California Prosecutors Are Still Trying To Get Signal To Hand Over User Info It Simply Doesn't Possess

from the keep-burning-that-toner,-g-men dept

Encrypted messaging app Signal is slowly educating federal prosecutors on the meaning of the idiom “blood from a stone.” Usually this refers to someone who is judgment-proof (or extortion-proof or whatever), since you can’t take money a person doesn’t have.

This would be the digital equivalent. Prosecutors in California have tried three times this year to obtain data on Signal users that Signal never collects or retains. Issue all the subpoenas you want, Signal says, but don’t expect anything to change. We can’t give you what we don’t have. (h/t Slashdot)

Here we are in the second half of 2021, Signal still knows nothing about you, but the government keeps asking.

Because everything in Signal is end-to-end encrypted by default, the broad set of personal information that is typically easy to retrieve in other apps simply doesn’t exist on Signal’s servers. Once again, this request sought a wide variety of information we don’t have, including the users’s name, address, correspondence, contacts, groups, call records.

As usual, we couldn’t provide any of that. It’s impossible to turn over data that we never had access to in the first place. Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for. As a result, our response to the subpoena will look familiar. It’s the same set of “Account and Subscriber Information” that we can provide: Unix timestamps for when each account was created and the date that each account last connected to the Signal service.

That’s it.

That handles one request from prosecutors in Santa Clara County, California. Another one was greeted with the same response a few days later — this time from the Central District of California. Apparently the lesson wasn’t learned back in April, when the same district made the same request for data and got the same answer from Signal. Two grand jury subpoenas and one search warrant later and the answer remains the same.

The search warrant had a few more wrinkles of the government variety, even if the end result was Unix timestamps. According to the Signal post, the government attached a gag order to this warrant and renewed it four times while being told by Signal that the company had nothing more to turn over in response. There was nothing remotely adversarial about this process. The government made four secrecy requests, got all four granted — all without acknowledging Signal’s motion to unseal. The court also refused to schedule a hearing or even return phone calls from Signal’s legal reps.

It seems like the government will keep trying, though. Signal doesn’t get hit with many requests for user info, but prosecutors spending the public’s money seem willing to define insanity through their ineffective actions. And for companies providing encrypted communications, the best way to protect users is to gather as little info about them as possible. When the government comes knocking, it’s sometimes best to have nothing to give it.

Filed Under: , , , ,
Companies: signal

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “California Prosecutors Are Still Trying To Get Signal To Hand Over User Info It Simply Doesn't Possess”

Subscribe: RSS Leave a comment
Discuss Itsays:

Re: Take a page from libraries

Libraries learned this long ago.

I used to run an OPAC over a decade ago. The Chief Technical Archivist had me purge all check out data for a book once it was checked back in, including the transaction backups. That meant I had to make "cold" backups each night. I finally got funds to make a RAID 50, then break the RAID for backups, then re-sync it after the backup.

That Anonymous Cowardsays:

"The court also refused to schedule a hearing or even return phone calls from Signal’s legal reps."

Well its good to see that the ‘justice’ system is balanced.

Once does wonder why those who have sent more than 1 request are still employed. They company told them here is 2 dates, its the ONLY information we have to give you… and they still send requests demanding data they imagine has to exist.

One also wonders what these investigations were & why super secret don’t tell anyone about this was required.

That One Guysays:

Re: Re: Re:

Signal lawyer(s): You and what law?

Forcing a company to hand over data they already have is one thing, demanding that they shoot their own business in the back by crippling the encryption they use so that they start collecting that data explicitly so that you can demand it from them might be a bit higher a legal hurdle to pass, though given how eager the court was to sign off on the gag orders it also wouldn’t surprise me if they gave that the green-light too.

John Gilmoresays:

Signal actually DOES have more info than what they claim. Their app has forced every user for a year to upload all their contacts into an SGX instance run by Signal, “in case you lose your phone”. See: . These contacts are protected by a short easy-to-brute-force PIN. The only thing that keeps Signal from being able to trivially decode these contacts is a small bit of code in their SGX enclave that won’t let you try endless PINs. ( ) They can easily remove that code and decrypt your contacts. I suspect that they are required to do so when subpoena’d for the info.

Signal has been duplicitous about exactly what this PIN is for and how much user information they keep. They pitch it as “allowing” people to back up their contacts, but their app instead “required” people to create a PIN and upload their contacts to Signal’s servers. Now, under legal process, they may have to stop lying to courts about it. Or even, in a better world, they’d stop forcing the users to store things in Signal’s servers that can be subpoena’d.


Gag order constitutionality

Last I checked, gag orders were only (barely) constitutional because they are limited in time, limited in scope, and can be challenged in court.

If they can be extended indefinitely by ex parte proceedings, and the court simply ignores attempts to challenge one, then they lose whatever constitutionality they ever had.

What’s the penalty for ignoring an order a court has no authority to make in a court proceeding you aren’t a party to?

That One Guysays:

Re: Gag order constitutionality

What’s the penalty for ignoring an order a court has no authority to make in a court proceeding you aren’t a party to?

Vastly more than the prosecutor and/or judge would face for asking for/issuing those gag orders.

It’s one thing to say that gag orders are already on shaky constitutional ground and that unchallengable gag orders should be treated as well into unconstitutional territory but you still need to get one or more judges to agree with that and have the money needed to do so, until you do that you’re going to leave yourself wide open for penalties for violating what will be treated as a valid court order.


Probably a checklist at the prosecution office

Public servants are generally required to prove that they have done the job. This is generally through checklists; given situation X, do A, B, C….

This is even more true for criminal prosecutions, because defence lawyers can use any gap in the evidence to suggest that perhaps there is something exculpatory being hidden (which never happens of course {sarcasm}).

For a prosecution involving the Internet, no doubt the checklist involves a subpoena for account information from all providers. So when a suspect has a Signal account, Signal gets hit with a subpoena that is doubtless identical to the one being served on Facebook.

Of course the prosecutors know that Signal doesn’t keep that information. But they have to ask so that they can stand up in court, or before an internal quality audit, and say “We followed the standard procedure, here is the response from Signal, and as you can see they don’t keep any relevant information”.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it