Some are quick to promote apps as being safe for your use just because they are encrypted. I will talk about how many of the popular apps that are commonly t...
I think you are not the target of this video. The target of this video are people who do not think about threat modeling at all and just assume it is safe to use because e2ee and Signal marketing BS and continue using these services the exact same way as they used gmail or Facebook messenger before. And he is right to point out that that immediately invalidates most of the privacy benefits due to metadata leakage.
And he is right to point out that that immediately invalidates most of the privacy benefits due to metadata leakage.
That’s just not true?
Switching from Messenger to Signal will always be a huge step up regarding privacy and security, no matter what your threat model is. Some metadata potentially (we don’t have any evidence that Signal has ever leaked anything) leaking is much better than knowing your metadata (and data) is being used to track you constantly…
I think you are not the target of this video. The target of this video are people who do not think about threat modeling at all and just assume it is safe to use because e2ee and Signal marketing BS and continue using these services the exact same way as they used gmail or Facebook messenger before
What? If someone doesn’t think about threat modeling I either explain it to them or build a reasonable model for them. I don’t tell them to go live in the woods because otherwise there is one bit of information about them that might leak…
I think an important difference is that we are comparing companies that definitely sell your metadata to companies that could sell your meta data but where there is no known case (to me) that they actually do, e.g Signal. So it comes down to trust.
Not really. One of the main points he makes in the video is that phone-number use in an inherent metadata leak and even without Signals involvement it can be used to reverse track a social graph without you being able to do anything about it.
And this is not a theoretical threat either, something like that was done to identify democratic activists during the recent Hong-Kong protests and put them in jail.
And this is not a theoretical threat either, something like that was done to identify democratic activists during the recent Hong-Kong protests and put them in jail.
Note that while this is about Telegram, this problem of reverse phone-number lookup also exists AFAIK with Signal.
Where is the source for Signal?
Because ASAIK there is no metadata accessible for Signal besides creation data of the account and the last time the account was online. No groups, no contacts, no anything. Source
You are missing the point. If you have a big list of suspect phone-numbers you can put them into Signal and it will show all that have their phone numbers registered with Signal. That is a metadata leak and quite a significant one.
You wouldn’t be able to know which of the Signal accounts actually belongs to a particular demografic other than “it uses Signal”. It’s definitely much less significant than all the datamining you can do in Facebook/Whatsapp and Telegram.
With a big enough “it uses Signal” democrafic , you wouldn’t even be able benefit much from knowing a number is in Signal… if every phone had a Signal account that metadata would be virtually useless.
Sure, it’s a leak, but it’s one leak that also exists in Whatsapp and Telegram, along with many others leaks that those other messengers have and Signal doesn’t.
I’m definitely not a fan of Signal (or Moxie’s views) myself, but I would definitely much rather people use it instead of having billions of them continue in Whatsapp or Telegram. The whole point being made is that there’s a big difference between using Signal and using those, we aren’t implying that any particular form of communication is perfect. None are. It’s just some are better than others. Saying that Signal is in the same level is not exactly fair.
Sure, but other messengers that do not use phone-numbers do not leak this info. And as long as Signal is used by a certain minority it is a risky metadata leak.
And you can turn this in any way you want, but using phone-numbers as the public identifier is a really bad idea and disqualifies Signal for most privacy sensitive communication. Even if everyone was using Signal it would be still a bad idea to hand out your phone number and have it visible in group-chats.
You are missing the point. If you have a big list of suspect phone-numbers you can put them into Signal and it will show all that have their phone numbers registered with Signal.
Yes. That’s exactly what you get. A list of Signal users.
That is a metadata leak and quite a significant one.
Why is a user list in itself “a significant metadata leak”.
You would need other information for that, like groups, contacts, online times or anything else. But you don’t get that, so I can only repeat my question: what is the problem with it?
I explained that already in much detail elsewhere in this thread.
tl;dr as a Signal user you are a minority that is automatically suspect to law-enforcement and when this meta-data is overlapped with other meta-data is is easy to narrow down a list of suspects and get legal permission to deploy more intrusive surveillance methods. In addition once that more intrusive surveillance method is deployed on a device, it can read other linked phone-numbers from Signal group-chats and thus those people are also compromised because phone-numbers are always linked to government issued identities (either explicitly or due to payments).
You (as aggressor) scan all your known mobile numbers agains let’s say Signal and discover that some numbers use Signal. That I understand. But now what? Unless you are the company Signal you would not have access to further data, or ?
Sure you can easily get further data by for example asking the phone companies for cell-tower log-in location and times. This you can then narrow down against your list of Signal using suspects and either remotely infect their phones with a trojan or simply snatch up the hardware at a “random” police check and access the already decrypted messages with identifiable phone-numbers of all the group-members.
Compare that to a messenger that does not use phone numbers at all and even does not transmit network IDs to other group-chat members. Then the police has no idea who to target and no reasonable indication that could be used with a judge to get a search warrant either.
Sure you can easily get further data by for example asking the phone companies for cell-tower log-in location and times. This you can then narrow down against your list of Signal using suspects and either remotely infect their phones with a trojan or simply snatch up the hardware at a “random” police check and access the already decrypted messages with identifiable phone-numbers of all the group-members.
What the fuck? Sure, you could also just being tortured till you tell them everything you know, but fking tracing over cell companies is not a security flaw in an app.
They could also just as well decrypt your self hosted emails that are cached on your device.
What I explained is commonly done by law-enforcement agencies to get search warrants and permission to install trojans on devices of a relatively large number of suspects. Having your phone number registered with Signal, having been near a certain place and at a certain time + being male and 20 something years old is usually sufficient to get permission to do so by a judge as these three metadata points significantly narrow down the number of suspects.
Luckily law-enforcement agencies in most countries don’t go around torturing large amounts of people on very weak indications that they might have been somehow within 5km of a protest or crime.
What does having Signal installed has to do with tracking down and installing a Trojan?
I don’t think that they will track only track you down for using Signal, and if they are they still will install a Trojan even without Signal installed on your phone.
Hence my comment about more detailed explanation. Of course only having Signal installed will not get you on a list of suspects for being targeted for trojan installation by law-enforcement.
But it is a significant metadata point and also further security risk for related persons once you are being targeted, and one that is totally unnecessary as there are equally good messengers that do not require phone-number use at all.
I think you are not the target of this video. The target of this video are people who do not think about threat modeling at all and just assume it is safe to use because e2ee and Signal marketing BS and continue using these services the exact same way as they used gmail or Facebook messenger before. And he is right to point out that that immediately invalidates most of the privacy benefits due to metadata leakage.
The technologies used in Signal protect a lot against metadata leakage. Group information is encrypted, your contact list isn’t stored on their servers (it is sent but obscured and uses a lot of tricks to make it harder for them to access it). They also have sealed sender which enables them to reduce the metadata they collect.
That’s just not true? Switching from Messenger to Signal will always be a huge step up regarding privacy and security, no matter what your threat model is. Some metadata potentially (we don’t have any evidence that Signal has ever leaked anything) leaking is much better than knowing your metadata (and data) is being used to track you constantly…
What? If someone doesn’t think about threat modeling I either explain it to them or build a reasonable model for them. I don’t tell them to go live in the woods because otherwise there is one bit of information about them that might leak…
I think an important difference is that we are comparing companies that definitely sell your metadata to companies that could sell your meta data but where there is no known case (to me) that they actually do, e.g Signal. So it comes down to trust.
Not really. One of the main points he makes in the video is that phone-number use in an inherent metadata leak and even without Signals involvement it can be used to reverse track a social graph without you being able to do anything about it.
And this is not a theoretical threat either, something like that was done to identify democratic activists during the recent Hong-Kong protests and put them in jail.
Source?
https://www.zdnet.com/article/hong-kong-protesters-warn-of-telegram-feature-that-can-disclose-their-identities/
Note that while this is about Telegram, this problem of reverse phone-number lookup also exists AFAIK with Signal.
Where is the source for Signal? Because ASAIK there is no metadata accessible for Signal besides creation data of the account and the last time the account was online. No groups, no contacts, no anything. Source
You are missing the point. If you have a big list of suspect phone-numbers you can put them into Signal and it will show all that have their phone numbers registered with Signal. That is a metadata leak and quite a significant one.
You wouldn’t be able to know which of the Signal accounts actually belongs to a particular demografic other than “it uses Signal”. It’s definitely much less significant than all the datamining you can do in Facebook/Whatsapp and Telegram.
With a big enough “it uses Signal” democrafic , you wouldn’t even be able benefit much from knowing a number is in Signal… if every phone had a Signal account that metadata would be virtually useless.
Sure, it’s a leak, but it’s one leak that also exists in Whatsapp and Telegram, along with many others leaks that those other messengers have and Signal doesn’t.
I’m definitely not a fan of Signal (or Moxie’s views) myself, but I would definitely much rather people use it instead of having billions of them continue in Whatsapp or Telegram. The whole point being made is that there’s a big difference between using Signal and using those, we aren’t implying that any particular form of communication is perfect. None are. It’s just some are better than others. Saying that Signal is in the same level is not exactly fair.
Sure, but other messengers that do not use phone-numbers do not leak this info. And as long as Signal is used by a certain minority it is a risky metadata leak.
And you can turn this in any way you want, but using phone-numbers as the public identifier is a really bad idea and disqualifies Signal for most privacy sensitive communication. Even if everyone was using Signal it would be still a bad idea to hand out your phone number and have it visible in group-chats.
Yes. That’s exactly what you get. A list of Signal users.
Why is a user list in itself “a significant metadata leak”. You would need other information for that, like groups, contacts, online times or anything else. But you don’t get that, so I can only repeat my question: what is the problem with it?
I explained that already in much detail elsewhere in this thread.
tl;dr as a Signal user you are a minority that is automatically suspect to law-enforcement and when this meta-data is overlapped with other meta-data is is easy to narrow down a list of suspects and get legal permission to deploy more intrusive surveillance methods. In addition once that more intrusive surveillance method is deployed on a device, it can read other linked phone-numbers from Signal group-chats and thus those people are also compromised because phone-numbers are always linked to government issued identities (either explicitly or due to payments).
Ok, out of interest, how does this work?
You (as aggressor) scan all your known mobile numbers agains let’s say Signal and discover that some numbers use Signal. That I understand. But now what? Unless you are the company Signal you would not have access to further data, or ?
Sure you can easily get further data by for example asking the phone companies for cell-tower log-in location and times. This you can then narrow down against your list of Signal using suspects and either remotely infect their phones with a trojan or simply snatch up the hardware at a “random” police check and access the already decrypted messages with identifiable phone-numbers of all the group-members.
Compare that to a messenger that does not use phone numbers at all and even does not transmit network IDs to other group-chat members. Then the police has no idea who to target and no reasonable indication that could be used with a judge to get a search warrant either.
What the fuck? Sure, you could also just being tortured till you tell them everything you know, but fking tracing over cell companies is not a security flaw in an app.
They could also just as well decrypt your self hosted emails that are cached on your device.
What I explained is commonly done by law-enforcement agencies to get search warrants and permission to install trojans on devices of a relatively large number of suspects. Having your phone number registered with Signal, having been near a certain place and at a certain time + being male and 20 something years old is usually sufficient to get permission to do so by a judge as these three metadata points significantly narrow down the number of suspects.
Luckily law-enforcement agencies in most countries don’t go around torturing large amounts of people on very weak indications that they might have been somehow within 5km of a protest or crime.
What does having Signal installed has to do with tracking down and installing a Trojan?
I don’t think that they will track only track you down for using Signal, and if they are they still will install a Trojan even without Signal installed on your phone.
Hence my comment about more detailed explanation. Of course only having Signal installed will not get you on a list of suspects for being targeted for trojan installation by law-enforcement.
But it is a significant metadata point and also further security risk for related persons once you are being targeted, and one that is totally unnecessary as there are equally good messengers that do not require phone-number use at all.