I think there are different ways that could be done:
Putting a backdoor in the Signal FOSS software that everyone is using, including tinfoil-hat-wearing extremists like a Librem 5 user who builds everything from source. This would affect everyone, but it should be possible to detect it by looking at the source code. Of course, if the code is big and complicated, they could succeed anyway if nobody is auditing the code carefully enough.
or
Putting a backdoor not in the Signal FOSS software itself, but in the versions of the Signal app that are distributed through closed iOS/Android "app stores", where only Google/Apple knows what is actually installed, so they can install a version built from modified source code that is different from the official FOSS code. The FBI or other 3-letter agency could do this by only pushing Google/Apple to go along with it; the Signal organization would not need to be in on it. That should only affect those who use closed iOS/Android things; Signal could still be used safely between users who use Signal apps built from the proper FOSS source code.
Do you know which one of the above the guy was claiming was happening?
There's a third option that doesn't require any backdoor in Signal. All of the Signal messages are stored locally on the device in an encrypted SQL database, and the encryption key is stored on the device as well. If the database and key files are extracted from the device, the database of messages can be decrypted and read. On a non-free device, the designer of the OS could easily extract these files. The extraction could be done as part of a service to back the device up in the cloud. Everything needed to read the messages would then be on the cloud server of the service provider. Snowden revealed in 2013 that government agencies regularly collect data from the servers of collaborating service providers.
I think these systems are built so that we do not learn more. I have no affiliation with the US government and have not worked for them for at least 8 years (and when I did work for them it was in no way related to this topic). It may be quite reasonable if you don't want to concern yourself with my opinions. The following are only opinions / thoughts:
Here are some of my conspiracy theory ideas with citations:
An opinion piece about why one person sees issues with Signal:
Signal founders say that even though Signal is "open source" they are not OK with you changing the code and using it / distributing it, using a legal loophole in their allegedly "open source" license (link is from the above opinion piece but this link is a primary source link to Signal's founder on GitHub): Please add LibreSignal to f-droid · Issue #37 · LibreSignal/LibreSignal · GitHub
Link to where in the source code the Signal app generates metadata at Google when you try to compile it, by way of "automatic dependency download" from Google and others: Signal-Android/build.gradle.kts at main · signalapp/Signal-Android · GitHub (obviously any project on GitHub, when you download it, is creating metadata at Microsoft of your decision to download it, but that problem applies much more broadly than to Signal; this citation simply indicates that Google is getting a piece of your metadata pie when you try to download and compile this app)
Signal for Android is built on Google Firebase Messaging (link to dependency section of app source code: Signal-Android/app/build.gradle.kts at main · signalapp/Signal-Android · GitHub ). When I pointed this out on Signal forums, they deleted my post for spreading information that "everybody already knows." So I assume you already know that when you send or receive a message through Signal, if one of the ends is Android then metadata is sent to Google via their messaging systems. If you register for your Signal account using an Android device that has no Google Play Services, then this system allegedly turns off, but it's not possible to turn it off from any setting section in the Signal app (so you would have to register from an Android device that was intentionally extremely privacy conscious, where many "modern" things do not work).
Now that we have some evidence that Signal's open source nature is a hoax, and that it notifies Apple and/or Google of the messages being sent, we could venture more into conspiracy theory. Here is an alleged leaked text session that alleges that the FBI has compromised Signal: https://www.reddit.com/r/UFOs/comments/1nhigo7/leaked_texts_between_fmr_senate_intel_committee/ . As a note, this is likely referring to a different problem than the metadata leak. It may be for your threat model in your life that having Signal tell Google whenever you send a Signal message is not a problem, since Signal says they do not tell Google the contents of those messages. This "conspiracy theory" link here on some other non-reputable site called "reddit", which links to other non-reputable sites such as "x", is basically alleging that the FBI has some backdoor into the actual message contents on Android and iOS, possibly for all apps on those systems.