this post was submitted on 26 Jun 2023
674 points (100.0% liked)

Technology

37742 readers
497 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

An official FBI document dated January 2021, obtained by the American association "Property of People" through the Freedom of Information Act.

This document summarizes the possibilities for legal access to data from nine instant messaging services: iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp and Wickr. For each software, different judicial methods are explored, such as subpoena, search warrant, active collection of communications metadata ("Pen Register") or connection data retention law ("18 USC§2703"). Here, in essence, is the information the FBI says it can retrieve:

  • Apple iMessage: basic subscriber data; in the case of an iPhone user, investigators may be able to get their hands on message content if the user uses iCloud to synchronize iMessage messages or to back up data on their phone.

  • Line: account data (image, username, e-mail address, phone number, Line ID, creation date, usage data, etc.); if the user has not activated end-to-end encryption, investigators can retrieve the texts of exchanges over a seven-day period, but not other data (audio, video, images, location).

  • Signal: date and time of account creation and date of last connection.

  • Telegram: IP address and phone number for investigations into confirmed terrorists, otherwise nothing.

  • Threema: cryptographic fingerprint of phone number and e-mail address, push service tokens if used, public key, account creation date, last connection date.

  • Viber: account data and IP address used to create the account; investigators can also access message history (date, time, source, destination).

  • WeChat: basic data such as name, phone number, e-mail and IP address, but only for non-Chinese users.

  • WhatsApp: the targeted person's basic data, address book and contacts who have the targeted person in their address book; it is possible to collect message metadata in real time ("Pen Register"); message content can be retrieved via iCloud backups.

  • Wickr: Date and time of account creation, types of terminal on which the application is installed, date of last connection, number of messages exchanged, external identifiers associated with the account (e-mail addresses, telephone numbers), avatar image, data linked to adding or deleting.

TL;DR Signal is the messaging system that provides the least information to investigators.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 60 points 1 year ago* (last edited 1 year ago) (3 children)

Thanks for the great summary! Also a good reminder to people that storing your backups on a "as secure as we decide it is" service like iCloud isn't ideal if you want to protect your data from government snooping.

Edited to remove pre-coffee salt and lack of nuance.

[–] [email protected] 36 points 1 year ago (4 children)

This perspective lacks nuance.

a service like iCloud is a bad idea if you care about your privacy

Like all security and privacy measures, you have to consider your threat profile. From whom are you trying to maintain privacy from? If it’s other people or companies, then using a service like this is perfectly okay. If you’re worried about state actors or governmental agencies coming after you, then you have a very different set of requirements and considerations than most people, and you should plan accordingly.

But saying that services like this aren’t for people who care about their privacy is a little disingenuous. As with all things, it’s a matter of degrees.

[–] [email protected] 14 points 1 year ago

Fair point... and I'll edit the comment to reflect that. Thanks for catching the lack of nuance... guess fasting for 24 hours has me both tired and salty.

[–] [email protected] 7 points 1 year ago

Learn from Reddit, don't give corporations the power to do so and they can't inevitably abuse that power.

[–] [email protected] 7 points 1 year ago

I feel a lot of people get ‘dragnet surveillance against everyone on the internet’ mixed up with ‘being actively under pressure from a state-level actor’. If the likes of MI5 or the FBI were genuinely after someone they’d need a lot more than an encrypted messaging service and a VPN to avoid them.

I like my current setup but I’m under no illusion it would do much at all against the ‘electric cattle prod and water-boarding’ school of decryption exploits.

[–] [email protected] 6 points 1 year ago (1 children)

Excellent reply to the classic “apple = bad” comment

[–] [email protected] 9 points 1 year ago (1 children)

It's not so much Apple is bad as "commercial providers, including Apple, aren't great at privacy."

[–] [email protected] 1 points 1 year ago

I (and many others) would argue Apple is great at privacy, unless you are trying to hide from subpoenas

[–] [email protected] 12 points 1 year ago (1 children)

Generally agree, but this document is also from January 2021. Apple brought E2EE to almost all aspects of iCloud in December 2022 including iCloud Backups. It's opt-in, so theoretically, if you were having a conversation with a contact who didn't opt-in to E2EE but backed up their iMessages to iCloud, the government could still access your messages via that contact even if you opted-in to E2EE, but still.

[–] [email protected] 9 points 1 year ago

This. Apple users should turn it on in settings -> iCloud.

[–] [email protected] 4 points 1 year ago

Also depends on if the backup is properly encrypted. If it is, security of whatever storage you use is pretty irrelevant.