Signal—the private, end-to-end encrypted messaging app that surged in popularity in recent months—once again reminded criminal investigators that it could not fully comply with a legal request for user records and communications because of what it asserts as a simple, unchanging fact: The records do not exist on Signal’s servers.
This is at least the second request of this kind that Signal has received in the last five years, and in the same time period, similar government demands to pry apart end-to-end encrypted communications have become commonplace. Every single time the government has tried this—from the FBI’s insistence in 2016 that Apple create new software to grant access to a device, to the introduction of the EARN IT Act in Congress last year—cybersecurity experts have pushed back.
The legal request to Signal came from the US Attorney’s Office in the Central District of California in the form of a federal grand jury subpoena. According to the subpoena, investigators sought “all subscriber information” belonging to what appeared to be six Signal users. The requested information included “user’s name, address, and date and time of account creation,” the date and time that the users downloaded Signal and when they last accessed Signal, along with the content of the messages sent and received by the accounts, described in the request as “all correspondence with users associated with the above phone numbers.”
Signal responded to the subpoena with help from lawyers from the American Civil Liberties Union. According to the company’s response, Signal could only comply with two categories of information requested by the US Attorney’s Office.
“The only information Signal maintains that is responsive to the subpoena’s inquiries about particular user accounts is the time of account creation and the time of the account’s last connection to Signal servers,” wrote ACLU attorneys Brett Kauffman and Jennifer Granick. Kauffman and Granick also addressed some of the US Attorney’s Office’s questions about the physical locations of Signal’s servers and whether the technical processes of account creation and communication for Signal users in California ever leave the state of California itself.
In a blog post published this week, Signal described why it again could not comply with a subpoena for user information, explaining that, because of the app’s design, such user information never reaches the company’s hands.
“It’s impossible to turn over data that we never had access to in the first place,” the company wrote. “Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for.”
This lack of access, while excellent for user privacy, has frustrated law enforcement for years. It is a problem that is often referred to as “going dark,” in that the communications of criminals using end-to-end encrypted messaging apps are inaccessible to any third parties, including government investigators. Former Deputy Attorney General Rod Rosenstein has referenced the “going dark” problem, as has current FBI Director Christopher Wray. Many other representatives have, as well, and each time their refrain has stayed the same: End-to-end encrypted messaging apps provide a level of security that is too extreme to allow without a way for law enforcement to break through it.
As many cybersecurity experts have explained over literal decades, allowing third parties to access secure, end-to-end encrypted communications will, by definition, make them less secure, functioning in effect as a backdoor. And a backdoor, in and of itself, is a security vulnerability.
Signal’s efforts to publicize its grand jury subpoena are notable—these requests often come with an instruction that the recipient not disclose any details of the request, or else risk jeopardizing an ongoing criminal investigation. These are valid concerns, but so are the concerns raised by Signal: that, even after all this time, government agents still believe that evidence can be conjured out of thin air.