• Off TopicSolved

  • Signal and ProtonMail appear on list of sites used for govt surveillance tool

Murcielago that sounds about right and the article seems to indicate the type of data they get from each sites varies widely.

    Murcielago just an OSINT tool that scrapes publicly available data

    Yes

    But what is concerning -

    Why are Signal and Proton are on the list?
    What kind of publicly available data is scrapeable from Signal and Proton?

    Signal and Proton advertise as NON-public platforms for user data.
    Implies that ShadowDragon is reaching beyond just the "open source" in OSINT, scraping services that should have technical safeguards against scraping.

        03046512336612478855 You can correlate the phone number with signal. Phone numbers are pretty much public info nowadays, especially in US which this service is aimed at.

        Same for proton. They scrape the email from somewhere and correlate the data.

        All in all this is a fancy (and very) expensive osint tool aimed at US gov and US citizens. Nothing new to see here honestly.

            03046512336612478855 Why are Signal and Proton are on the list?

            Why not? Adding more services to the list, even though the public data they they are able to scrape from them is very limited, clearly can benefit sales. Air makes the list look longer ------> ignorant, potential customers who look at it feel more impressed ("oh wow, so many services!") -----> the company earns more money (from selling air)

            03046512336612478855 Signal and Proton advertise as NON-public platforms for user data.
            Implies that ShadowDragon is reaching beyond just the "open source" in OSINT, scraping services that should have technical safeguards against scraping.

            No it doesn't imply that. It makes the list look more impressive the more names are on it. That's what it implies. The article clearly states that the tool scrapes publicly available data. There's nothing in the article about breaking encryption or accessing non-public data.

                0xsigsev

                Thx for this, addresses the core question

                What kind of publicly available data is scrapeable from Signal and Proton?

                Sounds like the scrapeable data is plausibly just:
                Signal - phone # used on signup
                Proton - proton email address voluntarily entered into other services

                Got stressed for a moment imagining that more might be scrapeable

                    Would subpoenas count as 'working with the government'?

                    I expect Signal to answer subpoenas, after all.

                      03046512336612478855 Sounds like the scrapeable data is plausibly just:
                      Signal - phone # used on signup

                      If you have my phone number, and I have not marked it as hidden from search in my Signal account settings, then the phone number can be looked up by anyone from within the Signal app – The presence of a Signal account associated with a phone number can be established that way. But Signal doesn't otherwise publicly publish a list of phone numbers.

                          raccoondad they're in no position to issue subpoena or in any way be part of such process so no, it does not relate.

                            Signal complies with government requests , however , they likely can't provide much metadata.

                            Interestingly though, the FBI recently suggested to U.S. citizens to use signal app do to Chinese hacking of SMS network.

                              locked Every company does, those who claim they don't simply bullshit to the public to not lose their PR and/or reputation. There were only a small subset of events where company (as in a single person responsible for the service) would rather cease to exist than to comply.

                              • geko replied to this.

                                  03046512336612478855 However it was surprising for me to see Signal and Proton on the list.
                                  Does anyone know - what kind of data from Signal or Proton is harvestable like this?

                                  Hopefully its just a single field like:
                                  "has phone # registered on Signal - yes/no"
                                  or
                                  "list of proton addresses registered on other services"

                                  ProtonMail does have a public HKPS keyserver that distributes public PGP keys associated with accounts. It generates dummy entries to dissuade casual scraping, but importing a dummy key into gpg fails. So it does not surprise me seeing another entity attempt to enumerate it for 'research'.

                                    geko Yes, and truecrypt, as I said a handful of people responsible for various services decided to cease to exist rather than comply.

                                      fid02 which is why you should only use the number to sign up in Signal, and thereafter use a nickname, hiding your number from those outside of your circle

                                          locked Signal complies with government requests , however , they likely can't provide much metadata.

                                          Yes. They have released documentation before of what their response to a subpoena looks like.

                                            PaulDavis

                                            can you then sign on to Signal from another device using the nickname? I don't think a "secure" messaging service that requires a phone number is really any better than imessages for example