this post was submitted on 26 Jun 2023
669 points (100.0% liked)

Technology

37739 readers
782 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

An official FBI document dated January 2021, obtained by the American association "Property of People" through the Freedom of Information Act.

This document summarizes the possibilities for legal access to data from nine instant messaging services: iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp and Wickr. For each software, different judicial methods are explored, such as subpoena, search warrant, active collection of communications metadata ("Pen Register") or connection data retention law ("18 USC§2703"). Here, in essence, is the information the FBI says it can retrieve:

  • Apple iMessage: basic subscriber data; in the case of an iPhone user, investigators may be able to get their hands on message content if the user uses iCloud to synchronize iMessage messages or to back up data on their phone.

  • Line: account data (image, username, e-mail address, phone number, Line ID, creation date, usage data, etc.); if the user has not activated end-to-end encryption, investigators can retrieve the texts of exchanges over a seven-day period, but not other data (audio, video, images, location).

  • Signal: date and time of account creation and date of last connection.

  • Telegram: IP address and phone number for investigations into confirmed terrorists, otherwise nothing.

  • Threema: cryptographic fingerprint of phone number and e-mail address, push service tokens if used, public key, account creation date, last connection date.

  • Viber: account data and IP address used to create the account; investigators can also access message history (date, time, source, destination).

  • WeChat: basic data such as name, phone number, e-mail and IP address, but only for non-Chinese users.

  • WhatsApp: the targeted person's basic data, address book and contacts who have the targeted person in their address book; it is possible to collect message metadata in real time ("Pen Register"); message content can be retrieved via iCloud backups.

  • Wickr: Date and time of account creation, types of terminal on which the application is installed, date of last connection, number of messages exchanged, external identifiers associated with the account (e-mail addresses, telephone numbers), avatar image, data linked to adding or deleting.

TL;DR Signal is the messaging system that provides the least information to investigators.

top 50 comments
sorted by: hot top controversial new old
[–] argv_minus_one@beehaw.org 113 points 1 year ago* (last edited 1 year ago)

Takeaways:

  • End-to-end encryption works.
  • The only trustworthy computer is your computer. Don't use cloud storage.
  • The only trustworthy software is open-source software. Proprietary software serves the interests of the proprietor, not the user.

All of this was already well-known, of course, but it's always nice to get confirmation.

[–] PerogiBoi@lemmy.ca 66 points 1 year ago (3 children)

So basically use signal because they can get the least amount of data.

[–] MentalEdge@sopuli.xyz 32 points 1 year ago (6 children)

Matrix isn't on the list at all.

[–] PerogiBoi@lemmy.ca 12 points 1 year ago

I don’t think the list could have everything

[–] fmstrat@lemmy.nowsci.com 11 points 1 year ago

Wasn't heavily used at the time probably.

load more comments (4 replies)
[–] erre@feddit.win 14 points 1 year ago (2 children)

Or Telegram, unless you're a confirmed terrorist.

[–] archomrade@midwest.social 19 points 1 year ago

"I'm not a terrorist" - Subpoena DENIED

[–] BastingChemina@slrpnk.net 11 points 1 year ago

Terrorist can be a very broad term. In France the government is using anti terrorism laws against ecologist organisation.

They also incarcerated people from another organisation 3 years ago using the same antiterrorism law, they haven't found anything against them so now they are accusing them of using signal for their communication and encryption on their phone and laptop.

load more comments (1 replies)
[–] Melpomene@kbin.social 54 points 1 year ago* (last edited 1 year ago) (3 children)

Thanks for the great summary! Also a good reminder to people that storing your backups on a "as secure as we decide it is" service like iCloud isn't ideal if you want to protect your data from government snooping.

Edited to remove pre-coffee salt and lack of nuance.

[–] SemioticStandard@beehaw.org 37 points 1 year ago (6 children)

This perspective lacks nuance.

a service like iCloud is a bad idea if you care about your privacy

Like all security and privacy measures, you have to consider your threat profile. From whom are you trying to maintain privacy from? If it’s other people or companies, then using a service like this is perfectly okay. If you’re worried about state actors or governmental agencies coming after you, then you have a very different set of requirements and considerations than most people, and you should plan accordingly.

But saying that services like this aren’t for people who care about their privacy is a little disingenuous. As with all things, it’s a matter of degrees.

[–] Melpomene@kbin.social 13 points 1 year ago

Fair point... and I'll edit the comment to reflect that. Thanks for catching the lack of nuance... guess fasting for 24 hours has me both tired and salty.

load more comments (5 replies)
[–] xray@beehaw.org 9 points 1 year ago (1 children)

Generally agree, but this document is also from January 2021. Apple brought E2EE to almost all aspects of iCloud in December 2022 including iCloud Backups. It's opt-in, so theoretically, if you were having a conversation with a contact who didn't opt-in to E2EE but backed up their iMessages to iCloud, the government could still access your messages via that contact even if you opted-in to E2EE, but still.

load more comments (1 replies)
load more comments (1 replies)
[–] StrayCatFrump@beehaw.org 44 points 1 year ago* (last edited 1 year ago)

Also remember this is useless without complementary security measures:

  1. Encrypt the storage on any device where these are installed (including your desktop/laptop drives if you install e.g. the desktop version of Signal).
  2. Lock your devices with pin or password, and store that pin/password only in your head (there's no such thing as telepathy at this point in time so they can't physically force it out of you, unlike biometric data like your fingerprints).

If you are relying on "Legally they're not allowed to," instead of, "They simply can't, despite all they might try," then you're not doing it right.

[–] potsnpans@beehaw.org 38 points 1 year ago (10 children)
load more comments (10 replies)
[–] Sentinian@lemmy.one 27 points 1 year ago

Well this made me download signal, thanks fbi

[–] sparky@lemmy.federate.cc 23 points 1 year ago (4 children)

iMessage is now fully secure like Signal and Telegram, if you’ve enabled advanced data protection in your Apple ID. This also protects your photos and other personal information from snooping and data breaches. Apple users should turn on this great feature in Settings -> iCloud.

[–] argv_minus_one@beehaw.org 21 points 1 year ago* (last edited 1 year ago) (1 children)

Even if you turn that on, they're still scanning your content for, supposedly, child porn.

I very seriously doubt that their scanning is actually limited to child porn. And even if it is, if you take nude selfies and some AI thinks you look like a child, then some Apple employee will have to look at them to confirm…

[–] dingus@lemmy.ml 16 points 1 year ago (2 children)

They cancelled CSAM scanning as of last year. It never actually rolled out, due to backlash.

https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/

load more comments (2 replies)
load more comments (3 replies)
[–] ozoned@beehaw.org 23 points 1 year ago (15 children)

No mention of Matrix. Wonder if it's not on their radar, or they have nothing, or just wasn't important to put it on there?

[–] worfamerryman@beehaw.org 9 points 1 year ago

I think it is because it is a bit nuanced. I used to host a matrix server and if the FBI was like hey, give us the data to something.

I’d just give them anything they wanted. I did not allow signups, I only gave access to one friend and only had it setup as a learning project.

I’m sure my friend wouldn’t do anything shady on it, I’ve been close friends with him for about 30 years. But I’m not going to fight the fbi on their behalf. Plus, if they were using the server for something that the fbi needed to get involved with, I’d be pissed they used my server to do it.

tl:dr anyone can host a matrix instance and each host could have different levels of access.

load more comments (14 replies)
[–] NotSteve_@beehaw.org 22 points 1 year ago (1 children)

I'm actually surprised they can't get more WhatsApp data considering it's Facebook. I know WhatsApp's thing is encryption but... It's Facebook

load more comments (1 replies)
[–] sculd@beehaw.org 20 points 1 year ago (1 children)

As expected, Signal is still the best.

load more comments (1 replies)
[–] arcticpiecitylights@beehaw.org 17 points 1 year ago (4 children)

I'm curious what/if any info can be retrieved from Matrix servers?

load more comments (4 replies)
[–] Napain@lemmy.ml 14 points 1 year ago (2 children)

i love how telegram isn't even encrypted or anything but they just ghost the authorities

[–] __forward__@lemm.ee 11 points 1 year ago (3 children)

To clarify because this is always a point of confusion whenever the topic comes up. Telegram is, of course, transport encrypted. Someone listening on the wire cannot read your data. It is not end-to-end encrypted, meaning Telegram can always read your messages and can, in principle, give anyone access.

load more comments (3 replies)
load more comments (1 replies)
[–] ozoned@beehaw.org 12 points 1 year ago (2 children)

Is there a link to this article or doc or anything?

[–] ozoned@beehaw.org 37 points 1 year ago

Found a PCMag article indicating this:

https://www.pcmag.com/news/fbi-document-shows-how-popular-secure-messaging-apps-stack-up

So OP did indicate it's from 2021. That's a long time though in tech. So while interesting to see, who knows if this has changed in 2+ years.

[–] flashgnash@lemm.ee 12 points 1 year ago (3 children)

This makes me suspicious though, surely if they've declassified this that means they want people to see it, so isn't there a very real chance it's intentionally misleading?

[–] bbbhltz@beehaw.org 16 points 1 year ago (1 children)

I think that today, in 2023, some of the information here is outdated. We know that different messages can be intercepted and decrypted. It is labelled as unclassified, which I think might be different from declassified?

[–] SenorBolsa@beehaw.org 17 points 1 year ago* (last edited 1 year ago)

Correct it's labeled as unclassed sensitive info for law enforcement. That just means "don't share this shit on facebook if you want to keep your job"

load more comments (2 replies)
[–] tram1@programming.dev 12 points 1 year ago (5 children)

Telegram states at their site that: "To this day, we have disclosed 0 bytes of user data to third parties, including governments."

But according to Spiegel this is false. I don't know German, I read the article using google translate, correct me if I'm wrong.

Here is a quote from the article: "Contrary to what has been publicly stated so far, the operators of the messenger app Telegram have released user data to the Federal Criminal Police Office (BKA) in several cases."

If this is true, the fact that they are lying is very worrying...

load more comments (5 replies)
[–] Schedar@beehaw.org 11 points 1 year ago (6 children)

Wonder what a difference it now makes with the iCloud “advanced Data protection” that provides end to end encryption for iCloud backups etc. in theory that should block the iCloud backup route.

load more comments (6 replies)
[–] coffeekomrade@kbin.social 11 points 1 year ago (1 children)

Does this document account for Apple’s recent Advanced Data Protection feature?

[–] bbbhltz@beehaw.org 12 points 1 year ago (1 children)
load more comments (1 replies)
[–] GuyDudeman@beehaw.org 11 points 1 year ago (10 children)

Here's my foolproof method of not having any issue with the FBI: Don't do illegal stuff.

[–] wowbagger@lemm.ee 29 points 1 year ago (2 children)

You'd be surprised at how many things you do today that has been illegal or will be illegal in the future. The last part is the real scary one.

[–] pineapplelover@lemm.ee 9 points 1 year ago (1 children)

No matter what side on the political spectrum you're on, you should be afraid.

load more comments (1 replies)
load more comments (1 replies)
[–] MagicShel@programming.dev 23 points 1 year ago (2 children)

While Don't break the law, asshole is solid advice for staying off the FBI's radar, it's not really a guarantee.

[–] DekkerNSFW@lemmy.fmhy.ml 17 points 1 year ago (7 children)

And sometimes, justice requires breaking the law. Remember that the Holocaust was legal and Stonewall was not.

load more comments (7 replies)
load more comments (1 replies)
[–] flora_explora@beehaw.org 23 points 1 year ago* (last edited 1 year ago) (1 children)

This is such a bad take lacking any solidarity with people that have no choice in doing illegal stuff or who trying their best to make the world a better place. What is legal or illegal is solely defined by governments. In the context of the US, it is now illegal in some parts to have an abortion, to be transgender, to be an immigrant, to be black, etc. So "don't do illegal stuff" is a reminder of your privileged position to lean back and have nothing to fear, while other people just by existing or by trying to survive automatically are considered illegal. And think of all the whistleblowers like Edward Snowden. We as peole are much better off because of them, yet they have to fear the state's repressions.

Your response makes me really angry just by how inconsiderate and insulting it is :(

load more comments (1 replies)
[–] jonne@infosec.pub 21 points 1 year ago (5 children)

Tell that to Fred Hampton.

load more comments (5 replies)
[–] TeaEarlGrayHot@lemmy.ca 18 points 1 year ago

"If you've got nothing to hide, you've got nothing to fear!" 😉

load more comments (5 replies)
[–] fsniper@kbin.social 10 points 1 year ago (7 children)

Telegram seem to provide the least info, not signal.

[–] LollerCorleone@kbin.social 13 points 1 year ago (1 children)

But Telegram also have access to more info about its users, considering that messages are not end to end encrypted by default, than Signal does of its. This means that Telegram can share any data it wants, its users are just hoping that it won't. In the case of Signal, they don't have access to any meaningful data in the first place. Also leaving these here:
https://www.wired.com/story/the-kremlin-has-entered-the-chat/
https://tech.hindustantimes.com/tech/news/russian-court-directs-telegram-to-share-encryption-keys-to-access-users-messaging-data-story-1ZhjHvyTQJ89RhhNnp4bGL.html

load more comments (1 replies)
load more comments (6 replies)
load more comments
view more: next ›