this post was submitted on 09 Aug 2021
23 points (81.1% liked)


Thx to @[email protected] for finding.

[–] [email protected] 8 points 3 years ago (1 children)

This kind of shitty fear mongering is the reason why people should learn about threat modeling...

[–] [email protected] 7 points 3 years ago (1 children)

Well this is what this video is about, no? Maybe a bit hyperbole, but it does raise valid questions about metadata issues especially related to phone-number use that the e2ee fan-boys usually try to ignore.

[–] [email protected] 15 points 3 years ago (4 children)

No, this video talks about the tiniest bit of metadata leak as if it's the end of the world, when it isn't.

Putting all the apps at the same level is complete bullshit. Telegram doesn't even really do E2EE (it's off by default and only available for a fragment of the features provided by Telegram), and ProtonMail and Tutanota are completely different from Signal with regards to what they protect from.

His solution is to self-host emails. That's out of reach for 99.99% of internet users, and doesn't prevent any form of tracking. If you self host, you may be able to create infinitely many emails but they will all be identifiable to you because they all share the same domain name... If you use a VPS to host your email, your host can also access your running VM and all its data and there's nothing you can do about it, or even detect it.

ProtonMail, Tutanota, Signal are not designed to help you detonate a nuclear bomb in New York. They're designed to prevent the NSA from doing mass surveillance. And if you suddenly become a high value target, government agency might have access to some metadata through them, but that's true for almost any service you use, and those are going to give them much less metadata and are much more likely to try to fight in court to avoid having to share it.

This video also completely ignores the fact that at some point humans play a role. Even if everything is encrypted and no metadata exists, it is still very easy to just trick your friends and family to give away info about you. Unless you live in the woods with no contact at all, it will be much easier to just go through real people than breaking into these systems. Relevant xkcd.

People (including me) do say just use Signal, because I'm not talking to Snowden, I'm talking to random people who don't know shit about computers and these services are a very easy way to reclaim a lot of privacy without sacrificing features. Even I don't bother hosting my own stuff or refrain from communicating with other people just because they're not using tools that are way too complex for the normal user and lack features that every other service offers...

[–] [email protected] 12 points 3 years ago

He does mention that he self-hosts and uses it to talk only to people on his own network, but in 99.999% of people that will mean only talking to themselves...

[–] [email protected] 3 points 3 years ago (1 children)

> His solution is to self-host emails.

Which is totally bonkers since surveillance happens primarily in transit. If he's communicating with someone through PGP via Protonmail, it's just as secure as if he would do it through his own email. All of his banking details - things like that - are just as exposed on any email service (except maybe Google cause they read your inbox for "user experience").

[–] [email protected] 0 points 3 years ago (1 children)

The only time he mentions email in the vid is to say that it's not secure and you shouldn't use it. Email was definitely not the focus of the vid.

[–] [email protected] 0 points 3 years ago

Yeah fair enough, I'm just nit-picking for discussion's sake to be honest.

[–] [email protected] 3 points 3 years ago (2 children)

I think you are not the target of this video. The target of this video are people who do not think about threat modeling at all and just assume it is safe to use because e2ee and Signal marketing BS and continue using these services the exact same way as they used gmail or Facebook messenger before. And he is right to point out that that immediately invalidates most of the privacy benefits due to metadata leakage.

[–] [email protected] 5 points 3 years ago

The technologies used in Signal protect a lot against metadata leakage. Group information is encrypted, your contact list isn't stored on their servers (it is sent but obscured and uses a lot of tricks to make it harder for them to access it). They also have sealed sender which enables them to reduce the metadata they collect.

> And he is right to point out that that immediately invalidates most of the privacy benefits due to metadata leakage.

That's just not true? Switching from Messenger to Signal will always be a huge step up regarding privacy and security, no matter what your threat model is. Some metadata potentially (we don't have any evidence that Signal has ever leaked anything) leaking is much better than knowing your metadata (and data) is being used to track you constantly...

> I think you are not the target of this video. The target of this video are people who do not think about threat modeling at all and just assume it is safe to use because e2ee and Signal marketing BS and continue using these services the exact same way as they used gmail or Facebook messenger before

What? If someone doesn't think about threat modeling I either explain it to them or build a reasonable model for them. I don't tell them to go live in the woods because otherwise there is one bit of information about them that might leak...

[–] [email protected] 1 points 3 years ago (1 children)

I think an important difference is that we are comparing companies that definitely sell your metadata to companies that could sell your metadata but where there is no known case (to me) that they actually do, e.g. Signal. So it comes down to trust.

[–] [email protected] 2 points 3 years ago* (last edited 3 years ago) (2 children)

Not really. One of the main points he makes in the video is that phone-number use is an inherent metadata leak and even without Signal's involvement it can be used to reverse track a social graph without you being able to do anything about it.

And this is not a theoretical threat either, something like that was done to identify democratic activists during the recent Hong-Kong protests and put them in jail.

[–] [email protected] 3 points 3 years ago (1 children)

> And this is not a theoretical threat either, something like that was done to identify democratic activists during the recent Hong-Kong protests and put them in jail.

Source?

[–] [email protected] 1 points 3 years ago (1 children)

https://www.zdnet.com/article/hong-kong-protesters-warn-of-telegram-feature-that-can-disclose-their-identities/

Note that while this is about Telegram, this problem of reverse phone-number lookup also exists AFAIK with Signal.

[–] [email protected] 1 points 3 years ago (1 children)

> Note that while this is about Telegram, this problem of reverse phone-number lookup also exists AFAIK with Signal.

Where is the source for Signal? Because AFAIK there is no metadata accessible for Signal besides creation data of the account and the last time the account was online. No groups, no contacts, no anything. Source

[–] [email protected] 0 points 3 years ago (2 children)

You are missing the point. If you have a big list of suspect phone-numbers you can put them into Signal and it will show all that have their phone numbers registered with Signal. That is a metadata leak and quite a significant one.

[–] [email protected] 1 points 3 years ago* (last edited 3 years ago) (1 children)

You wouldn't be able to know which of the Signal accounts actually belongs to a particular demographic other than "it uses Signal". It's definitely much less significant than all the datamining you can do in Facebook/Whatsapp and Telegram.

With a big enough "it uses Signal" demographic, you wouldn't even be able to benefit much from knowing a number is in Signal.. if every phone had a Signal account that metadata would be virtually useless.

Sure, it's a leak, but it's one leak that also exists in Whatsapp and Telegram, along with many other leaks that those other messengers have and Signal doesn't.

I'm definitely not a fan of Signal (or Moxie's views) myself, but I would definitely much rather people use it instead of having billions of them continue in Whatsapp or Telegram. The whole point being made is that there's a big difference between using Signal and using those, we aren't implying that any particular form of communication is perfect. None are. It's just some are better than others. Saying that Signal is in the same level is not exactly fair.

[–] [email protected] 1 points 3 years ago* (last edited 3 years ago) (1 children)

Sure, but other messengers that do not use phone-numbers do not leak this info. And as long as Signal is used by a certain minority it is a risky metadata leak.

And you can turn this in any way you want, but using phone-numbers as the public identifier is a really bad idea and disqualifies Signal for most privacy sensitive communication. Even if everyone was using Signal it would be still a bad idea to hand out your phone number and have it visible in group-chats.

[–] [email protected] 1 points 3 years ago* (last edited 3 years ago) (1 children)

And yet Telegram and Whatsapp do that and more.

We are not comparing Signal with "messengers that do not use phone-numbers". We are comparing it to messengers in the level of Telegram and Whatsapp, because the point was that placing it all on the same level isn't accurate or fair. Reality isn't Black&White.

Signal is definitely flawed, but I'd much rather have people asking me to communicate via Signal than through Telegram/Whatsapp as they usually do. I do wish Signal was able to cater to that demographic.

[–] [email protected] -1 points 3 years ago (1 children)

Why? That is like saying let's only compare really bad options with slightly less bad options.

Threema for example does not require phone numbers and there are also good XMPP based messengers.

[–] [email protected] 0 points 3 years ago* (last edited 3 years ago)

Because "slightly less" is a subjective measure that's relative to how pedantic we want to get.

Even XMPP is a "slightly less" bad option, in the sense that you are still targetable when using a sufficiently advanced method, and you are still not free of risk.

Even hosting your own instance you give away the IP, if you don't host it then you do have to trust the host, since it does store metadata (maybe more so than Signal).

[–] [email protected] 1 points 3 years ago (1 children)

> You are missing the point. If you have a big list of suspect phone-numbers you can put them into Signal and it will show all that have their phone numbers registered with Signal.

Yes. That's exactly what you get. A list of Signal users.

> That is a metadata leak and quite a significant one.

Why is a user list in itself "a significant metadata leak". You would need other information for that, like groups, contacts, online times or anything else. But you don't get that, so I can only repeat my question: what is the problem with it?

[–] [email protected] 1 points 3 years ago

I explained that already in much detail elsewhere in this thread.

tl;dr as a Signal user you are a minority that is automatically suspect to law-enforcement and when this meta-data is overlapped with other meta-data it is easy to narrow down a list of suspects and get legal permission to deploy more intrusive surveillance methods. In addition once that more intrusive surveillance method is deployed on a device, it can read other linked phone-numbers from Signal group-chats and thus those people are also compromised because phone-numbers are always linked to government issued identities (either explicitly or due to payments).

[–] [email protected] 2 points 3 years ago (1 children)

Ok, out of interest, how does this work?

You (as aggressor) scan all your known mobile numbers against let’s say Signal and discover that some numbers use Signal. That I understand. But now what? Unless you are the company Signal you would not have access to further data, or?

[–] [email protected] 1 points 3 years ago (1 children)

Sure you can easily get further data by for example asking the phone companies for cell-tower log-in location and times. This you can then narrow down against your list of Signal using suspects and either remotely infect their phones with a trojan or simply snatch up the hardware at a "random" police check and access the already decrypted messages with identifiable phone-numbers of all the group-members.

Compare that to a messenger that does not use phone numbers at all and even does not transmit network IDs to other group-chat members. Then the police has no idea who to target and no reasonable indication that could be used with a judge to get a search warrant either.

[–] [email protected] 2 points 3 years ago (1 children)

> Sure you can easily get further data by for example asking the phone companies for cell-tower log-in location and times. This you can then narrow down against your list of Signal using suspects and either remotely infect their phones with a trojan or simply snatch up the hardware at a “random” police check and access the already decrypted messages with identifiable phone-numbers of all the group-members.

What the fuck? Sure, you could also just be tortured till you tell them everything you know, but fking tracing over cell companies is not a security flaw in an app.

They could also just as well decrypt your self hosted emails that are cached on your device.

[–] [email protected] 1 points 3 years ago* (last edited 3 years ago) (1 children)

What I explained is commonly done by law-enforcement agencies to get search warrants and permission to install trojans on devices of a relatively large number of suspects. Having your phone number registered with Signal, having been near a certain place and at a certain time + being male and 20 something years old is usually sufficient to get permission to do so by a judge as these three metadata points significantly narrow down the number of suspects.

Luckily law-enforcement agencies in most countries don't go around torturing large amounts of people on very weak indications that they might have been somehow within 5km of a protest or crime.

[–] [email protected] 2 points 3 years ago (1 children)

What does having Signal installed have to do with tracking down and installing a Trojan?

I don't think that they will only track you down for using Signal, and if they are they still will install a Trojan even without Signal installed on your phone.

[–] [email protected] 1 points 3 years ago

Hence my comment about more detailed explanation. Of course only having Signal installed will not get you on a list of suspects for being targeted for trojan installation by law-enforcement.

But it is a significant metadata point and also further security risk for related persons once you are being targeted, and one that is totally unnecessary as there are equally good messengers that do not require phone-number use at all.

[–] [email protected] 0 points 3 years ago (1 children)

When it comes to states spying on you then there is no safety. The state can always just send someone over to put a gun on your head (or the legal equivalent) and voila, you yourself give them your data.

And I understand that states are very different in their (perceived) legal integrity, but if I should guess (no evidence) then all the encryption and safety development benefit criminals most. Also some journalists and dissidents but mostly criminals to do their criminal business and in the whole, if you have the fortune to live in a state that can be mostly trusted I prefer that Police has some lever identity this kind communication. Not dissimilar to when Police is allowed to tap your phone (after a judge signed off). Not many people were concerned about that.

So in the end I feel the bigger threat are private companies who sell all your data for the highest bidder regardless of the bidders intention. And provided you trust Signal, ProtonMail and Tutanota then they definitely reduce the risk there (imho).

[–] [email protected] 1 points 3 years ago (1 children)

Even with a gun to your head you can still make the choice to say "no". This is always the case - you always have the choice to refuse, you just have to be prepared to live with the consequences.

I needed to be police vetted for a job and they wanted to know lots of stuff about me, including who I'd slept with in the last five years (because, allegedly, this information could be used to blackmail so... Well so why would I tell the rozzers, exactly...? Anyway, getting off my point). I refused to tell them because the people I'd slept with hadn't given their consent. I was refused the job *shrug*

[–] [email protected] 3 points 3 years ago* (last edited 3 years ago) (2 children)

> I refused to tell them because the people I’d slept with hadn’t given their consent. I was refused the job

I wouldn't give the job to a rapist either. 🙃

[–] [email protected] 6 points 3 years ago

To be clear, I meant consent for me to share their love-life with the police!

You're a naughty person! But you did make me laugh.

[–] [email protected] 4 points 3 years ago

I hope he just made a mistake when typing haha