Governments impact on apps

Creating a topic following this discussion as I think it’s important and don’t want to derail the other topic into arguing.

Let’s make the arguing here.

Everybody should definitely be skeptical about everything in general, but I believe there should be extra caution for specific countries like Russia or China. It’s all about trust and unfortunately, the place do make a difference IMO.

If you went to a restaurant that says they sell an expensive fish like Bluefin Tuna. But actually what they served you is Tilapia (let’s say it’s 4 times the price) and you didn’t know. Later they get caught. Would you go back to this restaurant even if you liked it?

It’s like when Zoom got caught lying about their encryption.

Lot of people continued using it because they either didn’t care or didn’t know. But lots of privacy-minded individual stopped using it because they lost trust in the app (or weren’t using it in the beginning).

People will say that a country is not the developers so my analogy doesn’t apply.

While this is completely true, Russia and China are known for stuff like this:

Those judicial safeguards may seem small against the overwhelming might of agencies like the FBI or NSA, but tech companies like Google have used these court procedures to block handing over information like location data. The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have also fought and won recent cases involving law enforcement conducting warrantless collections of people’s data. “The U.S. has the FISA court process. We have the Constitution. We have the democratic process,” Carroll said. “We have some protections and backstops against the abuse of these powers, whereas in China and Russia they have none of that.”

“As Americans, we have to wrestle with this, as we download fun apps like TikTok and FaceApp,” Carroll said. “That we are putting ourselves out of the jurisdiction of a constitutional republic into the jurisdictions of autocratic regimes. Is it worth the fun?”

All that being said, with the Snowden NSA leaks, it would be easy to argue the US and the 14-eyes are not better.

I don’t have much arguments for that, except that US is a democracy, while China and Russia are not. There exist far from perfect safeguards that simply don’t exist in China/Russia.

I’d just like to conclude that I have nothing against any Russian or Chinese individuals! I know this is a delicate topic, hopefully, we can all be respectful in exchanging opinions and promote courtesy while doing so.

My opinion is that the US is collecting less info about US citzens than the Russian, Chinese, or Iranian governments, but that doesn’t seem to be the case for those living outside. I don’t think that the the FISA court process, Constitution, or democratic process will prevent it from collecting as much bits and bytes as it can from someone living in Jordan, Belize, or Laos. It has the biggest and most advanced information collection system, and probably a bunch of backdoors in the biggest two messenger apps in the world (whatsapp and fb messenger). That’s why I always look at Tiktok and Instagram with the same eyes, spyware. The US might have more constrains, but it has a much bigger access (Google, Facebook, and Bing analytics are the biggest afaik).

I still think, however, that the most important thing is the criteria mentioned in every recommendations page. I don’t care too much about ente being based in the US because they are open source, audited, and end to end encrypted. The same goes to adguard adblock. Of course, that’s only the take of a newbie, so feel free to ignore it. Have a herb

My opinion that not only there is absolutely no difference, but also, that maybe, projects by well known but pseudonymous individuals should be somewhat preferred for these reasons. Can’t mandate or ““ask nicely”” for a backdoor on software with “anonymous” developers.

Small nitpick, but that’s a bit inaccurate. All 3 countries are (at least nominally) republics. Obviously China’s one-party republic is very undemocratic, given the party’s control over nominees. And it’s well documented that Putin’s elections are far from fair. But it’s worth noting that the U.S. is not a flawless example of functioning democracy, with political parties and donors wielding substantial influence, some academics consider the U.S.'s heavily financed elections and representatives to be essentially a form of oligarchy.

Thanks for quoting my message

Yeah, I agree with what you say. In fact, here is an example of how governments do affect applications.

Another example is China’s proposed National Internet ID system for Chinese citizens, which claims to “protection privacy and prevent online fraud”.

That’s why I reached the conclusion that initially, not forever, all applications should be met with skepticism and caution. That is, of course, unless there is clarification, safeguards, such as encryption, etc.

True, but, of course, we cannot deny that Western governments still do surveillance on the population, especially now with what I shared concerning the so-called “Online Safety Act”. China, Russia, Iran, and the like have more censorship and less freedom. Nevertheless, that’s not to say the West isn’t eroding into a milder or similar version of that.

This is typically why we focus on facts:

• Network audits (does the app call home to where and what is contained)
• Does it have E2EE
  • Has the E2EE been formally verified/audited
• Did the application or developers have prior reputation in the industry?

These things all give a more accurate picture, than “eyes countries” or “is it from CN/RU”. If it’s hosting then we would typically look at the legislation in place, for processing sensitive data.

@Astatine completely agree

@dngray But those are not criteria for a recommendation on PG right?

In some cases it’s not possible, as there may be no options that have audits, or E2EE may not be relevant/possible.

Obviously with all recommendations its what we consider is actually available.

It’s an open secret that the US intelligence services work pretty hard to downgrade security, or make things standard that they have some kind of exploit too. Look at the prime numbers in encryption where they pushed encryption but then pressed companies to only use a handful of prime numbers that conveniently the spooks had already solved or they figured out that encryption software used only a few prime numbers and solved it.

Can’t monitor phones but cell towers are open and they can simply scrap them and use triangulation to track anyone with a cell phone in real time if they want. Most phones keep data and wifi on by default

They pressured apple to not encrypt their at rest iCloud data so that even if they couldn’t read imessages, most people back it up in the cloud and they can just dump their iCloud.

They have side ways attacks on signal and WhatsApp.

What attacks do they have on Signal or Whatsapp? Is there any proof of these at all?

We know Signal desktop has known vulnerabilities, these been around for years. The Pegasus group has zero day exploits, which hacked Bezos phones a few years back through whatsapp.

Even if the encryption is sound, you would be pretty foolish to think that a state hasn’t found some exploit in the stack that they use, like what was discovered on WhatsApp.

If you look at historically the public is usually around 10 years give or take behind the government. The stuxnet virus was around for 10 years before it was discovered, Snowden leaks in 2013 we can see drag net data going back at least to 2005, in 2012 it was reported that NSA cracked prime and had been able to do so for several years. Here are more random exploits we know of Tor/Firefox, Commercial Encryption, Technology companies helping,

That require’s an already compromised machine to access, and is being patched.

I’m pretty sure this is just a non sequitur.

This isn’t an argument, it’s a statement claiming a fact based off of observations.

Now, do you have any REAL evidence of current exploits in Signal or Whatsapp, or are you just trying to spread FUD?

I think the point of going private is more a value and to some extent a political statement. A strong majority of people don’t like having their data taken or collected, but most don’t take actions to protect themselves for many different reasons.

But the privacy community do have a voice and by doing all the efforts to go private and by educating and making people aware that there are choices, the more people switch, the more it sends a message not only to the market, but to governments as well.

There’s always a risk of zero-day exploit on basically anything that could theoretically make anyone vulnerable. There could even theoretically be stuff installed on hardware that we wouldn’t know about and would make us all vulnerable. But even then, it’s worth it IMO, because the more people switch, the more it has an actual impact on society as a whole with the message it sends.

Here is a recently article about types of side ways that I was referring to. They don’t need to decrypt it if they knew the software used a specific method to come up with the 20 random characters. Your “FUD” would say that its impossible for the NSA to crack a 20 character randomly generated password, but apparently this guy did it without much difficulty

That’s a specific flaw in a single specific code generator. Does Signal or Whatsapp use that generator, or even that version of that generator since its since been patched. You’re using modern cryptography to argue against a flawed ten year old password generation model. This is still FUD.

Im saying that extraordinary claims require extraordinary evidence and so far, you have supplied no evidence to support your claim that they are backdoored, just claiming that they might be using fallacious arguments. I’m getting tired of being called a fed by you, and the repeated FUD.

Can a mod lock this thread? There’s nothing useful being contributed anymore

I think that in a thread dedicated to discussing government capabilities, it is reasonable to point out that the NSA almost certainly has capabilities beyond what the public is aware of or would expect.

Whether you should be concerned about them is a different story, but I’ll point out that nobody here seems to have suggested not using Signal or other apps because of this. I think that if you care about privacy and security it actually is important to have awareness of both historical and potential capabilities of the NSA and similar organizations, and I also think there’s no reason to believe the NSA has changed their behavior in the years following the stories linked in this thread.

These things can be true without preventing you from using what are still the best tools available, and indeed for most people even if you are aware of the potential capabilities of people like the NSA you can still ignore that when considering what to use, because most people aren’t targeted by the NSA to begin with.

Perfect should never be the enemy of the good, but at the same time I think we can acknowledge that good things out there (e.g. Signal) aren’t perfect.

I’ll reiterate another point made here for good measure:

there is a reason its best practice to operate in a zero trust environment. Reminds me of listening to a hospital IT admin tell me that the reason they don’t is because they pen test for all known attacks…I asked him about unknown unknowns or known unknowns…

Best practice and realistic for most people are two very different things. PG isn’t meant to help people avoid nation state actors, its meant to help guide MOST people.

I think superiority between pseudonymous developers and anonymous developers may depend on the project. Pseudonymous developers can build a reputation and trust, and anonymous developers have better protection. What is everyone’s thoughts?