
>1) Make mass surveillance impossible.

By giving NSA the only thing what they want: metadata from Google

>2) Stop targeted attacks against crypto nerds.

Who don't have Google services on their devices and don't use Google Chrome... yeah. Thanks for helping me so much.

The Senate is considering reauthorizing the law the NSA says authorizes it to collect hundreds of millions of online communications from providers like Facebook and Google as well as straight off the internet’s backbone: https://theintercept.com/2016/05/10/senate-kicks-off-debate-...



> By giving NSA the only thing what they want: metadata from Google

What metadata does Google get from Signal messages? The time/date you received a message, the size of the message... Is there anything else?


The person you are communicating with.


No, that's not how it works. The GCM message is empty, it just wakes up your device which then fetches the actual message from the Signal servers.


You don't think Google could correlate the two?

Google knows device A got messages at times X, Y, and Z, and device B got messages at times X+1, Y+2, and Z+1.5.

I'd be willing to bet with some statistical analysis over time, some pretty interesting data could be mined from that raw knowledge.


Why don't they know that anyways from basic traffic analysis?


This topic was about GCM specifically, which, since it goes through Google servers (unlike, say, my arbitrary browsing, or the network profile of my arbitrary apps), is directly available to Google.

Speculating that Google may have access to my full network profile is a little off-topic, but yeah, if they did have that data, they could certainly do similar analysis on it.

Did anyone say they couldn't?


So is the answer "there is nothing that GCM is revealing that NSA doesn't already get from simple traffic analysis"?


The answer is "GCM may reveal more to Google than one would expect from using an E2E encryption application (like metadata, and more than one would initially assume)".

The person I initially replied to was talking about Google, GCM, E2E encryption, and that metadata won't reveal anything to Google except time/date of a single message and the message size. I pointed out there may be more information there.

I have no doubt that the NSA can do traffic analysis, or may have some of this data already... I'm not sure why that is in the replies to my comments in this thread.


That's only a meaningful answer if simple traffic behavior wasn't already revealing the same information. Was it, or wasn't it? I feel like I'm having a hard time getting a straight answer.


Does Google already have simple traffic behavior? If yes, then this information is nothing new to Google. If no, then this information may be new to Google.

Form a straight question and you'll get a straight answer.


Again: what exactly is it that the NSA learns from the GCM messages that they can't learn from the message traffic itself?

I'm beginning to suspect the answer is "nothing", and that this whole thread is really just a superstitious allergy to GCM.


Are you in the right thread? The discussion here is about what information Google can get from GCM messages, not what the NSA can get from GCM messages.

And even though your question is off-topic, I already answered it above.

Why would you accuse someone of being allergic to a technology when they are simply answering questions about it? If you disagree with the actual topic of discussion - that Google (not the NSA) might get more than just "message sizes and timestamps" out of an E2E-encrypted app which uses GCM messages - then have a normal conversation about it instead of bringing up the NSA repeatedly.

And if not, then stop making baseless and inflammatory accusations.


> Are you in the right thread? The discussion here is about what information Google can get from GCM messages

The parent poster of the post you initially replied to asserted that Signal was "giving NSA the only thing what they want: metadata from Google", so I guess that's where tptacek is coming from.

On a side note, Google can't actually know the message sizes because GCM is used without a payload.


Yes, but they're right: we started talking past each other several comments ago. Sorry!


If tptacek wanted to reply to the NSA comment, that's fine, but that's not what happened.

Your side note also applies to that comment, but not mine, so I think it belongs there, not here.


More worried about NSA correlating the two after getting the data from Google, but the one good thing about their centralization model probably is that with millions of users to a central server (and something you do as often as texting) this makes timing analysis extremely difficult.


I have no data to back this up, but I bet patterns would reveal much more than you would intuitively think.


But the "observer" can still know which mobile phone is yours and who communicates with whom? Especially if the "observer" has the info from the Signal servers.

Edit (as I can't post a reply to your answer):

And based on the NSA principle of the "three levels of distance" everybody is reachable as long as some common numbers are in our contact lists which we happily upload.


The question wasn't what metadata Signal gets, but what metadata Google gets on Signal messages. Yes, Signal servers know who communicates with whom.



