Plenty of messaging apps use strong encryption to make it next to impossible for law enforcement officers or other potential adversaries to read communications sent between parties. Often, however, unencrypted metadata—such as the sender, receiver, and time a message is sent—is all the sensitive data an adversary needs. Now, the Signal app is testing a new technique called “sealed sender” that’s designed to minimize the metadata that’s accessible to its servers.
A beta release announced Monday will send messages that remove most of the plain-text sender information from message headers. It’s as if the Signal app was sending a traditional letter through the postal service that still included the “to” address but has left almost all of the “from” address blank.
Like most messaging services, Signal has relied on the “from” address in message headers to prevent the spoofing of user identities and to limit spam and other types of abuse on the platform. Sealed sender, which puts most user information inside the encrypted message, uses two new devices to get around this potential privacy risk:
- Senders periodically retrieve short-lived sender certificates that store the sender’s phone number, public key, and expiration timestamp. The certificates are included inside the encrypted envelope, along with the message contents. Once the sender certificate is decrypted, message recipients can use it to mathematically verify the validity of the sender. But because this certificate is encrypted on the receiver’s device and isn’t decrypted until after it arrives on the receiver’s device, Signal servers have no way of knowing who has sent the message.
- Delivery tokens derived from the sender’s profile key are used to prevent abuse. Before a user can transmit a message that strips the “from” address out of the header, the user must prove she has access to the delivery token. Because Signal profiles are end-to-end encrypted, valid tokens can only be created by a person or group that’s already in the receiver’s contacts. In the event a sender starts sending spam or other types of abuse, the receiver can simply block that person.
Users who want to receive sealed-sender messages from non-contacts can choose an optional setting that doesn’t require the sender to present a delivery token. This setting opens a user up to the possibility of increased abuse, but for journalists or others who rely on Signal to communicate with strangers, the risk may be acceptable.
Too late for some
Signal’s beta comes 12 days after federal prosecutors revealed they were able to build a strong case against a US Treasury official by monitoring, in real-time, the messages she sent and received using an unnamed encrypted messaging app. On August 15, according to a criminal complaint, investigators used a court-issued pen register and trap and trace order to determine the official exchanged 10 messages with a BuzzFeed reporter using the encrypted app. Over the next two months, the same order showed the official and reporter traded 301 messages using the same app.
The account provided in the complaint was a reminder that encryption doesn’t always provide users with anonymity unless they take extra precautions. Signal’s privacy policy explicitly promises that sender and receiver data is never logged, and connections between end users and Signal servers are protected by TLS encryption. Those measures have caused many privacy advocates who were concerned about the dragnet to suspect Signal wasn’t the the unnamed messaging used in the case.
“To comply, Signal would have to change software running on its server,” Micah Lee, a journalist and security engineer at The Intercept, told Ars. “The software would have to log metadata sent between specific targets.” Signal lists government requests here and would almost certainly vigorously fight a court order requiring it to make such changes.
Sealed sender is designed to make the possibility of cooperation by Signal even less feasible. To assist law enforcement under the new process, Signal would not only have to change software running on its servers but also revert its client software to the old way it worked. Then law enforcement would have to wait for the targets in their investigation to install the updates.
“What they’re doing is moving from security by policy to security by technology, which I think is the whole point of encryption to begin with,” Lee said. “If you can trust that a company is not going to look at your data and not going to share your data, you don’t need end-to-end encryption.”
Even under the sealed sender, observers said, Signal will continue to map sender’s IP addresses. That information, combined with recipient IDs and message times, means the Signal continues to leave a wake of potentially sensitive metadata. Still, by removing the “from” information from the outside of Signal messages, the service is incrementally raising the bar.