In a move that reaffirms its strong and consistent stance on private communication, Signal is poised to pull out of the UK over a newly passed anti-encryption law. What does this mean for those in the UK who wish to communicate privately and securely?
Signal Encrypted Messaging Service
Signal is my go-to app for secure and private communications. The company and its app have been around for almost 10 years. It was founded by Moxie Marlinspike and Brian Acton. Moxie is a security researcher and former head of security at Twitter. Brian co-founded WhatsApp and left in disgust after Facebook purchased the company.
UK Online Safety Bill Targets Encryption
The bill was drafted in the spring, discussed by tech companies during the summer, and has now passed into law this month, in the fall.
Read the draft of the bill: UK Online Safety Bill
Clause 122 is the key focus. Depending on how it is interpreted, this could allow UK regulators to force government back doors into the software. If you want to do business in the UK, you’ll need to follow their rules. Like GDPR, the language can be nebulous and the enforcement haphazard or absent. It is unclear how this law will impact secure private communications in the UK.
Here’s the response from Signal.
Government Subpoena Returns No Results
Currently, authorities can subpoena Signal for information; however, the company can only give what they have. A big part of the privacy here is the lack of data that Signal collects. By collecting as little data as possible to do business, Signal guarantees privacy because they have so little information to turn over. Think of it like the principle of least privilege applied towards privacy.
Because a subpoena isn’t enough, the authorities must craft legislation to get the information they want.
The Fantasy of a Magical Back Door
It is a common refrain from those in power that they must have special access to your information for the common good. The Internet is used for some horrible things; however, we shouldn’t be so quick to throw the baby out with the bathwater.
Let me be blunt: encryption is either broken for everyone, or it works for everyone. There is no way to create a safe backdoor. – Meredith Whittaker
Encryption is a binary choice – a zero-sum game. There is no such thing as a back door that only the good guys can access. If the authorities in the UK can access your information, then so can other unfriendly nations, actors, and groups.
I lost count of how many articles I’ve read over the years about this myth. You cannot have your cake and eat it too.
Encryption is No Magic Bullet
As important as encryption is for private communications, there are simpler things that can foil your efforts to speak with confidentiality.
The Front Door is Open
Lousy operational security (opsec), getting sloppy with your communications, and confiscation can all make the most powerful encryption useless. Border crossings and law enforcement probes can leave you without your device while they make a copy of the disk and analyze it offline. It is true that your Signal data is safe, but not if it is kept outside the application.
Here I don’t mean outdated crypto but rather the endpoints. If you are not in control of the endpoints, then you do not have privacy. End-to-end encryption without secure endpoints is vulnerable.
Conclusion: Use Signal – Even If You Live in the UK
For those residing in the UK, I’d get Signal and wait and see what happens with the law. If the UK government pushes for a back door and Signal backs out, be on the lookout for proxies to access the service. If the app is banned, other ways to download and install it will be available.
If you’re not already using Signal, you should start. It’s very easy to use and effortless to invite people onto the platform. Those of us who are security-conscious and privacy advocates must use tools which promote our values of free speech and private communications.
Thanks for reading!