Signal vs WhatsApp: Signal is still the most private by a long way

Users adding an incorrect user by mistake to a group is no reflection at all on the security of any app. This happens across all apps, as the user is the issue, not the app.

I had long ago deleted the WhatsApp app off my phone, mainly because of its metadata collection, and the sharing of that data with their upstream 'partners' including Facebook and others. This is clearly stated in WhatsApp's T&C's.

'In a statement, a WhatsApp spokesman said it relies on metadata to prevent spam and “keep the service safe from abuse”.' This is just not true, in that this is not the reason why WhatsApp collects metadata — their T&C's state it is to be shared elsewhere.

Yes, both Signal and WhatsApp keep the message content secure, and use the same encryption protocol. But WhatsApp is also collecting your location continuously, when you message who, for how long, when you wake up, when you go to sleep, where you shop, etc (and of course shares this with your consent).

This is not Signal's business model, nor do they obtain your consent to share this data. WhatsApp/Instagram/Facebook are all about targeting users for advertisers, and sharing data for that targeting (and of course being US owned they have to share that data under the CLOUD and Patriot Acts with the US government as well when requested).

What came out of the US Congressional hearing this week was also interesting to hear — the CIA have Signal installed on their desktops, and they use Signal themselves.

I'm not saying at all that Signal is perfect, as it still requires a verified phone number. So the user is still always identifiable (unlike other messengers such as Threema, SimpleX, Matrix, Session, etc).

It is about what data is collected, and what data is shared with anyone outside of the organisation. Between WhatsApp and Signal, Signal is the clear winner here.

For this reason, there is no WhatsApp app on my mobile phone. If organisations want to ensure better privacy, they should use Signal (like the CIA does) or go a step further and self-host a service like Matrix on their premises where they fully control the data as well as the user access verification.

WhatsApp was a very good app (I used to use it) before they got bought out by Facebook, and it is that business model that has ruined it.

🚨NEW REPORT: first forensic confirmation of #Paragon mercenary spyware infections in #Italy...

Known targets: Activists & journalists.

We also found deployments around the world. Including ...Canada?

So #Paragon makes zero-click spyware marketed as better than NSO's Pegasus...

Harder to find...

...And more ethical too!

This caught our attention at #Citizenlab. And we were skeptical.

So.. it was time to start digging.

We got a tip about a single bit of #Paragon infrastructure & my brilliant colleague Bill Marczak developed a technique to fingerprint some of the mercenary spyware infrastructure (both victim-facing & customer side) globally.

So much for invisibility.

What we found startled us.

We found a bunch of apparent deployments of Paragon's mercenary spyware in places like #Australia, #Denmark, #Israel, #Cyprus #Singapore and... #Canada.

Fun.

We also found interesting stuff at a datacenter in #Germany

Caveats: the methodology we use only surfaces a subset of customers at a particular time.

So ...about #Canada.

My colleagues on the legal side began digging. The more they pulled, the more questions surfaced about whether the Ontario Provincial Police is rolling mercenary spyware.

While investigating, we found signs #WhatsApp was being used as a vector for infections.

We shared our analysis with Meta which had an ongoing investigation into Paragon.

They shared findings with WhatsApp which discovered & mitigated a zero-click attack.

They went public, and notified ~90 users that they believed were targeted.

WhatsApp's notifications to targets turbocharged what we all knew about #Paragon.

Cases began coming out: an investigative journalist in #Italy and sea rescue activists were among the first. Francesco Cancellato. Editor in Chief of Fanpage.it, & Luca Casarini and Dr. Giuseppe “Beppe” Caccia of Mediterranea Saving Humans

They consented to us doing a forensic analysis...

Sure enough, we found traces of infection on several Androids.

We call the indicator #BIGPRETZEL & #WhatsApp confirms that they believe BIGPRETZEL is associated with #Paragon's spyware.

In the weeds a bit: Android log forensics are tricky. Logs get overwritten fast, are captured sporadically & may not go back very far. So, not finding BIGPRETZEL on a targeted phone wouldn't be enough to say it wasn't infected. In such a case, the only safe course of action for a notified Paragon target would be to presume they had been infected.

Our analysis is ongoing.

.... but There's more!

There's more! We'd been analyzing the iPhone of human rights activist David Yambio, who is focused on abuses against migrants in Libya (they are often victims of torture, trafficking, and killings) who works closely with the other targets.

Last year he got notified by Apple that he was targeted with sophisticated spyware.

We've forensically confirmed the infection & shared details with Apple.

Apple confirms they fixed the vectors used to target him as of iOS 18.

We're not doing a full technical attribution of this novel spyware to a particular company yet. But it's not like anything we've seen.

Troublingly, timeline of David's spyware targeting lines up with when he was providing information to the International Criminal Court about torture by human traffickers in #Libya.

But there's even more spying afoot against this cluster of activists!

Luca also got a notification last February about targeting with a different kind of surveillance tech.

He wasn't alone. Father Mattia Ferrari, chaplain of Luca's lifesaving organization' also got a notification.

#Italy's response to the unfolding #Paragon scandal has been exceptionally chaotic. So we included a little timeline.

Denials, then admissions, then refusals to say more citing secrecy.

Honestly, deja vu of how Pegasus-abusing governments have handled PR...

TAKEAWAYS:

TAKEAWAY 1: you can't abuse-proof mercenary spyware. Selling just democracies won't prevent abuses. Most democracies have plenty of historic examples of surveillance abuses. Why should spyware be different?

TAKEAWAY 2: #Paragon's technical tradeoffs to be less detectable didn't prevent them getting discovered.

Just made it harder.

TAKEAWAY 3: I think we're only looking at the tip the #Paragon hackberg

For example, the ~90 notification number from #WhatsApp

only represents 1 infection vector that got caught & notified.

There may be non-notified spyware victims walking around right now who were infected via a different mechanism.

In #Italy, too we also need to better understand the other surveillance technologies pointed at this cluster of people.

Finally, we gave #Paragon room to respond to a summary of our key findings.

Their US Executive Chairman, a 30+ year #CIA veteran, responded in a way that sounded very familiar to how NSO Group did PR.

1 - Say there are inaccuracies..

2- ..But refuse to specify them

3-Cite customer confidentiality as a reason to not say more.

We welcome any clarifications they have now that they've read our full report.

FINAL NOTES: our #citizenlab investigations are usually big, collaborative team productions. Smart co-authors, awesome collaborators.

The key to nearly all our research into spyware is targets' brave choice to speak out.

And work with us to forensically analyze their devices... We are very grateful to them.

This is how we collectively get a better understanding of mercenary spyware abuses.

And journey towards accountability.

Thanks for reading! Drop questions in the replies!

How #bluesky users air their tires.