On a privacy note in general, I got an email from Proton today saying that they were changing their terms of service and I actually care enough about the service that I went and read the new terms and privacy policies for the products that I use. I will admit to not understanding a lot of the legal ease, but the part I was most interested in was the data retention policies and data encryption. And that all seems to be pretty bulletproof from a tech angle.
this post was submitted on 02 Oct 2024
97 points (97.1% liked)
Technology
58394 readers
4244 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
Telegram was built to protect activists and ordinary people from corrupt governments and corporations – we do not allow criminals to abuse our platform to evade justice.
So who gets to pick what's a lawful request and criminal activity? It's criminal in some states to seek an abortion or help with an abortion, so would they hand out the IPs of those "criminals"? Because depending on who you ask some will tell you they're basically murderers. And that's just one example.
Good privacy apps have nothing to hand out to any government, like Signal.
The second I went to sign up and learned a phone number was absolutely required, I knew that their privacy was pure bullshit. That little declaration at the end here is an absolute slap to the face.
Signal requires that as well. Their privacy is definitely not bullshit. As far as I can tell, it's a spam mitigation method. But yeah, Telegram is pretty much the very bottom of privacy. Even Meta now encrypts all messages across all platforms.
It's bad for privacy no matter how you sell it. Unless you have a good amount of disposable income to buy up burner numbers all the time, a phone number tends to be incredibly identifying. So if a government agency comes along saying "Hey, we know this account sent this message and you have to give us everything you have about this account," for the average person, it doesn't end up being that different than having given them your full id.
It's bad for privacy no matter how you sell it.
I mean it's not ideal but as long as it's not tied to literally any other information, the way Signal does it, it's "fine", and certainly not "bad" and especially not "pure bullshit".
So if a government agency comes along saying "Hey, we know this account sent this message and you have to give us everything you have about this account,"
They have done this several times, they give them nothing because they have nothing.
Says right there in the subpoena "You are required to provide all information tied to the following phone numbers." This means that the phone number requirement has already created a leak of private information in this instance, Signal simply couldn't add more to it.
Additionally, that was posted in 2021. Since then, Signal has introduced usernames to "keep your phone number private." Good for your average Joe Blow, but should another subpoena be submitted, now stating "You are required to provide all information tied to the following usernames," this time they will have something to give, being the user's phone number, which can then be used to tie any use of Signal they already have proof of back to the individual.
Yeah, it's great that they don't log what you send, but that doesn't help if they get proof in any other way. The fact is, because of the phone number requirement, anything you ever send on Signal can easily be tied back to you should it get out, and that subpoena alone is proof that it does.
This means that the phone number requirement has already created a leak of private information
What information? The gov already had the phone number. They needed it to make the request.
Additionally, that was posted in 2021.
Here's a more recent one.. Matter of fact, here's a full list of all of them. Notice the lack of any usernames provided.
Also note that a bunch of the numbers they requested weren't even registered with Signal, so the gov didn't even know if they were using the app and were just throwing shit at the wall and seeing what sticks.
You are required to provide all information tied to the following usernames
They can't respond to requests for usernames because they don't know any of them. From Signal: "Once again, Signal doesn’t have access to your messages; your calls; your chat list; your files and attachments; your stories; your groups; your contacts; your stickers; your profile name or avatar; your reactions; or even the animated GIFs you search for – and it’s impossible to turn over any data that we never had access to in the first place."
What else ya got?
but that doesn't help if they get proof in any other way.
If they're getting evidence outside of Signal, that's outside the scope of this discussion.
because of the phone number requirement, anything you ever send on Signal can easily be tied back to you should it get out
...no. It can't.
that subpoena alone is proof that it does.
It's proof that it doesn't.
Please, use some critical thinking here.
What information? The gov already had the phone number. They needed it to make the request.
Yes. That's the leak. A phone number can bridge the gap between your messages and your identity.
Notice the lack of any usernames provided.
You literally changed what I said to fit your narrative. Should a government agency already have access to a message and username, and make a legally valid request for the phone number associated with that username, Signal will be required by law to provide it, as it's already know and proven that they have access to it. The subpoena you provided shows that they already have the phone numbers, so it is moot to this point.
If they're getting evidence outside of Signal, that's outside the scope of this discussion.
No, it's not, that was literally the point of the discussion to begin with, you are the one trying to change it.
...no. It can't.
Do you not know how phone numbers work? Generally if you go through a reputable provider, you're going to be required to give at least your name. Additionally, even if you don't give them your address, your location can pretty easily be extrapolated from things like the area codes and areas in which the phone number has been used. A warrant/subpoena is all it would take, and since that phone number is already tied to any messages they may have, that ties them directly to your identity.
It's proof that it doesn't.
This one barely even warrants a response. You're either being plain obtuse or are genuinely failing to think critically about this, so I'll break it down for you. They wouldn't be serving a warrant to or subpoenaing Signal if they didn't know the accounts in question were involved in something, which at minimum strongly implies that they already have some evidence of these users' use of the service. Additionally, the fact that they're subpoenaing so many at once implies they were in some kind of group on Signal.
Let's try a hypothetical. Let's say we have downtrodden citizens A-F, who are using Signal to talk about Bad Government. Now, let's say someone from BG joins their group undercover and records those messages. Well, now BG wants to punish those poor DCs. If the undercover bad guy already has their phone numbers, job done, they can go find them. If not, all BG has to do is make a legal request for those phone numbers as associated with the usernames, which they do have. That would leave Signal with the choice of complying and directly harming these individuals, or becoming effectively a criminal entity within this territory.
Now, as for you, you have deflected, misquoted, misrepresented, and employed willful ignorance in this debate, and I will broker no further time for bad actors. Goodbye.
all BG has to do is make a legal request for those phone numbers as associated with the usernames, which they do have.
Once again, as I have explained several times now, no they don't.
You clearly have no intention of a civilized or honest conversation so have a nice day.
Another aspect is the social graph. It's targeted for normies to easily switch to.
Very few people want to install a communication app, open the compose screen for the first time, and be met by an empty list of who they can communicate with.
https://signal.org/blog/private-contact-discovery/
By using phone numbers, you can message your friends without needing to have them all register usernames and tell them to you. It also means Signal doesn't need to keep a copy of your contact list on their servers, everyone has their local contact list.
This means private messages for loads of people, their goal.
Hey, we know this account sent this message and you have to give us everything you have about this account
It's a bit backwards, since your account is your phone number, the agency would be asking "give us everything you have from this number". They've already IDed you at that point.
Yep, at that point they're just fishing for more which, hey, why wouldn't they.
It's a give and take for sure, requiring a real phone number makes it harder for automated spam bots to use the service, but at the same time, it puts the weight of true privacy on the shoulders and wallets of the users, and in a lesser way, incentives the use of less than reputable services, should a user want to truly keep their activities private.
And yeah, there's an argument to be made for keeping crime at bay, but that also comes with risks itself. If there was some way to keep truly egregious use at bay while not risking a $10,000 fine on someone for downloading an episode of Ms. Marvel, I think that would be great.
Exactly. The strive for zero knowledge is the proper way to be going.
But then you can't sell your customer's data for profit. Even if you don't now, you still have that option in the future.
Exactly. Which is the entire reason you should do it. Since you can't sell your customers for profit, that means you have to profit off of your customers. And another business could start up and compete with you. Also, your customers will trust you more.
Telegram users have never had privacy. Group chats are completely in the open and private messages are only encrypted if both users turn it on for each conversation—and it's off by default. I've never understood why anyone thinks Telegram is any better than posting anywhere else on the internet.
All this talk of encryption and sopenas is mostly pointless - all the police need to do is join any of the Telegram channels and see the evidence for themselves, like in this case - https://www.stuff.co.nz/nz-news/350438242/man-who-wanted-build-gallows-hear-jacinda-arderns-neck-snap-guilty-threats-kill
No doubt there are private channels but there's absolutely no shortage of criminal stuff happening out in the open.
all the police need to do is join any of the Telegram channels and see the evidence for themselves
I mean, that doesn't tell them who any of those people are?
That’s what subpoenas are for, to request the ip address and other identifying information are for. The documentation of activity in the channel is the evidence shown to a judge that then gets the official legal request.
That’s what that’s what subpoenas are for
Did you just not read the part of their comment that I quoted?
I did. Then I replied and here we are.
But your reply makes no sense since the person I was replying to specifically said they didn't need subpoenas.
No, they did not say that. Which is why I responded. You really do like to look for inane arguments.
If your strategy is just to blatantly lie about what was said, despite the fact that it's there for everyone to see, then I see no reason to continue this bad faith discussion. Bye.
Stop being eristic dude. Everywhere I go I see those dumbass comments of you. If no one here makes sense to you, then maybe the problem is in front of your monitor. But I'm pretty sure you're just looking for arguments.
Have you considered not following me around and harassing me? Or maybe just not being wrong all the time?
Half of them use their real name. Also a lot of them are sharing links to content they've posted using their personal FB account or whatever. They don't even try to have any opsec because they don't think they're doing anything wrong.
Half of them use their real name.
Which would never be admissible as evidence in court. I could make an account right now using your name, would that make you criminally liable for anything that I say?
Also a lot of them are sharing links to content they've posted using their personal FB account or whatever.
Do you think I couldn't create a FB account with your name? Do you know how many friend requests I get every day from redundant accounts trying to masquerade as people I'm already friends with?
All.non E2EE chat apps do this. Also Apple, Facebook, google etc. And don't forget the us gov has no problem giving a gag order and demand backdoors and encryption keys (lavamail).
France is going after activists and protesters. And it was France that held him. I think that says loads.