The FBI asked Signal to hand over user data, Signal complied by giving them nothing

JLO64

Summary

Recently Signal (a privacy-oriented messaging app) was asked by the FBI as part of a grand jury subpoena in California to hand over whatever user data the service collected for a certain individual (whom we know nothing about). Signal prides itself on being end-to-end encrypted using their open source protocol (which WhatsApp also uses) and on collecting as little user data as possible. After contacting the ACLU (American Civil Liberties Union), Signal complied with the FBI's request by handing over all the data they had on this individual: his phone number, when he registered his Signal account, and when he last used it.

 

Quotes

Quote

The only information Signal maintains that is encompassed by the subpoena for any particular user account, identified through a phone number, is the time of account creation and the date of the account’s last connection to Signal servers. That is all. We have provided the information responsive to the subpoena in Signal’s possession in Attachment A.

 

Quote

Attachment A

 

Account

REDACTED

 

Responsive Information in Signal’s Possession

Last connection date: 1634169600000 (unix millis)

Account created: 1606866784432 (unix millis)

My thoughts

Honestly, the thing that surprised me the most about this wasn't Signal's response (which was hilarious nonetheless) but the fact that the FBI earnestly expected them to hand over some very sensitive data. If the FBI seriously thought they would hand over this person's bank/card info, transaction history, job info, tax id number, utility bills, driver/photo id, and a bunch of other stuff, what does this say about other messaging apps (Facebook Messenger, WhatsApp, iMessage, LINE)? Are they monitoring and cataloguing their users' data so that they can comply with similar law enforcement requests?

 

While I understand the argument that certain measures need to be used in order to prevent horrible things from happening (terrorism, drug trafficking, child pornography) I would like to believe that there are certain lines that should not be crossed. I'm aware that most aspects of our privacy are dead online, but even this is a bit unnerving.

 

TLDR

Use Signal.

 

Sources

https://signal.org/bigbrother/cd-california-grand-jury/ (I'd link the PDFs for the FBI's and Signal's correspondence separately but I can't figure out how to do that)

https://youtu.be/3oPeIbpA5x8 (Here's a video about this topic)

Arch is better than Ubuntu. Fight me peko.


I guess they'll have to go the old-fashioned way on this individual...

 

Spoiler

fbi-open-up-fbi.gif.2c5bba6191a46f0defabcdb4f6f8c78c.gif

 

CPU Cooler Tier List  || Motherboard VRMs Tier List || Motherboard Beep & POST Codes || Graphics Card Tier List || PSU Tier List 

 

Main System Specifications: 

 

CPU: AMD Ryzen 9 5950X ||  CPU Cooler: Noctua NH-D15 Air Cooler ||  RAM: Corsair Vengeance LPX 32GB(4x8GB) DDR4-3600 CL18  ||  Mobo: ASUS ROG Crosshair VIII Dark Hero X570  ||  SSD: Samsung 970 EVO 1TB M.2-2280 Boot Drive/Some Games)  ||  HDD: 2X Western Digital Caviar Blue 1TB(Game Drive)  ||  GPU: ASUS TUF Gaming RX 6900XT  ||  PSU: EVGA P2 1600W  ||  Case: Corsair 5000D Airflow  ||  Mouse: Logitech G502 Hero SE RGB  ||  Keyboard: Logitech G513 Carbon RGB with GX Blue Clicky Switches  ||  Mouse Pad: MAINGEAR ASSIST XL ||  Monitor: ASUS TUF Gaming VG34VQL1B 34" 

 


but when is the FBI going to raid level boss access my "smart" microwave?

Forced Biometric Intelligence, having a home on FaceBook, oh wait... into the Meta-verse?


21 minutes ago, JLO64 said:

(Facebook Messenger, WhatsApp, iMessage, LINE)? Are they monitoring and cataloguing their users' data so that they can comply with similar law enforcement requests?

Many of them yes. Also note, handing over everything you have, be it nothing, is complying, unless there are laws which require you to collect a certain amount of data.


2 hours ago, JLO64 said:

the fact that the FBI earnestly expected

..is that actually fact or just a wild, unfounded speculation?


38 minutes ago, poochyena said:

..is that actually fact or just a wild, unfounded speculation?

They wouldn't have requested it through a subpoena if they didn't have at least some expectation to receive at least some of the information requested. The problem is that the FBI wouldn't know what information they have until they request it. This is the information requested by the FBI in the subpoena:

 

image.png

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


31 minutes ago, Spotty said:

The problem is that the FBI wouldn't know what information they have until they request it.

Exactly. They were hoping for information, not outright "earnestly expected" it. Seems significantly more likely to me this is just a generic template they sent to every company that potentially has information they could use. Even "Last connection date" is something.


5 hours ago, JLO64 said:

 

 

My thoughts

Honestly, the thing that surprised me the most about this wasn't Signal's response (which was hilarious nonetheless) but the fact that the FBI earnestly expected them to hand over some very sensitive data. If the FBI seriously thought they would hand over this person's bank/card info, transaction history, job info, tax id number, utility bills, driver/photo id, and a bunch of other stuff, what does this say about other messaging apps (Facebook Messenger, WhatsApp, iMessage, LINE)? Are they monitoring and cataloguing their users' data so that they can comply with similar law enforcement requests?

 

Short answer. Yes. And they have done so since inception. In particular. PayPal. If you have ever used PayPal, the government knows everything about you.

 

If you want to get into the details, PayPal deals with "LexisNexis", so does pretty much any company that has ever sued a customer or employee.

 

This is the tradeoff between privacy and security. If you want stuff to be secure and private, it's going to cost money somewhere, and wherever that point crosses over (eg your ISP, your VPN), is where your private data will get into the hands of the government. So the FBI might not be able to get the contents or encryption keys of the user of the Signal app, but they can pretty much knock on the ISP's door and have them tell the FBI the moment that customer with that IP address connects to Signal so they can go straight to the user with the device.

 

Anyhow, I think most people are too paranoid. It's not the government you really need to protect yourself from, it's private companies selling access to your private data for any reason. As long as someone out there is a data broker (which includes credit bureaus like TransUnion and Equifax (who have leaked data themselves), your banks, your ISPs, etc.). These companies know enough about you, just from you being a customer, that you don't necessarily need to be doing anything wrong to be caught in the cross hairs of an investigation (just look at how many times people complain about bank fraud rather publicly, and if you look through their social media, their birthdate, name and address are in plain view). This is just one reason why real name policies are extremely stupid, as not only does it make the user a target for cyberbullying, but a target for spearphishing as well.

 

So Signal handing over "basically nothing" probably is all they reasonably have. It does not make them evil for doing so. The fact that the phone number is the only piece of information they have/use also tells you how much personal information can really be scrubbed. A phone number is not an identity document, a phone number can be spoofed, easily (just look at all the spam phone calls and text messages.) So the onus is on the FBI to prove that the phone numbers are even that of the customer.

 


The internet is rejoicing over this, I see it differently. This seems like a great case for the lobbyists to use when pushing to get encryption banned from the internet.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


5 minutes ago, Master Disaster said:

The internet is rejoicing over this, I see it differently. This seems like a great case for the lobbyists to use when pushing to get encryption banned from the internet.

I was thinking the same thing.  

 

I can see why they would think that way - I don't think it's right.  If you're a judge or senator or whatever, and you noticed people getting away with horrific crimes because they are using encryption - I can understand their frustration.  Unfortunately banning encryption wouldn't be the solution, but yeah.  It's scary. 

 

 


2 minutes ago, Akolyte said:

I was thinking the same thing.  

 

I can see why they would think that way - I don't think it's right.  If you're a judge or senator or whatever, and you noticed people getting away with horrific crimes because they are using encryption - I can understand their frustration.  Unfortunately banning encryption wouldn't be the solution, but yeah.  It's scary. 

Encryption will never get banned, not ever. Now there are other implementations that might get affected like end to end encryption or requirement to implement something akin to multiple data channels, one end to end encrypted and one client server that is sending log/audit/telemetry data that may get mandated under some law or w/e.

 

Encryption itself will never get banned.


8 hours ago, JLO64 said:

Signal's response (which was hilarious nonetheless)

Hilarious? That's a weird thing to find funny.

 

Scene: "The FBI was trying to get information to track down someone they suspect of kidnapping children."

OP: "Yeah, it's hilarious they didn't get much!"

 

It's not comedy. It's the very serious need to balance individual privacy and community security.

 

(Nor is this tragedy and needs to be changed, necessarily. My point is these are serious issues to be discussed.)

🖥️ Motherboard: MSI A320M PRO-VH PLUS  ** Processor: AMD Ryzen 2600 3.4 GHz ** Video Card: Nvidia GeForce 1070 TI 8GB Zotac 1070ti 🖥️
🖥️ Memory: 32GB DDR4 2400  ** Power Supply: 650 Watts Power Supply Thermaltake +80 Bronze Thermaltake PSU 🖥️

🍎 2012 iMac i7 27";  2007 MBP 2.2 GHZ; Power Mac G5 Dual 2GHZ; B&W G3; Quadra 650; Mac SE 🍎

🍎 iPad Air2; iPhone SE 2020; iPhone 5s; AppleTV 4k 🍎


7 minutes ago, leadeater said:

Encryption will never get banned, not ever. Now there are other implementations that might get affected like end to end encryption or requirement to implement something akin to multiple data channels, one end to end encrypted and one client server that is sending log/audit/telemetry data that may get mandated under some law or w/e.

 

Encryption itself will never get banned.

I think when people talk about "banning encryption" they aren't talking about an absolute ban on any and all kinds of encryption. They are talking about what you described. Kneecapping and heavily restricting and moderating the use of it to the point of it essentially being useless.

 

It's like saying "Sweden hasn't banned guns. The police still has guns, sometimes, and if you're a civilian you can still own nerf- and water guns. Clearly guns aren't banned like some people say". 


47 minutes ago, leadeater said:

Encryption will never get banned, not ever. Now there are other implementations that might get affected like end to end encryption or requirement to implement something akin to multiple data channels, one end to end encrypted and one client server that is sending log/audit/telemetry data that may get mandated under some law or w/e.

 

Encryption itself will never get banned.

You're a man of the world so I shouldn't need to point this out but remember the aristocracy is nothing if not hypocritical.

 

"One rule for me, another for thee" has always been a thing.

 

Perhaps banning wasn't the correct description, perhaps restricting is more apt?


9 hours ago, JLO64 said:

what does this say about other messaging apps (Facebook Messenger, WhatsApp, iMessage, LINE)? Are they monitoring and cataloguing their users' data so that they can comply with similar law enforcement requests?

yes.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Just now, Sauron said:

yes.

Was this ever in doubt? If something is free (and not FOSS) then you are the product.


The request was reasonable, as was the response. That the FBI had a court order approving of the request at least gives some oversight on the transfer of any data. That there was hardly any is separate to that. However, the valid, but possibly perceived as lacking, response may shape lawmaking in future. For example, compelling companies to store a certain amount of data for a certain amount of time.

Main system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, Corsair Vengeance Pro 3200 3x 16GB 2R, RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible


13 hours ago, JLO64 said:

Honestly, the thing that surprised me the most about this wasn't Signal's response (which was hilarious nonetheless) but the fact that the FBI earnestly expected them to hand over some very sensitive data.

I'm surprised why people think law enforcement isn't allowed/supposed/able to ask for these details through a court. I don't know about this case, but let's assume everything's fine and normal and you are investigating a criminal. You find out he used this messaging service, how is it surprising for them to ask this service for his details they may have? It's just like the ProtonMail situation a while ago where they got court-ordered to start logging. These are still companies that need to abide by the law. Instead, be happy that Signal indeed only logs what it advertises, i.e. next to nothing.

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB


13 hours ago, JLO64 said:

what does this say about other messaging apps (Facebook Messenger, WhatsApp, iMessage, LINE)?

The US government did have the Pandora's box program and other very privacy-intrusive programmes back in the day which could be continuing to this day (but IIRC, it was all a part of the Patriot Act which was repealed like 3-4 years ago). Also it's the FBI, they could have forced them to comply because the FBI could be very intimidating.


I see a considerable lack of oversight in the comments: US Law does not, unless it changed since I last looked into it, apply to anyone outside the US.

 

Banning (or otherwise restricting in any way) the use of encryption for US citizens is a meaningless and token response from US lawmakers who show their ignorance on the matter by doing so. US-based apps will relocate their HQ to areas outside the US and continue to offer encrypted services, even to Americans. They can't afford the loss of the other 7 bn (!!) potential customers to (foreign) competitors who do offer encryption, should they remain in the US with just 365m inhabitants.

 

Besides, Big Tech may have a bad rep nowadays, but they still have considerable (financial) leverage over US lawmakers, especially when words like consensus, bi-partisanship and collaboration have been scrapped from Congress dictionaries for party-ideological reasons :old-eyeroll:

"You don't need eyes to see, you need vision"

 

(Faithless, 'Reverence' from the 1996 Reverence album)


32 minutes ago, wamred said:

It is hilarious that the FBI thought they could get anything from signal. 

 

I see 2 options:

 

- FBI is so incompetent that they had no idea how little they would get

 

- this was just "a game" to get just that outcome which will be used later (as in "proving" how evil encryption is)

 

[tinfoil mode]

 

3rd option:

 

- FBI did get all the info they wanted and also handed Signal a gag order forcing them to claim they had given nothing 


9 minutes ago, Kronoton said:

[tinfoil mode]

 

3rd option:

 

- FBI did get all the info they wanted and also handed Signal a gag order forcing them to claim they had given nothing 

Signal has gone through several audits so IDK how viable this theory is:
https://community.signalusers.org/t/wiki-overview-of-third-party-security-audits/13243


Also the 2nd option should be under this mode as well.
