Zum Inhalt der Seite gehen

PSA: We've received questions about push notifications. First: push notifications for Signal NEVER contain sensitive unencrypted data & do not reveal the contents of any Signal messages or calls–not to Apple, not to Google, not to anyone but you & the people you're talking to. 1/
Als Antwort auf Meredith Whittaker

Mike Kuketz 🛡
Mike Kuketz 🛡

The all-important question is: Can Signal create a link to a Signal account for a Google/Apple Push ID? If not, how is this technically avoided or implemented?

And another important question is: How often has Signal already issued push IDs to authorities? If so, what information exactly is involved?

A clear answer to these questions would be helpful.

Als Antwort auf Mike Kuketz 🛡

daisE 🌈
daisE 🌈
@kuketzblog
Could you please explain the relevance of your question? AfaIk, the Signal server does not log from where or when a message has arrived. It also does not log when the ping was pushed or the message was picked up. State queries to Google (and Signal) can therefore (worst case) only find out when and to which account a ping from the Signal server was pushed. So imho, when and by whom something was sent remains unknown. Or what other information could be obtained and how?
@Mike Kuketz 🛡
Als Antwort auf Mike Kuketz 🛡

Meredith Whittaker
Meredith Whittaker
@kuketzblog These are the law enforcement requests we've been forced to reply to, including our responses. signal.org/bigbrother/
@Mike Kuketz 🛡
Als Antwort auf Meredith Whittaker

Mike Kuketz 🛡
Mike Kuketz 🛡

So the only information according to the documents are:
- Last connection date
- Account created

However, the reply also states: "As an initial matter, Signal-by design-does not possess almost any of the categories and types of information listed in the order." So maybe they didn't ask for this information explicitly enough?

I would still like an answer to my question about how to technically prevent a Google/Apple Push ID from being linked to a Signal account. Thanks.

Als Antwort auf Mike Kuketz 🛡

daisE 🌈
daisE 🌈
@kuketzblog it still would be nice to get an answer as to how this * could be relevant for what...
* knowing the signal account which got a simple ping by push.
@Mike Kuketz 🛡
Als Antwort auf Meredith Whittaker

Mike Kuketz 🛡
Mike Kuketz 🛡

The main problem is summarised again here - in German: kuketz-blog.de/signal-threema-…

You can use DeepL or another translator to translate it into English.


Signal/Threema: Klare Kommunikation zur Push-Problematik wünschenswert

Das Thema »Behörden fragen Apple und Google nach Nutzern von Messenger-Apps« hat mich nicht losgelassen.
Kuketz IT-Security Blog
Als Antwort auf Meredith Whittaker

Meredith Whittaker
Meredith Whittaker
In Signal, push notifications simply act as a ping that tells the app to wake up. They don't reveal who sent the message or who is calling (not to Apple, Google, or anyone). Notifications are processed entirely on your device. This is different from many other apps. 2/
Als Antwort auf Meredith Whittaker

Daniel Gultsch
Daniel Gultsch
IIRC the criticism was mostly about being able to map Signal ID (the phone number) to a Google account. This is independent to whether or not you put the message content into the notification.
FWIW only sending wake up signals instead of content seems pretty standard for personal communication apps these days. Signal isn't unique in that regard.
Als Antwort auf Meredith Whittaker

Meredith Whittaker
Meredith Whittaker
What's the background here? Currently, in order to enable push notifications on the dominant mobile operating systems (iOS and Android) those building and maintaining apps like Signal need to use services offered by Apple and Google. 3/
Als Antwort auf Meredith Whittaker

Meredith Whittaker
Meredith Whittaker
Apple simply doesn’t let you do it another way. And Google, well you could (and we've tried), but the cost to battery life is devastating for performance, rendering this a false option if you want to build a usable, practical, dependable app for people all over the world.* 4/
Als Antwort auf Meredith Whittaker

Meredith Whittaker
Meredith Whittaker
So, while we do not love Big Tech choke points and the control that a handful of companies wield over the tech ecosystem, we do everything we can to ensure that in spite of this dynamic, if you use Signal your privacy is preserved. 5/
Als Antwort auf Meredith Whittaker

Meredith Whittaker
Meredith Whittaker
*(Note, if you are among the small number of people that run alt Android-based operating systems that don't include Google libraries, we implement the battery-destroying push option, and hope you have ways to navigate.) 6/
Als Antwort auf Meredith Whittaker

Daniel Gultsch
Daniel Gultsch
if your persistent TCP connection drains the phone's battery I think you might have implemented it wrong. How do you think Google Push works under the hood?