The FBI asked Signal to hand over user data, Signal complied by giving them nothing

[Kisai]

1 hour ago, jagdtigger said:

Lets say this gets passed, do you know what will happen? Law abiding citisen - sucks to be you. Criminal - shows the middle finger while using illegal messenger ignoring that law. You can try to shuffle around things, play with other ideas but the end result is the same. Then there is the issue of abuse, like what happened not so long ago wih protonmail. Using an anti-terror law to unmask a simple activist.

Basically it's still the gun argument.

 

When you ban guns, only criminals have guns. When you ban encryption, only criminals have encryption. When you require real names, then only criminals will still use fake names.

 

It's like people fail to understand basic human psychology. 

 

The universal backdoor to encryption is to pay another criminal to pick up the sender, fly them to some place with no/weak human rights, and torture them to give it up. That's exactly what Gitmo is for. Let's call it "enhanced password recovery"

 

Sometimes the answer doesn't look pretty.

 

Now, human rights aside, what is the best way to ensure something isn't used by criminals? Don't invent it in the first place.

[Zodiark1593]

18 minutes ago, valdyrgramr said:

I don't support the right for criminals using it and being able to hide behind it nor do I support a company pretending they're above the law.  If you're fine with it then don't complain when enough isn't done to solve a case where you or someone you care about is the victim.  Remember, you support that criminal's right to encryption. 

Technology is above the law. The only limit being the ingenuity and will of the person or criminal using it. Words on a piece of paper is comparatively meaningless vs the impact computer code can have upon everyone. 

[leadeater]

1 hour ago, jagdtigger said:

Yes they are dumb, it could work for a fe times, or maybe a few dozen. But sooner rather than later they piece it together and your magic tactic is rendered useless. But the conns remain, you set a precedent and now everyone and their dog will demand similar measures for lesser crimes.

Well firstly slippery slope can go jump off a slope/cliff (bad pun intended ) Something does not have to lead to something else.

 

And no most criminals would never know, not even many of the smarter ones. The smarter ones didn't know for literally years that they were using an AUS AFP and US FBI messaging App, even after initial warnings it was suspicious. So nah likelihood is blissful unawareness while communication patterns are being logged and collated.

 

Quote

AFP provided the technical staff for Operation Ironside, which started three years ago after a similar take-down of encrypted communications provider Phantom Secure, federal police said.

 

The FBI gained access to the AN0M app in 2018, and started running it clandestinely, installed on Google Android devices that criminals sold to each other.

"The mobile phones, which were bought on the black market, could not make calls or send emails. [They] could only send messages to another device that had the organised crime app.

https://www.itnews.com.au/news/afp-and-fbi-sting-used-encrypted-app-to-intercept-crims-comms-565626

[jagdtigger]

2 hours ago, valdyrgramr said:

Failure to comply with a warrant, signed by a judge, in the US can get you into a lot of legal hot water. 

Except they did, cant hand over something you dont have.

[JZStudios]

8 hours ago, poochyena said:

"earnestly expected" assumes huge ego and ignorance. Expecting something from someone and requesting something are insanely different things.

They hoped for information. There is no "but". That is how investigations worked, you find people with connections to the case and hope they have they comply and have information relevant to your case. You can't know what they know until you ask.

You don't request something without expecting to get something out of it. If anything they expected something and hoped for more, not the other way around.

[poochyena]

37 minutes ago, JZStudios said:

You don't request something without expecting to get something out of it.

maybe you don't but most people do. When someone wants something from someone, you ask. Most people ask whether they expect a response or not.

[JZStudios]

46 minutes ago, poochyena said:

maybe you don't but most people do. When someone wants something from someone, you ask. Most people ask whether they expect a response or not.

If someone asks for a cookie, they expect a cookie and might hope for a cake. You don't ask for a cookie and expect to get a cake instead. In this case, the feds asked for a cake and got a cookie instead.

Especially in this regard since Signal was court ordered to hand over the cake, even though they only had crumbs left.

[poochyena]

10 minutes ago, JZStudios said:

If someone asks for a cookie, they expect a cookie

Do you think when Linus tells people during a video to visit lttstore.com and buy a water bottle, that he expects everyone watching the video to do so? I have absolutely no idea where you are getting the idea from that asking someone for something implies they are expecting to get that thing.

[kirashi]

20 hours ago, Master Disaster said:

This seems like a great case for the lobbyists to use when pushing to get encryption banned from the internet.

20 hours ago, leadeater said:

Encryption will never get banned, not ever. Now there other implementations that might get affected like end to end encryption or requirement to implement something akin to multiple data channels, one end to end encrypted and one client server that is sending log/audit/telemetry data that may get mandated under some law or w/e.

12 hours ago, wanderingfool2 said:

It's a whole lot easier to write it so that it can't be abused compared to encryption.  I am in the camp that if there is reasonable suspicion of a crime there should be a warrant system to compel someone to unlock a device.

2 hours ago, jagdtigger said:

Except they did, cant hand over something you dont have.

Agree that something can't get banned if it can't be proved it was used. TAPS FOREHEAD. Plausible Deniability says "what encryption? I am unable to recall anything you are referring to" followed by complying to unlock your phone using a secondary decryption code, allowing law enforcement into a second partition that's completely devoid of any incriminating evidence.

 

VeraCrypt already supports such encryption methods, so it's only a matter of time until someone writes Operating Systems that do the same for our computers and mobiles devices. If proper security practices are followed, there would be zero proof a second passphrase that unlocks the real partition containing juicy criminal bits even exists.

https://documentation.help/VeraCrypt/Plausible Deniability.html

Quote

Plausible Deniability

In case an adversary forces you to reveal your password, VeraCrypt provides and supports two kinds of plausible deniability:

1. Hidden volumes (see the section Hidden Volume) and hidden operating systems (see the section Hidden Operating System).
2. Until decrypted, a VeraCrypt partition/device appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it should be impossible to prove that a partition or a device is a VeraCrypt volume or that it has been encrypted (provided that the security requirements and precautions listed in the chapter Security Requirements and Precautions are followed). A possible plausible explanation for the existence of a partition/device containing solely random data is that you have wiped (securely erased) the content of the partition/device using one of the tools that erase data by overwriting it with random data (in fact, VeraCrypt can be used to securely erase a partition/device too, by creating an empty encrypted partition/device-hosted volume within it). However, you need to prevent data leaks (see the section Data Leaks) and also note that, for system encryption, the first drive track contains the (unencrypted) VeraCrypt Boot Loader, which can be easily identified as such (for more information, see the chapter System Encryption). When using system encryption, plausible deniability can be achieved by creating a hidden operating system (see the section Hidden Operating System).
   
   Although file-hosted VeraCrypt volumes (containers) do not contain any kind of "signature" either (until decrypted, they appear to consist solely of random data), they cannot provide this kind of plausible deniability, because there is practically no plausible explanation for the existence of a file containing solely random data. However, plausible deniability can still be achieved with a file-hosted VeraCrypt volume (container) by creating a hidden volume within it (see above).

 

5 hours ago, Kisai said:

Basically it's still the gun argument. When you ban guns, only criminals have guns. When you ban encryption, only criminals have encryption. When you require real names, then only criminals will still use fake names. It's like people fail to understand basic human psychology.

 

The universal backdoor to encryption is to pay another criminal to pick up the sender, fly them to some place with no/weak human rights, and torture them to give it up. That's exactly what Gitmo is for. Let's call it "enhanced password recovery." Sometimes the answer doesn't look pretty.

 

Of course, as @Kisai notes by referencing the https://xkcd.com/538/ comic, Plausible Deniability only works if the user in question has an unbreakable psyche when tortured up to the point of severe bodily harm, at which time the investigative body will wipe their hands clean of any wrongdoing, regardless of how many crimes were committed during their torture and/or killing of the suspect.

 

 

Oh, and I'm staying out of the whole "if you don't believe encryption used by criminals should be broken" argument because that's no different than saying people shouldn't be allowed on airplanes with shiny, pointy objects. News Flash: if one tries hard enough, anything can be weaponized, as see in S02E08 of 24 when someone is killed on a plane using a credit card ripped in half.

 

At the end of the day, humans should not do evil things that negatively impact the lives of other humans. Period.

 

CAUTION: Placed GIF of the scene referenced above inside a spoiler because some scenes of 24 are not for all audiences. Although the GIF does NOT show any actual blood or gore, if one wishes NOT to watch it, they can instead learn about the dangers of credit cards at the link below.

https://24.fandom.com/wiki/Day_2:_3:00pm-4:00pm#:~:text=Jack asks Nina what Faheen told her%2C and Nina answers%2C "Everything%2C" and slashes Faheen's throat with the broken gift card.

Spoiler

 

[wanderingfool2]

14 hours ago, jagdtigger said:

Nope, this is the kind of law that would get stuffed with loopholes. Because its just so much easier to find a corrupt/biased/tech illiterate judge who will rubberstamp anything than do their work properly. This can of worms most be kept sealed shut tightly at all costs...

You are assuming the worst.

 

The fact is, in this day and age there are crimes that are committed using encryption where the options are pretty much as follows:

Ban encryption or force backdoors [neither of which is a good idea]

Break encryption [not-feasable in most cases]

Warranted access to gain access to device.

 

It's not a can of worms either, because if a warrant is granted and you can show that there wasn't proper grounds to issue the warrant all evidence gets tossed (which means, they would have even less evidence to work on as they no longer would be able to go after that evidence...poisoned fruit).

 

Ultimately though, you would if you want to argue the point that it shouldn't be then you should also have to submit your thoughts on a solution to the problem.  Saying "do their work properly" won't work either because as I've said there are crimes that can be committed without the ability to actually investigate without getting access to the data...and ultimately being able to compel people is the least intrusive in my opinion.

 

Signal is great, and I don't think encryption should ever be weakened, but it is I think time we recognized as a society that better encryption while good also comes with some drawbacks which need to have solutions.

[CarlBar]

4 hours ago, wanderingfool2 said:

You are assuming the worst.

 

The fact is, in this day and age there are crimes that are committed using encryption where the options are pretty much as follows:

Ban encryption or force backdoors [neither of which is a good idea]

Break encryption [not-feasable in most cases]

Warranted access to gain access to device.

 

It's not a can of worms either, because if a warrant is granted and you can show that there wasn't proper grounds to issue the warrant all evidence gets tossed (which means, they would have even less evidence to work on as they no longer would be able to go after that evidence...poisoned fruit).

 

Ultimately though, you would if you want to argue the point that it shouldn't be then you should also have to submit your thoughts on a solution to the problem.  Saying "do their work properly" won't work either because as I've said there are crimes that can be committed without the ability to actually investigate without getting access to the data...and ultimately being able to compel people is the least intrusive in my opinion.

 

Signal is great, and I don't think encryption should ever be weakened, but it is I think time we recognized as a society that better encryption while good also comes with some drawbacks which need to have solutions.

 

 

The problem allways comes back to the fact that where dealing with the virtual world of the internet, not the physical "real" world. In the real world you can actually assume that most anything you do or say in private is, well private. The resources, equipment, and especially the physical access needed to make that not the case are not easy to get, so most groups other than law enforcement and intelligence agencies don't have the means, and the difficulty removes a lot of the incentive to do so randomly.

 

The internet however because of it's ability to connect you to so very many people makes theoretical access much easier, and that same interconnection means if the point of entry is right you can access a great deal of information, if not all interaction with very little effort, provided you have the appropriate tools and can find a viable point of entry. And the interconnection of the internet again makes the tools more accessible. Which is why so much of the discussion focuses on points of entry. Something that has enormous checks and balances IRl and is sufficiently difficult as be impractical 99.99% of the time is in the virtual world vastly easier.

 

End-to-end encryption is seen, rather naturally as securing one of the more obvious trouble points, the vulnerability of the operating company to error, malfeasance, or just plain incompetence in their security precautions, (again this is somthing that IRL is much less of a problem in most 1st world countries, the degree of checks, balances, and "human eye's only signoffs" involved make such issues much less likely to cause breaches, especially on any significant scale). No nefarious entity can see what your doing in your private goings on purely by going after the service providers you use because they don't have the info. They'd have to compromise your personal internet connection and monitor it, (or more likely your PC and log everything). 

 

Like i said i can conceive of idea's to work around this, but they rely on fundamentally restructuring the internet and the way it works in fashions that would require political willpower and international cooperation on a level that just isn't reasonable. I mean that doesn't rule out some band-aids here or there, but this is allways going to be a complex and difficult issue to deal with, and the question of adequate checks and balances on any new legal measures is itself a huge can of trouble.

 

And thats all before we get into the issue of foreign citizens doing stuff, at which point depending on diplomatic factors your ability to influence things to be as you wish can nosedive sharply. 

[leadeater]

40 minutes ago, CarlBar said:

The resources, equipment, and especially the physical access needed to make that not the case are not easy to get

Directional high gain mics actually aren't that expensive or hard to get, even that is going above what you really need anyway. You can get cheap paperclip sized recording devices with 10 hours of battery that are easily hidden on a person or their property without their knowledge, retrieval is however an obvious issue.

 

Anyway the physical proximity aspect is really the main or only factor against why this isn't done, it's also highly illegal and quite easy to prove and prosecute.

 

40 minutes ago, CarlBar said:

the point of entry is right you can access a great deal of information

Only if the data protection is garbage, which to be fair most are. Hence any legal framework has to include this aspect along with regular compliance and audit checks.

 

However the reality is all this information is already been collected and kept and we have regular data breaches so if this situation were to be legally required then that situation would be improved, I'm not talking token BS here, then the main objections would be from those that just wish that sort of data to not be collected from or about them and that is a fair position to take. There are of course extreme ends on both sides of that particular track as well too.

 

And honestly the internet doesn't have to fundamentally change for quite vast improvements it's just that those who actually have the majority voice and power in this also happen to be vehemently opposed to any and all regulations to do with internet, data and communications no matter what it is and without even looking at it. Many of these people gravitated to computer and global networks and started businesses because the total freedoms is what attracted them so much all those years ago.

 

Edit:

Also if anyone thinks regulation wouldn't have impacts on any of these data protection issues try and think of the last time the Visa/Mastercard payment networks themselves were breached. Never is the answer. It's not from the lack of trying or lack of interest in the data either.

[leadeater]

2 minutes ago, valdyrgramr said:

Yet, they can still be held in contempt for not doing what the subpoena ordereded.  That's how the law works.

You can't if you don't have the data, especially if you never had it. That's one of the reason why we have data management policies at work that cover the deletion of anything that isn't required. Because we can be subjected to Official Information Requests by any citizen, so police matters are not our only concern, which means we shouldn't keep anything we don't need because what might be or look fine today might not tomorrow or w/e else reason, like say some liability matter and we were actually in some manor culpable but because the information regarding that had been deleted (before an investigation) then you basically dodge that bullet.

 

If you legitimately do not having something then you cannot be held in contempt or be charged with obstruction.

[jagdtigger]

5 hours ago, wanderingfool2 said:

You are assuming the worst.

When it comes to politicians, agencies, and the police you better do that or you might regret it. Im not taking high-stakes chances, especially not the kind where i can only loose. (Like this case.)

[Helpful Tech Witch]

17 hours ago, valdyrgramr said:

No, it's not.  Again, if the FBI has enough to get a warrant against you or you've been convicted of a crime then the legal system should be legally allowed to have that encryption broken to obtain any info that can help the case against you.   That does not break encryption for everyone.  Or, did you break some law and are now paranoid?

this could be used as an excuse to get any encryption.

But your post is getting very close to "If you have nothing to hide you have nothing to fear".

Does that need explaining either?

[CarlBar]

1 hour ago, leadeater said:

Directional high gain mics actually aren't that expensive or hard to get, even that is going above what you really need anyway. You can get cheap paperclip sized recording devices with 10 hours of battery that are easily hidden on a person or their property without their knowledge, retrieval is however an obvious issue.

 

Anyway the physical proximity aspect is really the main or only factor against why this isn't done, it's also highly illegal and quite easy to prove and prosecute.

 

Only if the data protection is garbage, which to be fair most are. Hence any legal framework has to include this aspect along with regular compliance and audit checks.

 

However the reality is all this information is already been collected and kept and we have regular data breaches so if this situation were to be legally required then that situation would be improved, I'm not talking token BS here, then the main objections would be from those that just wish that sort of data to not be collected from or about them and that is a fair position to take. There are of course extreme ends on both sides of that particular track as well too.

 

And honestly the internet doesn't have to fundamentally change for quite vast improvements it's just that those who actually have the majority voice and power in this also happen to be vehemently opposed to any and all regulations to do with internet, data and communications no matter what it is and without even looking at it. Many of these people gravitated to computer and global networks and started businesses because the total freedoms is what attracted them so much all those years ago.

 

Edit:

Also if anyone thinks regulation wouldn't have impacts on any of these data protection issues try and think of the last time the Visa/Mastercard payment networks themselves were breached. Never is the answer. It's not from the lack of trying or lack of interest in the data either.

 

Again i don't necessarily disagree here, the problem is the way almost any proposal approaches this is piecemeal in nature. So whilst it should include better protective requirements, i'm not willing to assume it will unless it's really freaking comprehensive.

 

Also i'd disagree on the major overhaul thing. I'm not talking changing networking protocols or anything, but more a change in fundamental approach to how things are approached backed by the legal frameworks to enforce it and adjudicate and account for all the cross border stuff the international nature of the internet invokes, (Most current civil laws aren't really designed to deal with situations where different people in different countries are interacting in a way that doesn't involve either of them leaving their respective countries), and that requires multi-national political cooperation, (which is what i'm refer to with my bits about political will mostly). And well look at the current climate change situation for how that works out even with a more pressing set of problems on the table.

 

I'd also point out not everyone involved in this discussion is from somwhere where the local authority can be trusted not to abuse such a system, and we can both probably name countries that sit somwhere between those extreme's.  They have legitimate concerns about abuse of systems, i'm not going to dismiss those out of hand even if they're not an issue for me personally.

 

1 minute ago, valdyrgramr said:

Actually, you can.  However, you can defend yourself against it or go through a process to get it overturned "if" there is a legitimate reason.

 

The warrant was posted earlier in the thread, it explicitly specified "if available" for all requests.

[jagdtigger]

8 minutes ago, valdyrgramr said:

Well, it's a subponea.  But, wasn't it not even supposed to go public?  "If availble" means you have still have prove you don't have the data, and "if" they lied to the bureau then that's a crime on its own.  The FBI and court won't just take their word for it.

Unless they can proove Signal is lying they cant do a thing and most take their word. Its how courts work, "provide proof or get lost"....

[jagdtigger]

1 minute ago, valdyrgramr said:

Signal has to prove it too.

Nope, they gave everything they have, if FBI thinks they didnt they have to prove it. Signal dont have to do a thing after they complied with the request.

[Rohith_Kumar_Sp]

On 10/31/2021 at 12:51 PM, Master Disaster said:

The internet is rejoicing over this, I see it differently. This seems like a great case for the lobbyists to use when pushing to get encryption banned from the internet.

what outcome did were you excepting and people react? did you want signal to log and give all data to the police and people reacting differently? 

[HarryNyquist]

 

45 minutes ago, valdyrgramr said:

Signal has to prove it too.

 

Lying about a subpoena is essentially the same as lying in a court on the stand under oath. The FBI must presume that Signal has provided the truth of what they have available, per the subpoena's requests (which are very precise, note the "if available" parts; if the information is not available, Signal is not legally bound to produce this information from thin air).

 

If the FBI believes Signal is lying, then the FBI must prove they are lying. Signal is presumed innocent (e.g., they are following the subpoena to the best of their ability) until the FBI can prove otherwise, beyond reasonable doubt.

[wanderingfool2]

3 hours ago, jagdtigger said:

When it comes to politicians, agencies, and the police you better do that or you might regret it. Im not taking high-stakes chances, especially not the kind where i can only loose. (Like this case.)

You are completely ignoring what the point I am making.  Tell you what, instead of spouting the same old "oh it's going to be exploited" try saying how it can be exploited.  And like I had originally said, try thinking of a better solution to the problem of crimes that are not capable of being solved by doing the "work properly"...guess what the old school methods don't work in the modern internet age.  There is sometimes evidence that exists only in the digital space, that can only be accessed by breaking encryption or having the person give access to it.

 

I've addressed the issue already, in that a warrant system to compel access to a device would be limited to the access of information.  It wouldn't be like the secret warrants of Prism, since the warrant would be compelling you...which means that all you have to do is prove there wasn't a reasonable suspicion of said crime and literally a lot of the evidence gets thrown out

 

There are plenty of crimes I could commit right now were if I take the right simple precautions of using signal law enforcement would not be able to gather the evidence to convict.  There are likely cases out there that are not being prosecuted just due to the fact that a device can't be accessed.  An example would be a peeping tom scenario.  Someone sees a glimpse of someone outside, stops them, then police are called.  The phone is encrypted so the police can't access anything, and can't compel the person to unlock it.  It is now a hearsay case and likely won't be prosecuted just because there isn't any evidence (sure they might know where the evidence is, but they can't access it)

 

End to end encryption is here to stay, and that's a good thing.  Things such as Signal have it's benefits and businesses operating require it to remain more safe...but again it creates a void where now an individual can be the gatekeeper to data that is critical to an investigation.

 

The conversation really then has to boil down to

- Is it worth letting crimes happen were convict-able evidence is not able to be accessed, or being unable to find accomplices  [not dismissing this as a valid argument, but in this day and age it seems as though more and more crimes may fall victim to this]

- Right to compel access to device

- Banning or weakening encryption [which I am completely against]

[BuckGup]

Why are people rejoicing that Signal complied with the FBI and gave data about a user when asked? It's not what was shared it's the principal they aren't upholding which defeats any confidence in security. Who knows maybe a timestamp and phone number were the only pieces needed to convict the person and the FBI knew that's the only info Signal stores.

[jagdtigger]

4 minutes ago, wanderingfool2 said:

Tell you what, instead of spouting the same old "oh it's going to be exploited" try saying how it can be exploited.

How they were able to force proton with an anti-terror law to catch some harmless activist, that law was never intended for this but still got used without any repercussion AFAIK. History has ample of examples how law can and will be exploited if authorities feel like it....

Giving them the power to force someone into submission feels way too similar to witch trials....

[wanderingfool2]

17 minutes ago, jagdtigger said:

How they were able to force proton with an anti-terror law to catch some harmless activist, that law was never intended for this but still got used without any repercussion AFAIK. History has ample of examples how law can and will be exploited if authorities feel like it....

Giving them the power to force someone into submission feels way too similar to witch trials....

That side-steps the issue, with an irrelevant questionable example...fyi though, "harmless" is very subjective.  I was 20 min late dropping someone off for cancer treatment once, do you know why?  Because climate activists were marching down a street nearby the hospital and I got caught in an area where I couldn't bypass them.  Driving home they were marching still slow marching, but this time along a route that ambulances take.  For the record there were 3 ambulances which got ensnared in the traffic, lights flashing, from what I saw before I got to a side-street to avoid it.  Characterize it what you want, but rarely activist parties are "harmless".  Under the way your logic works, I can say that activists should be allowed because they end up protesting causing damage.

 

As an fyi as well, it wasn't even an anti-terror law that enabled all of this on the Swiss side of things.  The activists were actively breaking a law, theft/damage to property, and trespass...where damage to property is what.  The request essentially got the IP address to identify them.

 

Your example also kind of plays into my hand.  Assuming it wasn't allowed, then the French authorities might not have been able to identify the individuals....or it would have taken more time (which means a more stretched thing police resource and higher cost to taxpayers).  Again, it breaks down to a few things, banning/weakening encryption, ability to compel an individual or letting things continue the trend.  Each with it's own sets of consequences.

[RejZoR]

1 hour ago, BuckGup said:

Why are people rejoicing that Signal complied with the FBI and gave data about a user when asked? It's not what was shared it's the principal they aren't upholding which defeats any confidence in security. Who knows maybe a timestamp and phone number were the only pieces needed to convict the person and the FBI knew that's the only info Signal stores.

And why people expect companies like Signal and ProtonMail to be above the law? Coz they are not. They need to comply with the law and it's just because of how they operate that they physically cannot supply more user data. If whatever timestamps alone are reason to convict you, then you were screwed anyway from the beginning.