OS has AI, Siri, service that reads everything. Don't need to break encryption
Dystopian world
Android is open source. Install a third-party OS. There's no way they can read your unencrypted backups without raising giant red flags.
Nothing from Apple is open source so yeah, that's a strong possibility.
It is a tinfoil hat moment, but I often think the same thing (I use Signal extensively)
Again this is all conjecture but if they have been breached, I would imagine it was when Moxie suddenly left the company.
Another point of failure is how Signal is centralised. Have you ever tried Session? They moved countries when they were approached.
Ultimately, there has to be some trust involved though, which is where the healthy paranoia stems from.
I haven’t, but I use Matrix as the most idealistic level of communication protocol.
Ultimately though, my point is that the in-app security is only as good as the OS it runs on.
Signal is not breached. That is propaganda spread by those who see Signal as a threat.
Session is basically what people think Signal is.
Here’s a tinfoil hat take: Five Eyes is significantly reducing inter cooperation. The non-fascist parts of the alliance (...)
Who are those non-fascist parts exactly...? New Zealand?
Touché
~~non-fascist~~ less-fascist
I think Signal is better than no Signal
Signal needs to be more popular. It isn't the best in terms of anonymity but it is user friendly and well known. I would rather have lots of people on an app that is decent for privacy than a few on something highly anonymous.
If your Signal chats are unencrypted for consumption on your device, then that’s when the unencrypted content can be captured.
I have been critical on record here of Signal, but the issue you are describing is not a Signal issue, it is your OS issue.
The issue with Signal is that it leaks enough metadata to profile you and who you communicate with. There is no indication that it can be breached as of now.
Using a corpo-provided OS is the issue, be it Windows, iOS or Android...
These creeps got root access to your device so that means that glowies got access to your device.
Sounds like Windows Recall
Not that it’d surprise me, but where did Apple admit that they store the keys in the same cloud?
Also, not that I believe them, but what they communicate when you encrypt is that they don’t have that key and if you lose it it’s gone.
Not broadcast, but inferred.
https://support.apple.com/en-au/102651
Standard data protection
Standard data protection is the default setting for your account. Your iCloud data is encrypted in transit and stored in an encrypted format at rest. The encryption keys from your trusted devices are secured in Apple data centres so Apple can decrypt your data on your behalf whenever you need it, such as when you sign in on a new device, restore from a backup or recover your data after you've forgotten your password. As long as you can successfully sign in to your Apple Account, you can access your backups, photos, documents, notes and more.
Got it but they also say
If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you’ll need to use your device passcode or password, a recovery contact, or a personal recovery key. Because the majority of your iCloud data will be protected by end-to-end encryption, you'll be guided to set up at least one recovery contact or recovery key before you turn on Advanced Data Protection. You must also update all of your Apple devices to a software version that supports this feature. You can turn off Advanced Data Protection at any time. Your device will securely upload the required encryption keys to Apple servers and your account will once again use standard data protection.
Since they are closed source there is no way for me to verify that’s true, but that’s also not exactly in line with what you’re saying.
Your quote is about Advanced Data Protection, mine about standard. It’s a hidden 30 min setup that most people don’t bother with.
Yeah I know that, but for me that’s where it gets interesting. It doesn’t really matter to me what others do. And in a privacy community you can expect that at least we bother with those things. And whether or not my Advanced Data Protection really is proper E2EE, that’s where it gets interesting imo.
Not trying to antagonize you because I consider us on the same team, just saying that with this it's kinda the same as with crypto wallets: not your key, not your wallet (or in this case, not encrypted). If I just rely on Apple's default settings then yeah, I consider that compromised.