Use Signal, Use Tor (FBI edition)
...unless your life depends on it.
A recent Rolling Stones magazine article describes what the FBI can get with a warrant from your chat/messaging apps (iMessage, WhatsApp, LINE, Signal, etc.). The article is sensationalized, but the FBI document they cite is pretty interesting. It mostly just confirms what we already know about these apps.
In this post, I’ll help you navigate what this means.
You should first note the difference between the above list and the traditional phone messages (“SMS”). The above document shows that it’s hard getting message contents from messaging apps. However, with plain old SMS messages, they easily get the full message contents. SMS is not encrypted, and not protected by the 4th Amendment. The FBI doesn’t even need a warrant to get SMS message contents from the phone company.
In contrast to “SMS”, the above “messaging apps” encrypt messages and they are protected by the 4th Amendment, even if they weren’t encrypted. Thus, to get message contents, the FBI would first need to show probable cause to a judge in order to get a warrant. It’s not a big hurdle, but still an important one.
But since these apps use end-to-end encryption, even with a warrant, the FBI still has difficulty accessing message contents.
The word “end-to-end” means the app encrypts the message on the phone before sending to the other end. Anybody in the middle cannot decrypt the message, including the service provider who is responsible for transferring the message from one end to the other. Thus, when texting somebody on the iPhone, using “iMessage”, Apple transfers the message, but cannot decrypt it and see its content. Even when the FBI gives Apple a warrant demanding the contents of your messages, Apple cannot comply.
At least, this applies as far as transfer through their servers is concerned. As the above document describes, there’s another problem: these apps will sometimes backup messages. Apple has their “iCloud” backup service, where sometimes messages can be visible. Even if the FBI can’t get in-transit “iMessages”, they can get “iCloud” backups — and any iMessages stored in the backup.
Simply disabling iCloud backups for iMessage, WhatsApp, LINE, etc. will close this hole. Some apps already block backups, so that you can’t accidentally backup Signal, Telegram, Wickr, etc. messages. That’s why we like these apps better, but it doesn’t mean the other apps are necessarily bad.
While the above chart shows the FBI probably can’t read your messages, it does show how they can often get “metadata”. This includes your contact list and who you’ve been messaging. Metadata is less useful than message contents in court, but more useful during investigations looking for other evidence to convict you.
In particular, such metadata may result in a warrant for the contents of your phone. The above chart is what the FBI can get from service providers, there’s a wholly different chart somewhere (unpublished) about what the FBI can get from people’s phones.
And that likely includes message contents. End-to-end encryption means your service provider can’t see the messages, but they still exist unencrypted on the ends. If the FBI can force you to unlock your phone, they can read the contents as easily as you can yourself. That’s why some apps automatically delete message from the phone after a certain period of time.
What does all this mean?
First of all, you should use privacy features whenever you can. If you only use them when you have something to hide, then it becomes a beacon telling adversaries that you have something to hide. If you use them all the time, they can’t tell the difference.
Second, some apps do a better job at privacy than others. The gold standard is Signal (and Tor). But they are harder to use. Apple’s iMessage and Facebook’s WhatsApp are designed to be easier to use and support, which means making some privacy tradeoffs. But apps like Signal aren’t that much harder to use.
Thirdly, these products help you protect your privacy. If you use them wrongly, such as securely chatting with somebody who is an informant for the FBI, then all your privacy is lost. They can’t automatically prevent you from making such mistakes.
That’s why I always suffix my recommendations “don’t take my advice is your life depends upon it”. If you are a political dissident on the run from the government (for example) then there is no substitute to becoming enough of an expert yourself such that you no longer need my advice.
But do install Signal if you want to chat or phone me, it’s my preferred method of communication. If not, use iMessage, WhatsApp, Wickr, or LINE.
Great post and breakdown!
Why is Signal better for privacy than Wickr? Wickr is harder to use, but I thought it was as paranoid as Signal.