New Software Technique Can Disguise/Hide Your Digital Search Footprints

New Software Technique Can Disguise/Hide Your Digital Search Footprints

     Lily Hay Newman posted an October 29, 2018 article on the cyber security and technology website, about a new software technique that purports to disguise or hide your digital searches on the Internet. She writes that “a key part of what makes Signal the leading encrypted messaging app is its effort to minimize the amount of data or metadata each message leaves behind. The messages themselves,” she adds, “are fully encrypted as they move across Signal’s infrastructure, and the services don’t store logs of information — like who sends messages to each other,or when.” Late last month, Ms. Newman wrote that “Signal announced a new initiative to take those protections even further. Now, it hopes to encrypt even information about which users are messaging each other on the platform.”   “As much as it values privacy,” Ms. Newman noted, “Signal still needs to see where messages are going, so it can deliver them to the right account. The service has also relied on seeing what account a message came from, to verify that the sender is legit, limit the number of messages an account sends in a period of time, to prevent it from spewing spam, and offer other types of anti-abuse checks.”

     “But, having access to metadata about the sender and the recipient — offers a lot of information about how people use Signal, and with whom they associate,” Ms. Newman wrote. “Think of it as the address and the return address on the envelope of a physical letter. So, Signal developers created workarounds that will now allow the app to encrypt not just the content of messages but, the identity of the sender.”

     “While the service always needs to know where a message needs to be delivered, ideally, it shouldn’t need to know who the sender is,” Moxie Marlinspike, the creator of Signal wrote on a recent blogspot. “It would be better if the service could handle packages where only the destination is written on the outside, with a blank space where the ‘from’ address used to be.”

     “Currently, Signal is testing this “sealed sender” feature in its beta release,” Ms. Newman wrote. “Since the mechanism removes ‘Signal’s’ ability to validate senders, the service is adding workarounds that still let users verify who sent incoming messages, and reduce their chance of receiving abusive content. Most importantly,” Ms. Newman noted, “Signal will only allow “sealed sender” messages to go between accounts that have already established trust, particularly by being in each others’ contact lists. If you block someone Signal has made cryptographic tweaks, so they will still be barred from messaging you — even if you are in each others’ contact lists.”

     “Thanks to the change, if Signal is compromised, an attacker inside a service will only see encrypted messages going to their destinations, and won’t be able to see where they came from,” Ms. Newman wrote. “As “sealed sender” rolls out, users will be able to turn on a status icon if they want an indication of when messages have been send using the scheme.”

     “Sort of like open DMs on Twitter, Signal will also provide an option to receive sealed sender messages from anyone on the service, not just trusted accounts or contacts,” Ms. Newman wrote. “This comes at the increased risk of abuse, but allows for every incoming message to be sent with “sealed sender,” Ms. Marlinspike wrote.      “It’s a real step up,” said Johns Hopkins cryptographer Matthew Green. “The service will reveal IP addresses; but, those are probably not logged by Signal, whereas sender usernames probably were, at least for undelivered messages.”

     “Signal uses Amazon Web Services for hosting,” Ms. Newman wrote, “and says that it is still working on finding a viable way to encrypt IP addresses and other metadata that could theoretically allow an attacker to perform certain types of user traffic analysis. And, encrypted messaging still isn’t a magic bullet, especially if you leave message threads on your device,” or what is often referred to as ‘digital exhaust.’ But, Mr. Green “emphasizes that every incremental step is valuable. The difficulty of developing the technical frameworks for these steps is one reason WhatsApp Co-Founder Brian Acton donated $50M in February to support Signal’s development,” Ms. Newman noted. “The more of a barren data wasteland it is inside of Signal, the better.”

     As with almost anything these days, especially in the digital realm, there are trade-offs and unintended consequences.  This same technique/software will no doubt be used by the darker digital angels of our nature to conduct nefarious and potentially dangerous online activities. And, this Signal technique isn’t digitally bullet-proof.  Will it make it harder for law enforcement and intelligence agencies to conduct digital reconnaissance? No doubt. And, for the overwhelming majority of those just seeking some enhanced digital privacy – this new technique is probably a welcome respite. As the old saying goes, ‘don’t let the perfect be the enemy of the good enough.’ Having said that, if someone/adversary is determined enough to find you digitally, this new technique will be an impediment; but, it isn’t impregnable. Beware, and keep in mind, someone with the talent, skill-set, time, and determination, will eventually find a way around or through these barriers.  RCP,

Leave a Reply

Your email address will not be published. Required fields are marked *