[seanlinmt]

What bothers me is that if Facebook has to reengineer messenger to comply with the government then what’s stopping signal having to reengineer its infrastructure to comply with government demands?

And wouldn’t it be more secure to setup your own infrastructure instead of depending on someone else’s infrastructure where you are unable to determine with certainty that serverside code is unmodified?

[tialaramex]

The article explains that courts have concluded these Acts in particular don't give the government carte blanche, it doesn't get to destroy your business to achieve its goals under the Acts, and obviously allowing wiretapping in Signal's app that exists specifically so that they nobody can wiretap you would destroy Open Whisper Systems' business.

So Facebook's Messenger is made more vulnerable by the fact that "Also the government can't wiretap this" isn't a prominently advertised feature. In fact, prior to this article if you'd asked if they can do so I'd have guessed "Yes" and recommended Signal instead.

Why not set up your own infrastructure? Well that does come with a significant downside. "Don't Stand Out" is one of the principles we've learned is important for real world communications security. Once you set up your own secure systems, while everybody else keeps using Messenger, you are marked out, your communications label themselves as especially interesting. So _once you do that_ you have to be sure that two things are true:

1. Your technical systems are 100% secure. No adversary has a backdoor to your GPU firmware, a laser microphone listening to your keypresses, a black bag team who can break in and silently copy your data when you're out shopping, a zero day exploit for your browser, or whatever. If your adversary is "Bob from next door" this seems plausible. But if it's the government of your country you are probably in deep shit immediately.

2. Your society has both norms and strongly enforced laws that will ensure it's not just easier and cheaper to bypass all this technology and get what they want from you anyway.

But so long as you Don't Stand Out all this fades into the background. If we make _everybody's_ communications secure, yours won't Stand Out and a powerful adversary (such as the US Government) can't target you.

[filleokus]

If I understood the article properly, this is about Messenger voice calls, which are not E2E encrypted:

> However, end-to-end encryption is not an option for Messenger voice calls.

Hence, the FB infra is in a position where they can actually retain the key, which Signal is not:

> This differs in a major way from other secure messaging applications like Signal, WhatsApp, and iMessage. All of those apps use protocols that encrypt that initial session key—the key to the voice data—in a way that renders it unreadable by anyone other than the intended participants in the conversation.

However, Signal could of course modify the client applications to siphon off the keys and send them wherever. Especially since it's hard/impossible to verify the source code running in the binary on your phone, this is somewhat scary and forces me to trust Signal.

But if I understand everything correctly, Signal could not be coerced into revealing keys from the backend side. (Please correct me if I'm wrong)