WhatsApp now lets users encrypt their chat backups in the cloud

WhatsApp is beginning to roll out a new feature that will provide its two billion users the option to encrypt their chat history backup in iCloud or Google Drive, patching a major loophole that has been exploited by governments to obtain and review private communication between individuals.

WhatsApp has long end-to-end encrypted chats between users on its app. But users have had no means to protect the backup of those chats stored in the cloud. (For iPhone users, the chat history is stored in iCloud, and Android users rely on Google Drive.)

It has been widely reported that law enforcement agencies across the globe have been able to access the private communications between suspect individuals on WhatsApp by exploiting this loophole.

WhatsApp, which processes over 100 billion messages a day, is closing that weak link, and tells TechCrunch that it’s providing this new feature to users in every market where the app is operational. The feature is optional, the company said. (It’s not uncommon for companies to withhold privacy features for legal and regulatory reasons. Apple’s new encrypted browsing feature isn’t available to users in certain authoritarian regimes, such as China, Belarus, Egypt, Kazakhstan, Saudi Arabia, Turkmenistan, Uganda and the Philippines.)

Mark Zuckerberg, founder and chief executive of Facebook, noted that WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups. “Proud of the team for continuing to lead on security for your private conversations,” he said in a post on his Facebook page.

WhatsApp began testing the feature with a small group of users last month. The company devised a system to enable WhatsApp users on Android and iOS to lock their chat backups with encryption keys. WhatsApp says it will offer users two ways to encrypt their cloud backups.

Users on WhatsApp will see an option to generate a 64-digit encryption key to protect their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that backs up their encryption key in a cloud-based “backup key vault” that WhatsApp has developed. The cloud-stored encryption key can’t be used without the user’s password, which isn’t known to WhatsApp.

“While end-to-end encrypted messages you send and receive are stored on your device, many people also want a way to back up their chats in case they lose their phone,” the company wrote in a blog post.

As we wrote last month, the move to introduce this additional layer of privacy is significant and one that can have far-reaching implications.

Thoughts, governments?

End-to-end encryption remains a thorny topic of discussion as governments across the globe continue to lobby for backdoors. Apple was pressured to not add encryption to iCloud Backups after the FBI complained, according to Reuters, and while Google has offered users the ability to encrypt their data stored in Google Drive, the company reportedly didn’t tell governments before it rolled out the feature.

India, WhatsApp’s biggest market by users, has introduced a new law that requires the company to devise a way to make “traceability” of questionable messages possible. WhatsApp has sued the Indian government over this new mandate, and said such a requirement effectively mandates “a new form of mass surveillance.”

The UK government — which isn’t exactly a fan of encryption — recently asked messaging apps to not use end-to-end encryption for kids’ accounts. Elsewhere in the world, Australia passed controversial laws three years ago that are designed to force tech companies to provide police and security agencies access to encrypted chats.

WhatsApp declined to discuss whether it had consulted about the new feature with lawmakers or government agencies.

Privacy-focused organizations including Electronic Frontier Foundation have lauded WhatsApp’s move.

“This privacy win from Facebook-owned WhatsApp is striking in its contrast to Apple, which has been under fire recently for its plans for on-device scanning of photos that minors send on Messages, as well as of every photo that any Apple user uploads to iCloud. While Apple has paused to consider more feedback on its plans, there’s still no sign that they will include fixing one of its longstanding privacy pitfalls: no effective encryption across iCloud backups,” the organization wrote.

“WhatsApp is raising the bar, and Apple and others should follow suit.”

Telegram says it added 70M users during day of Facebook and WhatsApp outage

Facebook’s hours-long outage on Monday may have hurt the company, its founder, shareholders, and many businesses that rely on the social juggernaut’s services. But for its instant messaging rivals, it was a very good day.

Telegram founder and chief executive Pavel Durov said on Tuesday that his instant messaging app added a staggering 70 million users yesterday in what he described as a “record increase in user registration and activity” for the service.

“I am proud of how our team handled the unprecedented growth because Telegram continued to work flawlessly for the vast majority of our users,” wrote Durov on his Telegram channel. But the day wasn’t so flawless.

“That said, some users in the Americas may have experienced slower speed than usual as millions of users from these continents rushed to sign up for Telegram at the same time,” he added.

Telegram, which recently topped 1 billion downloads, had 500 million monthly active users as of early this year.

Signal, which competes with both Telegram and WhatsApp, also added new users. It said yesterday in a tweet that “millions of new users” had joined the app.

This isn’t the first time Telegram and Signal have gained at the expense of their chief rival. The two added millions of users earlier this year as well when WhatsApp was struggling to explain exactly what its new privacy policy entailed.

“The smallest of events helped trigger the largest of outcomes,” said Brian Acton, the executive chairman of Signal’s holding company, of WhatsApp’s debacle earlier this year, in an interview with TechCrunch.

The headline was updated for clarity.

Signal, the encrypted messaging app, is currently down for many users

Signal is down for many users right now. Its status website says the encrypted messaging app is “experiencing technical difficulties” and many people are getting an in-app error message that says the same thing. The company says it is “working hard to restore service as quickly as possible.” TechCrunch has contacted Signal for comment.

Signal’s in-app error message

According to Downdetector.com, users started reporting outages around 11:05 PM Eastern Standard Time this evening, and it appears to be affecting people around the world.

In January, Signal experienced a surge in downloads on the App Store and Google Play after WhatsApp changed its data-sharing policy.

Over the past few months, Signal has continued to build out its feature set, adding a default timer for disappearing messages that automatically applies the settings to all new conversations.

WhatsApp will finally let users encrypt their chat backups in the cloud

WhatsApp said on Friday it will give its two billion users the option to encrypt their chat backups to the cloud, taking a significant step to put a lid on one of the tricky ways private communication between individuals on the app can be compromised.

The Facebook-owned service has end-to-end encrypted chats between users for more than a decade. But users have had no option but to store their chat backup to their cloud — iCloud on iPhones and Google Drive on Android — in an unencrypted format.

Tapping these unencrypted WhatsApp chat backups on Google and Apple servers is one of the widely known ways law enforcement agencies across the globe have for years been able to access WhatsApp chats of suspect individuals.

Now WhatsApp says it is patching this weak link in the system.

“WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems,” said Facebook’s chief executive Mark Zuckerberg in a post announcing the new feature.

Store your own encryption keys

The company said it has devised a system to enable WhatsApp users on Android and iOS to lock their chat backups with encryption keys. WhatsApp says it will offer users two ways to encrypt their cloud backups, and the feature is optional.

In the “coming weeks,” users on WhatsApp will see an option to generate a 64-digit encryption key to lock their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that backs up their encryption key in a cloud-based “backup key vault” that WhatsApp has developed. The cloud-stored encryption key can’t be used without the user’s password, which isn’t known by WhatsApp.

Image Credits: WhatsApp/supplied

“We know that some will prefer the 64-digit encryption key whereas others want something they can easily remember, so we will be including both options. Once a user sets their backup password, it is not known to us. They can reset it on their original device if they forget it,” WhatsApp said.

“For the 64-digit key, we will notify users multiple times when they sign up for end-to-end encrypted backups that if they lose their 64-digit key, we will not be able to restore their backup and that they should write it down. Before the setup is complete, we’ll ask users to affirm that they’ve saved their password or 64-digit encryption key.”

A WhatsApp spokesperson told TechCrunch that once an encrypted backup is created, previous copies of the backup will be deleted. “This will happen automatically and there is no action that a user will need to take,” the spokesperson added.
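As an added illustration (not WhatsApp's code or its actual protocol), the following Python models the two options the article describes: a 64-digit recovery key the user keeps offline, from which the backup encryption key is derived directly, and a password that wraps a copy of that key for a server-side vault, so the stored record is useless to anyone without the password. It is standard-library only, so an HMAC-SHA256 keystream with an HMAC tag stands in for a real AEAD such as AES-GCM; the iteration count, labels, record layout and function names are assumptions.

```python
"""Constructed model of the two backup-protection options from the article.
Not WhatsApp's implementation. Stdlib only: an HMAC-SHA256 keystream plus an
HMAC tag (encrypt-then-MAC) stands in for a real AEAD such as AES-GCM."""
import hashlib
import hmac
import secrets

KEY_DIGITS = 64            # length of the user-held recovery key (from the article)
PBKDF2_ITERS = 200_000     # assumption; a deployment tunes this to its latency budget
NONCE_LEN = 16
TAG_LEN = 32


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256; length is capped at 255 blocks."""
    if length > 255 * 32:
        raise ValueError("HKDF output too long for a single expand")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, label: bytes) -> bytes:
    """Encrypt-then-MAC. A fresh nonce makes each keystream single-use; the
    label separates the backup and vault uses of the same construction."""
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key = hkdf_sha256(key, b"enc|" + label, 32)
    mac_key = hkdf_sha256(key, b"mac|" + label, 32)
    stream = hkdf_sha256(enc_key, nonce, len(plaintext))   # keystream bound to nonce
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes, label: bytes) -> bytes:
    """Reverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hkdf_sha256(key, b"enc|" + label, 32)
    mac_key = hkdf_sha256(key, b"mac|" + label, 32)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time tag check first
        raise ValueError("authentication failed: wrong key or corrupted data")
    stream = hkdf_sha256(enc_key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def generate_recovery_key() -> str:
    """Option 1: a 64-digit key shown to the user once, kept offline or in a
    password manager. Nothing here is ever sent to a server."""
    return "".join(str(secrets.randbelow(10)) for _ in range(KEY_DIGITS))


def backup_key_from_digits(digits: str) -> bytes:
    if len(digits) != KEY_DIGITS or not digits.isdigit():
        raise ValueError("recovery key must be exactly 64 decimal digits")
    return hkdf_sha256(digits.encode(), b"backup-key", 32)


def encrypt_backup(digits: str, chat_history: bytes) -> bytes:
    return seal(backup_key_from_digits(digits), chat_history, b"backup")


def decrypt_backup(digits: str, blob: bytes) -> bytes:
    return open_sealed(backup_key_from_digits(digits), blob, b"backup")


def enroll_in_vault(password: str, digits: str) -> dict:
    """Option 2: wrap the recovery key under a password-derived key. The
    returned record is all the vault stores; it holds neither the password
    nor the key, so the operator cannot recover the backup from it."""
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return {"salt": salt, "wrapped_key": seal(kek, digits.encode(), b"vault")}


def recover_from_vault(password: str, record: dict) -> str:
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERS)
    return open_sealed(kek, record["wrapped_key"], b"vault").decode()


def vault_resists_guess(record: dict, wrong_password: str) -> bool:
    """True when a wrong password yields an authentication failure, not a key."""
    try:
        recover_from_vault(wrong_password, record)
        return False
    except ValueError:
        return True


def tamper_detected(digits: str, blob: bytes) -> bool:
    """True when flipping one ciphertext byte is rejected before decryption."""
    corrupted = bytearray(blob)
    corrupted[NONCE_LEN] ^= 0x01
    try:
        decrypt_backup(digits, bytes(corrupted))
        return False
    except ValueError:
        return True
```

The slow PBKDF2 step is the only brake on guessing a weak vault password, which is why the 64-digit key path carries no such weakness but also no recovery if the digits are lost.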

Potential regulatory pushback?

The move to introduce this added layer of privacy is significant and one that could have far-reaching implications.

End-to-end encryption remains a thorny topic of discussion as governments continue to lobby for backdoors. Apple was reportedly pressured to not add encryption to iCloud Backups after the FBI complained, and while Google has offered users the ability to encrypt their data stored in Google Drive, the company allegedly didn’t tell governments before it rolled out the feature.

When asked by TechCrunch whether WhatsApp, or its parent firm Facebook, had consulted with government bodies — or if it had received their support — during the development process of this feature, the company declined to discuss any such conversations.

“People’s messages are deeply personal and as we live more of our lives online, we believe companies should enhance the security they provide their users. By releasing this feature, we are providing our users with the option to add this additional layer of security for their backups if they’d like to, and we’re excited to give our users a meaningful advancement in the safety of their personal messages,” the company told TechCrunch.

WhatsApp also confirmed that it will be rolling out this optional feature in every market where its app is operational. It’s not uncommon for companies to withhold privacy features for legal and regulatory reasons. Apple’s upcoming encrypted browsing feature, for instance, won’t be made available to users in certain authoritarian regimes, such as China, Belarus, Egypt, Kazakhstan, Saudi Arabia, Turkmenistan, Uganda, and the Philippines.

At any rate, Friday’s announcement comes days after ProPublica reported that private end-to-end encrypted conversations between two users can be read by human contractors when messages are reported by users.

“Making backups fully encrypted is really hard and it’s particularly hard to make it reliable and simple enough for people to use. No other messaging service at this scale has done this and provided this level of security for people’s messages,” Uzma Barlaskar, product lead for privacy at WhatsApp, told TechCrunch.

“We’ve been working on this problem for many years, and to build this, we had to develop an entirely new framework for key storage and cloud storage that can be used across the world’s largest operating systems and that took time.”

MobileCoin closes on $66 million in equity in Series B round

MobileCoin, a cryptocurrency business that counts founder Moxie Marlinspike of the encrypting messaging app Signal as its earliest technical advisor, has raised $66 million in Series B funding from a long list of investors, including Alameda Research, Berggruen Holdings, BlockTower Capital, Coinbase Ventures, Marc Benioff’s TIME Ventures, Vy Capital, and earlier backers General Catalyst and Future Ventures.

The all-equity round brings the four-year-old, San Francisco-based company’s total funding to $107 million altogether, including a $30 million round led by Binance Labs back in 2018. According to founder and CEO Joshua Goldbard, the newest round values the outfit at $1.066 billion.

As we reported earlier this year, MobileCoin is focused on enabling privacy-protecting payments made through “near instantaneous transactions” over one’s phone. Indeed, a month after we published that piece, Signal rolled out support for MobileCoin as a payment feature that its users (only in the UK for now) can use to pay for a service or product while enjoying greater privacy than might be possible otherwise.

Marlinspike told Wired back in April that because MobileCoin is a so-called privacy coin designed to protect users’ identities and the details of their payments on a blockchain, that it’s an ideal fit for Signal. “There’s a palpable difference in the feeling of what it’s like to communicate over Signal, knowing you’re not being watched or listened to, versus other communication platforms. I would like to get to a world where not only can you feel that when you talk to your therapist over Signal, but also when you pay your therapist for the session over Signal.”

According to Goldbard, MobileCoin is also being used to transact by users of Mixin Messenger, a China-based open-source private messenger built on the Signal Protocol that enables individuals to send cryptocurrencies to their phone contacts.

MobileCoin’s actual digital coins have fluctuated wildly in value since they began trading in December of last year on the cryptocurrency exchange, FTX, run by entrepreneur Sam Bankman-Fried, who also founded the quantitative crypto trading firm Alameda Research (which just invested in MobileCoin).

It is also available to buy and sell on the non-U.S. crypto trading platforms Bitfinex, BigOne, and HotBit. Goldbard says there’s no reason that U.S. exchanges couldn’t also list the coin for trade, though that’s not the case currently.

“It’s entirely up to [them] when they list assets, and no one knows ahead of time when your asset will be listed,” Goldbard offers, dismissing questions about U.S. regulators who’ve cracked down on similar efforts and pointing instead to MobileCoin’s relative newness as its biggest challenge right now. “Most coins take a long time to list, to be honest.”

As for whether Goldbard or his early team members have sold some of the company’s coins — they spiked in price this past spring — he says that “management has not sold any coins.” Asked whether the same is true of Marlinspike, Goldbard says that he “can’t speak for Moxie.” (Marlinspike told Wired in April that neither he nor Signal owned any MobileCoins at the time. We’ve since asked the company whether Marlinspike has ever owned any MobileCoins and also whether he owns or previously owned shares in MobileCoin as an early advisor to the company and have yet to hear back.)

Even assuming that MobileCoin is more secure than other options, it is still not foolproof. Among the risks involved in storing cryptocurrency on a phone are potentially losing it if the phone is left unlocked or the radio on the phone is hacked or if, say, iOS itself is hacked. 

It does offer another advantage, though, argues Goldbard. He says MobileCoin is more environmentally friendly than cryptocurrencies like Bitcoin that rely on ‘proof of work,’ where individuals on a network compete with computing power to solve cryptographic puzzles and consume large amounts of electricity along the way.

MobileCoin instead relies on a mechanism called a “federated byzantine agreement,” wherein different validators — people who agree to store data, process transactions, and add new blocks to the blockchain to earn more cryptocurrency — decide which other validators they trust, and when enough circles of trusted validators overlap, consensus is reached. The algorithm requires fewer people and less energy while remaining decentralized, says Goldbard.

MobileCoin currently has 40 employees and is “hiring as fast as possible,” says Goldbard. Tragically, the company’s head of engineering, Toby Segaran, who was previously an engineer with both Google and Reddit, passed away unexpectedly last week. Meanwhile, MobileCoin brought aboard its first head of compliance, David Ackerman, last month.

Signal now lets you choose disappearing messages by default for new chats

The encrypted chat app Signal is adding a few new options for users looking to lock down their messages. The app will now allow anyone to turn on a default timer for disappearing messages, automatically applying the settings to any newly initiated conversations.

Signal’s disappearing messages option deletes chats for both the sender and receiver after a set amount of time passes. Previously, you had to toggle the option on and select an interval for each individual conversation, which made it easy to overlook the extra privacy feature if you had a lot of chats going at once.

Signal is also adding more options for how long disappearing messages stick around before evaporating. The app’s users can now select an interval up to four weeks and as low as 30 seconds. You can even lower that to a single second in the app’s custom time options.

On any chat app, it’s important to remember that disappearing messages vanish from the user interface but that doesn’t mean they’re gone for good. Anything you share online can live on indefinitely via screenshots or through someone taking a photo of an app’s screen with another device.

Signal wants its users to keep this in mind, noting that the disappearing message options are best for saving storage space and keeping conversation history to a minimum, just in case. “This is not for situations where your contact is your adversary,” the company wrote in a blog post.

The app remains one of the most popular end-to-end encrypted messaging options to date and earlier this year even managed to absorb some WhatsApp users who grew skittish over data sharing policy changes at Facebook.

The privacy-minded messaging app is very well regarded for its strong feature set and the company’s independence, though Signal remains relatively small compared to Facebook’s own end-to-end encrypted WhatsApp, which the company acquired in 2014. As of December 2020, Signal boasted around 20 million monthly active users, while WhatsApp hit 2 billion users early last year.

Twitter now in compliance with India’s new IT rules, government says

Twitter is now complying with India’s new IT rules, New Delhi told a court Tuesday, in a move that is expected to ease months-long tension between the American social media network and the government of the key overseas market.

A lawyer representing the Indian government told the Delhi High Court that Twitter’s recent steps — appointment of chief compliance officer, nodal contact person and resident grievance officer in the country — have made the social network “prima facie” compliant with the new law.

A Twitter spokesperson in India didn’t immediately return a text.

India’s new IT rules, which were unveiled in February this year, mandate that significant social media firms, among other things, appoint officials to address on-ground concerns in the country.

Facebook and Google complied with this requirement in May, when the proposed rules went into effect in the South Asian market.

Twitter, which was facing heat from the Indian government for not blocking some tweets that the Indian government had deemed objectionable, had requested an additional few months to comply with the new rules and in the meantime filled the required roles with temporary staff.

Tension has been brewing between the two for several months. Twitter labeled a tweet from Sambit Patra, the spokesperson of India’s ruling party BJP, in May as “manipulated media.” Days later, a special squad of Delhi police that investigates terrorism and other crimes made a surprise visit to two of Twitter’s offices in the country to seek information about Twitter’s rationale to term Patra’s tweets as manipulated.

Twitter at the time said it was “concerned by recent events regarding our employees in India and the potential threat to freedom of expression for the people we serve.”

The firm’s slow efforts to comply with the new IT rules had cost it liability protection in the country last month, the Indian government said earlier. Separately, it warned Twitter that the firm was in “total noncompliance” with the law.

Internet services enjoy what is broadly referred to as “safe harbor” protection, which says that tech platforms won’t be held liable for the things their users post or share online.

Twitter also received public criticism from several top Indian ministers.

“All social media platforms are welcome to do business in India. They can criticize Ravi Shankar Prasad, my Prime Minister or anyone. The issue is of misuse of social media. Some of them say we are bound by American laws. You operate in India, make good money, but you will take the position that you’ll be governed by American laws. This is plainly not acceptable,” Prasad, who was the IT minister of India until resigning from the position last month, said at a virtual conference early July.

The new rules also require significant social media firms operating encrypted messaging services to devise a way to trace the originator of messages in special cases. Several firms including Facebook’s WhatsApp and Signal have not complied with this requirement. WhatsApp has sued the Indian government over this requirement.

This is a developing story. More to follow…

A Silicon Valley VC firm with $1.8B in assets was hit by ransomware

Advanced Technology Ventures, a Silicon Valley venture capital firm with more than $1.8 billion in assets under its management, was hit by a ransomware attack in July that saw cybercriminals steal personal information on the company’s private investors, or limited partners (LPs).

In a letter to the Maine attorney general’s office, ATV said it became aware of the attack on July 9 after its servers storing financial information had been encrypted by ransomware. By July 26, ATV learned that data had been stolen from the servers before the files were encrypted, a common “double extortion” tactic used by ransomware groups, which then threaten to publish the files online if the ransom to decrypt the files is not paid.

The letter said ATV believes the names, email addresses, phone numbers and Social Security numbers of the individual investors in ATV’s funds were stolen in the attack. Some 300 individuals were affected by the incident, including one person in Maine, according to a listing on the Maine attorney general’s data breach notification portal.

Venture capital firms often do not disclose all of their LPs — the investors who have thrown millions into an investment vehicle — to the public. A number of pre-approved names may be included in an announcement, but overall, a company’s private investors try to stay that way: private. The reasons vary, but it comes down to secrecy and a degree of competitive advantage: The firm may not want competitors to know who is backing them, and an investor may not want others to know where their money is going. This particular attack likely stole key information on a hush-hush part of how venture money works.

ATV said it notified the FBI about the attack. A spokesperson for the FBI did not immediately comment when reached by TechCrunch. ATV’s managing director Mike Carusi did not respond to questions sent by TechCrunch on Monday.

The venture capital firm, based in Menlo Park, California with offices in Boston, was founded in 1979 and invests largely in technology, communications, software and services, and healthcare technology. The company was an early investor in many of the startups from the last decade, like software library Fandango, Host Analytics (now Planful) and Apptegic (now Evergage). Its more recent investments include Tripwire, which was later sold to cybersecurity company Belden for $710 million; Cedexis, a network traffic monitoring startup acquired by Cisco in 2018; and Actifio, which was sold to Google in 2020.

Natasha Mascarenhas contributed reporting. Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send TechCrunch files or documents using our SecureDrop.

WhatsApp is doing fine despite months-long backlash over policy update

It’s safe to say WhatsApp didn’t have the ideal start to 2021. Less than a week into the new year, the Facebook-owned instant messaging app had already annoyed hundreds of thousands of users with its scary-worded notification about a planned policy update. The backlash grew fast and millions of people, including several high-profile figures, started to explore rival apps Signal and Telegram.

Even governments, including India’s — WhatsApp’s biggest market by users — expressed concerns. (In India’s case, an antitrust probe as well.) The backlash prompted WhatsApp to offer a series of clarifications and assurances to users, and it also postponed the deadline for enforcing the planned update by three months. Now with the May 15 deadline just a week away, we are able to quantify the real-world impact the aforementioned backlash had on WhatsApp’s user base: Nada.

The vast majority of users that WhatsApp has notified about the planned update in recent months have accepted the update, a WhatsApp spokesperson told TechCrunch. And the app continues to grow, added the spokesperson without sharing the exact figures. The company also didn’t share how many users it has notified about the planned update.

Facebook’s recent earnings call gives us some idea: The company’s family of apps had 3.45 billion monthly active users as of March 31, 2021, up from 3.3 billion on December 31, and 3.21 billion on September 30.

Users who don’t agree to the new terms, as TechCrunch has previously reported, won’t lose access to their accounts or any feature on May 15, WhatsApp said. But after an unspecified number of weeks, such users will lose several core functionalities — though not at the same time.

“We’ll continue to provide reminders to those users within WhatsApp in the weeks to come,” the spokesperson added.

Since 2016, WhatsApp’s privacy policies have granted the service permission to share with Facebook certain metadata such as user phone numbers and device information.

The new terms allow Facebook and WhatsApp to share payment and transaction data in order to help them better target ads as the social juggernaut broadens its e-commerce offerings and looks to merge its messaging platforms.

Signal tests payments in the UK using MobileCoin

Encrypted chat app Signal is adding payments to the services it provides, a long-expected move and one the company is taking its time on. A U.K.-only beta program will allow users to trade the cryptocurrency MobileCoin quickly, easily, and most importantly, privately.

If you’re in the U.K., or have some way to appear to be, you’ll notice a new Signal Payments feature in the app when you update. All you need to do to use it is link a MobileCoin wallet after you buy some on the cryptocurrency exchange FTX, the only one that lists it right now.

Once you link up, you’ll be able to instantly send MOB to anyone else with a linked wallet, pretty much as easily as you’d send a chat. (No word on when the beta will expand to other countries or currencies.)

Just as Signal doesn’t have any kind of access to the messages you send or calls you make, your payments are totally private. MobileCoin, which Signal has been working with for a couple years now, was built from the ground up for speed and privacy, using a zero-knowledge proof system and other innovations to make it as easy as Venmo but as secure as … well, Signal. You can read more about their approach in this paper (PDF).

MobileCoin just snagged a little over $11 million in funding last month as rumors swirled that this integration was nearing readiness. Further whispers propelled the value of MOB into the stratosphere as well, nice for those holding it but not for people who want to use it to pay someone back for a meal. All of a sudden you’ve given your friend a Benjamin (or perhaps now, in the U.K., a Turing) for no good reason, or the sandwich has depreciated precipitously since lunchtime.

There’s no reason you have to hold the currency, of course, but swapping it for stable or fiat currencies every time seems a chore. Speaking to Wired, Signal co-founder Moxie Marlinspike envisioned an automatic trade-out system, though he is rarely so free with information like that if it is something under active development.

While there is some risk that getting involved with cryptocurrency, with the field’s mixed reputation, may dilute or pollute the goodwill Signal has developed as a secure and disinterested service provider, the team there seems to think it’s inevitable. After all, if popular payment services are being monitored the same way your email and social media are, perhaps we ought to nip this one in the bud and go end-to-end encrypted as quickly as possible.