When the developers at Open Whisper Systems, creators of the popular voice-and-text app Signal, were served a grand jury subpoena earlier this year, the writ demanded information related to two phone numbers. One was associated with a Signal account, and one wasn’t. Open Whisper Systems turned over all the information it had to the Assistant U.S. Attorney in the Eastern District of Virginia. It wasn’t much — and that was no accident.
Open Whisper Systems did provide the date the account was created, and the day that the user last connected to a Signal server. What the government wanted was metadata (e.g., records of who the user contacted, when, how long a call lasted, and where a call took place), but the Signal app doesn’t collect that info. Open Whisper Systems could not be compelled to turn over what it didn’t have.
Recent revelations that Yahoo allowed the U.S. government to scan hundreds of millions of email accounts have reignited the debate about digital privacy and the role of tech companies in facilitating government surveillance. But just as important is a parallel debate about who is doing the most to protect privacy.
Among experts, the verdict is in: Signal is winning that debate. It’s no surprise, then, that it has attracted the attention of the U.S. government.
A “gag-first mentality”
During the investigation, Open Whisper Systems was placed under a gag order by a magistrate judge at the request of the government. The gag order itself was not unique. It’s common for prosecutors to issue sweeping bans on discussing ongoing investigations, especially when telecommunications and tech companies are involved. Following the leaks from NSA contractor Edward Snowden, companies have increasingly begun fighting that extreme secrecy, and Open Whisper Systems was determined to make its case public.
Brett Max Kaufman is a staff attorney at the ACLU, and represented Open Whisper Systems in its challenge of the gag order. “I think the gag-first mentality of the government is something that we hope this case has started a conversation about,” Kaufman tells Inverse. (Open Whisper Systems did not return interview requests from Inverse for this story.)
The U.S. Constitution is designed to default to openness and transparency in court proceedings, but that dynamic has largely been inverted when it comes to cases involving telecommunication and surveillance, Kaufman explains. Tailored secrecy can sometimes be necessary, but the government is supposed to be forced to narrowly define what should remain beyond the public’s view.
“It really is the government’s burden to justify secrecy in these cases, and I think the fact that a gag order was issued in this case, with very little justification, shows that the Constitutional rule has switched when it comes to what prosecutors are asking for and what the courts seem to be issuing,” Kaufman says. “Because there really was no justification for keeping any of the things that we’ve released secret.”
Department of Justice lawyers backed down after the ACLU’s challenge, which suggests that the government asking for total secrecy is a standard, reflexive position.
Kaufman published the seven documents from the case on the ACLU website. “Indeed, that they are public at all is remarkable by itself,” he writes in a post that accompanies them.
What the government was demanding was controversial, too. The DOJ requested more information than it was allowed to by statute, seemingly with the hope of bullying Open Whisper Systems, Kaufman says.
“When the government is asking for more information than it is entitled to, with the hope that unsophisticated recipients provide it without bothering to question that or challenge it, that’s a major problem,” he said.
The Eastern District of Virginia did not respond to interview requests from Inverse.
Open Whisper Systems is far from the first communications company to be put in this position. The most high-profile demand the government has placed on a tech company was in asking Apple to break the encryption on the iPhone of one of the shooters in San Bernardino, CA, but there are plenty of other examples. Among digital privacy experts, the government’s demand for information from encrypted email provider Lavabit about former NSA contractor Edward Snowden, and the accompanying gag order, is one of the most chilling instances of government overreach and intimidation.
In 2014, Ladar Levison, Lavabit’s founder, shut down his service rather than comply with the government’s request. A day later, Silent Circle, another encryption firm, shut down its email services, preemptively, to prevent U.S. government spying.
Signal has become the communication app of choice for activists in the United States and abroad who need to be as confident as possible that their messages, both text and voice calling, are secure. There are several reasons for Signal’s popularity. One is that the source code is open and available for security researchers to inspect and attempt to break into. Because so many eyes are looking at what is essentially a worldwide, peer-reviewed system, vulnerabilities are spotted and fixed much faster than when code is sealed.
Freddy Martinez is the director of the Lucy Parsons Labs, a digital rights and transparency activist nonprofit, based in Chicago. He told Inverse why he uses Signal – over a Signal voice call, appropriately.
Metadata “paints an incredibly detailed picture”
“The amount of data that’s shared is minimal, and the encryption is top of the line,” Martinez says. When the U.S. government asks for large amounts of metadata, it can piece that data together to paint an incredibly detailed picture of a person’s life: where you go, who you call and how often, what you spend money on, and any number of other telling details.
“In the aggregate, [metadata] tells you everything,” Martinez explains.
There’s a practical need for privacy in the work Lucy Parsons Labs does – it regularly talks with journalists and activists who could be targets for surveillance from any number of adversaries – but there’s a philosophical element to communicating securely as well.
“When you send a plain text message, everyone can see it,” he says. “The federal government, your phone carrier, everyone. I generally dislike that premise. Everyone has rights to confidentiality by nature.”
Will Hazlitt, of the North American Animal Liberation Press Office, says his group uses Signal exclusively, for all the reasons Martinez mentioned. For Hazlitt, Signal’s lack of retained metadata is one of the app’s most appealing features.
Metadata “can be readily used to piece together a narrative of an individual’s activities,” Hazlitt told Inverse over encrypted email. “As in our case, as animal rights activists, the safety and security of our communications, no matter how innocuous, is paramount.”
As for what’s next on the digital privacy frontier, Martinez says email privacy is still an issue that nobody has fully solved. There are groups like ProtonMail trying to address these issues, he said, referring to the Switzerland-based secure email provider. Many journalists and activists send encrypted email using Enigmail, a security extension for the free email app Thunderbird. That setup will do the trick, but it is somewhat tedious to install initially, and even the slightest screw-up can open a user up to unwanted surveillance.
The most important battle Martinez sees is in the streets, literally.
“The real challenge for privacy is: are you being followed on CCTV, is your license plate being scanned,” he said. Digital privacy is important and necessary, “but the real advocacy has to be on street level.”