An official FBI document dated January 2021, obtained by the American association “Property of People” through the Freedom of Information Act.
This document summarizes the possibilities for legal access to data from nine instant messaging services: iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp and Wickr. For each software, different judicial methods are explored, such as subpoena, search warrant, active collection of communications metadata (“Pen Register”) or connection data retention law (“18 USC§2703”). Here, in essence, is the information the FBI says it can retrieve:
-
Apple iMessage: basic subscriber data; in the case of an iPhone user, investigators may be able to get their hands on message content if the user uses iCloud to synchronize iMessage messages or to back up data on their phone.
-
Line: account data (image, username, e-mail address, phone number, Line ID, creation date, usage data, etc.); if the user has not activated end-to-end encryption, investigators can retrieve the texts of exchanges over a seven-day period, but not other data (audio, video, images, location).
-
Signal: date and time of account creation and date of last connection.
-
Telegram: IP address and phone number for investigations into confirmed terrorists, otherwise nothing.
-
Threema: cryptographic fingerprint of phone number and e-mail address, push service tokens if used, public key, account creation date, last connection date.
-
Viber: account data and IP address used to create the account; investigators can also access message history (date, time, source, destination).
-
WeChat: basic data such as name, phone number, e-mail and IP address, but only for non-Chinese users.
-
WhatsApp: the targeted person’s basic data, address book and contacts who have the targeted person in their address book; it is possible to collect message metadata in real time (“Pen Register”); message content can be retrieved via iCloud backups.
-
Wickr: Date and time of account creation, types of terminal on which the application is installed, date of last connection, number of messages exchanged, external identifiers associated with the account (e-mail addresses, telephone numbers), avatar image, data linked to adding or deleting.
TL;DR Signal is the messaging system that provides the least information to investigators.
signal ftw ✊
Yeah but I’m still mad about their decision to drop SMS/MMS.
Wonderful app, great handling of signal to signal messaging, but it really took away my ability to sell end to encryption to friends and family.
As I understand it, SMS and MMS aren’t encrypted (and that’s why support was dropped). Unfortunately, you were never selling your friends e2e as long as they kept using SMS, even if they used it through Signal. In fact, it’s arguable that the false perception of security in “now I’m texting through Signal, and that means it’s secure!” was even more damaging than never having switched in the first place. (Unless they went all the way and stopped using SMS, of course.)
So, nothing is lost from that perspective. Now you can more accurately recommend ppl to use Signal messages instead of SMS and know that you are more accurately selling e2e with every convert because they can’t keep using insecure messaging through Signal.
Maybe they are talking about feature that Signal, at the begging - long time ago, had feature to send encrypted SMS that they dropped and was forked into project Silence: https://git.silence.dev/Silence/Silence-Android which is now long abandoned.
Or maybe they talk about more recent events to totally drop sms support ( https://www.signal.org/blog/sms-removal-android/) which is great, it was confusing for me to differentiate.
sms through signal was not encrypted, how would that even work? how would the signal app even know your contacts were using an app that supports encryption?
You’re correct I should have better worded my point: Signal used to be a single app that someone could install that could handle sending out their regular unencrypted SMS messages and Signal encrypted messages.
Signal also did exactly what you’ve described - auto-enabled encryption when it detected another signal user by phone number.
The net result was more people using encrypted messaging.
That’s fair, though personally I’m kindof glad they did. “Signal is a secure messaging app” is a lot easier to explain to non-tech-savvy people than “Signal is a secure messaging app, as long as you are messaging someone who is using Signal too. It can also send regular texts but they can’t be encrypted.” Leaving that nuance out would have left people texting with a false assumption of security, but I lost several people explaining it because it “sounds complicated”.
Yeah, but now a lot of people I convinced to use it, no longer use it because they just want to use one app.
The really nice part about this is that this is exactly what Signal says they can share, and have been forced to share in the past. It’s a tested history of complete policy transparency.
and Session!