Ring has announced that it will soon offer the option to enable end-to-end encryption for the video feeds from its smart doorbells and connected home security cameras. This new higher level of security will be an optional feature and builds upon Rings existing encryption features. The company says it will be available for free to all Ring customers and plans to offer the feature by the end of this year.

With end-to-end encryption enabled, the video footage will be encrypted on the camera and can only be decrypted with a key stored on the mobile device used to view the recording. The setting is optional because once end-to-end encryption is enabled, certain features such as accessing the video feed through Alexa on an Echo Show or Fire TV device or sharing footage from the camera with others will no longer work. It essentially limits the Ring cameras feed to the app itself.

In addition to the stronger encryption, Ring is also updating its mobile app with more information on how videos are encrypted or stored. But more significantly, the company is finally allowing Ring owners to completely disable the controversial Neighbors feed from the app. The Neighbors feed is where Ring owners can share clips captured by their cameras and is ostensibly designed to alert others to possible crime or emergencies in their areas. But its long been criticized for being both fearmongering and an abuse vector for those in marginalized communities and hasnt been proven effective in reducing crime.

The other big criticism against Ring has been its close partnerships with police departments, which have been able to use Ring cameras as surveillance devices in hundreds of communities across the country. Todays announcements dont change any of this Ring will still partner with police departments and owners will have to manually opt out of being contacted by police for their camera footage if they dont want to participate in the program.

More:
Ring plans to offer end-to-end encryption by the end of the year - The Verge

Ring will be stepping up its efforts to make its security products secure for users by enabling end-to-end video encryption later this year. The company will be providing this toggle in a new page in tits apps Control Center, which will provide more information about Rings current encryption practices, and measures to keep user video secure, until the end-to-end encryption feature goes live. Ring is also taking the covers off a range of new devices today including its first drone but Ring CEO and founder Jamie Siminoff says that this new security measure could actually make the biggest difference to its customers.

[End-to-end encryption] could be our most important product that were sort of putting out there, because security and privacy, and user control are foundational to Ring, and continuing to push those further than even the industry, and really even pushing the res of the industry, is something I think that we have a responsibility to do.

Siminoff also points to Rings introduction of mandatory two-factor authentication earlier this year as something thats above and beyond the standard across the industry. I asked him them why not make end-to-end encryption for video on by default, with an opt-out option instead if users feel strongly that they dont want to take part.

Privacy, as you know, is really individualized we see people have different needs, he said. Just one example for end-to-end, is thatwhen you enable it, you cannot use your Alexa to say Show me whos at the front door, because of the physics of locking down to an end-to-end key. As soon as you do something like that, it would actually break what youre trying to achieve. So it really is something that is optional, because it doesnt fit every user in terms of the way in which they want to use the product. But there are some users that really do want this type of security so I think what youre going to see from us in the future, and I hope the industry as well, is just really allowing people to dial in the security that they want, and having transparency, which is also with the Video Control Center that weve launched today to provide you with the knowledge of whats happening with your data, in this case with Ring videos.

Overall, Siminoff said that the company hopes through all of its products, to be able to provide its users to build the system that they want to use, its the way that they want to use it. The Alway Home Cam drone, he points out, is another expression of that, since it provides the potential to monitor every room in your home but also the ability to be selective about when and where.

I think its just about building the options to allow people to use technology but use it comfortably, understand it, and control it, he said.

More:
Ring to offer opt-in end-to-end encryption for videos beginning later this year - TechCrunch

The mysterious death of Sushant Singh Rajput has kicked off debates on drugs, nepotism, and whatnot. The recent drug probe, which has summoned many celebrities like Deepika Padukone, Sara Ali Khan, and others, based on extracted WhatsApp chats, has raised concerns among the people.

The leaked WhatsApp chats have made people question WhatsApps security and its claim of end-to-end encryption. If WhatsApp chats are encrypted, then how are government agencies like NCB and CBI able to extract these chats?

WhatsApp is used by over two million users from more than 180 countries around the world. Being one of the widely used apps that connect people, doubts about privacy have raised fear among people.

WhatsApp says that only you and the receiver can read the messages you send. No one in between can access them, not even WhatsApp itself.

Each message you send has its unique lock and key, only you and the receiver have that unique key to open the messages and read them. As per WhatsApp, this encryption is automatic and can not be turned off manually.

For added protection, every message you send has a unique lock and key. All of this happens automatically. No need to turn on settings or set up special secret chats to secure your messages- WhatsApp.

Although even after encrypting the messages, WhatsApp indeed stores information in the form of metadata. Metadata is very little data stored in the apps server that can be your device configuration, mobile number, logins, profile photo, etc.

The messages you send are only stored on the apps server until they are delivered. So, all the chat data is stored in the form of chat backup in your Google Drive or iCloud. This data stored in cloud services is not properly encrypted and can be used by anyone who can access them.

Agencies such as the Central Bureau of Investigation (CBI) and the Narcotics Control Bureau (NCB) use complex software mechanisms to clone mobile data onto a different phone. Cloning is used to transfer data from a suspects phone to a different phone without using the phone that is being cloned.

This can be done using an app. Although mobile cloning or imaging is illegal for the general public, government agencies can freely use these services.

So, in a nutshell, anyone who has access to your Google Drive or iCloud can access your chats. One way to protect your chats is to turn off cloud backups. Use two-factor authentication on as many platforms as possible to add a layer of security to your personal information.

Image Sources:Google Images

Sources:ABP Live, Indian Express, Wired + More

Find Blogger:@mitalipatekar

This post is tagged under: Whatsapp encryption, WhatsApp Accounts, WhatsApp, WhatsApp cybercrime, NCB drug probe, NCB, SSR, End-to-end encryption, Deleted WhatsApp Messages, WhatsApp conversation, WhatsApp google drive, WhatsApp google drive backup, WhatsApp google drive chat backup, whatsapp chat backup, how to read whatsapp chats, how to access whatsapp chats, hacking whatsapp, hacking whatsapp chats

Conmen Are Hijacking WhatsApp Accounts & Blackmailing Users With Intimate Pictures, Texts And More

View original post here:
WhatsApp Encryption Is Not Foolproof; Chats Can Be Accessed In These Ways - Yahoo India News

from the security-through-encryption-and-security-despite-encryption dept

A few months ago, Techdirt wrote about a terrible bill in the US that would effectively destroy privacy and security on the Internet by undermining encryption. Sadly, that's nothing new: the authorities have been whining about things "going dark" for years now. Moreover, this latest proposal is not just some US development. In an official document obtained by Statewatch (pdf), the current German Presidency of the Council of the European Union (one of the key organizations in the EU) has announced that it wants to move in the same direction (found via Netzpolitik). It aims to prepare:

an EU statement consolidating a common line on encryption at EU level in the area of internal security to support further developments and the dialogue with service providers. It should seek to find a proper balance between the protection of privacy, intellectual property protection and lawful law enforcement and judicial access, thereby stressing security through encryption as well as security despite encryption

In other words, the EU is still chasing the unicorn of "lawful access" to encrypted material without somehow breaking encryption. An accompanying unofficial "note" from the European Commission services lists some of what it calls "key considerations", but these are still chasing that unicorn without explaining how that can be done (pdf):

Technical solutions constituting a weakening or directly or indirectly banning of encryption will not be supported.

Technical solutions to access encrypted information should be used only where necessary, i.e. where they are effective and where other, less intrusive measures are not available. They must be proportionate, used in a targeted and in the least intrusive way.

Slightly more detail about the options is found in another unofficial note exploring "Technical solutions to detect child sexual abuse in end-to-end encrypted communications" (pdf). Most of the solutions involve installing detection tools on the user's device. That can be circumvented by using devices without the detection software, or using a service that does not install them. Perhaps the most interesting technical approach involves on-device homomorphic encryption with server-side hashing and matching:

In this solution, images are encrypted using a carefully chosen partially homomorphic encryption scheme (this enables an encrypted version of the hash to be computed from the encrypted image). The encrypted images are sent to the [online service provider] server for hashing and matching against an encrypted version of the hash list (the server does not have the homomorphic encryption keys).

But this only works for services that implement such a scheme, and it only applies to existing images, not general messages or even videos. Moreover, the technology to implement such an approach is still under development.

Essentially, the EU, like the US, is telling people to "nerd harder", and come up with a solution that allows lawful access, but does not break encryption. Since hard nerding for many decades has failed to produce a way of doing that, maybe it's time for the authorities to accept that it just can't be done. The good news is that doesn't matter. Techdirt has been explaining why for years: there are encryption workarounds that mean law enforcement and others can get what they need in other ways. Indeed, one of the EU papers mentioned above provides perhaps the best example of this approach (pdf):

The recent dismantling of the EncroChat network in a joint investigation coordinated by Eurojust and Europol shows the degree to which those involved in criminal activity utilise all available technology, such as crypto telephones, which go well beyond publicly available end-to-end encrypted services.

Although it cites the case of EncroChat -- a Europe-based encrypted mobile network widely used by organized crime there -- in an attempt to prove how serious the problem is, it actually does the opposite. As the detailed explanation of how EU police managed to hack into the network and place malware on handsets explains, breaking the encryption proved irrelevant, because the authorities found a workaround.

The EncroChat bust demonstrates something else that is generally overlooked. It is already clear that far from going dark, the authorities today have access to unprecedented quantities of useful information that can be used to track down suspects and prevent crimes. That's from things like social media and e-commerce sites. But as the EncroChat materials show, when criminals use closed, encrypted channels to communicate, they paradoxically open up, speaking freely about their past, present and future crimes, naming names, and giving detailed information about their activities. That means it's actually in the interest of the authorities to allow criminals and terrorists to use encrypted services. When workarounds are found, these hitherto secret channels provide greater quantities of high-quality intelligence than would ever be obtained if people knew their communications had backdoors and were therefore not safe.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Thank you for reading this Techdirt post. With so many things competing for everyones attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise and every little bit helps. Thank you.

The Techdirt Team

Filed Under: encryption, eu, going dark, law enforcement, lawful access

Read more:
EU Still Asking For The Impossible (And The Unnecessary): 'Lawful Access' To Encrypted Material That Doesn't Break Encryption - Techdirt

The global Encryption Software market is carefully researched in the report while largely concentrating on top players and their business tactics, geographical expansion, market segments, competitive landscape, manufacturing, and pricing and cost structures. Each section of the research study is specially prepared to explore key aspects of the global Encryption Software market. For instance, the market dynamics section digs deep into the drivers, restraints, trends, and opportunities of the global Encryption Software Market. With qualitative and quantitative analysis, we help you with thorough and comprehensive research on the global Encryption Software market. We have also focused on SWOT, PESTLE, and Porters Five Forces analyses of the global Encryption Software market.

Our team of researchers have relied heavily upon all research-based conventions and internationally accepted practices to arrive at logical deductions that systematically tame favorable growth journey, despite challenges and odds. Researchers have significantly adhered to the primary and secondary research practices to arrive at logical conclusions in order to decipher the potential of various factors that steer relentless growth in global Encryption Software market.

Top Leading Key Players are:

IBM (US), Microsoft (US), Symantec (US), Thales e-Security (France), Trend Micro (Japan), Sophos (UK), Check Point (Israel), Micro Focus (UK), McAfee (US), Dell (US), WinMagic (US), ESET (US), Cryptomathic (Denmark), Bitdefender (Romania), Stormshield (France), and CipherCloud (US).

Get Sample PDF (including COVID19 Impact Analysis, full TOC, Tables and Figures) of Encryption Software Market @ https://www.adroitmarketresearch.com/contacts/request-sample/1055

COVID-19 Analysis: Global Encryption Software Market

Additionally, this report also includes substantial details on the pre and post COVID-19 scenarios, guiding report readers as well as market participants to comprehend the economic conditions and tangible implications upon business and growth prospects.

This high-end research report presentation governing the events and catalytic triggers prompting growth in the Encryption Software market is a detailed research initiative presented by our in house research professionals and seasoned analysts to unearth various developments and gauge their impact towards influencing the growth journey in global Encryption Software market. The report presentation takes note of the events and catalytical response that have crucially impacted the holistic growth journey.

Scope Evaluation: Global Encryption Software Market

Further in the subsequent sections of the report, report readers are equipped with ample understanding on various market derivers and barriers, regulatory protocols as well as prominent implementation models that evaluate new application potential as well as closely monitor the implementation models that collectively determine the future growth scope of the market, with dedicated references also of the past developments and events dominating forward journey in global keyword market.

This well integrated research report is aimed at offering report readers with holistic market specific knowledge sourced from primary and secondary research, highlighting minute details on prominent market developments, rendering a clear perspective of market valuation in terms of value and volume, with elaborate details on market trends, catastrophic market developments as well as a complete DROT analysis to harness profitable returns in global Encryption Software market.

Browse the complete report Along with TOC @ https://www.adroitmarketresearch.com/industry-reports/encryption-software-market

Based on application, the Market has been segmented into:

NA

Market Overview:

*Relevant detailing of competitive landscape, identifying top players and emerging ones are also included in the report to aid in successful evaluation of the market to encourage precise business discretion.*Further, the report houses crucial details on vital segment categorization of the global Encryption Software market, diversifying the market into types and application as dominant segment categories.*In the subsequent sections the report also adheres to the references of the various details on regional developments as well as country-specific nitty-gritty that document a steady growth prognosis in global Encryption Software market.*Additional information pertaining to sales channel optimization along with supply chain progresses and developments that relate to high potential growth in global Encryption Software market.*Other vital developments such as novel investment probabilities as well as success feasibility have also been minutely gauged in this report on global Encryption Software market.*The report has been systematically designed and presented in the form of tables and figures and other statistical to induce higher reader perception.*Relevant details on regional and country-wise details have also been included in the report to gauge into ongoing details that influence all-round growth in the global Encryption Software market.

The Encryption Software Market Report Consists of the Following Points:

1.The report consists of an overall prospect of the market that helps gain significant insights about the global market.2.The Encryption Software Market has been categorized based on types, applications, and regions. For an in-depth analysis and better understanding of the market, the key segments have been further categorized into sub-segments.3.The factors responsible for the growth of the market have been mentioned. This data has been gathered from primary and secondary sources by industry professionals. This provides an in-depth understanding of key segments and their future prospects.4.The report analyses the latest developments and the profiles of the leading competitors in the market.5.The Encryption Software Market research report offers an eight-year forecast.

For Any Query on the Encryption Software Market @ https://www.adroitmarketresearch.com/contacts/enquiry-before-buying/1055

About Us :

Adroit Market Research is an India-based business analytics and consulting company incorporated in 2018. Our target audience is a wide range of corporations, manufacturing companies, product/technology development institutions and industry associations that require understanding of a Markets size, key trends, participants and future outlook of an industry. We intend to become our clients knowledge partner and provide them with valuable Market insights to help create opportunities that increase their revenues. We follow a code- Explore, Learn and Transform. At our core, we are curious people who love to identify and understand industry patterns, create an insightful study around our findings and churn out money-making roadmaps.

Contact Us :

Ryan JohnsonAccount Manager Global3131 McKinney Ave Ste 600, Dallas,TX75204, U.S.A.Phone No.: USA: +1 972-362 -8199/ +91 9665341414

More here:
Encryption Software Market Report Examines Growth Overview And Predictions On Size, Share And Trend Through 2025 - The Daily Chronicle

Ama Russell and Evamelo Oleita had never been to a protest before June. But as demonstrations against systemic racism and police brutality began to spread across the U.S. earlier this year, the two 17 year-olds from Michigan, both of whom are Black, were inspired to organize one of their own.

Seeking practical help, Oleita reached out to Michigan Liberation, a local civil rights group. The activist who replied told her to download the messaging app Signal. They were saying that to be safe, they were using Signal now, Oleita tells TIME. It turned out to be useful advice. I think Signal became the most important tool for protesting for us, she says.

Within a month, Oleita and Russell had arranged a nonviolent overnight occupation at a detention center on the outskirts of Detroit, in protest against a case where a judge had put a 15 year-old Black schoolgirl in juvenile detention for failing to complete her schoolwork while on probation. The pair used Signal to discuss tactics, and to communicate with their teams marshalling protestors and liaising with the police.

I dont think anything we say is incriminating, but we definitely dont trust the authorities, says Russell. We dont want them to know where we are, so they cant stop us at any point. On Signal, being able to communicate efficiently, and knowing that nothing is being tracked, definitely makes me feel very secure.

Signal is an end-to-end encrypted messaging service, similar to WhatsApp or iMessage, but owned and operated by a non-profit foundation rather than a corporation, and with more wide-ranging security protections. One of the first things you see when you visit its website is a 2015 quote from the NSA whistleblower Edward Snowden: I use Signal every day. Now, its clear that increasing numbers of ordinary people are using it too.

Any time there is some form of unrest or a contentious election, there seems to be an opportunity for us to build our audience, says Brian Acton, the Signal Foundations co-founder and executive chairman, in an interview with TIME. Its a little bit bittersweet, because a lot of times our spikes come from bad events. Its like, woohoo, were doing great but the worlds on fire.

Indeed, just as protests against systemic racism and police brutality intensified this year, downloads of Signal surged across the country. Downloads rose by 50% in the U.S. between March and August compared to the prior six months, according to data shared with TIME by the analysis firm App Annie, which tracks information from the Apple and Google app stores. In Hong Kong they rose by 1,000% over the same period, coinciding with Beijings imposition of a controversial national security law. (The Signal Foundation, the non-profit that runs the app, doesnt share official download numbers for what it says are privacy reasons.)

Were seeing a lot more people attending their first actions or protests this yearand one of the first things I tell them to do is download Signal, says Jacky Brooks, a Chicago-based activist who leads security and safety for Kairos, a group that trains people of color to use digital tools to organize for social change. Signal and other end-to-end encryption technology have become vital tools in protecting organizers and activists.

Read more: Young Activists Drive Peaceful Protests Across the U.S.

In June, Signal took its most explicitly activist stance yet, rolling out a new feature allowing users to blur peoples faces in photos of crowds. Days later, in a blog post titled Encrypt your face, the Signal Foundation announced it would begin distributing face masks to protesters, to help support everyone self-organizing for change in the streets. Asked if the chaos of 2020 has pushed Signal to become a more outwardly activist organization, Acton pauses. I dont know if I would say more, he says. I would say that right now its just congruent. Its a continuation of our ongoing mission to protect privacy.

Brian Acton speaks at the WIRED25 Summit November 08, 2019 in San Francisco, California.

Phillip Faraone/Getty Images for WIRED

Signals user base somewhere in the tens of millions, according to app store data is still a fraction of its main competitor WhatsApps, which has some 2 billion users and is owned by Facebook. But it is increasingly clear that among protesters, dissidents and investigative journalists, Signal is the new gold standard because of how little data it keeps about its users. At their core, both apps use cryptography to make sure that the messages, images and videos they carry can only be seen by the sender and the recipient not governments, spies, nor even the designers of the app itself. But on Signal, unlike on WhatsApp, your messages metadata are encrypted, meaning that even authorities with a warrant cannot obtain your address book, nor see who youre talking to and when, nor see your messages.

Historically, when an investigative journalists source is prosecuted in retaliation for something they have printed, prosecutors will go after metadata logs and call logs about whos been calling whom, says Harlo Holmes, the director of newsroom digital security at the Freedom of the Press Foundation.

WhatsApp states on its website that it does not store logs of who is messaging who, in the ordinary course of providing our service. Yet it does have the technical capacity to do so. In some cases including when they believe its necessary to keep users safe or comply with legal processes, they state, we may collect, use, preserve, and share user information including information about how some users interact with others on our service.

Signal, by contrast, cannot comply with law enforcement even if it wanted to. (Its not clear that it does: in early June, Signals founder and CEO Moxie Marlinspike tweeted ACAB All Cops Are Bastards in response to allegations that police had stockpiled personal protective equipment amid the pandemic.) In 2016, a Virginia grand jury subpoenaed Signal for data about a user, but because it encrypts virtually all its metadata, the only information Signal was able to provide in response was the date and time the user downloaded the app, and when they had last used it. Signal works very, very hard in order to protect their users by limiting the amount of metadata that is available in the event of a subpoena, Holmes says.

The approach has not won Signal fans in the Justice Department, which is supporting a new bill that would require purveyors of encrypted software to insert backdoors to make it possible for authorities to access peoples messages. Opponents say the bill would undermine both democracy and the very principles that make the app so secure in the first place. Ironically, Signal is commonly used by senior Trump Administration officials and those in the intelligence services, who consider it one of the most secure options available, according to reporters in TIMEs Washington bureau.

Signals value system aligns neatly with the belief, popular in Silicon Valleys early days, that encryption is the sole key to individual liberty in a world where authorities will use technology to further their inevitably authoritarian goals. Known as crypto-anarchism, this philosophy emerged in the late 1980s among libertarian computer scientists and influenced the thinking of many programmers, including Marlinspike. Crypto-anarchists thought that the one thing you can rely on to guarantee freedom is basically physics, which in the mid 1990s finally allowed you to build systems that governments couldnt monitor and couldnt control, says Jamie Bartlett, the author of The People vs Tech, referring to the mathematical rules that make good encryption so secure. They were looking at the Internet that they loved but they could see where it was going. Governments would be using it to monitor people, businesses would be using it to collect data about people. And unless they made powerful encryption available to ordinary people, this would turn into a dystopian nightmare.

Signal's founder Moxie Marlinspike during a TechCrunch event on September 18, 2017 in San Francisco, California.

Steve Jennings/Getty Images for TechCrunch

As a young adult in the 1990s, Marlinspike who declined to be interviewed for this story spent his life on the fringes of society, teaching himself computer science, messing with friends machines, and illegally hitching rides on freight trains across the United States. A tall white man with dreadlocks, he always had a distrust for authority, but Snowdens leaks appeared to crystallize his views. In a post published on his blog in June 2013, which is no longer accessible online, Marlinspike wrote about the danger these new surveillance capabilities posed when exercised by a state that you could not trust. Police already abuse the immense power they have, but if everyones every action were being monitored then punishment becomes purely selective, he wrote. Those in power will essentially have what they need to punish anyone theyd like, whenever they choose, as if there were no rules at all. But, Marlinspike argued, this problem was not unsolvable. It is possible to develop user-friendly technical solutions that would stymie this type of surveillance, he wrote.

By the time hed written that blog post, Marlinspike had already made an effort to build such a user-friendly technical solution. Called the Textsecure Protocol (later the Signal Protocol), it was a sort of recipe for strong end-to-end encryption that could ensure only the sender and recipient of a message were able to read its contents, and not authorities or bad actors wishing to pry. In 2010 Marlinspike launched two appsone for text messaging and another for phone callsbased on the protocol. In 2014 he merged them, and Signal was born.

The app was kept afloat thanks to nearly $3 million in funding from the Open Technology Fund, a Congress-funded nonprofit that finances projects aimed at countering censorship and surveillance. In keeping with security best practices, the Signal Protocol is open source, meaning that its publicly available for analysts around the world to audit and suggest improvements. (Signals other main competitor, Telegram, is not end-to-end encrypted by default, and security researchers have raised concerns about its encryption protocol, which unlike Signals is not open source.) But although by all accounts secure, Signal back in 2014 was hardly user-friendly. It had a relatively small user base, mostly made up of digital security geeks. It wasnt the kind of influence Marlinspike wanted.

Read more: How the Trump Administration is Undermining the Open Technology Fund

So Marlinspike sought out Acton, who had co-founded WhatsApp in 2009 along with Jan Koum. The pair had since grown it into the largest messaging app in the world, and in 2014 Facebook snapped it up for a record-setting $19 billion. Marlinspikes views on privacy aligned with theirs (Koum had grown up under the ever-present surveillance of Soviet Ukraine) and in 2016, with Facebooks blessing, they worked to integrate the Signal Protocol into WhatsApp, encrypting billions of conversations globally. It was a huge step toward Marlinspikes dream of an Internet that rejected, rather than enabled, surveillance. The big win is when a billion people are using WhatsApp and dont even know its encrypted, he told Wired magazine in 2016. I think weve already won the future.

But Acton, who was by now a billionaire thanks to the buyout, would soon get into an acrimonious dispute with Facebooks executives. When he and Koum agreed to the sale in 2014, Acton scrawled a note to Koum stipulating the ways WhatsApp would remain separate from its new parent company: No ads! No games! No gimmicks! Even so, while Acton was still at the company in 2016, WhatsApp introduced new terms of service that forced users, if they wanted to keep using the app, to agree that their WhatsApp data could be accessed by Facebook. It was Facebooks first step toward monetizing the app, which at the time was barely profitable.

Acton was growing alarmed at what he saw as Facebooks plans to add advertisements and track even more user data. In Sept. 2017, he walked away from the company, leaving behind $850 million in Facebook stock that would have vested in the coming months had he stayed. (As of September 2020, Facebook still hasnt inserted ads into the app.) Im at peace with that, Acton says of his decision to leave. Im happier doing what Im doing in this environment, and with the people that Im working with, he says.

Soon after quitting, Acton teamed up with Marlinspike once again. Each of them knew that while encrypting all messages sent via WhatsApp had been a great achievement, it wasnt the end. They wanted to create an app that encrypted everything. So Acton poured $50 million of his Facebook fortune into setting up the Signal Foundation, a non-profit that could support the development of Signal as a direct rival to WhatsApp.

Actons millions allowed Signal to more than treble its staff, many of whom now focus on making the app more user-friendly. They recently added the ability to react to messages with emojis, for example, just in time to entice a new generation of protesters like Oleita and Russell. And unlike others who had approached Signal offering funding, Actons money came with no requirements to monetize the app by adding trackers that might compromise user privacy. Signal the app is like the purest form of what Moxie and his team envisioned for the Signal Protocol, Holmes says. WhatsApp is the example of how that protocol can be placed into other like environments where the developers around that client have other goals in mind.

Although it was meant to be an alternative business model to the one normally followed in Silicon Valley, Signals approach bears a striking similarity to the unprofitable startups that rely on billions of venture capital dollars to build themselves up into a position where theyre able to bring in revenue. It hasnt been forefront in our minds to focus on donations right now, primarily because we have a lot of money in the bank, Acton says. And secondarily, because weve also gotten additional large-ish donations from external donors. So thats given us a pretty long runway where we can just focus on growth, and our ambition is to get a much larger population before doing more to solicit and engender donations. (Signal declined to share any information about the identities of its major donors, other than Acton, with TIME.)

Still, one important difference is that this business model doesnt rely on what the author Shoshana Zuboff calls Surveillance Capitalism: the blueprint by which tech companies offer free services in return for swaths of your personal data, which allow those companies to target personalized ads at you, lucratively. In 2018, as the Cambridge Analytica scandal was revealing new information about Facebooks questionable history of sharing user data, Acton tweeted: It is time. #deletefacebook. He says he still doesnt have a Facebook or Instagram account, mainly because of the way they target ads. To me, the more standard monetization strategies of tracking users and tracking user activity, and targeting ads, that all generally feels like an exploitation of the user, Acton says. Marketing is a form of mind control. Youre affecting peoples decision-making capabilities and youre affecting their choices. And that can have negative consequences.

Grafitti urging people to use Signal is spray-painted on a wall during a protest on February 1, 2017 at UC Berkeley, California.

Elijah Nouvelage/Getty Images

An even more sinister side effect of Surveillance Capitalism is the data trail it leaves behindand the ways authorities can utilize it for their own type of surveillance. Marlinspike wrote in 2013 that instead of tapping into phone conversations, changes in the nature of the Internet meant that [now,] the government more often just goes to the places where information has been accumulating on its own, such as email providers, search engines, social networks.

It was a surveillance technique Marlinspike and Acton knew WhatsApp was still vulnerable to because of its unencrypted metadata, and one they both wanted to disrupt. Its impossible to know how much user data WhatsApp alone provides to authorities, because Facebook only makes such data available for all its services combined bundling WhatsApp together with Instagram and the Facebook platform itself. (WhatsApps director of communications, Carl Woog, declined to provide TIME with data relating to how often WhatsApp alone provides user data to authorities.) Still, those aggregate data show that in the second half of 2019, Facebook received more than 51,000 requests from U.S. authorities for data concerning more than 82,000 users, and produced some data in response to 88% of those requests. By contrast, Signal tells TIME it has received no requests from law enforcement for user data since the one from the Virginia grand jury in 2016. I think most governments and lawyers know that we really dont know anything, a Signal spokesperson tells TIME. So why bother?

Another reason, of course, is that Signal has far, far fewer users than WhatsApp. But Acton also puts it down to Signals broader application of encryption. They can do that type of stuff on WhatsApp because they have access to the sender, the receiver, the timestamp, you know of these messages, Acton says. We dont have access to that on Signal. We dont want to know who you are, what youre doing on our system. And so we either dont collect the information, dont store the information, or if we have to, we encrypt it. And when we encrypt it, we encrypt it in a way that were unable to reverse it.

Despite those inbuilt protections, Signal has still come under criticism from security researchers for what some have called a privacy flaw: the fact that when you download Signal for the first time, your contacts who also have the app installed get a notification. Its an example of one tradeoff between growth and privacy where despite its privacy-focused image Signal has come down on the side of growth. After all, youre more likely to use the app, and keep using it, if you know which of your friends are on there too. But the approach has been questioned by domestic violence support groups, who say it presents a possible privacy violation. Tools such as Signal can be incredibly helpful when used strategically, but when the design creates an immediate sharing of information without the informed consent of the user, that can raise potentially harmful risks, says Erica Olsen of the National Network to End Domestic Violence. Survivors may be in a position where they are looking for a secure communication tool, but dont want to share that fact with other people in their lives. Signal says that its possible to block users to solve problems like this. Its also working on a more long-term fix: allowing a user to connect with others without sharing their numberthough theyll still need a phone number to sign up to the app.

Since the 1990s, encryption has faced threats from government agencies seeking to maintain (or strengthen) their surveillance powers in the face of increasingly secure code. But though it appeared these so-called crypto wars were won when strong encryption became widely accessible, Signal is now under threat from a new salvo in that battle. The Justice Department wants to amend Section 230 of the Communications Decency Act, which currently allows tech companies to avoid legal liability for the things users say on their platform. The proposed change is in part a retaliation by President Trump against what he sees as social media platforms unfairly censoring conservatives, but could threaten encrypted services too. The amendment would mean companies would have to earn Section 230s protections by following a set of best practices that Signal says are extraordinarily unlikely to allow end-to-end encryption.

Read more: Facebook Cannot Fix Itself. But Trumps Effort to Reform Section 230 Is Wrong

Even if that amendment doesnt pass, the Justice Department is supporting a different bill that would force outfits like Signal to build backdoors into their software, to allow authorities with a warrant their own special key to decrypt suspects messages. While strong encryption provides enormous benefits to society and is undoubtedly necessary for the security and privacy of Americans, end-to-end encryption technology is being abused by child predators, terrorists, drug traffickers, and even hackers to perpetrate their crimes and avoid detection, said Attorney General William Barr on June 23. Warrant-proof encryption allows these criminals to operate with impunity. This is dangerous and unacceptable.

Theres no denying that encrypted apps are used for evil as well as good, says Jeff Wilbur, the senior director for online trust at the Internet Society, a nonprofit that campaigns for an open Internet. But, he says, the quirk of mathematics that guarantees security for end-to-end encryptions everyday usersincluding vulnerable groups like marginalized minorities, protesters and victims of domestic abuseis only so powerful because it works the same for all users. The concept of only seeing one suspected criminals data, with a warrant, sounds great, Wilbur says. But the technical mechanism youd have to build into the service to see one persons data can potentially let you see any persons data. Its like having a master key. And what if a criminal or a nation state got a hold of that same master key? Thats the danger.

Even in a world with perfect corporations and unimpeachable law enforcement, it would be a difficult tradeoff between privacy and the rule of law. Add distrust of authorities and Surveillance Capitalism into the mix, and you arrive at an even trickier calculation about where to draw the line. The problem is, ordinary people rely on rules and laws to protect them, says Bartlett, the author of The People vs Tech. The amount of times people get convicted on the basis of the government being able to legally acquire communications that prove guilt its absolutely crucial.

But at the same time, governments have regularly proved themselves willing and able to abuse those powers. I do blame the government for bringing it on themselves, Bartlett says. The revelations about what governments have been doing have obviously helped stimulate a new generation of encrypted messaging systems that people, rightly, would want. And it ends up causing the government a massive headache. And its their fault because they shouldnt have been doing what they were doing.

Still, despite the existential risk that a law undermining encryption would pose for Signal, Acton says he sees the possibility as just a low medium threat. Id be really surprised if the American public were to pass a law like this that stood the test of time, he says. If that were to happen, he adds, Signal would try to find ways around the law possibly including leaving the U.S. We would continue to seek to own and operate our service. That might mean having to reincorporate somewhere.

In the meantime, Signal is more focused on attracting new users. In August, the nonprofit rolled out a test version of its desktop app that would allow encrypted video calling an attempt to move into the lucrative space opened up by the rise in home working due to the pandemic. I try to use it to conduct my interview with Acton, but the call fails to connect. When I get through on Google Hangouts instead, I see him scribbling notes at his desk. Just this interaction alone gave me a couple ideas for improvements, he says excitedly.

The episode reveals something about how Acton sees Signals priorities. Our responsibility is first to maintain the highest level of privacy, and then the highest quality product experience, he says. Our attempt to connect on Signal desktop was to me, thats a fail. So its like, okay, well go figure it out.

Correction: Sept. 28

The original version of this story misstated Marlinspikes 1990s-era computer activity. He did not hack into insecure servers, he messed with friends computers as a prank. It also misstated an upcoming Signal feature. Signal is working on a way for users to contact others without providing their phone number, but users will still need to provide a phone number to sign up for the app.

Thank you! For your security, we've sent a confirmation email to the address you entered. Click the link to confirm your subscription and begin receiving our newsletters. If you don't get the confirmation within 10 minutes, please check your spam folder.

Write to Billy Perrigo at billy.perrigo@time.com.

Read more here:
The Inside Story of How Signal Became the Private Messaging App for an Age of Fear and Distrust - TIME

Photo illustration by Slate. Photos by Talaj/iStock/Getty Images Plus and Dmitry Astakhov/AFP via Getty Images. This article is part of the Free Speech Project, a collaboration between Future Tense and the Tech, Law, & Security Program at American University Washington College of Law that examines the ways technology is influencing how we think about speech.

On Wednesday, Sept. 30, at noon Eastern the Free Speech Project will host an hourlong online discussion about how the single global internet is splintering into smaller ones with geographic borders. For more information and to RSVP, visit the New America website.

Another component of internet-browsing is about to become criminal in Russia.

On Sept. 21, Russias Ministry of Digital Development, Communications, and Mass Media (Minkomsvyaz) released a draft law that would criminalize the use of internet protocols that, in its words, encrypt a website name. The specific protocols the law is targeting are a jargony alphabet soup: TLS 1.3, ESNI, DNS over HTTPS (DoH), and DNS over TLS (DoT). But theyre important encryption techniques that are already, to varying degrees, deployed online, including in Russia.

This marks another step in Russias push for a domestic internet that the state could tightly control and isolate from the world at will. (Thats the vision, anyway.) The draft law also highlights the authoritarian assault on the open internet playing out in the sometimes-overlooked domain of standards.

Shared protocols allow devices of all different types, produced by many different manufacturers, to communicate with one another through an agreed-upon set of technical rules for behavior. These standards are developed by a wide variety of experts in multistakeholder bodies. Whenever you log onto the internet, you receive an internet protocol addressa product of these kinds of shared protocols. Without said rules, internet communication would be a mess: Any time you landed in a country, youd have to head over to the airport gadget shop and make sure you didnt need a new, country-specific device to communicate with others. Similarly, if you and your friends didnt have the same kind of smartphone, thered be less guarantee of text or phone call compatibility.

Authoritarians, particularly in China and Russia, have long had qualms with these open and interoperable standards for those exact reasons: Its harder for governments to control data flows when there are no centralized chokepoints for authorities to seize, or when protocols themselves cloak user communications behind a veil of encryption, or when experts in some far-away meeting are deciding the technical protocols used to route data in their borders.

Thats why, in recent years, Moscow and Beijing have asserted more direct state control of internet standards domestically. Within Chinas borders, for instance, the state has altered key components of the internets data routing system to put the state more firmly in the drivers seat, sharply diverging from how internet routing functions outside China and on the Chinese internets periphery. Practically speaking, that means Beijing has more control over which data goes where. Russia and, in particular, China have also become more vocal in supporting their preferred, closed standards in international forumsones that could allow greater control. In other words, theyre working on exporting a model of closed standards. They hope that more state influence over internet standards development will help them advance their goals of creating greater sovereignty online.

This draft law is one of only many actions the Russian government has taken to undermine shared internet protocols within its borders. The Kremlin has been trying for yearsmost notably under a 2019 lawto wrest control within Russia of the Domain Name System, the internets phone book for addressing traffic. In the Kremlins view, controlling the Domain Name System would give it tighter rein over how traffic flows in the country as well as which devices are compatible with this envisioned Russian domestic internet. The specific protocols named with the recent draft law encrypt otherwise-visible information about a users destination thats linked to their data packets. For state authorities relying on access to that data for content censorship and surveillance, encryption is more than a mere thorn in the side.

Naturally, the draft law cites the enforcement of information control laws as justification for criminalizing these protocols use. These laws target child pornography, for instance, but they also target what many democracies would call protected political speech, like sharing knowledge of corruption or drawing attention to pervasive and often violent homophobia in Russian society. Russias internet and media regulator, the explanatory note says, has difficulty identifying the real network addresses of devices on external systems when these encryption protocols are used, reducing its ability to restrict online information.

In practice, surveillance, censorship, and internet isolation are deeply entangled in Russia. As with DNS, the Kremlin has made control of key internet protocols a central part of its plan for a domestic, isolatable internet in Russia. Part of that is moderating content, yes. But part of that is also being able to watch those communicating online, through pervasive surveillance add-ons to Russias digital infrastructure; its also about being able to develop key chokepoints for the internet in the country, so that its easier to exert control over the infrastructure than it is with a more decentralized system, both in software and in hardware. For a government with a far less technically sophisticated and established internet censorship system than the one run by counterparts in China, the Kremlins somewhat scattershot and roadblock-filled internet censorship approach depends on knowing who is saying what, when, and to whom. That allows the Russian state to use physical coercionshowing up and throwing someone in jail for saying the wrong thing onlinealongside technical internet restrictions.

Its extremely likely that the draft law will be enactedafter all, this is a country whose ruler once declared his plan to establish a dictatorship of the law. But internet control is a complicated wish, and this plan may not work exactly to the Kremlins liking. Historically speaking, when fine-grained filtering attempts have failed, the Kremlin has relied on sweeping techniques with collateral damage for citizens ability to access other websites. As the independent Russian news outlet Meduza reported, Russian internet and search giant Yandex already uses some of these protocols, which underscores the importance of company compliance here.

Standards are a growing point of conflict for the global internet, and they have been for some time. The multistakeholder bodies where these technical rules are developed are increasingly marked by a contest between a free, open, and interoperable internet model and one that prioritizes tight state control over information flows and internet architecture. Russia criminalizing the use of relatively agreed-upon internet protocols which directly employ encryption is just an illustration of this authoritarian movement against internet standards that underpin the web as we know it.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.

Read more:
Russia Is Trying Something New to Isolate Its Internet From the Rest of the World - Slate

FREQUENTLY ASKED QUESTIONS

Q 1. Russian encryption regulations what is controlled?

The importation and exportation of encryption-based products in Russia is subject to import/export encryption clearance requirements set at the supranational level of the Eurasian Economic Union (EAEU).

Russian import/export encryption regulations are set by EAEU Decision No. 30 On Measures of Non-Tariff Regulations (Decision No. 30) dated 21 April 2015 and apply both to the importation and exportation of encryption-based products. Decision No. 30 established a list of encryption products classified by name and customs classification (HS) codes that covers almost all types of IT/telecom products.

The EAEU import/export encryption regulations apply with respect to all tangible (physical) cross-border shipments of goods. Intangible cross-border transfer of data (e.g., electronic downloading of software from a foreign server) is not controlled.

Q 2. What types of import/export permission documents are required?

Decision No. 30 establishes the following three types of permission documents required for the import/export encryption clearance of IT products:

(i) import/export encryption license

(ii) import/export encryption permit

(iii) registration of a notification

In order to determine the type of permission document, the following aspects should be analyzed:

Encryption functionality, including the following:

list of cryptographic algorithms and maximum key length (e.g., AES-256, RSA-2048, etc.)

list of implementing protocols (e.g., TLS, SSH, SSL, etc.) how the encryption is employed: at the level of software,

software operating system and/or hardware (if the hardware is used, whether the product has any TPM modules), etc.

what type of data is encrypted, i.e., technical/metadata, or customer/business data (e.g., media content, texts, etc.)

how the data is encrypted, i.e., at rest or in flight

Purpose of importation, which may include, for example:

local distribution importation for internal business needs of the importer

of record temporary importation, or importation for replacement of

local defective units

In addition, in the case of temporary importation, an ATA Carnet could be considered as an alternative type of import permission document. However, the use of an ATA Carnet should be discussed with the clearing customs post well in advance.

Q 3. When an import/export encryption license is required?

Generally, the import/export encryption licensing requirement applies to all types of imported IT/telecom products for B2B use with so-called strong/heavy encryption functionality capable of encrypting customer/business data (i.e., texts, images, video/audio files, etc.) at rest or in flight with the use of an encryption key length exceeding 56 bits for symmetric and 512 bits for asymmetric cryptographic algorithms.

Q 4. What is the procedure for obtaining an import/export encryption license?

The regulations provide that only the importer of record (i.e., a legal entity incorporated in an EAEU member state) may be an applicant for and a holder of an import/export license. There is a two-stage procedure for the issuance of import licenses:

(i) Issuance of a license approval the applicant should apply for a license approval with the competent authority (i.e., in Russia the Federal Security Service, FSS), which is a free of charge procedure taking approximately one to two months. The applicant must prepare and submit to the FSS an application form and a standard set of documents outlining all circumstances of the contemplated import/export transaction, including the purpose of end-use of the products, their encryption characteristics and the end-user details.

(ii) Issuance of an import license by the authorized state agency (i.e., in Russia the Ministry of Industry and Trade, MIT), which requires preparation of a standard set of documents and payment of a state duty in the amount of RUB 7,500 (approximately USD 110) and takes 15 business days.

Q 5. Practical peculiarities of the import/export licensing procedure.

(i) The importer of record (applicant for an import/export license) must have a local encryption license as a precondition. The local encryption licensing requirements are established by separate/stand-alone set of regulations on the local manufacturing, distribution/supply and repair/maintenance of encryption-based products, as well as provision of encryption- based services. For more details, please refer to Q9 below.

(ii) Each unit of heavy encryption-based products must be designated for and supplied to the particular end-user. The FSS does not permit the Russian importers of record/distributors to stock heavy encryption-based products (e.g., for replacement purposes).

Q 6. When can an import/export permit be applied and what is the procedure?

An import/export permit can be applied instead of an import/ export license in the following cases of importation/exportation of heavy encryption-based products:

repair or exchange based on the contractual obligations of the company

import/export for internal use without distribution of imported items to third parties and without provision of encryption-related services to third parties

temporary import for conducting scientific-technical expertise

temporary import for scientific research temporary import for showing in exhibitions transit of encryption devices through the territory

of the EAEU

The procedure is very similar to the procedure established for the issuance of a license approval by the FSS. Import permits can be obtained both by Russian entities and by local branches/ representative offices of foreign companies.

Q 7. What is the notification procedure?

Decision No. 30 establishes 12 exemption categories of goods that can be subject to the notification procedure, which is an alternative to the import/export license/permit (the 12 exemption categories are provided in Annex 2).

These are generally so-called mass market products (i.e., B2C goods designated primarily/basically for use by individuals rather than for business), as well as goods with light/limited encryption functions (i.e., goods that cannot encrypt customer/ business data at rest or in flight with the use of above- mentioned encryption keys exceeding 56/512 bits).

If a product, by its characteristics, falls under the notification criteria, the foreign vendor should issue a notarized and legalized (apostilled) authorization document to its local representative (i.e., a Russian legal entity or individual). The local applicant should complete and execute a notification form together with a set of supporting documents and submit them for registration to the FSS.

The statutory term for the consideration and registration of notifications is 10 business days, plus the time needed for the delivery of documents to the FSS.

Information on all the registered notifications is publicly available on the EAEU register at http://www.eurasiancommission.org. After a notification has been registered and placed on the EAEU register, the products can be freely imported/exported into Russia/EAEU by any importers and exporters of record.

Q 8. Specifics of importation of encryption- based products by individuals.

Decision No. 30 establishes a list of B2C encryption products that can be freely imported by individuals for their personal needs without the import/export encryption clearance formalities. This exemption list (List), among others, includes (i) software, (ii) means of electronic signature, (iii) computers and their parts, and (iv) electronic cards intended for public user (e.g., bank cards, SIM cards, discount cards), etc.

The importation of encryption devices by individuals for business purposes is legally viewed as a commercial supply that should be subject to an import/export customs declaration. From the practical perspective, if the commercial gadgets imported by employees fall under the List, they can be viewed as exempt from the import/export encryption clearance procedures, regardless of the B2B status. Otherwise, the necessity to perform an import/export customs declaration of such commercial products imported by business travelers should be determined separately, based on the type of product, its designation and sphere of application.

Q 9. What are the local encryption licensing requirements?

Russian Governmental Decree No. 313 dated 16 April 2012 (Local Encryption Regulations) established the list of 28 types of licensed activities. Generally, any activities related to the development/production of cryptographic products, technical maintenance of cryptographic products, provision of services in the sphere of data encryption, as well as distribution of cryptographic products, are subject to the local use licenses issued by the FSS.

The Local Encryption Regulations establish a list of the types of products that should be exempt from the local encryption licensing requirements, which are very similar to the exemption categories of goods that should be subject to the notification procedure under the import/export encryption clearance requirements set by Decision No. 30. Thus, if the importation of an encryption product is subject to the notification procedure, and such a product was properly notified, a local use or supply of the product will, most likely, not require a local encryption license.

Only Russian legal entities or individual entrepreneurs may apply for a local (domestic) encryption license. Representative offices of foreign companies registered in Russia cannot apply for a local license.

In order to be eligible to apply for a local encryption license, the applicant should meet certain established requirements (i.e., establish a division and premises for the performance of licensed activity, hire specifically qualified personnel and make certain additional arrangements).

If the applicant meets the local encryption licensing requirements, the FSS will issue a license for the relevant type(s) of activity for an unlimited term. The license should normally be issued within 45 business days after the submission of all required documents, including the document confirming the payment of the license fee (i.e., state duty in the amount of RUB 7,500 or approximately USD 110).

Key Contacts

Alexander Bychkov Partner +7 495 7872715 Alexander.Bychkov @bakermckenzie.com

Vladimir Efremov Partner +7 495 7870715 Vladimir.Efremov @bakermckenzie.com

Andrey Gavrilov Associate +7 495 787 5573 Andrey.Gavrilov @bakermckenzie.com

View post:
Importation and local use of encryption-based products in Russia and the Eurasian Economic Union - Lexology