This is how little Signal knows about its privacy-loving users

Privacy win for encrypted messaging app.

Subpoena reveals just how little Signal knows about its privacy-loving users

Open Whisper Systems, the developers of encrypted messaging app Signal, got hit by a US government subpoena asking the firm to cough up any information they had on accounts associated with two phone numbers.

A gag order was put on Signal’s makers, preventing them from going public about the US government’s demands for private data. After a legal fight that gag order has now been lifted, revealing…

…well, not revealing that Open Whisper handed over masses of private information about some of Signal’s users, but instead that because the firm – by design – keeps so little data about its users and their communications, it was unable to produce anything of much value.


The American Civil Liberties Union, who represented Open Whisper in court, explains:

As the documents show, the government’s effort did not amount to much—not because OWS refused to comply with the government’s subpoena (it complied), but because the company simply does not keep the kinds of information about their customers that the government sought (and that too many technology companies continue to amass). All OWS was able to provide were the dates and times for when the account was created and when it last connected to Signal’s servers.


The only data Signal was forced to hand over was the date the account was created, and the date it was last used (and even then it was presented as the number of milliseconds since the UNIX epoch – January 1, 1970 00:00:00 UTC).

For many companies it could be quite damaging to reveal just how much data about their customers they had to share with the authorities. With Signal it’s a victory. Privacy wins.

There’s a simple lesson here. If you don’t keep the data in the first place, hackers can’t steal it from you, and governments can’t demand it from you.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

8 comments on “This is how little Signal knows about its privacy-loving users”

  1. Matt

    Some guy in a tent in Yemen is fist pumping with one hand and soldering with the other. Or maybe it's a pedophile. Who cares right? Privacy trumps all. Hooray for not tracking activity and not allowing anyone, including law enforcement with a subpoena, from getting up in our business.

    1. Arnie · in reply to Matt

      Wow, you're basic cable. You must be one of the idiots that thinks the government does no wrong. Let me guess, you have nothing to hide so you don't care about privacy? If that's the case, feel free to post your email account login and password. I mean, you have nothing to hide right? Nitwit.

      1. Chris · in reply to Arnie

        Specious reasoning FTW. Would you want a world where the proper authorities can't get access to any communications at all? It would be a nasty, brutish and short existence for us all. How many Orlando or Paris attacks get stopped before the public ever heard about them?

        The reality is that in 2016 LE/government requires at least *some* access to keep people safe. Yes, obfuscation and encryption are great tools for us all. They are also great tools for the bad guy. Where would you draw the line in the sand?

  2. cranstn rainston

    Well, if law enforcement actually took the time to LEGALLY get their subpoenas, instead of violating our privacy every chance they get, maybe these apps wouldn't be needed.

    1. Bob · in reply to cranstn rainston

      What about the protection these apps afford individuals against cyber criminals?

      For most people it's not law enforcement who are the enemy – it's criminals, hackers, blackmailers and snoops.

      1. Paul · in reply to Bob

        These apps only provide some of the protection we used to have. For example, if I sent you a letter via snail mail and some weeks later law enforcement went to the Postal service provider and asked what they knew about me or you, then how much could they tell them? Granted, we may need to do something looking forward to allow monitoring with a suitable subpoena/warrant, but retrospectively these apps only give us the protection we used to have.

        1. Chris · in reply to Paul

          LE can and do intercept snailmail perfectly legally (at least here in the UK), open it, copy it, and send it on to the bad guy who is mostly unaware.

          1. Paul · in reply to Chris

            Indeed and agree, but that's only looking forward. They can't look back in time to see snailmail from before the intercept started. Also they can only intercept mail to somebody. LE have no idea what someone sends unless they have the suspect under surveillance and see which postbox they post mail into.
