this post was submitted on 31 Aug 2024
907 points (99.0% liked)

Privacy

31609 readers
331 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Chat control is back on the agenda again and the works is kept in secret.

Link to document

Take Action!

Edit: More information about the meeting

you are viewing a single comment's thread
view the rest of the comments
[–] TCB13 25 points 2 months ago* (last edited 2 months ago) (2 children)

First they obliterate telegram (most likely the only ones that would not comply and still offer service in Europe, Facebook and Apple would just comply, Signal would drop Europe) and a few days later they restart talks on this.

[–] [email protected] 23 points 2 months ago (3 children)

Telegram isn't in trouble because they are a ""private"" messenger because 1) they aren't and 2) they basically asked for it. They are hosting pirates, drug dealers and scammers and they refuse government requests for the data they have about the user. That is the issue: not complying with data requests. For example, signal, a truly secure messenger, will comply with data requests and will send the authorities everything they have about a user, which is really not that much to begin with. This whole Telegram story is absolutely unrelated to chat control

[–] [email protected] 12 points 2 months ago (1 children)

I beg to differ - meta both facebook and Instagram have loads of issue with crimes like human trafficking, pornography including the revenge one, scams and even live streams of rapes.

Every time you try to report scams or even impersonating anybody they reply "it doesn't violate community standards"

Is Zuckerberger being accused of human, sex , pedophilia and drugs trafficking

https://www.firstpost.com/world/instagram-enabled-paedophiles-to-find-child-pornography-prey-on-children-12707612.html

https://variety.com/2023/digital/news/instagram-pedophile-network-child-pornography-researchers-1235635743/

https://www.theguardian.com/technology/2023/jun/07/meta-instagram-self-generated-child-sexual-abuse-materials

Of course it is about chat control. American companies do allow sniffing the traffic, "the russian" telegram doesn't allow sniffing.

That's the only reason

[–] [email protected] 1 points 2 months ago

Yes there m illegal things on social media, but they are not public group chats with hundreds of people in them sharing info on how to do x crime better. What you will mostly see on Instagram etc when it's about illegal stuff are links to those telegram channels. And yes meta/everyone else should definitely do better at moderatibg their platforms.

[–] [email protected] 7 points 2 months ago (1 children)

Specifically, they have the technological ability to prevent some crimes on their platform and have repeatedly refused to do so, or even engage with attempts to do so. Because they're not E2EE they can see what everyone is doing and are therefore legally required to step in when someone is (for example) selling drugs on their platform.

Signal (etc) have no insight into the actions of their users and when they are legally required to take action they do, they take the minimal legally required action (unlike other services from, ex, Apple). Signal follows the law, Telegram does not.

States are really pissy about E2EE for this (and other) reasons. They want to get rid of it because they want to monitor all private conversations. That's why E2EE is important.

[–] TCB13 -1 points 2 months ago (1 children)

This has nothing to do with the ability for the company to see what users do, but with the fact that govts can order Signal and others to hand user data, ban chats and whatnot while Telegram simply ignores requests like those.

Govts aren't pissed about the fact that Telegram might be an accessory to a crime, they're pissed because they can't compromise it. Do you remember the FBI vs Apple situation, they wanted backdoors / access to E2EE stuff and Apple was refusing to provide and they went against one of the largest tech companies out there. Do you really believe that the US govt just went after Apple but wouldn’t go after a small company like Signal? This looks shady - almost like there’s a security vulnerability / backdoor in Signal they can use whenever they want.

[–] [email protected] 2 points 2 months ago (1 children)

They can order Signal to turn over data (and the have) and signal has complied when it was legally required of them to do so, handing over all of their no data.

That's the difference.

If that weren't true they wouldn't be so constantly upset about E2EE.

[–] [email protected] -1 points 2 months ago (1 children)

nd when a judge or a 3 letters agency will request to Signal that they want access to the messages that somebody will send from a date?

It's their app, and they can do it. Do you think that they will refuse?

[–] [email protected] 3 points 2 months ago* (last edited 2 months ago) (1 children)

No, they cannot do it. That's what E2EE means. It means they do not have the technological ability to do it. It is not possible.

Yes, even if a judge orders. You can see instances of that on their website: https://signal.org/bigbrother/

Yes there are weak points (the huge one with Signal being: requiring your cell phone number as a part of authentication) but that's far beyond the level of technical expertise required to, say, just intercept clear text communications, ex from Telegram. If a government is wiretapping you then you've got problems that neither Signal nor Telegram can solve.

Now maybe you will suspect that a three letter agency will force them to do something bad, like send a suspect a hacked/backdoored version of the app or something but by and large i don't think they would do that. They'd just go to Google or Apple and put a keylogger on your phone, or some other solution. Realistically, though, this is a level of effort far beyond what >99% of all humans need to worry about. Choosing Telegram over Signal because you're afraid the government is manipulating your Signal app is a sign of incoherent paranoia.

A more serious concern would be, for example, the government capturing all data sent across the Internet and then holding onto it until some hypothetical future computer is developed that can just break the encryption. That's still pretty silly but it's something the US (at least) is doing. Still way beyond what they would need to get your Telegram messages because, again, they don't need to decrypt those. They can just look.

The difference being: Signal cooperates as they're legally required to buy do not have the technological capability to betray you. Telegram has the technological capability to betray you (and governments can spy on Telegram, with or without Telegram's assistance) but refuses to cooperate.

Signal is much better and more reliable in this.

[–] [email protected] -1 points 2 months ago (1 children)

Signal can add backdoors to their own app and, if the app get compromised (or the device) the security of the encryption model is not relevant. It's the reason because I see comparable Signal and Telegram.

Signal is open source, but (info based in this 3 years old thread on f-droid):

  1. Have binary blobs and propietary dependencies.
  2. Don't let reproducible builds.
  3. It's hostile to forks (they blocked libreSignal from their servers)
  4. Don't want independent builds from f-droid (nor any fork in f-droid)

Which no seems FOSS friendly.

[–] [email protected] 3 points 2 months ago (1 children)

I've already addressed this but i guess i'll expand on it.

Signal would not be able to add backdoors to all its users. Security researchers would see pretty quickly (more below) and that would be pretty big news because Signal is quite popular with people who care about their privacy.

They could in theory backdoor an individual's Signal app but, again, that's pretty inefficient. If anyone ever noticed it would be a big black mark against Signal, though they may not have much choice in the matter if it really came to it. However, we know that big governments and other sophisticated attackers usually prefer to just stick spyware on your phone. It's easier, more comprehensive, and doesn't require collaboration with Signal.

In contrast, you don't need to do any of that with Telegram because it's not E2EE. Your argument is basically "security features can be defeated by a sufficiently advanced attacker so use this other service that doesn't have them to begin with." This makes no fucking sense.

I don't know what you're talking about with FOSS stuff. Yeah, Telegram is open source. Signal is too. Some Signal forks (particularly the ones with "Signal" in their names) have been killed but others still exist, ex molly.im.

Signal client does have reproducible builds and has since 2016, as far as i know. This is another point against Signal being backdoored.

Beyond that, Signal has gone through a number of formal security audits. As far as i know, Telegram has not.

Finally, Telegram itself. Telegram could simply enable E2EE for all chats. They choose not to and that is concerning if you care about your privacy or security.

Yeah Signal could be better but that isn't a case to use Telegram over Signal when Telegram is worse in almost every respect.

[–] [email protected] 0 points 2 months ago

I agree that signal has a more robust security model. What I mean is that itbhasbalso habe risks, and a lot of people are ignoring it.

The backdoor could be a sleeping function activated from outside to targets of interest or 'special' updates from the google store (i.e.: with the help of google install a different version of the app to the target). But I'm not a security nor android expert, and it's all theoretical if this attack vector is possible, but I think that is unlikely.

Also, if the NATO country where I live wants to spy my mobile, it would use Pegasus 🤷🏽‍♀️

Off topic: The Signal reproducible builds don't work since, at least, may.

[–] TCB13 0 points 2 months ago (1 children)

I agree with you, but just think about this:

signal, a truly secure messenger, will comply with data requests and will send the authorities everything they have about a user, which is really not that much to begin with.

A govt asks Signal for info on a user, then Signal hands over a bunch of IP logs, metadata and a few encrypted messages that are still pending delivery or something on their servers.

Do you remember the FBI vs Apple situation, they wanted backdoors / access to E2EE stuff and Apple was refusing to provide and they went against one of the largest tech companies out there. Do you really believe that the US govt just went after Apple but wouldn't go after a small company like Signal? This looks shady - almost like there's a security vulnerability / backdoor in Signal they can use whenever they want.

Why would they go after the "not E2EE" chat but not after the "unbreakable and private" one? Telegram delivers trust, users trust that they won't share any info to govts. Signal only delivers a promise that their E2EE will be enough to make the information govts get useless.

This whole Telegram story is absolutely unrelated to chat control

Chat control is exactly about baking backdoors and providing govts full access to chat logs etc. something that Telegram would never be okay with. They don't even reply to govts requests most of the time, let alone be compromised at that level.

[–] [email protected] 9 points 2 months ago (1 children)

Signal only delivers a promise that their E2EE will be enough to make the information govts get useless.

Signal do more than just a promise. Their encryption techniques are available to see. You can confirm if it's enough protection for you or not. Telegram are the ones making a promise. I'm not saying they've broken their promise (as evidenced by the arrest).

But it is just a promise when Telegram still has the ability to see messages. Signal can't see messages and therefore don't have to rely on a promise that can be broken (willingly or not). They instead rely on encryption, which appears to be far stronger than any promise could be.

For all we know, this is performative and the French government already has access to Telegram's servers and can see everything. If they have access to Signal's, oh well, they can't see shit.

[–] TCB13 -2 points 2 months ago (2 children)

Telegram are the ones making a promise. I’m not saying they’ve broken their promise (as evidenced by the arrest).

The fact that govts go after them kinda validates the promise. Unlike Signal.

[–] [email protected] 7 points 2 months ago (1 children)

It validates that governments can see what's happening on Telegram, and that makes Telegram a target.

They can't go after the likes of Signal because they have very little to go on in the first place. They can't say definitively what's happening there as they can't see any messages. Unlike Telegram.

It's not a conspiracy that Signal are compromised, so they're being ignored. They're being ignored because there's nothing to see, so governments might as well spend resources going after the apps where information is visible instead. At least they might get a result. E2EE apps are too difficult.

[–] [email protected] 1 points 2 months ago

(Properly implemented E2EE is too difficult at the moment but those are some big caveats. Still: didn't use Telegram.)

[–] Tangent5280 0 points 2 months ago

If you aren't going to turn out evil, raise your right hand.

[–] [email protected] 12 points 2 months ago (1 children)

I'm still confused about people who consider telegram a private chat.

It's easy to verify for yourself that it isn't, so how is this still going around?

[–] TCB13 -5 points 2 months ago* (last edited 2 months ago) (1 children)

Telegram isn’t E2E encrypted and the telegram company can access all your messages, however, just think about the bigger picture there. How come that the E2E encrypted WhatsApp, Signal and whatnot never had their CEOs arrested for not moderating content / enabling criminal activity? Think about that.

[–] [email protected] 10 points 2 months ago (1 children)

I'm not sure what point you're trying to make here. You start by agreeing that telegram is simply not private. Then you move on to implying that it must be, because the CEO got arrested?

How does that change the fact that it is, by your own assessment, not private?

To answer your question, the answer from my perspective is quite simple. Noncompliance. If telegram had complied to local laws, like the others have and continue to do, he would not have gotten in trouble.

[–] TCB13 -5 points 2 months ago (2 children)

the answer from my perspective is quite simple. Noncompliance. If telegram had complied to local laws, like the others have and continue to do, he would not have gotten in trouble.

Exactly you're getting there. Now let me ask something, if Facebook/Apple/Signal/Matrix comply with such laws how private are they? Those companies will happily censor chats and hand records to the govt, Telegram won't.

Now you can argue that they do hand info the the govts but it is all encrypted and whatnot... do you really trust there aren't backdoors there? Or cleaver ways to get around it like what we saw with push notifications or macOS analytics?

Govts are only after Telegram because they can't infiltrate the company, ask for data etc. If Signal was really as secure and private like everyone says it is then their executives would already be in jail and whatnot for "enabling criminal activities".

[–] [email protected] 6 points 2 months ago (1 children)

Not much of this makes sense. Maybe we don't have an equal understanding of private. If thats the case, this discussion is going nowhere.

I will point out, though, that this is particularly nonsensical

Govts are only after Telegram because they can't infiltrate the company, ask for data etc.

Telegram doesn't use encryption. Everything is in clear text. Nobody needs a back door to get access. Not even governments. It's all just out in the open

[–] TCB13 1 points 2 months ago (1 children)

Telegram doesn’t use encryption. Everything is in clear text. Nobody needs a back door to get access. Not even governments. It’s all just out in the open

This isn't even true, Telegram isn't IRC. Like any modern application, uses SSL (encapsulated in MTProto) to protect connections. Govts will only have access if they manage to compromise those certificates, like your bank's website.

[–] Persen 3 points 2 months ago

Or if they copy the data from the servers, as it isn't e2e, the data is unencrypted on the server (or usually encrypted on the server with keys accesible by people working there) as far as I know.

[–] rottingleaf 2 points 2 months ago (1 children)

If Signal was really as secure and private like everyone says it is then their executives would already be in jail and whatnot for “enabling criminal activities”.

It doesn't have anything to do with what "everyone says". We don't do that with security. Well, Telegram users do, but Charles Darwin wrote about that process. Others look at what academics say or are competent enough themselves (no, you are not).

[–] TCB13 -2 points 2 months ago

Every encryption is secure until someone breaks it. Like we saw on Wifi (WPA2 and WPS) or the push notification issue it may not even be a direct attack to the cryptography of something, may be a way around it.