Everyone who has been a long-time Signal user has been getting a bunch of notifications recently to let them know that [insert random contact here] has recently joined Signal.
It’s all part of the recent exodus to Signal from WhatsApp after it was revealed that WhatsApp is going to start sharing data with Facebook and forcing users to accept the new terms. Elon Musk even helped kick the uptake of Signal along by suggesting people use it. Signal uses end-to-end encryption to protect messages, so that makes it heaps, heaps, safe. Right?
Well for most people, sure, it’s secure enough. And what you’re using it for probably isn’t going to land you in gaol or threaten your job or your livelihood. But what about for those where it could? Protection online has always meant caring about abuse cases, not just use cases. Things need to work the way most people need them to, but we must also fiercely defend the people that stick their necks out and take risks for the greater good.
People in Australia care about privacy. In fact, almost 9 in 10 want more control over their personal information, and it’s a major concern for 70% of citizens. But technology is complicated, and there are lots of ways the apps and devices we use every day can and do undermine privacy. Eighty-three percent of Australians feel that their personal devices listening to their conversations and sharing data with other organisations without their knowledge is misuse, as is an organisation collecting information about them in ways that they would not expect.
Free and Open Source Software (FOSS) advocate Naomi Wu points out that keyboards on mobiles can have vulnerabilities and be compromised, thus bypassing Signal’s encryption. If your keyboard records what you type before Signal (or any other application) even sees it, that can place you at risk if you’ve assumed that everything you do in an app is encrypted and therefore safe. While the problem isn’t specific to Signal, it’s relevant to the humans who use Signal, and the humans are the important part.
"Chinese users aren't using the default Gboard; they can't. They are using third party Chinese language keyboards or the ones that are bundled with their phones," Wu said. "If that keyboard or the phone has a vulnerability, they are exposed. It doesn't matter how good an app’s encryption is."
Phones and keyboards could be compromised in any number of ways: from lax security policies or chained compromises to legal access requests from a government. In Australia we have various surveillance laws, such as the Assistance and Access Bill, which mean law enforcement can force a company to cooperate with the government to spy on people, and which make it illegal to tell you they’ve been asked to.
"Any data your keyboard transmits back to the servers of the company that makes it is subject to the laws of that country," Wu adds. If the maker of the keyboard is located in China, or Russia, or even the USA, they may be asked by that government for help to access your conversations.
People who rely on encryption for the security and safety of themselves, their colleagues, and their families need to understand the true risks so that they can protect themselves. If they understand the role their devices and applications play in keeping their data safe, they can understand how bypassing encryption can work in practice, and how those who wish them harm might try to do that.
Sure, it’s a difficult marketing message, and it’s not great that we need to tell people this, but at the end of the day who are we protecting?
For digital rights advocates it’s about protecting everyone, not just a special few. Encryption is for everyone, and everyone’s Electronic Freedom deserves to be protected.
If we stop protecting everyone’s rights, if we stop educating people about how technology really works, then we fail society.
So what can you do to improve your safety?
- Firstly, start with a good foundation. Preference applications with strong encryption and excellent privacy protections, like Signal! Signal is still the best messaging app for most people that we are aware of.
- Be cautious and aware that privacy and security have layers, and everyone’s risk profile is different. Signal is not a magic bullet, but it’s an excellent place to begin.
- When considering keyboards, look for ones with a focus on privacy. Consider not using keyboards that require contacting the internet, whether by using built-in keyboards that do not need to send data off device or by using voice and image features that don’t require typing characters.
- Advocate and educate tool providers on the additional needs of your communities. It’s well documented that tech has an issue with being male and white, so hearing diverse needs is critical.
- If you’re a journalist, or provide privacy training to journalists, be aware that culturally and linguistically diverse communities have additional software and therefore safety considerations. Minimise the risk you’re asking your sources to take.
Dive deeper with more resources:
- EFF Surveillance Self Defense