Encrypted or unencrypted. Distributed or hierarchical. Peer-to-peer or direct download. Open source or closed.
These are opposing methods of handling and dealing with data. You likely use all of them in some fashion even if you’re not aware of it. There are pros and cons to each. Some offer more user control, others offer more control to companies and service providers.
One technology might let you “peek under the hood” if you were so inclined, another is locked off to protect a company’s intellectual property. Each choice that a technology company makes about how it wants to handle user data has cascading effects that might not be known for some time.
Yesterday offered a stark juxtaposition that can result from these choices.
Open Whisper Systems receives Grand Jury subpoena for Signal user data
In the “first half of 2016” (the most specific we’re permitted to be), we received a subpoena from the Eastern District of Virginia.
We’ve designed the Signal service to minimize the data we retain about Signal users, so the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.
Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with.
All message contents are end to end encrypted, so we don’t have that information either.
Yahoo secretly scanned customer emails for U.S. intelligence
Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.
The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI.
In both instances, the government came knocking on the doors of these companies, demanding access to information. Open Whisper Systems pushed back, Yahoo rolled over and showed its belly.
If true, U.S. intelligence has breached the email information of every grandparent in America. Millions of pictures of cats and grandkids. https://t.co/HUfNUSbzf0
— Daniel Gershburg (@DanielGershburg) October 4, 2016
Despite its often rumored demise, email keeps trucking along. Why?
Interoperability. There is no additional app to install, account to create, or system to get used to. Need to communicate with someone you’ve never spoken to before at a new company? Send them an email. “It just works.”
But email has a number of issues. By default, it’s not encrypted. Very few people bother to run their own mail servers. More than likely they use a cloud based email provider (Gmail, Yahoo, etc.). That means lots of people have access to it. If you’re a lawyer, that’s a big no-no and a violation of attorney client privilege.
Not to mention that is vulnerable to prying (the government’s eyes). So is almost everything else you likely consider “private” that you do online. You can be forced to give up those “private” messages you send on Twitter and Facebook during discovery. It’s probably why my Social Media Subpoena Guide is one of my most popular posts. Which
I’m (finally) close to updating for 2016/2017. If you want to know when it drops, fill out the form below.
Why Secure Messaging?
But convenience and interoperability often come at the expense of security. Or at least that used to be the case. In the wake of various email leaks and scandals, encrypted, private messaging and calls have gained attention and prominence. Snapchat, the current social media darling, became popular because it offered self-destructing messages. It made people feel like they could be a bit more free with what they share…but actually Snapchat retains more information about what you do you than you think.
To truly remain private, you need a communication platform that is:
- Open source – Anyone can look at the code and see if there is any funny business going on under the hood.
- E2E Encrypted – Secure from prying eyes without the right key.
- Log free – The service has to be committed to logging as little information about its users as possible.
There are a number of communications services that offer some of these options: Whatsapp, Wickr, Telegram, etc. But Signal has gained the most traction of late due to its easy-to-use-design and endorsement from some high profile people who have had issues with government surveillance (like Edward Snowden).
And as can be seen from Whisper’s response to the subpoena they received, the endorsement is warranted. Whenever anyone subpoenas Whisper for user Signal data…they essentially don’t have anything to give them by design. Using Signal might take you a couple of extra steps, but it’s currently the best way to to ensure that your digital communication remain private.
How To Conceal Your Digital Wake
For the truly paranoid, while writing this post I also went back and updated my post on how to conceal your digital wake. A digital wake is the bits of information you leave behind that are stored and retained by other computers as you go about the internet. If you want a step-by-step guide on how to privately browse the interwebz, here you go.
Know what else you can open and close? My book.