Many companies opt to give data to governments voluntarily, but either way none can deny a request sent by a court. So yes, the government will get all the data the companies have if they can prove their need in court (very low bar, mind you).
Phone companies have a direct link to governments. They might need to overcome some evidence hurdle if they want to use that data in court, but assume they know everything. VPNs might be worth looking into.
Don’t use email for anything that requires anonymity or security. You can use services like SimpleLogin or Addy.io to hide your true email from big tech / data brokers / breach databases, but probably not the government.
For private communication, maybe SimpleX is your best option. No data required to open an account and no notifications sent through Google/Apple.
Signal requires a phone number and Matrix/Element requires an email. Sure you can use temp numbers and email, but that’s added potential points of failure. And I think both will use Google/Apple infrastructure for notifications. They might encrypt the contents, but the government can still have the timestamps on your messages. Unless both parties have custom Android OS without Play Services.
If you have a specific need, I’d go with SimpleX. If it’s for general avoidance of surveillance, I’d go with Signal, it’s more mainstream and it’s hard enough already to get people to use anything other than WhatsApp/iMessage.
If you use an end-to-end encrypted messenger like SimpleX, Signal, etc., your messages cannot be seen by anyone except the sender and the receiver.
Signal allows discovery by both usernames and phone number. So you can just ask someone to message you on your phone number or your username.
That is true for SimpleX as well, since servers know your IP and they also see the message queues. In any threat model where the messaging network is your adversary, SimpleX, currently, is about the same as Signal.
“Once again, Signal doesn’t have access to your messages; your calls; your chat list; your files and attachments; your stories; your groups; your contacts; your stickers; your profile name or avatar; your reactions; or even the animated GIFs you search for – and it’s impossible to turn over any data that we never had access to in the first place.”
What data does Signal provide in case of a government request then?
The date that each account last connected to the Signal service
Proved multiple times in court docs and unsealed subpoenas. Contrary to popular belief, they don’t provide the phone numbers. The phone numbers are actually supplied by law enforcement to get the above 2 data about the phone number.
I’d advise thinking about whether this is something you actually need. The worst that can happen with Google/Apple notifications is that those companies can know that someone (they can’t link it to you) received a notification.
Signal notifications currently do not show anything like who sent the message, who received the message, message content, etc. The way it works is this:
1. Someone sends you a message.
2. It goes to the Signal server.
3. Signal then sends a ping that contains instructions to ping a random ID to Google Firebase.
4. Whichever device has that random ID gets the ping, and the device then connects to the Signal server directly.
If you still want Signal notifications without Google/Apple servers and without an alternative OS like GrapheneOS, then you can look at Molly (https://molly.im/), which is a secure frontend for Signal that has independent notifications.
But in my opinion, most (99%) of people actually don’t have a high enough threat model that Apple/Google based notifications would hurt them.
Doing what Signal or other applications are doing is not enough.
The backend server should be sending decoy notification traffic to throw off threat actors observing traffic on the wire and then using timestamps to correlate conversations.
Google/Apple should also be sending decoy notifications to help mitigate this issue, but at the end of the day, it will still be a mitigation and not a real solution.
While this is not relevant for the absolute majority of people, it’s relevant to highly targeted individuals to whom Signal and other similar apps are recommended to keep them safe.
Correlation attacks are currently undefendable given the attacker has access to the entire network or a large-ish part of it. If someone creates a perfect solution, I’d be the first to jump in. Otherwise it’s just a matter of large enough control and enough time.
No current solution that depends on a network can defend against correlation attacks by the network itself.
I agree they should solve for it, but it’s not at all an easy solution.
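Added example, not part of the thread or of any messenger's code: a small simulation of the decoy-notification idea discussed above, measuring how well push timestamps still line up with a sender's message times once every device also receives random decoy pushes. The 2-second matching window, the 0.1 to 1.0 second delivery delay, the decoy rates and all timestamps are constructed assumptions.

```python
import bisect
import random

WINDOW = 2.0  # assumed: seconds an observer allows between a send and its push

def match_score(send_times, push_times, window=WINDOW):
    """Fraction of sends followed by a push to one device within `window` seconds."""
    pushes = sorted(push_times)
    hits = 0
    for s in send_times:
        i = bisect.bisect_left(pushes, s)  # first push at or after the send
        if i < len(pushes) and pushes[i] - s <= window:
            hits += 1
    return hits / len(send_times)

def simulate(decoy_rate, n_messages=200, n_bystanders=20, duration=86400.0, seed=1):
    """Return (recipient score, best bystander score) for one constructed day.

    decoy_rate is decoy pushes per second sent to every device.
    """
    rng = random.Random(seed)
    sends = sorted(rng.uniform(0, duration) for _ in range(n_messages))

    def decoys():
        return [rng.uniform(0, duration) for _ in range(int(decoy_rate * duration))]

    # The real recipient gets a push 0.1-1.0 s after each send, plus decoys.
    recipient = [s + rng.uniform(0.1, 1.0) for s in sends] + decoys()
    bystanders = [decoys() for _ in range(n_bystanders)]
    best_bystander = max(match_score(sends, b) for b in bystanders)
    return match_score(sends, recipient), best_bystander

if __name__ == "__main__":
    for rate in (0.0, 1 / 60, 0.5):
        true_score, bystander = simulate(rate)
        print(f"decoys/s={rate:.3f} recipient={true_score:.2f} best bystander={bystander:.2f}")
```

In this model the recipient's score stays at 1.0 while uninvolved devices only rise toward the chance that a decoy lands in the window, so decoys narrow the gap without closing it, at the cost of many extra wake-ups per device.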
Yes very sure. SimpleX servers can have both your IP (I think they partially solved it?) and keep logs (since SimpleX cannot actually test if each server is running clean code, no attestation available). Of course the answer from SimpleX is “use trusted nodes”, but what happens when most nodes are in places like US and Germany where owners can be forced to quietly make tracking changes through stuff like NSLs. The only guarantee should be technical or hard legal guarantees. Community moderation isn’t the best.
It has also happened sometimes against more robust anonymity-focused decentralized networks like the Tor network, where malicious guard nodes and control of sufficient exit nodes can help correlate. Network correlation will always be a problem until someone is able to make all traffic look the same, or absurdly actually random over long time. Exactly the same ballpark as fingerprinting.
I don’t actually think we’re disagreeing here. You’re saying that their servers are not safe from being compromised (well, nothing is, so…) and they currently have low safeguards to protect against compromised community servers, which users don’t use unless they manually add them anyway.
But baseline (hacking aside) is still no, SimpleX doesn’t keep logs and LE won’t get your logs by asking them for your data.