@Soeren_loeg the fact that @signalapp not only does "#KYC with extra steps" by mandating a #PhoneNumber to this day as well as being solely under #CloudAct whilst basically being a #centralized, #proprietary, #SingleVendor & #SingleProvider solution makes them the ideal candidate for a longterm #HoneyPot like #ANØM aka. #OperationIronside aka. #OperationTrøjanShield.

• By the sheer size of users, it's a statistical inevitability that they got #Subopena'd and since they don't implement real #E2EE (with #SelfCustody of all the keys!) @Mer__edith would be in jail *if there wasn't a #Govware #backdoor as mandated per telco laws in every juristiction (see "#LawfulInterception!")…

Not to mention #Signal ticks way too many "#sus" boxes…

Ireland plans legislation to formally permit law enforcement use of spyware, with court authorization and stated safeguards.

The move reflects a wider trend of governments updating interception laws to match modern technology, while attempting to preserve oversight and proportionality.

How should security professionals evaluate such frameworks from a risk and governance perspective?

Source: https://therecord.media/ireland-plans-law-enforcement-spyware

Share your view and follow @technadu for neutral cybersecurity and policy insights.

#InfoSec #CyberPolicy #Surveillance #PrivacyEngineering #DigitalGovernance #LawfulInterception

@lucasmz @fdroidorg @torproject

Let's just say @signalapp / #Signal is so good, it scratches that part of my mind that doesn't allow good to exist without precondition...

• Kinda like #ANØM & #EncroChat did.

But maybe that's just me flexing life experience and the fact that my paranoia always turned out to be justified.

• I don't trust anyone to actually save someone's ass and I'm convinced neither @Mer__edith nor #MoxieMarlinspike before her (who shoved the #MobileCoin #Shitcoin #scam into Signal) would risk jailtime for their users...

Given they offer their Services to people in #Russia, #Cuba and #Iran, thus being in clonflict with #ITAR, I'm pretty much convinced they had to have a deal with the U.S. Government to get that done.

• Espechally when #PayPal can't even legally process payments for products from Cuba that are ostensibly not "dual-purpose"...

So yeah, there will be some #LawfulInterception doodat and even if it's not within Signal's infrastructure, I'd call the #NSA "criminally stupid" if they didn't intercept all the "Verification #SMS" and all the data from and to Signal's Systems routinely to #BULLRUN against it...

@osxreverser or #Cisco for integrating "#LawfulInterception" #Backdoors or every vendor implementing #DUAL_EC_DRBG or equipping the #NSA?

@adisonverlice even if an #MVNO isn't demanding any #KYC whatsoever (i.e. #prepaid are offered OTC in most juristictions) it's NOT "#Anonymous" but merely #pseudonymous as it's trivial for governments to utilize existing and mandtory "#LawfulInterception" appliances to create that #PII chain.

#PhoneNumber <=> #ICCID (#SIMcard) <=> #IMSI (SIM profile) <=> #IMEI (Phone/...).

So if #Anonymity is important, NONE of these details have to be linked somehow even circumstantial.

• Bought/paid for the phone/SIM/ a single top-up with ec/CC/PayPal/SEPA/… = busted due to circumstantial connection.

• Use the SIM in any device? Consider them circumstantially connected forever: #ICCID <=> #IMEI.

• Same applies to #eSIM|s: #EID <=> #ICCID <=> #IMEI.

Add to the fact that most places have #CCTV, and assume that they'll keep recordings for the maximum permissible duration if not longer and oftentimes even use questionable cloud services and you get the picture.

• I.e. in Germany the maximum permissible storage duration is 72 hours (if nothing hapoens that warrants a longer storage i.e. burglary/theft/robbery/arson/...) so anonymous top-ups would necessitate paying cash at a place one's not been known at (i.e. some kiosk) and waiting at least >72 hours (and checking on the purchase location) before redeeming the top-up code (i.e. dialing *104*1234567890123456# )...

So any #privacy-based service should never ever & under no circumstances demand a Phone Number!

• Instead any privacy-focussed service should use #OnionServices, host their own #OnionService or at least #DontBlockTor and allow users to use it via @torproject / #Tor to use and signup. (But don't forget circumstantial connections there either!)

• Also the less details they want or store and the least traffic they generate the harder it is to correlate traffic & users.

@thygrrr @PallasRiot every provider WILL SNITCH if provided with a duely issued warrant.

• Not even @mullvadnet will refuse to comply, because investigators will only ask nice once, then they won't and instead kick in doors, start pointing guns with funswitches at staff and rip out hardware for evidence collection!

Granted #mullvad at least goes out of their way to minimize having any data they could hand over in the first place, but still: They too have #LawfulInterception boxes in place to isolate clients' and log their traffic.

• I've yet to hear of a juristiction with actual internet connectivity that doesn't mandate that #Govware in the form of appliances.

And yes, I worked for an ISP in the past and had to deal with said #logging and #monitoring infrastructure as in keeping it up and running...

@stman @Sempf @LaF0rge yes.

Because physical SIMs, like any "cryptographic chipcard" (i.e. @nitrokey ) did all that fancy public/private crypto on silicon and unless that was compromizeable (which AFAICT always necessistated physical access to the #SIM, espechally in pre-#OMAPI devices) the SIM wasn't 'cloneable' and the weakest link always had been the #MNO /.#MVNO issueing (may it be through #SocialHacking employees into #SimSwapping or LEAs showng up with a warrant and demanding "#LawfulInterception"):

• These "attack vectors" were known and whilst unfixable they could at least be mitigated by i.e. NEVER using a #PhoneNumber for anything and/or using anonymously obtained #SIMs. But more and more services like @signalapp did #regression demanding #PII and more and more nations criminalized #AnonymousSimCards under utterly #cyberfacist & #FalsePretenses!

Add to that the regression in flexibility:

Unlike a #SimCard which was designed as a vendor-independent, #MultiVendor, #MultiProvider, device agnostic unit to facilitate the the #authentification and #encryption in #GSM (and successor standards), #eSIMs act to restrict #DeviceFreedom and #ConsumerChoice, which with shit like #KYC per #IMEI (i.e. #Turkey demands it after 90 days of roaming per year) und #lMEI-based #Allowlisting (see #Australia's shitty #VoLTE + #2G & #3G shutdown!) are just acts to clamp down on #privacy and #security.

• And with #EID being unique per #eSIM (like the #IMEI on top!) there's nothing stopping #cyberfacist regimes like "P.R." #China, #Russia, #Iran, ... from banning "#eSIMcards" (#eSIM in SIM card form factor) or entire device prefixes (i.e. all phones that are supported by @GrapheneOS ), as M(V)NOs see the EID used to deploy/activate a profile (obviously they don't want people to activate eSIMs more than once, unless explicitly allowed otherwise.

"[…] [Technologies] must always be evaluated for their ability to oppress. […]

• Dan Olson

And now you know why I consider a #smartphone with eSIM instead of two SIM slots not as a real #DualSIM device because it restricts my ability to freely move devices.

• And whilst German Courts reaffirmed §77 TKG (Telco Law)'s mandate to letting people choose their devices freely, (by declarong #fees for reissue of eSIMs illegal) that is only enforceable towards M(V)NOs who are in #Germany, so 'good luck' trying to enforce that against some overseas roaming provider.

Thus #Impersonation attacks in GSM-based networks are easier than ever before which in the age of more skilled than ever #Cybercriminals and #Cyberterrorists (i.e. #NSA & #Roskomnadnozr) puts espechally the average #TechIlliterate User at risk.

• I mean, anyone else remember the #Kiddies that fucked around with #CIA director #Brennan? Those were just using their "weapons-grade #boredom", not being effective, for-profit cyber criminals!

And then think about those who don't have privilegued access to protection by their government, but rather "privilegued access" to prosecution by the state because their very existance is criminalized...

The only advantage eSIMs broight in contrast is 'logistical' convenience because it's mostly a #QRcode and that's just a way to avoid typos on a cryptic #LocalProfileAgent link.

European Commission- Call for applications - Expert Group for a Technology Roadmap on Encryption (E04005) ACTIVE - deadline 1 September 2025.
#dataretention #lawfulinterception #digitalforensics #encryption

"The selection shall prioritise experts with technical profiles, coming from either public or private sector, whilst aiming to ensure proportional representation across the following fields of expertise: • Home affairs, ideally with an experience in fighting high-tech crime, and/or a background in the area of decryption and artifact extraction, computer forensics, network forensics, smartphone forensics, cloud forensics, IoT forensics, memory forensics and/or lawful interception; • Cybersecurity. with diverse backgrounds including but not limited to vulnerability management, evaluation of cybersecurity risks and certification and encryption (including quantum and post-quantum cryptography); • Telecommunication, including with experience in computer networks/Internet, 5G/6G, IoT, VoIP, Satellite, Quantum communication and/or encrypted communication applications; • Big data analysis, including with expertise in AI technologies; • Standardisation, notably in relation with cybersecurity and/or telecommunication technologies, including protocol networks, exchanges of digital data, and lawful interception; • Justice and fundamental rights, including experience in data protection and privacy, as well as experience in criminal justice, such as cyber-enabled and/or cyber-dependent crimes"

https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID=4005

European Commission presents Roadmap for effective and lawful access to data for law enforcement - 24 June 2025
https://home-affairs.ec.europa.eu/news/commission-presents-roadmap-effective-and-lawful-access-data-law-enforcement-2025-06-24_en
#dataretention #lawfulinterception #digitalforensics #encryption #ai

@walkinglampshade @jrredho @fj It's basic #InfoSec, really:

• @signalapp has no "#LegitimateInterest" to demand #PII like a #PhoneNumber and they use and abuse that to restrict functionality of their App (it doesn't matter that they merely claim "comply with #sanctions" [their #MobileCoin #Shitcoin #Scam disqalifies them even more!] because they have the tech to distinguish and discriminate users)...

Thus #Signal fails at protevting #Journalists and theor sources because they do have that data and can be #subopena'd for it if they don't already provide #BulkSurveillance & #LawfulInterception #API|s to comply with #CloudAct. (Or are you guys so naive and believe @Mer__edith will risk dying of old age in jail for non-paying users?)

• This entire "thread vector" just doesn't exist with #XMPP+#OMEMO nor #PGP/MIME!

And if you believe "this won't ne used/abused me because I'm from 'Murica!" and point at #ANØM as an example, then you really ignored all tze #Cyberfacism since 9/11…

@kubikpixel yeah, for that money they can propably bribe half the security team at #Telegram and integrate custom #Govware #Backdoors or at least get the #API keys they have for #UAE's #Telco compliance to enable automatic "#LawfulInterception"...

@Sturmflut @fabiscafe @vkc

Or to put it more on the nose: You can be certain that i.e. @Mer__edith of @signalapp will talk cuz she can't pull the 5th on behalf of a user and won't go to jail for any of them.

Whereas if i.e. @monocles (or any #XMPP provider) got sent an order (and just like #Signal they'd comply if done so duely through legal channels, which is way harder in #Germany than the #USA cuz #GDPR & #BDSG & #LawfulInterception being way stricter than #CloudAct), if users used #OMEMO or #PGP/MIME, they (or any other provider) literally can't decrypt even when held at gunpoint, because asymetric public-private cryptography was literally designed to not be breakable unless someone managed to MITM comms from the first contact and any verification.

• Which is unlikely to impossible unless one's able to literally isolate and manipulate all comms and means to communicate of at least one party, at which point they'd already have warrants to search everything and don't even bother to try MITMing comms but instead kick in doors.

But that's a totally different subject of #OpSec & #InfoSec, not #ComSec & #ITsec on it's own...

@kubikpixel @malwaretech @tomscott or to put it into perspective:

I worked at a telco, and whilst clients were above-average in terns of bahaviour, one does get a high single digit or low double-digit amount of LEA requests per day per x million customers.

Now imagine the average #VPN has similar utilization as a #CGNAT, so easily they'll have #LawfulInterception going on 24/7 because logless VPNs are a lie and besides circumventing #Geoblocking they don't do anything else...

• In fact I'd argue it'll be more privacy friendly to self-host a VPN on-demand with flexible hoster or just having a fixed IP at home, simply because those usually have a higher bar for getting surveillance approved.

TLDR: Just get @torproject @tails_live @tails / #Tails and good.

@mattround same with any #Services and #Companies having an office in the #USA or being registered there or having a U.S. owner.

• #CloudAct will come after @signalapp and just like with "logless VPNs" I guarantee you @Mer__edith personally will rather implement #Givware #Backdoors (if they weren't there "for #compliance" re: "#LawfulInterception" and "#Sanctions" already), before spending a single day in jail!

Migrate to #XMPP+#OMEMO right now!

@ginaintheburg the sheer fact that #Chrome has that #functionality is #evidence for #Govware-Style #malware inside it.

• Whether that's just due to "#GAFAM doing #PRISM shite" or "#CloudAct / #LawfulInterception compliance" is irrelevant for that assessment!

SHITE LIKE THIS is why I use @torproject / #TorBrowser as my Default #Browser!

@AmbianceAsunder @cyberresearch nodds in agreement

"#LawfulInterception" IS the #IllicitActivity!

@deilann +9001%

Use actually secure comms instead that are #decentralized, #SelfHosting-capable, auditable and provide actual #SelfCustody of all the #Keys, so you can enforce your 5th Amendment!

• AFAICT #XMPP+#OMEMO it is, followered by #PGP/MIME #eMails. For both there are excellent clients like @monocles / #monoclesChat & @gajim (XMPP+OMEMO) and @delta / @thunderbird (PGP/MIME)...

• Use @torproject / #Tor and not #VPN as the latter one will snitch since #loglessVPN|s are basically illegal (every juristiction I know demands #LawfulInterception and #logging by #Telcos)!

@HackyScientress @zl2tod @fj

Remember:

• #Wiretapping is the illicit activity!

And yes, AFAICT this applies to all #Telcos which have to provide "#LawfulInterception" #Backdoors if not put #Govware in their core systems.

• And yes, speaking as an insider, this can happen in.any juristiction where said #API|s and systems are mandatory.

So like all #EU / #EFTA & #G20 members!

• I've yet to hear of any nation that doesn't demand such tech to be installed capable of both targeted and/or #BulkSurveillance.

-Just because laws demand a #judge to sign a #warrant doesn't mean said judge is actually in control or able to prevent someone from using it without permission!

#LawfulInterception is a #backdoor! 😠

China hacked Verizon, AT&T and Lumen using the #FBI's backdoor

"State-affiliated Chinese hackers penetrated AT&T, Verizon, Lumen and others; they entered their networks and spent months intercepting US traffic – from individuals, firms, government officials, etc – and they did it all without having to exploit any code vulnerabilities. Instead, they used the back door that the FBI requires every carrier to furnish"
https://pluralistic.net/2024/10/07/foreseeable-outcomes/

@oleschri
Wenn wir Huawei in unsere Netze lassen, überwachen uns die Chinesen!!11 Und dann war's doch wieder Cisco, die hundertdreiundvierzigste … 🙄

#cisco #lawfulInterception #SaltTyphoon