New documents obtained by the ACLU reveal a secret subpoena to Open Whisper Systems (OWS), the maker of the end-to-end encrypted Signal chat application. In the first half of this year, the U.S. government sought information related to two phone numbers, one of which belonged to a Signal user.
However, because OWS has a policy of collecting only absolutely necessary information and discarding what they don’t need, the government could only find out when the user created the account and when they last connected. In a time of gag orders becoming the rule rather than the exception, OWS shows that minimal data collection may be the most important strategy against abusive gag orders and even data breaches.
Gag Orders As The Norm
As Microsoft unveiled earlier this year, the U.S. government has begun making secret gag orders more of a rule than the exception that such orders should be. The company sued the U.S. government because almost half of the data requests from federal agents are secret. Companies such as Microsoft can afford to fight back against abuse of secret orders, but this is likely not something all small companies can afford to do.
OWS Fights Back
Open Whisper Systems, with the ACLU's assistance, is one of the few small companies that made the decision to fight what it considers an over-broad gag order. The government requested all information associated with the two phone numbers, including web browsing history and data stored in tracking cookies of the web browsers associated with the two accounts.
However, Signal doesn’t collect much user information at all, and it discards most of the information it does collect after use. Therefore, the U.S. government was only able to recover the date the user created the account and when the Signal user last connected to the Signal servers.
Most Gag Orders Violate First Amendment
The gag order that accompanied the subpoena was supposed to keep the company silent about the user data request for at least a year. ACLU got the government to quickly admit that most of the information under seal didn’t need to be secret after all.
According to the nonprofit, this is just more proof that the government creates many of these gag orders without too much thought into what actually needs to be secret. However, because not everyone has the resources to fight back, most of these gag orders remain secret by default, sometimes even indefinitely.
ACLU argued, just as Microsoft did earlier this year, that the overly broad gag orders are a violation of the First Amendment. ACLU believes that the government should only use secrecy for truly sensitive information, and not for anything that it thinks could “jeopardize its investigation” if the information became public.
Necessity Of Minimal Data Retention
When companies use strong encryption so users can protect their own files or communications with their own keys, the government knows there isn’t much it can ask of those companies, so it doesn’t bother them as much as it does other companies that have access to all user data.
In the same way, when the companies collect and store only minimal amounts of records on the servers, there are fewer reasons for the government to visit and ask for user data. As a bonus, minimal data collection also protects companies from having to make embarrassing data breaches public.
OWS, an organization that is a few years old, has only received a single subpoena so far, likely because authorities already know their strong privacy stance. OWS recently helped companies such as WhatsApp, Facebook, Silent Circle, and Google implement its open source end-to-end encryption protocol into their own chat applications. Its own open source chat application, Signal, is also often used by activists, journalists, and even U.S. presidential candidates.
Even after the subpoena, the only thing the government could uncover was the account creation date and when it connected last. The chances are that in the future OWS will try to erase those records for its users as well, given that they don’t seem to be critically important for running the Signal service.
That means, there would be no reason whatsoever for the government to serve the company another subpoena unless some anti-encryption law passes. However, until that happens, companies that only keep minimal amounts of user data around should have to deal with fewer abusive gag orders or embarrassing data breaches.