than directly storing your username as part of your account details, Signal stores a cryptographic hash of your username instead; Signal uses the Ristretto 25519 hashing algorithm, essentially storing a random block of data instead of usernames themselves. This is like how online services can confirm a user's password is valid without storing a copy of the actual password itself. "As far as we're aware, we're the only messaging platform that now has support for usernames that doesn't know everyone's usernames by default," said Josh Lund, a senior technologist at Signal. The move is yet another piece of the Signal ethos to keep as little data on hand as it can, lest the authorities try to intrude on the company. Whittaker explained, "We don't want to be forced to enumerate a directory of usernames." [...]
If Signal receives a subpoena demanding that they hand over all account data related to a user with a specific username that is currently active at the time that Signal looks it up, they would be able to link it to an account. That means Signal would turn over that user's phone number, along with the account creation date and the last connection date. Whittaker stressed that this is "a pretty narrow pipeline that is guarded viciously by ACLU lawyers," just to obtain a phone number based on a username. Signal, though, can't confirm how long a given username has been in use, how many other accounts have used it in the past, or anything else about it. If the Signal user briefly used a username and then deleted it, Signal wouldn't even be able to confirm that it was ever in use to begin with, much less which accounts had used it before.
In short, if you're worried about Signal handing over your phone number to law enforcement based on your username, you should only set a username when you want someone to contact you, and then delete it afterward. And each time, always set a different username. Likewise, if you want someone to contact you securely, you can send them your Signal link, and, as soon as they make contact, you can reset the link. If Signal receives a subpoena based on a link that was already reset, it will be impossible for them to look up which account it was associated with. If the subpoena demands that Signal turn over account information based on a phone number, rather than a username, Signal could be forced to hand over the cryptographic hash of the account's username, if a username is set. It would be difficult, however, for law enforcement to learn the actual username itself based on its hash. If they already suspect a username, they could use the hash to confirm that it's real. Otherwise, they would have to guess the username using password cracking techniques like dictionary attacks or rainbow tables.
Re: (Score:3)
To avoid any confusion to people I communicate with, my username is my phone number!
Re: (Score:2)
My user name is my phone number plus 42.
Re: (Score:3)
My voice is my passport.
Re: (Score:3)
This is why using a service based in a country hostile to a country that may want your data is preferable.
Re: (Score:1)
They will want agents in that country, who are preferably highly motivated native. In this regard, they have higher interest to blackmail you than domestic spy agencies.
There are bad sides to both approaches. One can get you a bit easier, but is probably less interested in you.
Re: (Score:2)
Blackmail me? With what, the contacts I have? You'd first of all have to know that country A wants to know who is in contact with these people and they will hardly tell country B who has that information.
Re: (Score:1)
This is the TV version of reality. In real world on the other hand, intelligence needs a lot of things from foreigners.
Snowden had a couple of good stories on how CIA does it for potential primary assets: arrange a car accident where target is the guilty party where someone gets really hurt. And then have an agent save the person from horrible responsibility, incurring personal feeling of debt. Then cash it in as something fairly innocent, but isn't. If you're not important enough to be a primary asset, but
Re: (Score:2)
I'm fairly sure the FBI won't come and talk to me. The Nazguls won't like that.
Re: (Score:1)
FBI is the responsible party for handling this, and they will talk to you to find out if your Chinese handlers messed up in some way. Once they figure out they haven't, they'll just pass you on to judicial system and that's that.
Funny part is, you mock it because you don't understand how US Espionage Act works. Most people don't to be fair. It's intentional, because it has clauses in it that would get a lot of Americans to demand change if it was made widely known, like the fact that government can prevent
Re: (Score:2)
You still assume that the US laws in general and the FBI in particular has any kind of importance where I am. That's kinda ... funny.
Re: (Score:1)
Granted. Where are you?
Next... (Score:2, Interesting)
So, now how to you set up an account without a phone number? If the system is IP based, there should be no need for a phone number. You should be able to use an Email address.
What? They don't do that? Why not? They don't believe in non-phone communications? They want to sell the number?
Re:Next... (Score:4, Informative)
They still use your phone number to valid your account. But your username is all other people see. Their is some other exceptions like if the other person in your conversation has your number in their contact list. You can change your username anytime, which will disconnect your phone number from the old username. If you want to be anonymous then you just follow a certain method using signal, If you don't care, then it's a different method. Bottom line is, you choose if someone can see your number.
Re: (Score:3, Interesting)
>"They still use your phone number to valid your account."
Right. But why can't that be done via Email instead?
Re:Next... (Score:5, Informative)
"They still use your phone number to valid your account."
Right. But why can't that be done via Email instead?
They use your phone number in an attempt to reduce spam and bots. You can register a zillion throw-away email addresses, but it is slightly harder with phone numbers. No system is perfect, of course.
Re: (Score:2)
>"They use your phone number in an attempt to reduce spam and bots. You can register a zillion throw-away email addresses"
I think there are many ways Email could be used and still throttle/limit spammers/bots. Delays, multiple challenges, content filters, blacklist filters, IP monitoring, activity monitoring, referrals, domain reputation, etc.
Re: (Score:2)
I lot of that involves spying on what users are saying/doing, and keeping records of what they have said/done in the past - things Signal seem to want to try and avoid.
Re: (Score:2)
It's trivial to generate new email accounts for free. They want there to be a cost to creating a Signal account (you must acquire a new phone number) to limit the amount of spam.
Re: (Score:2)
How does that exception work? There are sufficiently few distinct phone numbers that it's possible to brute force hash them all, so to avoid leaking the phone number to the end user it would seem that the client has to upload its entire contact list to the server.
Only messaging system... (Score:4, Informative)
"As far as we're aware, we're the only messaging platform that now has support for usernames that doesn't know everyone's usernames by default,"
They must not have looked very hard, I'd like to introduce them to Jami. https://jami.net/ [jami.net] P2P messaging, no servers, centralized or otherwise.
Re: (Score:2)
What's Keeping the Gubment (Score:2)
From,
In the case of Apple, modifying the app to their liking prior to distributing on the store to the end user?
Re: (Score:2)
On Apple, I don't think much can be done, but on Android, Signal is supposed to have reproducible builds, so you can see if what you get from the store matches the source code. And once you have done that, disable auto-updates. I don't know if anyone does that though, of if it works at all.
Not a suspicious username (Score:3)
Nothing_to_see_here_feds ?
No evidence is absolute (Score:2)
A tiny bit of plausible deniability that you might not have been the owner of the username is rarely going to be enough when on balance it's still almost certainly you.
Re: (Score:2)
The name-number connection will be more than enough for a search warrant, combined with all the ways to leak identity from your other online presence and evidence left on your own phone there aren't going to be many signal users with the operational security to maintain the charade.
Re: (Score:2)
the whole point (as i understand it, i'm no signal user) is that the name-number association is ephemeral, so the interested party only has (potentially) a very small time window to get that warrant. it means that even if they caught the interaction live, they'd be too late if the user has just enough time to press the [delete username] button. i see little ways in which they could defeat that except if they are already on you and set up a trap, at which point you are probably already screwed anyway.
i would
Re: (Score:2)
It's ephemeral in theory, but people still need to be able to reach you.
You would need to communicate a manual username cycling list and all your contacts too. I don't think criminals will have the discipline.
Re: (Score:2)
Man I just don't want people to have my cell number. I registered for Signal on a VOIP line used by my office phone, but I have SMS blocked at the carrier level and only give my personal phone number to people who have a live or die need for it. Signal dropping the phone number visibility requirement is great for me. I can finally tie it to a device I use more than once a week.
The fact that I have relatively anonymous encrypted chats to plan my international terrorism is just a nifty bonus.
Chad... (Score:2)
This will improve the reliability of meth distribution & retail no end!
Totally private and anonymous (Score:2)
I bet that eventually we will find out that Signal is ran by one of the intelligence agencies. They do everything they can to give the 'image' of being completely private, while also collecting and verifying your phone number to link to your account. The phone system of course being something completely controlled by and monitored by the government.
If you were going to create a super private messaging platform, at what point would you be collecting phone numbers from users?
Re: (Score:3)
Signal is open source. Both the Android client and the server are written in Java, which is dead easy to decompile and verify that it matches what is in git. If the client were escrowing private or session keys somewhere we would know. Assuming there is no shenanigans with keys going on, even if the NSA owns the servers, the best they could do is unmasking telephone numbers and doing traffic analysis. Which, given they already own the IP trunks and phone companies, they are able to do regardless.