• Privacy and the move to Signal

  • Signal just experienced a boost to its user base due to WhatsApp’s recent policy changes. The need for privacy seems to be the main driver for this sudden rush to Signal, but what is the issue with privacy and how did we get here? Let’s take a look at the story around privacy.

    From my perspective privacy started to become an issue with Clipper Chip back in 1993. Wikipedia has the best description of Clipper Chip:

    The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency as an encryption device that secured “voice and data messages” with a built-in backdoor that was intended to “allow Federal, State, and local law enforcement officials the ability to decode intercepted voice and data transmissions.

    There were concerns this technology would be abused and our privacy would be violated. That was a somewhat prophetic observation. Over the years intrusions into privacy came in the form of the Patriot Act, Google, and then social media.

    Intrusions into Privacy

    Intrusions into privacy

    When Gmail hit the scene this was one of the first overt intrusions into online privacy. Gmail would scan the content of your email and show you ads based on that content. Social media sites would capitalize on this concept exponentially. Google Ads plays a big part in monetizing your data, your profile, and your online actions.

    Bruce Schneier has a book called Data and Goliath. In his book he says just like pollution was the side effect of the Industrial Revolution, data is the side effect of the digital revolution.

    The amount of data we are producing is staggering. 1.7MB of data is created every second by every person during 2020. In the last two years alone, the astonishing 90% of the world’s data has been created. 2.5 quintillion bytes of data are produced by humans every day. 463 exabytes of data will be generated each day by humans as of 2025

    Information as a commodity is highly profitable. Your data has a market value to corporations, threat actors, politicians, and many other entities you are probably unaware of.

    Our attention, focus and concern for privacy was about to change in a monumental way with the Snowden revelations.

    Privacy’s Watershed Moment

    NSA Surveillance

    The Snowden revelations was privacy’s watershed moment. Snowden revealed the comprehensive NSA surveillance program and how it was being abused. You can read more about this in a book called Dark Territory – The History of the Cyber War by Fred Kaplan, or watch the Snowden movie.

    The NSA surveillance program revealed just how little privacy we had at this point. Our data was being accessed without the proper authorization and abuses were slowly being revealed.

    The NSA’s surveillance program caused the EU-US Privacy Shield agreement to be invalidated. Privacy Shield was designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. 

    Max Schrems, and Austrian Lawyer played a huge part in this by taking Facebook to court. His argument was the due to the NSA surveillance program Facebook could not ensure the privacy of European Citizens.

    The court ruled in his favor and Privacy Shield was invalidated. Over time Privacy Shield was replaced with GPDR, the General Data Protection Regulation, which protects the privacy of citizens in the European Union and gives them access to courts in the United States.

    This was the start of the privacy movement and drive for secure applications to protect your data, communications, and provide online anonymity. I’ll get more into that later in this post.

    The Privacy Rabbit Hole

    Privacy's Rabbit Hole

    What is the driving force to invade your privacy and anonymity online?

    It depends.

    Business want to get ads for their products in front of you. Sometimes products you weren’t aware you needed. This is beneficial for both parties, and sometimes extremely creepy.

    Data analytics companies want to influence your behavior for certain agendas such as social issues, political issues, and legal issues. We saw this happen with Cambridge Analytica and how your voting behavior could be influenced based on your online behavior profile.

    Social media sites monetize your data for advertising and don’t get me started on credit reporting agencies. We are the main product for both of these business models with no control over how our data is being used.

    Threat actors want to steal your data for profit, identity theft, corporate espionage, and in some cases military espionage. What looks like individual breaches are sometimes events chained together for the purposes of blackmail, corruption, and spy craft.

    For example, the Office of Personnel Management data breach revealed interesting data of people within the government. Combine that data with the Ashley Madison breach and you might find one of these people having an illicit affair. That’s a good combination for blackmail or leverage to get at government secrets or espionage.

    Then there’s the data we are most familiar with such as financial and healthcare data. All these factors and more are what’s driving our concern for privacy.

    The government and law enforcement agencies want access to your data to detect and prevent domestic terrorism and other criminal activity.

    What we’ve started to realize is that domestic surveillance, social media companies, corporations, communications companies, data companies, and even strangers know far too much about us than we care for.

    If I Can See You, They Can See Us

    Eyes on privacy

    Let’s review some of the concerning privacy issues that you may or may not be aware of:

    Online activity: Your Internet activity can be tracked and logged using cookies, tracking pixels, web server logs, internet history, and ISP logs. You might consider using a VPN to get more anonymity, but the VPN provider can still track you.

    You think your can trust your VPN provider? Are you certain? This is a good time to review the story of a company called Crypto AG. Once again, Wikipedia sums it up nicely:

    Crypto AG was a Swiss company specialising in communications and information security. It was secretly jointly owned by the American Central Intelligence Agency (CIA) and West German Federal Intelligence Service (BND) from 1970 until about 1993, with the CIA continuing as sole owner until about 2018. With headquarters in Steinhausen, the company was a long-established manufacturer of encryption machines and a wide variety of cipher devices.

    That’s just one example of a government agency’s intrusion into privacy. This happens in other countries around the world. Consider that before you trust that online VPN provider wherever they may be.

    Even if you manage to totally secure your Internet activity, what you post online and how you communicate can still be used to identify you through writing and linguistic analysis. I recently tracked down someone harassing my daughter online using this same approach.

    Other areas that capture your activity and share your information:

    Turnpike cameras: They aggregate images of your vehicle and share those with investigation database companies. For a few dollars I can run your tag and get images with times and dates of your commute on the turnpike.

    Facial Recognition: This is in widespread use in certain areas to identify you. While the information may not be widely available to the public, certain entities are capitalizing on this intrusion into your privacy.

    Cell Phones: By now we should all know that we are literally carrying around one of best surveillance tools ever invented. You cell phone can be used to eavesdrop, capture images, video, GPS data, and provide access to you personal data stored on it. I’m starting to allude to one of the needs for Signal with this observation.

    OSINT: Open Source Intelligence is a method of using publicly available information to build a profile and gather information. All these entities intruding into your privacy also leak a lot of data about you.

    This makes it possible for the average person to spend a few hours online and determine where you live, what you like to eat, who your family member are, and any legal and financial issues you have, just to name a few data points.

    This isn’t a comprehensive list of all the intrusion into privacy that are out there, this is just a few to think about and there are many others.

    The Case for Signal

    The use case for Signal

    With some background on privacy in place, what’s to be gained from using Signal?

    Signal provides end to end encrypted messaging for texts, calls, and video. What makes Signal’s approach worth looking at is a concept called Perfect Forward Secrecy (PFS). PFS uses a different encryption key for each message so that even if one message is decrypted, the same decryption key can’t decrypt your other messages. This is a good approach to solid encryption. I won’t use a VPN connection without it.

    If you need a secure communication channel where your personal safety might be at risk, Signal is worth taking a look at. For example whistle blowers and journalists are two situations that would benefit from secure communications.

    A story that immediately comes to mind is the journalists reporting on the human rights violations in the UAE. These journalists had their iPhones hacked into for the purposes of identifying them for interrogation or even worse. With proper encrypted communications in place it would be impossible to obtain the communications of the reporters.

    Whatever your reasons are for looking for more privacy, it’s going to take more than just a few secure applications to achieve that. You will need to operationalize your approach to privacy, change your behavior, and make operational security (OPSEC) a priority. Even with all those changes, it’s still going to be a challenge to achieve total anonymity and privacy.

    Privacy Trade Offs

    Privacy trade offs.

    There are many arguments for and against the issues around privacy. At the forefront is national security and criminal activity. This is based on arguments of having backdoors into encryption for law enforcement purposes.

    There’s a benefit to be had in that context, but the problem is trusting it to not be abused.

    On the negative side of the argument: Total privacy and anonymity could prevent terrorism from being detected and prevented, certain crimes from be solved, and affect businesses that leverage online data for sales and marketing.

    Giving up a degree of privacy to achieve a balance would be beneficial in cases like this, but where do you place the guardrails, who gets access to the data, and how do we prevent it from being used against us? We are divided on both of these questions and may never find a true balance.

    The Paradox of Privacy

    The paradox of privacy.

    As much as we desire privacy and anonymity, we need to come to terms with it’s not likely or even possible at this point. All the technology and metadata can be used in some way to identify us on some level no matter how hard we try to achieve more privacy.

    When we say we want more privacy, what we can hope to get is more control over our data and how it’s being used. GPDR is an excellent approach to this.

    The GPDR approach to controlling and securing your data includes:

    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimization
    • Accuracy
    • Storage limitations
    • Integrity and confidentiality
    • Accountability

    We are seeing this approach taking place in the United States with California leading the way with the California Consumer Privacy Act. This act is very similar to GPDR in that it provides residents of California the following:

    • Know what personal data is being collected about them.
    • Know whether their personal data is sold or disclosed and to whom.
    • Say no to the sale of personal data.
    • Access their personal data.
    • Request a business to delete any personal information about a consumer collected from that consumer.
    • Not be discriminated against for exercising their privacy rights.

    These are good steps in the right direction and have been adopted by other states over the past few years.

    Privacy Resources

    Privacy Resources

    If you want to take a deep drive on privacy, and the current issues then the Electronic Frontier Foundation (EFF) is the place to look.

    The EFF maintains a collection of privacy tools, news stories, and helps those being singled out in some cases. The EFF is one of the best resources for stances agains intrusions into privacy in my opinion.

    Other sites for privacy tools: