It’s paywalled for me so can’t see this all. But does this mean signal, rcs and other encrypted messages are being logged? Kind of defeats the purpose of privacy based use cases if so
PSA: We’ve received questions about push notifications. First: push notifications for Signal NEVER contain sensitive unencrypted data & do not reveal the contents of any Signal messages or calls–not to Apple, not to Google, not to anyone but you & the people you’re talking to.
Doesn’t this mean there is nothing to log? You got me confused
You are trying to read what isn’t there. Push notifications just don’t contain any messages, at all, in any form, whether you want to call it data or metadata. They are just telling the Signal app to wake up, and then it securely checks with the server what’s up.
The only think authorities are getting then, is the fact your Signal app was told to wake up at time X. Not whether you actually received a message, let alone any information about any messages.
It is confusing the system is called “push notifications”, because it has nothing to do with the actual notifications you are seeing on your phone. It’s just a mechanism to wake up sleeping apps so that they can check up with their server.
Signal is E2EE. While it does use notifications, there is no meaningful unencrypted content in them. The content of the notification you see is decrypted on-device.
A push notification, from a technical standpoint, is just a way to wake up an app. It doesn’t have to contain any information.
So when you get a message, the messaging service sends a push notification through Apple/Google, which is a way of saying “Hey messaging app, wake up”. The app then starts running in the background on your phone, connects to it’s server, asks if there is anything new to know about, and the server tells it about a new message, if any. This can then generate a notification on your phone, but importantly what you are seeing in the notification did not come through Apple/Google, all that did was the “Hey messaging app, wake up!”.
If authorities then request this data from Apple/Google, all they can see is the times at which your messaging app was asked to wake up. Not whether any message was actually received, or what it contained, or from who. Because all that never touched Apple/Google’s systems, not even in an encrypted form.
That being said, some data can be sent directly through the Apple/Google system along with the wake up message, so it’s not impossible that some apps include some metadata there. In theory they shouldn’t. For example simple marketing notifications or ads often are just included with the push, because it’s simple to do.
I don’t know, are they? As far as we know they could only get unsent notifications, which are obviously still with Apple/Google because the target phone is offline and so they couldn’t be delivered yet. Which would explain why they only got thousands of them, not billions.
Yes, these are not “private” services, they are “secure messaging” services. Commonly confused issue. Privacy requires controlling the communication infrastructure. Security only requires controlling the items being shared.
It’s paywalled for me so can’t see this all. But does this mean signal, rcs and other encrypted messages are being logged? Kind of defeats the purpose of privacy based use cases if so
Removed by mod
Doesn’t this mean there is nothing to log? You got me confused
I guess it’s possible to log the fact that a push notification was received and the time of it?
Honestly I wouldn’t expect Signal to try and take care of this
Removed by mod
Removed by mod
You are trying to read what isn’t there. Push notifications just don’t contain any messages, at all, in any form, whether you want to call it data or metadata. They are just telling the Signal app to wake up, and then it securely checks with the server what’s up.
The only think authorities are getting then, is the fact your Signal app was told to wake up at time X. Not whether you actually received a message, let alone any information about any messages.
It is confusing the system is called “push notifications”, because it has nothing to do with the actual notifications you are seeing on your phone. It’s just a mechanism to wake up sleeping apps so that they can check up with their server.
Removed by mod
Yes it’s called metadata. I don’t know why they want it.
Removed by mod
Yes, I assume so.
Signal is E2EE. While it does use notifications, there is no meaningful unencrypted content in them. The content of the notification you see is decrypted on-device.
A push notification, from a technical standpoint, is just a way to wake up an app. It doesn’t have to contain any information.
So when you get a message, the messaging service sends a push notification through Apple/Google, which is a way of saying “Hey messaging app, wake up”. The app then starts running in the background on your phone, connects to it’s server, asks if there is anything new to know about, and the server tells it about a new message, if any. This can then generate a notification on your phone, but importantly what you are seeing in the notification did not come through Apple/Google, all that did was the “Hey messaging app, wake up!”.
If authorities then request this data from Apple/Google, all they can see is the times at which your messaging app was asked to wake up. Not whether any message was actually received, or what it contained, or from who. Because all that never touched Apple/Google’s systems, not even in an encrypted form.
That being said, some data can be sent directly through the Apple/Google system along with the wake up message, so it’s not impossible that some apps include some metadata there. In theory they shouldn’t. For example simple marketing notifications or ads often are just included with the push, because it’s simple to do.
Removed by mod
I don’t know, are they? As far as we know they could only get unsent notifications, which are obviously still with Apple/Google because the target phone is offline and so they couldn’t be delivered yet. Which would explain why they only got thousands of them, not billions.
Removed by mod
Removed archive link, also paywalled.
:(
Articles Found:
Edit:
Yes, these are not “private” services, they are “secure messaging” services. Commonly confused issue. Privacy requires controlling the communication infrastructure. Security only requires controlling the items being shared.