I’ve been using Signal for years, as the go to messaging app. It’s fully encrypted, and all Signal ever knows about you is when you made an account, and if you still use it. In light of the protest in the US and world-wide against racism and police brutality, Signal posted a blog post yesterday explaining how Signal works.

What if the worst should happen, and some unauthorized party were to compromise Signal? We don’t have to speak hypothetically, because the US government already tried this, so we can examine what that looked like.
The only Signal user data we have, and the only data the US government obtained as a result, was the date of account creation and the date of last use – not user messages, groups, contacts, profile information, or anything else.

Reading their blog I realised I never donated anything yet to Signal, which is a non-profit. So I set up a monthly donation. So they can keep up their great work.

Some links I thought worth reading the past few days

The second founder, Jan Koum, of WhatsApp has left Facebook, apparently over differences in dealing with encryption and the sharing of data of WhatsApp. The other founder, Brian Acton, had already left Facebook last September, over similar issues. He donated $50 million to the non-profit Signal Foundation earlier this year, and stated he wanted to work on transparent, open-source development and uncompromising data protection. (Koum on the other hand said he was going to spend time on collecting Porsches….) Previously the European Union fined Facebook 110 million Euro for lying about matching up data of Whatsapp with Facebook profiles when Facebook acquired Whatsapp in 2014. Facebook at the time said it couldn’t match Whatsapp and Facebook accounts automatically, then 2 years later did precisely that, while the technology for it already existed in 2014 of which Facebook was aware. Facbeook says “errors made in its 2014 filings were not intentional” Another “we’re sorry, honestly” moment for Facebook in a 15 year long apology tour since even before its inception.

I have WhatsApp on my phone but never use it to initiate contact. Some in my network however don’t use any alternatives.

The gold standard for messaging apps is Signal by Open Whisper Systems. Other applications such as Whatsapp, FB Messenger or Skype have actually incorporated Signal’s encryption technology (it’s open after all), but in un-testable ways (they’re not open after all). Signal is available on your phone and as desktop app (paired with your phone). It does require you to disclose a phone number, which is a drawback. I prefer using Signal, but the uptake of Signal is slow in western countries.

Other possible apps using end-to-end encryption are:
Threema, a Switzerland based application, I also use but not with many contacts. Trust levels in the application are partly based on exchanging keys when meeting face to face, adding a non-tech layer. It also claims to not store metadata (anonymous use possible, no phone necessary, not logging who communicates with whom, contact lists and groups locally on your device etc). Yet, the app itself isn’t open for inspection.

Telegram (originating in Russia, but now banned for not handing over encryption keys to Russian authorities, and now also banned in Iran, where it has 40 million users, 25% of its global user population.) I don’t use Telegram, and don’t know many in my network who do.

Interestingly the rise in using encrypted messaging is very high in countries high on the corruption perception index. It also shows how slowly Signal is growing in other countries.

VPN tools will allow you to circumvent blocking of an app, by pretending to be in a different country. However VPN, which is a standard application in all businesses allowing remote access to employees, itself is banned in various countries (or only allowed from ‘approved’ VPN suppliers, basically meaning bans of a messaging app will still be enforced).

Want to message me? Use Signal. Use Threema if you don’t want to disclose a phone number.

Russia is trying to block Telegram, an end-to-end encrypted messaging app. The reason for blocking is that Telegram refused to provide keys to the authorities with which messages can be decrypted. Not for a specific case, but for listening into general traffic.

Asking for keys (even if technologically possible), to have a general backdoor is a very bad idea. It will always be misused by others. And yes, you do have something to hide. Your internet banking is encrypted, your VPN connection from home to your work computer is too. You use passwords on websites, mail accounts and your wifi. If you don’t have anything to hide, please leave your Facebook login details along with your banking details in the comments. I promise I won’t use them. The point isn’t whether I or government keep our promises (and I or government might not), it’s that others definitely won’t.

As a result of Telegram not providing the keys, Russia is now trying to block people from using it. This results in millions of IP addresses now being blocked, more than 1 IP address per the around 14 million users of Telegram in Russia. (Telegram reports about 200 million users globally per month). Because the service partly runs on servers of Amazon and Google data centers, and those are getting blocked. This impacts other services as well, who use the same data centers to flexibly scale their computing needs. The blocking attempts aren’t working though.

It shows how fully distributed systems are hard to stamp out, it will merely pop up somewhere else. The internet routes around damages, it is what it was designed to do.

Let’s see if actions will now be taken by Russian authorities against persons and assets of Telegram, as that really is the only (potential, not garantueed,) way to stamp out something: dismantling it. In the case of Telegram, a private company, there are indeed people and assets one could target. And Telegram is pledging to deploy those assets in resisting. Yet dismantling Telegram, even if successful and disregarding other costs and consequences for a government, defeats the original purpose of wanting to listen in to message traffic. Traffic will easily move into other encrypted tools, like Signal, while new even more distributed applications will also emerge in response.

Summary:

  • General backdoors, bad idea, regardless of whether you can trust the one you give back door access to.
  • Blocking is hard to do with distributed systems.
  • If you don’t accept attempts to do either from data driven authoritarian governments, you need to accept the same objections to general back door access apply to other situations where you think the stated aim has more merit.
  • Do use an encrypted messaging app, like Signal, as much as possible