The encrypted messaging app Signal has stopped responding to requests from Ukrainian law enforcement regarding Russian cyberthreats, a Ukrainian official claimed, warning that the shift is aiding Moscow’s intelligence efforts.
According to Serhii Demediuk, deputy secretary of Ukraine’s National Security and Defense Council, Signal remains one of the most exploited messaging apps for Russian espionage operations targeting Ukrainian military personnel and government officials.
“With its inaction, Signal is helping Russians gather information, target our soldiers and compromise government officials,” Demediuk said at the Kyiv International Cyber Resilience Forum on Tuesday.
Signal, a U.S.-based nonprofit platform known for its commitment to privacy, has not publicly commented on Demediuk’s claims and did not respond to a request for comment. Demediuk suggested that the shift in Signal’s policy may be linked to political instability in the U.S., adding that cooperation could resume soon.
Is there any reason for Signal to respond to Ukraine specifically? I feel like this was a special treatment and information regarding how Signal accounts are being targeted + ways to counter them should be public (if not already is)?
It’s simple, they just announced as official representatives of the authorities that Signal shared some data with them. This will be a bit of a blow to Signal, because its privacy will be called into question.
How is metadata not protected?
Signal has no Metadata to go off of anyone. (Only the phone number but even then if you use a VoIP or prepaid number, it’s not tied to your identity).
As others said, opsec is the problem here, not signal.
It’s simple, they just announced as official representatives of the authorities that Signal shared some data with them. This will be a bit of a blow to Signal, because its privacy will be called into question.
I suspect than it is more about requesting additional help to secure existing accounts in order to avoid impersonation (which can lead to soldiers/officials to communicate with Russian agents).
It’s briefly mentioned in the article and it can absolutely be a real problem (for example when a soldier family member’s account is compromised and manages to coerce intel via impersonation).
I have no reason to believe that Signal is giving the SBU more info than any other country.
Signal’s metadata is protected by policy of not collecting any, of which we have court docs: https://signal.org/bigbrother/
I’m unsure how well all different clients handle remote attestation of verifying the source the server is running, but unless that’s done by all clients, in theory, a rootkit could lie about the code the server is running, even to the Signal developers, and it could collect and exfiltrate metadata in secret. I have no evidence of this, and just because it’s possible in theory, doesn’t mean it’s actually happening.
What Signal does not do, is protect your metadata by design. The by design means that the client - the source code, compilation, and execution of which you have control over - protects your privacy.
Metadata privacy by design would require something like Cwtch that uses Tor for message routing, and that doesn’t have a server collecting metadata in the first place.