An official FBI document dated January 2021, obtained by the American association “Property of People” through the Freedom of Information Act.

This document summarizes the possibilities for legal access to data from nine instant messaging services: iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp and Wickr. For each software, different judicial methods are explored, such as subpoena, search warrant, active collection of communications metadata (“Pen Register”) or connection data retention law (“18 USC§2703”). Here, in essence, is the information the FBI says it can retrieve:

  • Apple iMessage: basic subscriber data; in the case of an iPhone user, investigators may be able to get their hands on message content if the user uses iCloud to synchronize iMessage messages or to back up data on their phone.

  • Line: account data (image, username, e-mail address, phone number, Line ID, creation date, usage data, etc.); if the user has not activated end-to-end encryption, investigators can retrieve the texts of exchanges over a seven-day period, but not other data (audio, video, images, location).

  • Signal: date and time of account creation and date of last connection.

  • Telegram: IP address and phone number for investigations into confirmed terrorists, otherwise nothing.

  • Threema: cryptographic fingerprint of phone number and e-mail address, push service tokens if used, public key, account creation date, last connection date.

  • Viber: account data and IP address used to create the account; investigators can also access message history (date, time, source, destination).

  • WeChat: basic data such as name, phone number, e-mail and IP address, but only for non-Chinese users.

  • WhatsApp: the targeted person’s basic data, address book and contacts who have the targeted person in their address book; it is possible to collect message metadata in real time (“Pen Register”); message content can be retrieved via iCloud backups.

  • Wickr: Date and time of account creation, types of terminal on which the application is installed, date of last connection, number of messages exchanged, external identifiers associated with the account (e-mail addresses, telephone numbers), avatar image, data linked to adding or deleting.

TL;DR Signal is the messaging system that provides the least information to investigators.

  • argv_minus_one@beehaw.orgEnglish
    19·
    1 year ago

    Takeaways:

    • End-to-end encryption works.
    • The only trustworthy computer is your computer. Don’t use cloud storage.
    • The only trustworthy software is open-source software. Proprietary software serves the interests of the proprietor, not the user.

    All of this was already well-known, of course, but it’s always nice to get confirmation.

  • StrayCatFrump@beehaw.orgEnglish
    17·
    1 year ago

    Also remember this is useless without complementary security measures:

    1. Encrypt the storage on any device where these are installed (including your desktop/laptop drives if you install e.g. the desktop version of Signal).
    2. Lock your devices with pin or password, and store that pin/password only in your head (there’s no such thing as telepathy at this point in time so they can’t physically force it out of you, unlike biometric data like your fingerprints).

    If you are relying on “Legally they’re not allowed to,” instead of, “They simply can’t, despite all they might try,” then you’re not doing it right.

  • Napain@lemmy.mlEnglish
    16·
    1 year ago

    i love how telegram isn’t even encrypted or anything but they just ghost the authorities

    • __forward__@lemm.eeEnglish
      11·
      1 year ago

      To clarify because this is always a point of confusion whenever the topic comes up. Telegram is, of course, transport encrypted. Someone listening on the wire cannot read your data. It is not end-to-end encrypted, meaning Telegram can always read your messages and can, in principle, give anyone access.

      • ookees@beehaw.orgEnglish
        7·
        1 year ago

        That’s not entirely true. Telegram’s one on one secret chat is end to end encrypted. As well as one on one voice and video calls. Group chats are not end to end encrypted.

        Additionally Telegram does have an auto delete features built in for all of its chat types. So while I can’t entirely rule out that Telegram could have a backup of a chat somewhere, you have a bit more piece of mind if you turn on the auto delete feature.

        • __forward__@lemm.eeEnglish
          3·
          1 year ago

          Thanks for the clarification I should have mentioned this. Especially for calls it is actually relevant but I feel like very few people actually use secret chats.

      • locness3@discuss.tchncs.deEnglish
        2·
        1 year ago

        It’s worrying how Telegram says “all your chats are protected with strong encryption” while this is just standard stuff nowadays (wasn’t when Telegram came out, to be fair). While it’s technically true, it’s almost sure to be misinterpreted and have it sound like it’s equal to actual e2ee software

    • TemporaryBoyfriend@lemmy.caEnglish
      2·
      1 year ago

      This is why I prefer cloud services outside US jurisdiction, and refuse to use anything based in the USA - like iCloud. National Security Letters are a thing, and even massive companies like Apple can’t fight them.

  • tram1@programming.devEnglish
    14·
    1 year ago

    Telegram states at their site that: “To this day, we have disclosed 0 bytes of user data to third parties, including governments.”

    But according to Spiegel this is false. I don’t know German, I read the article using google translate, correct me if I’m wrong.

    Here is a quote from the article: “Contrary to what has been publicly stated so far, the operators of the messenger app Telegram have released user data to the Federal Criminal Police Office (BKA) in several cases.”

    If this is true, the fact that they are lying is very worrying…

      • tram1@programming.devEnglish
        3·
        1 year ago

        I don’t think this is what they mean. If you read the whole paragraph they also talk about “[…]the data that is not covered by end-to-end encryption”…

        It says that they have nothing to give on Secret chats, and then: “To protect the data that is not covered by end-to-end encryption[…]” … “Thanks to this structure, we can ensure[…]” … “To this day, we have disclosed 0 bytes of user data to third parties, including governments.”

        I mean, I would consider phone numbers, IPs, metadata, non-secret chats (I don’t know if that’s a thing, never used Telegram), to be “user data”.

        • Lexi Sneptaur@pawb.socialEnglish
          3·
          1 year ago

          I agree with you here, I’m simply playing devils advocate as to how Telegram can get away with this claim. I trust secret chats on Telegram and use them with my more… spicy acquaintances.

    • hare_ware@pawb.socialEnglish
      3·
      1 year ago

      I distinctly remember Telegram having given a phone number and account creation date for someone to a government, they didn’t have anything else to provide allegedly.

    • twhite@lemmy.mlEnglish
      6·
      1 year ago

      Yeah but I’m still mad about their decision to drop SMS/MMS.

      Wonderful app, great handling of signal to signal messaging, but it really took away my ability to sell end to encryption to friends and family.

      • Luke@lemmy.mlEnglish
        7·
        1 year ago

        it really took away my ability to sell end to encryption to friends and family

        As I understand it, SMS and MMS aren’t encrypted (and that’s why support was dropped). Unfortunately, you were never selling your friends e2e as long as they kept using SMS, even if they used it through Signal. In fact, it’s arguable that the false perception of security in “now I’m texting through Signal, and that means it’s secure!” was even more damaging than never having switched in the first place. (Unless they went all the way and stopped using SMS, of course.)

        So, nothing is lost from that perspective. Now you can more accurately recommend ppl to use Signal messages instead of SMS and know that you are more accurately selling e2e with every convert because they can’t keep using insecure messaging through Signal.

      • Panteleimon@beehaw.orgEnglish
        3·
        1 year ago

        That’s fair, though personally I’m kindof glad they did. “Signal is a secure messaging app” is a lot easier to explain to non-tech-savvy people than “Signal is a secure messaging app, as long as you are messaging someone who is using Signal too. It can also send regular texts but they can’t be encrypted.” Leaving that nuance out would have left people texting with a false assumption of security, but I lost several people explaining it because it “sounds complicated”.

        • flynnguy@programming.devEnglish
          2·
          1 year ago

          Yeah, but now a lot of people I convinced to use it, no longer use it because they just want to use one app.

      • ninchuka@lemmy.oneEnglish
        2·
        1 year ago

        sms through signal was not encrypted, how would that even work? how would the signal app even know your contacts were using an app that supports encryption?

        • twhite@lemmy.mlEnglish
          1·
          1 year ago

          You’re correct I should have better worded my point: Signal used to be a single app that someone could install that could handle sending out their regular unencrypted SMS messages and Signal encrypted messages.

          Signal also did exactly what you’ve described - auto-enabled encryption when it detected another signal user by phone number.

          The net result was more people using encrypted messaging.

        • Onihikage@beehaw.orgEnglish
          1·
          1 year ago

          Signal accounts are based on your phone number, so if you’re messaging a number that has an account with Signal, the app could see that and would send the message through Signal’s protocols to that Signal account instead of with the SMS protocol which is not encrypted.

    • StarkillerX42@lemmy.mlEnglish
      4·
      1 year ago

      The really nice part about this is that this is exactly what Signal says they can share, and have been forced to share in the past. It’s a tested history of complete policy transparency.

    • Sojourn@geddit.socialEnglish
      3·
      1 year ago

      I believe Matrix has the same encryption as Signal. Though there are some things that leak metadata, like reactions for some reason. Would like an investigation into it as well, as I pretty frequently use it. Obviously this is assuming it’s an encrypted chat. Though would also like to see the comparison of an invite only encrypted room, vs a public joinable encrypted room.

  • TemporaryBoyfriend@lemmy.caEnglish
    9·
    1 year ago

    And FYI, the info about Signal was confirmed as they received a subpoena a couple years back, and their response was part of the public court records.

    • ehrenschwan@feddit.deEnglish
      3·
      1 year ago

      Yeah, Signals response pointing to how their service works and than all the data consisting of only these two things war hilarious.

  • Melpomene@kbin.social
    5·
    1 year ago

    Thanks for the great summary! Also a good reminder to people that storing your backups on a “as secure as we decide it is” service like iCloud isn’t ideal if you want to protect your data from government snooping.

    Edited to remove pre-coffee salt and lack of nuance.

    • Leigh@beehaw.orgMEnglish
      4·
      1 year ago

      This perspective lacks nuance.

      a service like iCloud is a bad idea if you care about your privacy

      Like all security and privacy measures, you have to consider your threat profile. From whom are you trying to maintain privacy from? If it’s other people or companies, then using a service like this is perfectly okay. If you’re worried about state actors or governmental agencies coming after you, then you have a very different set of requirements and considerations than most people, and you should plan accordingly.

      But saying that services like this aren’t for people who care about their privacy is a little disingenuous. As with all things, it’s a matter of degrees.

      • Melpomene@kbin.social
        6·
        1 year ago

        Fair point… and I’ll edit the comment to reflect that. Thanks for catching the lack of nuance… guess fasting for 24 hours has me both tired and salty.

      • mobyduck648@beehaw.orgEnglish
        2·
        1 year ago

        I feel a lot of people get ‘dragnet surveillance against everyone on the internet’ mixed up with ‘being actively under pressure from a state-level actor’. If the likes of MI5 or the FBI were genuinely after someone they’d need a lot more than an encrypted messaging service and a VPN to avoid them.

        I like my current setup but I’m under no illusion it would do much at all against the ‘electric cattle prod and water-boarding’ school of decryption exploits.

        • Melpomene@kbin.social
          1·
          1 year ago

          It’s not so much Apple is bad as “commercial providers, including Apple, aren’t great at privacy.”

          • fades@beehaw.org
            1·
            1 year ago

            I (and many others) would argue Apple is great at privacy, unless you are trying to hide from subpoenas

    • xray@beehaw.org
      1·
      1 year ago

      Generally agree, but this document is also from January 2021. Apple brought E2EE to almost all aspects of iCloud in December 2022 including iCloud Backups. It’s opt-in, so theoretically, if you were having a conversation with a contact who didn’t opt-in to E2EE but backed up their iMessages to iCloud, the government could still access your messages via that contact even if you opted-in to E2EE, but still.

    • Azzu@discuss.tchncs.de
      1·
      1 year ago

      Also depends on if the backup is properly encrypted. If it is, security of whatever storage you use is pretty irrelevant.

  • GuyDudeman@beehaw.orgEnglish
    5·
    1 year ago

    Here’s my foolproof method of not having any issue with the FBI: Don’t do illegal stuff.

    • Wowbagger@lemm.eeEnglish
      34·
      1 year ago

      You’d be surprised at how many things you do today that has been illegal or will be illegal in the future. The last part is the real scary one.

    • flora_explora@beehaw.orgEnglish
      26·
      1 year ago

      This is such a bad take lacking any solidarity with people that have no choice in doing illegal stuff or who are trying their best to make the world a better place. What is legal or illegal is solely defined by governments. In the context of the US, it is now illegal in some parts to have an abortion, to be transgender, to be an immigrant, to be black, etc. So “don’t do illegal stuff” is a reminder of your privileged position to be able to lean back and have nothing to fear, while other people just by existing or by trying to survive automatically are considered illegal. And think of all the whistleblowers like Edward Snowden. We as peole are much better off because of them, yet they have to fear the state’s repressions.

      Your response makes me really angry just by how inconsiderate and insulting it is :(

      • GuyDudeman@beehaw.orgEnglish
        1·
        1 year ago

        Edward Snowden immediately fled to a fascist kleptocracy. Dude doesn’t care about anything. He just wanted his fame and glory and to save his own ass.

        Where in the US is it “illegal” to be trans or black? C’mon.

        And even then, it’s not a federal issue. The FBI doesn’t give a shit whether or not someone travels to another state to get an abortion.

    • MagicShel@programming.devEnglish
      13·
      1 year ago

      While Don’t break the law, asshole is solid advice for staying off the FBI’s radar, it’s not really a guarantee.

      • DekkerNSFW@lemmy.fmhy.mlEnglish
        17·
        1 year ago

        And sometimes, justice requires breaking the law. Remember that the Holocaust was legal and Stonewall was not.

          • Cenzorrll@beehaw.orgEnglish
            5·
            1 year ago

            You’re right, it’s 2023 and Roe v. Wade was recently repealed, what do you think about that?

              • Cenzorrll@beehaw.orgEnglish
                3·
                1 year ago

                Saying “it’s 2023” has no bearing on what is possible, seeing as how our society just lost 50 years of federally protected health and privacy rights. It’s 1972 to half the population now, not 2023.

                Your argument “don’t do anything illegal and you won’t have anything to hide” is worthless to the half the population that had their rights to make their own health decisions stripped away from them.

                Your statements are the Mason guy of the 40s anti-fascist propaganda.

                https://www.youtube.com/watch?v=rJriMuVEPMY&pp=ygUQRG9udCBiZSBhIHN1Y2tlcg%3D%3D

                • GuyDudeman@beehaw.orgEnglish
                  1·
                  1 year ago

                  You guys are talking specifically about the FBI, which has no jurisdiction over abortion law enforcement.

          • jherazob@beehaw.orgEnglish
            4·
            1 year ago

            You’re now being intentionally obtuse, again look at all the anti-trans legislation, look at the repeal of Roe, look at all that and so much that is in the works, the fact that you’re in the privileged position to ignore it AND proceed to also ignore how damn many people don’t, leads me to believe you’d be the guy hiding the zombie bite in the team. Don’t be the guy hiding the zombie bite in the team, you can do better.

            • GuyDudeman@beehaw.orgEnglish
              1·
              1 year ago

              There is no place in America where it is illegal to be trans.

              And you’re talking about just state issues. The FBI only deals with federal issues.

      • GuyDudeman@beehaw.orgEnglish
        1·
        1 year ago

        There are no guarantees in life. Who’s to say that the FBI didn’t write this article specifically to direct people to use Signal?

        • Murais@lemmy.oneEnglish
          27·
          1 year ago

          And everyone knows that the FBI was never involved in the extrajudicial killing of an innocent dissident besides that one time.

            • Murais@lemmy.oneEnglish
              1·
              1 year ago

              Can you name all of the actors that played Putties in the original English run of Power Rangers from the 90s?

              See, I can set arbitrary, movable goal posts, too.

              It doesn’t work that way. FBI documents remain classified for 50 years before being accessible to FOIA. That means that we don’t have the means to confirm culpability outside that 50-year window.

              I can throw names at you. But here’s what I know will happen in response. You will either;

              A) Claim the person was not innocent. Despite conflicting claims, they either had a weapon, attempted violence, whatever. So they deserved to be murdered.

              Or

              B) The situation is not clear. Nobody was outright blamed. Details are fuzzy. Investigations were inconclusive.

              Regardless of what I post, the outcome will never be “Wow, you’re right. I guess law enforcement does kill innocent people without impetus sometimes.” You will always move the goal posts and claim that I did not meet your burden of proof. Because you’re arguing ideologically in bad faith. And since I’m not a fucking idiot, I’m not going to waste my time.

              And if you want to say that you are, in fact, arguing in good faith, then my rebuttal is simple;

              I’m not doing your fucking homework for you, Billy.

    • jherazob@beehaw.orgEnglish
      6·
      1 year ago

      Tell that to trans people in Florida, or people seeking abortion healthcare on Texas

  • sparky@lemmy.federate.cc@lemmy.federate.ccEnglish
    4·
    1 year ago

    iMessage is now fully secure like Signal and Telegram, if you’ve enabled advanced data protection in your Apple ID. This also protects your photos and other personal information from snooping and data breaches. Apple users should turn on this great feature in Settings -> iCloud.

    • emzaid@infosec.pubEnglish
      4·
      1 year ago

      I’ve been using session as my family chat. The only thing I dislike is its connection to Oxen. But it makes an interesting case for resistance to Sybil attacks. But that’s not really in my threat model for family messages lol. I’m mostly happy we moved the fuck away from messenger. I’ll probably move them to matrix, but I gotta wait a bit before switching them again lol

      In terms of usability, it’s not hard to set up and has been very stable for the 1.5 years we’ve been using it. Even getting my less tech savvy family on it was pretty easy.