After fighting a gag order, Moxie Marlinspike, the founder of Open Whisper Systems, went public with details of a federal subpoena demanding Signal subscribers’ information and communication records.
Open Whisper Systems built the encrypted communication app Signal; the Signal encryption protocol is also used in Google’s Allo, WhatsApp and Facebook Messenger. If you know anything at all about Signal, then you know privacy and security are not just marketing buzzwords; end-to-end encryption is a feature to which OWS is deeply committed. Even Edward Snowden gave the thumbs up to use any OWS product.
Perhaps the government wanted to find out if Signal keeps its privacy and security promises, or perhaps the government was clueless about the Signal app and desperate for more information to help in a criminal case in Virginia. At any rate, when OWS received its first federal grand jury subpoena, the government demanded that OWS cough up data associated with two subscribers, including phone numbers, name, address, email address, payment info, IP logs, web browsing histories, browser cookie data, as well as upstream and downstream providers.
The government tacked a gag order onto the subpoena served in 2016. It was meant to silence OWS about the surveillance for one year, since the government claimed that if news about the subpoena got out, then it would “seriously jeopardize the investigation, including by giving targets an opportunity to flee or continue flight from prosecution, destroy or tamper with evidence, change patterns of behavior, or notify confederates.”
OWS turned to the ACLU for help. The ACLU said the government’s need for secrecy might have been legitimate, but the government tends to always fall back on secrecy.
ACLU attorney Brett Kaufman added:
To meet the stringent First Amendment standard, any gag must be justified by something much greater. The First Amendment requires that to close courtrooms or seal evidence—and especially to prohibit a party from speaking publicly on a matter of public concern—the government demonstrate a compelling interest in secrecy, and it must apply that secrecy in the narrowest possible way. But instead, the government appears to seek blanket gag orders by default, without considering precisely what information can be disclosed without harm to its interests.
OWS and the ACLU fought the gag order. Kaufman noted:
To its credit, the government quickly agreed with us that most of the information under seal could be publicly disclosed. But the fact that the government didn't put up too much of a fight suggests that secrecy—and not transparency—has become a governmental default when it comes to demands for our electronic information, and critically, not everyone has the resources or the ability to work with the ACLU to challenge it.
Marlinspike said OWS fought the gag order “because our interest is basically in transparency. We want our users to understand what's going on, and what kind of information we have to provide in situations like this.”
In the end, OWS couldn’t hand over Signal subscribers’ information because it doesn’t collect it in the first place. Marlinspike said, “The Signal service was designed to minimize the data we retain.”
The most the government got was a date when one account was created and when it last connected to Signal’s servers. The other suspect didn’t even have a Signal account.
Signal’s response to the government’s request is “a model for companies hoping to insulate themselves from the fraught process of handing over their customers' data,” according to the ACLU. Kaufman added, “We hope it's an example for other companies how they can continue to stand for customers' privacy.”
If you use Signal, then you trust its security, but now you know Signal also keeps its privacy promises.