Secure messaging service says it will not weaken its encryption, privacy safeguards for government
    • BakedCatboy@lemmy.mlEnglish
      1·
      9 minutes ago

      I managed to use the reader mode trick to get the text:

      Signal warns it would pull out of Canada if made to comply with lawful access bill

      Marie Woolf 6 - 8 minutes

      Udbhav Tiwari, Signal vice-president of strategy and global affairs, says Ottawa’s Bill C-22 could threaten encryption and make private messaging services a potential target for cyberattacks.

      Secure messaging service Signal, which uses end-to-end encryption, is warning it would withdraw from Canada if asked to compromise its users’ privacy under Bill C-22, Ottawa’s proposed lawful access legislation.

      In an interview, Udbhav Tiwari, Signal vice-president of strategy and global affairs, said the company has deep concerns about measures in the bill, including its potential to introduce security vulnerabilities.

      Mr. Tiwari said that Signal “would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users.”

      He expressed fears that Bill C-22, which is currently being scrutinized by Commons committee, could threaten encryption.

      Mr. Tiwari also warned changes to systems required under the bill could make private messaging services a potential target for cyberattacks.

      “Bill C-22 could potentially allow hackers to exploit these very vulnerabilities engineered into electronic systems, with private messaging services serving as an ideal target for foreign adversaries,” he added in a text message.

      Spy watchdog asks for greater oversight of proposed lawful access regime, including to boost public trust

      Signal was founded in 2012 and is not linked to major tech companies. It has millions of Canadian users and is used for secure communication by journalists, dissidents, government agencies, private citizens and politicians.

      The bill would require telecoms, internet companies and other electronic service providers to make changes to their systems to give surveillance capabilities to police and the Canadian Security Intelligence Service to combat threats and criminal activity.

      Signal runs on its own centralized servers. The only user data it stores are phone numbers, users’ last login information and the date they joined the service. Users’ contacts, chats and other information are stored by users themselves, on their phones.

      The bill would require “core providers” – which would later be defined through regulations – to retain metadata for up to a year.

      The metadata would not include e-mails, web-browsing history, social-media activity or text messages, but it could include information about which telephone numbers have been in touch with each other, and data allowing someone’s location to be pinpointed.

      “End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it,” Mr. Tiwari added in a statement. “Provisions that enable the deliberate engineering of vulnerabilities into critical infrastructure like Signal are a grave threat to privacy everywhere.”

      White hat hackers warn lawful access bill could make it easier for criminals to penetrate Canadian systems

      Last year, a Signal chat between U.S. national security officials and Defence Secretary Pete Hegseth mistakenly included a journalist. The chat specified timings of warplane launches and when bombs would drop in planned attacks on Yemen’s Houthis.

      At a Commons committee hearing on Bill C-22 earlier this month, Public Safety Minister Gary Anandasangaree, who introduced the bill, was asked about its impact on encrypted services, and described it as “encryption-neutral.”

      Tech companies, including Apple, and the Canadian Chamber of Commerce have warned the lawful access regime proposed by the bill could weaken or break encryption.

      Meta, which owns encrypted messaging service WhatsApp, testified earlier this month to a Commons committee examining the bill. Rachel Curran, the tech giant’s head of public policy in Canada, warned that the bill “could conscript private companies into service as an arm of the government’s surveillance apparatus – with expansive scope and insufficient safeguards.”

      “As drafted, the bill could require companies like Meta to build or maintain capabilities that break, weaken, or circumvent encryption or other zero-knowledge security architectures, and force providers to install government spyware directly on their systems,” she said.

      Simon Lafortune, a spokesperson for Mr. Anandasangaree, said Wednesday: “We want to reassure Signal and all service providers that we are not legislating to require them to install capabilities to enable surveillance and any assertions otherwise are false.”

      The broadly worded bill could lead to the rollout of forced metadata collection for messaging apps, said Kate Robertson, a senior research associate at the University of Toronto’s Citizen Lab whose expertise includes cybersecurity, state agencies’ use of personal data and surveillance activities.

      Ms. Robertson said that when recently pressed to commit to protection for encryption, “government officials were reticent.”

      “Encrypted communication systems are a lifeline for human rights defenders, journalists and dissidents around the world,” she said.

      Matt Hatfield, director of OpenMedia, a non-profit that advocates for widespread and affordable internet access, said “Signal, WhatsApp and other encrypted messaging services could clearly be scoped into Bill C-22 under its current definitions of electronic service providers.”

      “A future public safety minister could issue orders to them requiring them to retain user metadata,” Mr. Hatfield said in an e-mail.

      Michael Geist, Canada Research Chair in internet and e-commerce law and professor at the University of Ottawa, said he expected private messaging services to become a high-value target for law enforcement if the bill becomes law, including for obtaining metadata.

      He said that currently, courts focus on obtaining data itself, but the lawful access regime would mandate permanent structural changes to company systems.

      “There is a significant difference between court-ordered disclosures and mandates to retrofit or change technical structures,” he said.

  • NarrativeBear@lemmy.worldEnglish
    150·
    17 hours ago

    This just in, Canada post and other mail providers will now be opening all envelopes and packages sent. All contents will be scanned or photographed and held on file for 2 years time, and released to relevant authorities upon request of investigation. To make things easier please do not seal packages or envelopes for easier and more convenient access.

    All photos and scanned documents will be held in a highly secured database with easy backdoors access!

    Pretty much the equivalent in terms of what Canada wants to implement with access to signal chats, VPN logs, and asking ISPs to keep logs for 1-2 years minimum.

    Somehow our politicians don’t seem to see the similarities between sending a message online vs sending a physical envelope in the mail. Also, in both cases a person could encrypt their messages/letters if they choose leaving regular folks with less security.

  • 9488fcea02a9@sh.itjust.worksEnglish
    6·
    11 hours ago

    I dont understand how they will pull out of canada… will the google play store have geo-restrictions on installing the apk?

    or will they just deactivate any account with a canadian phone number?

    • Cocodapuf@lemmy.worldEnglish
      13·
      10 hours ago

      Pulling out is super easy. Just don’t release a compromised version of the app. Done.

      If the app in its current form doesn’t comply with Canadian law, then the play store can’t legally distribute it. So, problem solved.

      So basically Signal can pull out of Canada by doing nothing different than they’re already doing.

      As for the users who already have the app installed, well that’s just too bad for the Canadian government isn’t it.

    • magnue@lemmy.worldEnglish
      5·
      11 hours ago

      Probably the same way Imgur dealt with the UK age verification. If you’re from the UK, you are basically IP blocked from Imgur.

    • sleepyplacebo@rblind.comEnglish
      1·
      3 hours ago

      It’s possible Signal could stop distributing the app through the Play Store and Apple App Store within Canada. Signal is likely to shut off all servers they rent that are hosted inside of Canada at the very least.

      In terms of them deactivating people’s accounts registered with Canadian numbers that seems less likely to me.

      Even if they potentially blocked Canadian IP addresses, Signal already has support for proxies built in and those are ran by diverse people throughout the world. Some individuals host them.

      This isn’t exactly the same since each situation with each country is different in terms of the law but Signal is banned in some countries such as Iran, Qatar, UAE and others already and people still use Signal by using Signal TLS proxies, VPNs, and other censorship circumvention tools such as Tor.

      They didn’t deactivate accounts after being banned and they still allow phone number registration in those countries.

      For Android people could download the apk file from Signal’s website instead of getting it from the Play Store at least.

      https://signal.org/android/apk/

      While we don’t know with certainty what they will do in each situation the past may be an indicator of what they will do to a large extent. But Signal has never pulled out of a country voluntarily before as far as I know so it is uncharted territory.

      I think the intentional deactivation of current accounts is unlikely to happen in this case with Canada.

    • Pika@sh.itjust.worksEnglish
      18·
      13 hours ago

      They’ve threatened to for a lot of them, but I’m not actually sure if they’ve actually done so.

      There’s a few countries that blocked signal, but I don’t know if signal has voluntarily pulled out of any country yet

      For example, they’ve threatened to leave Canada, Sweden, and Australia so far from memory

    • badgermurphy@lemmy.worldEnglish
      11·
      13 hours ago

      I don’t know of any yet, but these “encryption is for crooks” laws all keep barely failing, so they have not had to yet, from what I’ve seen.

  • TarantulaFudge@startrek.websiteEnglish
    66·
    7 hours ago

    Maybe we should be looking at the larger picture here this is exactly why Signal or any other privately owned centralized messaging system can never be trusted. Stop using Signal or WhatsApp.

    Look at alternatives like Matrix that are immune to this sort of thing.

  • Treczoks@lemmy.worldEnglish
    211·
    9 hours ago

    I seriously dislike those “lawful access” shit, but Signal getting out of somewhere is a win.