So we know the UK, France, Sweden and Australia all have “pondered out loud” about getting platforms like Signal to allow backdoors into encrypted calls and messages.
This creates a sense of safety about these platforms being secure, because governments want to come after them.
Here’s a tinfoil hat take: Five Eyes is significantly reducing inter cooperation. The non-fascist parts of the alliance don’t want to share with the obvious authoritarian, but the authoritarian one used to share the fruits of their established backdoors with them, and now they don’t.
Note that the US isn’t asking signal for a backdoor. Why? Back in 2015-2016 (last years of Obama), Apple had a loud and visible feud with the FBI. Since the authoritarian came to power, this all disappeared from the media. Interestingly, 10 years have gone by since that moment, every single aspect of our lives has become more surveilled, and somehow the US govt has stopped trying to get into phones? *While the CEO is making hand deliveries of 24 karat gold bars to the Oval Office?
TLDR; I think a safe assumption that they are in our devices by now. Fundamentally people misunderstand encryption. Encryption is only as strong as the weakest link. If your signal chats are unencrypted for consumption on your device, then that’s when the unencrypted content can be captured.
For the longest time, Apple stored your iCloud backups encrypted. Looked good in marketing materials, until they casually admitted the decryption key is stored in the same cloud.
Combine this with ICE capturing citizens without due process. If you have a vanilla smart device, you’re doing the surveillance for them. /tinfoilhat
this is pavel weirdov’s stance - all crypto is blown by the NSA, so we’re better off without. people simply love leaving their plaintext shit in the clown!
while the rest of the rant isn’t without talent and/or merrit, it’s got little to do with the main idea. it is conceivable you’re exposed to nation-state actors via various vectors (how about the absolutely opaque and closed-source modem firmware running on yo’ libre OS?) but you’re definitely better off with more security than without, by way of the swiss-cheese security model - a lot of shit has to overlap so you get compromised.
If we take your TLDR at face value, then the result is in no way specific to Signal. Threema, Session, Matrix, Briar, RocketChat, and any other messenger (including the closed source ones) would be equally affected. For that matter, so would Keybase, any encrypted e-mail provider you access from your phone, your VPN (personal or paid) … everything.
Given that, singling out Signal in the post title is clickbaity at best. If I’m putting on my <tinfoilhat> it could be seen as an attempt to drive people to less secure options by scaremongering the one that provides the most protection.
But if we make the assumptions you suggest, why stop there? An undisclosed vulnerability needn’t be limited to stock Android - any fork is potentially vulnerable. And why aren’t they calling for LUKS backdoors? Or the elimination of VPNs? Or … </tinfoilhat>
The reality is that there is another axis to security this type of all-or-nothing aproach to security ignores - how interested are they in you as a target. When that is factored in, the conclusion is that the use of encryption as secure as possible wherever possible helps everyone, because:
- Most approaches to retrieving that data take time and effort to apply. The governments have vast resources, but not unlimited, so they pick their targets based on priority. More people using encryption helps with this.
- The more often they use a backdoor or vulnerability, the more likely they are to be caught at it. So they will probably save it for higher priority targets. More people using encryption helps with this.
- High priority targets remain vulnerable to the hammer attack. With governments, this more often looks like terrorism charges, tax audits, obvious surveillance for intimidation, etc. In extreme cases though, everything up to and including disappearing and assassination are on the table. This one encryption doesn’t help with.
TLDR: Even if true (big if), this type of scaremongering is unhelpful at best, and probably counterproductive. Name checking the most secure option when the threat model applies to any possible messenger is clickbaity and definitely counterproductive.
Oh … but oh!
TLDR; The people accusing an author of clickbait are often penning bait to drag the OP into a mud fight.
You make some valid points but the way you’re going on the offence and present your points isn’t welcoming to more discussion for me. Maybe others will.
Except that I didn’t accuse you of clickbaiting - I pointed out that the style was similar and has unfortunate consequences.Because the headlines we’re used to reading are so pervasively clickbait, it’s an easy trap to fall into because that’s how we’re used to seeing things titled.Edit: On rereading my comment - yeah, that did come off pretty confrontational. Signal gets a lot of bad-faith criticism from people pushing alternatives that are provably less secure, so it’s a knee-jerk reaction for me at this point. In my defense, there’s a reason the more confrontational statements were in a “tinfoil hat” tag - it was meant to make clear they were not literal accusations.
So you are saying that because the US likely has work around for apple encryption that they also have access to all signal chats?
Not exactly. I’m saying most likely, as far as vanilla iOS and Android, most likely there are NSA backdoors available for counterintel (most likely unreported exploits) that allow them root OS access if required. It would wait till the phone is sleeping and charging and on wifi and then you wouldn’t notice. I doubt this would happen routinely to everyone, but the lack of them asking for a backdoor while a bunch of other western countries are, is pretty telling. And it wouldn’t just be signal. It would simply be everything that’s on your device.