Signal not in compliance with new rules, say officials(hindustantimes.com)
hindustantimes.com
Signal not in compliance with new rules, say officials
https://www.hindustantimes.com/india-news/messaging-application-signal-not-in-compliance-with-new-rules-say-officials-101624508925464.html
98 comments
This is the major downside of centralised app stores. On the plain old internet, nobody had to care about the whims of regressive governments. Worst case, the government would try to block the website and often fail and/or face public backlash. Now, the government can just tell google or apple that they don't like the app, and the problem is solved. This is quite tragic for an app like signal because it really does not deal with the country's currency in any shape nor does it have any presence in the country, but because google/apple have to do business in the country, signal takes the fall.
And before you say "just buy a different device" my understanding is that Indian customs have blocked the PinePhone.
Well, and even if they weren't, it costs a lot of money and means you loose access to your existing apps and ecosystem.
The pinephone is very cheap, but yes you lose your ecosystem.
Cheap for us or cheap for people in India?
The cheapest Pinephone ($150) costs about the same as the average smartphone in India.
Yes, but adjust for salary in india.
Well yes, but there are almost no new phones under that price. It's priced appropriately for a new phone in India.
But the phone you already have, once purchased, costs $0. So it's a high switching cost!
of course, you would either sell the phone or wait for it to break or become too old before switching.
I'm really interested how this will continue. At least on Android phones you can still sideload Signal via an alternative app store.
If you want to piggy back on Google's centralized notification system (which saves network and battery usage), you have to distribute via the play store. I have no idea whether signal does this, but it would make sense for them to.
Signal has a means of delivering push notifications using their own infrastructure via websockets. It has a higher battery drain than using Google's push infrastructure, but it works.
You don't. You do need to create an app in the Google API console to obtain the key to send GCM notifications, but that's completely independent from the Play Store.
Also I believe microG does intermediate with GCM if you ask it to.
There has been speculation that in a future Android version, Google will extend features of its Advanced Protection program to all devices. One of those is that sideloading of APKs will no longer be possible unless you do it over the command line via ADB. Only a tiny percentage of the population, techies like us, would be comfortable doing that. So, "you can still sideload" might not be a thing for long.
It definitely becomes tiresome than downloading an alternative chat app from Playstore. Signal has been gaining ground in India since Whatsapp came up with its new terms. A ban on Playstore will hinder that progress.
This is one of the big reasons I've chosen to use Android where I can install apks on my device. Though I may not have the "blue bubble" of iMessage so many in the USA seem to associate with higher status
Android allows sideloading apps, and IIRC the market share of iOS in India is very small.
> On the plain old internet, nobody had to care about the whims of regressive governments.
Wasn't X forced to not have encryption built in due to the US's horrible encryption laws at the time?
Wasn't X forced to not have encryption built in due to the US's horrible encryption laws at the time?
> centralised app stores
Makes me wonder...are there blockchain-based app stores that could serve as a viable alternative?
Makes me wonder...are there blockchain-based app stores that could serve as a viable alternative?
No need for a blockchain. Distributed software distribution has been around forever, whether it was handing out disks back in the day or streaming warez over BitTorrent now. The problem is trust.
Blockchain enabled transaction processing where the parties to the transaction don't need to trust each other, as long as they are only transacting in goods stored on the blockchain. Once you get into the world of one party having to physically deliver something the other party will use, you're back to the problem of trust.
So until all software runs on the blockchain, no, as long as you still need to install it onto your device, you need to be able to trust the delivery network. You certainly don't need a central authority for that. Normal desktop devices work perfectly fine with people relying on PGP signatures in common Linux distros or something like Chocolatey on Windows and Brew on Mac. But you don't need a blockchain, either, nor does it add any value.
Blockchain enabled transaction processing where the parties to the transaction don't need to trust each other, as long as they are only transacting in goods stored on the blockchain. Once you get into the world of one party having to physically deliver something the other party will use, you're back to the problem of trust.
So until all software runs on the blockchain, no, as long as you still need to install it onto your device, you need to be able to trust the delivery network. You certainly don't need a central authority for that. Normal desktop devices work perfectly fine with people relying on PGP signatures in common Linux distros or something like Chocolatey on Windows and Brew on Mac. But you don't need a blockchain, either, nor does it add any value.
Why would you need blockchain? For decades decentralized services worked without blockchain.
A blockchain allows developers to out-source the running of a globally-available append-only log. Such a log is useful for building something like Trillian:
https://transparency.dev/#trillian
https://transparency.dev/#trillian
Ok but how does a globally-available append-only log help distribute applications ? The technology is probably interesting, but it doesn't help solve the problem at hand
If you can securely distribute the hash of the binary, you can probably also distribute a set of URLs representing where the binary can be downloaded from.
Bittorrent would fit well as a way of distributing the apps themselves, as that ecosystem already uses magnet links, and developers could quite cheaply run a node which acts as a seed of last resort.
Bittorrent would fit well as a way of distributing the apps themselves, as that ecosystem already uses magnet links, and developers could quite cheaply run a node which acts as a seed of last resort.
Bittorrent has everything you'd need for distributing apps: of course the distribution of binaries is there, but it also has storing of arbitrary information, even mutable (http://bittorrent.org/beps/bep_0044.html). This way once you have a version you can fetch further versions by periodically polling the hash that contains the latest version.
I was very confused by this comment until I realized that this is a different project from the Trillian messenger.
But bLoCkChAiN!!
> “Signal has not complied with the guidelines. Services like iMessage do not fall under the traceability clause since the significant social media intermediaries in the nature of messaging services have to comply,” said an official, requesting anonymity.
What does “Services like iMessage do not fall under the traceability clause since the significant social media intermediaries in the nature of messaging services have to comply” mean?
What does “Services like iMessage do not fall under the traceability clause since the significant social media intermediaries in the nature of messaging services have to comply” mean?
"you don't decrypt message for us so we don't like you"
They probably have a method to trace message metadata using the application provider's infrastructure.
It's sort of like a home phone. Law enforcement officials can contact Verizon to learn who you called and who called you, what time, duration of the call, etc.
It's sort of like a home phone. Law enforcement officials can contact Verizon to learn who you called and who called you, what time, duration of the call, etc.
You mean with a warrant right?
Warrants have legal meaning but little practical impact. They can be requested and granted very easily. The process offers very little protection. If the cops ask for warrant to request the list of numbers called, they will get it.
That said, warrants are not always needed. The logic goes that the phone company already knows who you have called. They needed that information when they connected the calls. They store that information for billing purposes. So connection/metadata isn't private because you have already shared it with the phone company. In many countries that is sufficient to moot the entire warrant debate. (This logic then extends to other data used to make connections and route internet traffic such as IP addresses.) And if the phone company/ISP is a state-owned/backed/licensed enterprise there is little privacy left to argue over.
That said, warrants are not always needed. The logic goes that the phone company already knows who you have called. They needed that information when they connected the calls. They store that information for billing purposes. So connection/metadata isn't private because you have already shared it with the phone company. In many countries that is sufficient to moot the entire warrant debate. (This logic then extends to other data used to make connections and route internet traffic such as IP addresses.) And if the phone company/ISP is a state-owned/backed/licensed enterprise there is little privacy left to argue over.
> Warrants have legal meaning but little practical impact. They can be requested and granted very easily. The process offers very little protection. If the cops ask for warrant to request the list of numbers called, they will get it.
What are you basing this on? Warrants require probable cause (in the US at least). Are you saying that that the probable cause requirement still allows warrants to be granted very easily? Or that the probable cause requirement is not being followed?
What are you basing this on? Warrants require probable cause (in the US at least). Are you saying that that the probable cause requirement still allows warrants to be granted very easily? Or that the probable cause requirement is not being followed?
> Are you saying that that the probable cause requirement still allows warrants to be granted very easily? Or that the probably cause requirement is not being followed?
Well, both.
Warrants may be granted very easily via the FISA courts [0]. They are unenforced in the warrantless wiretap programs [1]. If your wiretap happened to be illegal, and you want to work around this to win the court case anyway, you use parallel construction to build a case that does not rely on the secret wiretap [2]:
> Because the SOD's work is classified, DEA cases that began as NSA leads can't be seen to have originated from a NSA source.
> So what does the DEA do? It makes up the story of how the agency really came to the case in a process known as "parallel construction."
[0]: https://en.wikipedia.org/wiki/United_States_Foreign_Intellig...
[1]: https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_(...
[2]: https://www.washingtonpost.com/news/the-switch/wp/2013/08/05...
Well, both.
Warrants may be granted very easily via the FISA courts [0]. They are unenforced in the warrantless wiretap programs [1]. If your wiretap happened to be illegal, and you want to work around this to win the court case anyway, you use parallel construction to build a case that does not rely on the secret wiretap [2]:
> Because the SOD's work is classified, DEA cases that began as NSA leads can't be seen to have originated from a NSA source.
> So what does the DEA do? It makes up the story of how the agency really came to the case in a process known as "parallel construction."
[0]: https://en.wikipedia.org/wiki/United_States_Foreign_Intellig...
[1]: https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_(...
[2]: https://www.washingtonpost.com/news/the-switch/wp/2013/08/05...
You are talking about a particular type of warrant. I don't think the average local police force is getting FISA warrants for their day-to-day police work (maybe I'm wrong? I would like to see numbers on that before I change my mind though), and OP did not limit their statment to FISA warrants.
The news sources I've encountered seem to imply otherwise. The linked Washington Post article was an early hint at this, and built on original material from [0]. Now we have other sources backing this up, such as [1], and detailed breakdowns of this practice with lots of evidence as seen in [2]. Just search for the word "local" or "state" in [2] if you need the details.
[0]: https://www.reuters.com/article/us-dea-sod/exclusive-u-s-dir...
[1]: https://theintercept.com/2018/01/09/dark-side-fbi-dea-illega...
[2]: https://www.hrw.org/report/2018/01/09/dark-side/secret-origi...
[0]: https://www.reuters.com/article/us-dea-sod/exclusive-u-s-dir...
[1]: https://theintercept.com/2018/01/09/dark-side-fbi-dea-illega...
[2]: https://www.hrw.org/report/2018/01/09/dark-side/secret-origi...
>> Are you saying that that the probable cause requirement still allows warrants to be granted very easily?
Yes. Probable cause is not a significant burden and can be met with "evidence" that would normally never be admitted. Cops regularly rely on unnamed out-of-court CIs. For telephone call records, the simple fact that a phone number appeared during an investigation is likely enough for a warrant to see which other numbers it has connected to.
Yes. Probable cause is not a significant burden and can be met with "evidence" that would normally never be admitted. Cops regularly rely on unnamed out-of-court CIs. For telephone call records, the simple fact that a phone number appeared during an investigation is likely enough for a warrant to see which other numbers it has connected to.
Interesting, thanks.
The problem is that no warrant is needed if the phone company complies without asking for one.
Basically the government says "hey can we see this users data? (And if you say no, we'll get a warrant that requires you to do extra work)", and then the phone company turns over your data without requiring the warrant because they don't care about you.
I was specifically addressing OP's statement that the warrant requirement does not offer much protection - I'm not talking about situations where a warrant is not required. I think I probably agree with you that over-compliance by phone companies is a problem, but that's not what I was asking about.
Third-party doctrine had eroded the need for warrants for a long time. Luckily there's been progress in slowly clawing back our rights in the last decade or so.
https://en.wikipedia.org/wiki/Third-party_doctrine
https://en.wikipedia.org/wiki/Third-party_doctrine
Hopefully yes, but that's a separate matter. The important part is that it's technically feasible and you can then use whatever legal (or otherwise) mechanisms to get the metadata.
In the USA, the Stored Communication Act lets law enforcement pull call records without a warrant, if that's what you were asking?
Yes, a perfectly valid legally issued warrant for any and all details about all messages the officer wants.
Obfuscated "we want Apple to move some production to India, this is why we don't want to piss them off".
I think it makes a bit more sense as "significant social media platforms in the guise of messaging services" , since iMessage doesn't function as a social media platform.
edit: removed editorializing.
edit: removed editorializing.
That’s the only interpretation that at least makes some kind of sense.
Not that I agree with it. Signal and iMessage have way more in common than they do differently, but at least it’s a coherent sentence.
Not that I agree with it. Signal and iMessage have way more in common than they do differently, but at least it’s a coherent sentence.
It probably means that usage of iMessage is not significant enough.
I would be amazed if less than 5 million people in India used iMessage.
[deleted]
It's well known that the Indian government is no friend of an uncensored Internet. Look at the great many well documented instances of them messing around with it:
https://en.wikipedia.org/wiki/Internet_censorship_in_India
https://en.wikipedia.org/wiki/Internet_censorship_in_India
Indian government is just the reflection of the majority in India. They can do these things because they know that the majority don't care about these issues. Take the same bunch of people in the government and put them in Germany and they would be making pro privacy laws left and right all day.
A "reflection of the majority in India" assumes that everyone in India votes or can vote which I find to be extremely unlikely given most of the population live in rural areas and are uneducated.
Indian election rules state "no voter should have to travel more than 1.24 miles to vote."[1] It's irrelevant that most of the population is rural. They can all vote.
1. https://www.washingtonpost.com/world/asia_pacific/election-w...
1. https://www.washingtonpost.com/world/asia_pacific/election-w...
India's literacy rate is around 70%. So the majority is not uneducated.
The voter turnout for 2019 Indian election was 67% compared to 66.7% of 2020 US election. So your rural areas and uneducated theory leads to less votes doesn't hold much essence :)
The voter turnout for 2019 Indian election was 67% compared to 66.7% of 2020 US election. So your rural areas and uneducated theory leads to less votes doesn't hold much essence :)
funny.
do you know the criteria for being called a literate in india?
http://gojiberries.io/2006/07/03/literacy-in-india-can-india...
sorry if the source is old, i couldnt find a fresh one. the argument still holds, india is counting being a "literate" as someone who can write his/her name or read passages from 2nd grade. if that is what is passing as being literate then yeah, india is a literate country. if not then don't trust these figures
sorry if the source is old, i couldnt find a fresh one. the argument still holds, india is counting being a "literate" as someone who can write his/her name or read passages from 2nd grade. if that is what is passing as being literate then yeah, india is a literate country. if not then don't trust these figures
[deleted]
[deleted]
who gives a flying fuck about credentials - the 'Chai walla' will run circles on 80% of HN crowd with his street smarts.
careful. HN might be forced to disclose your "metadata" for trying to tarnish the image of the supreme jumla minister
They vote. All 1.4 billion of them. Right down to the smallest and poorest villages. It fields a vast array of parties and political ideologies. India well deserves its title as "the world's greatest democracy".
A much larger population of Indians are educated than you might think, and India has higher voter turnout than the US does.
Not if you look at literacy rates.
The voting process in India has excellent coverage of rural areas.
Yeah. Vox made a very good video about it during the last elections.
https://youtube.com/watch?v=RWldvqO4AIY
https://youtube.com/watch?v=RWldvqO4AIY
This is a quick way to further increase Signal's user base. If someone in India does not know about Signal, this type of "don't use it! it's noncompliant!" government behavior will drive more users to the platform.
Many have tried Signal in the past few months here in India because of WhatsApp's privacy policy changes which managed to create quite a buzz. None of my friends stuck around though. Everyone is back to WhatsApp.
Couldn't the Government ban Signal relatively easily? A simple dns ban should suffice, no?
DNS injection can be relatively easily bypassed by using DNS over HTTPS/TLS.
ISPs usually block websites by terminating the connection on seeing a blacklisted SNI which is part of the TLS handshake (So the server can respond with the appropriate TLS certificate). The only way to bypass is either to use domain-fronting (aka using different SNI/Host, not standard-compliant, doesn't work with most CDNs), or use a different protocol. (Not that practical)
ECH/eSNI plan [1] to make the SNI encrypted, and therefore uncensorable in future. (The draft is now in it's later stages). Ofcourse this can end up with government potentially blocking all ECH traffic.
[1] https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni
[1] https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni
Signal responds to dns banning with their own tricks. Previously it was domain fronting https://signal.org/blog/looking-back-on-the-front/ I'm sure they wouldn't leave India without a similar fight.
The government of India is turning fully fascist and wants to have tight control over every narrative. Signal shouldn't yield
They're going to get banned from the AppStore then. The end result will be Signal being forced underground with far fewer users. There's nothing Signal can do, really.
Add: and Signal's centralized server IPs banned. Signal is really weak here; shouldn't have been centralized to begin with.
Add: and Signal's centralized server IPs banned. Signal is really weak here; shouldn't have been centralized to begin with.
Signal can pull a Durov and start hopping popular cloud hostings and CDNs, pushing latest server IPs via FCM. This worked for a year in Russia - they banned several large subnets of AWS and DigitalOcean, millions of IPs and smaller subnets, temporarily banned Google, but in the end still gave up after a year.
Signal has already tried similar approaches (domain fronting), and had to stop because the cloud providers do not want any of it.
> Add: and Signal's centralized server IPs banned. Signal is really weak here; shouldn't have been centralized to begin with.
Here is Moxie's talk about this very subject, and why he thinks that decentralized products can be much weaker products.
https://www.youtube.com/watch?v=Nj3YFprqAr8
Here is Moxie's talk about this very subject, and why he thinks that decentralized products can be much weaker products.
https://www.youtube.com/watch?v=Nj3YFprqAr8
Then people will sideload it. Those who care, anyway, I don't know how many do.
sremani(2)
It sounds as if Signal could comply with this by removing the "forward" button in India, right? Then there is no "first originator" as seen by Signal.
There still is, of course. Cut and paste works, and android's share works, but both of those send the message out of Signal (and perhaps back into Signal).
There still is, of course. Cut and paste works, and android's share works, but both of those send the message out of Signal (and perhaps back into Signal).
They say that honest and nonviolent people have no need for self-keyed cryptography, that using it just enables criminals. This is true, but nobody is self-encrypting to help others to prey upon them. They are doing it to prevent becoming a victim. Guess who the predator is….
The cipherpunk future is fundamentally a dystopia. Trust in authority would be a wonderful thing. I actually thought the authoritarian future would be more subtle and well-tolerated, like “Brave New World”, but it’s shaping up a lot like “1984”, and I can’t understand why a central-authority would self-destruct like that, under no force of occupation.
The cipherpunk future is fundamentally a dystopia. Trust in authority would be a wonderful thing. I actually thought the authoritarian future would be more subtle and well-tolerated, like “Brave New World”, but it’s shaping up a lot like “1984”, and I can’t understand why a central-authority would self-destruct like that, under no force of occupation.
On whitepapes, I surmised that WhatsApp is supposedly meta-connection secured (unless reconstruction is being done by WhatsApp backend).
All the while with Signal app, I’m fairly certain that message content is most secured (than Whatsapp) but is operationally resistant to providing meta-connection info.
Interestingly enough, I find that Matrix (Element iOS app) to be strongest in both aspect of connection metadata and secured message content.
All the while with Signal app, I’m fairly certain that message content is most secured (than Whatsapp) but is operationally resistant to providing meta-connection info.
Interestingly enough, I find that Matrix (Element iOS app) to be strongest in both aspect of connection metadata and secured message content.
[deleted]