I'd been wondering why I'd heard so little from Naomi Wu lately, and the reason is unhappily worse than Twitter breaking API-based post mirroring to Mastodon.

(TL;DR, she's been silenced by the authorities.)

Worth reading in full, as the end includes a brief interview and suggests that her earlier highlighting of the security risks of compromised keyboards to E2E encrypted messaging turned out to be potentially relevant.

https://www.hackingbutlegal.com/naomi-wu-and-the-silence-that-speaks-volumes/

Naomi Wu and the Silence That Speaks Volumes

When China's prodigious tech influencer, Naomi Wu, found herself silenced, it wasn't just the machinery of a surveillance state at play. Instead, it was a confluence of state repression and the sometimes capricious attention of a Western audience that, as she asserts, often views Chinese activists more as ideological tokens

Hacking, but Legal
@HauntedOwlbear Also makes it very, very important for @signalapp to be clear about the risks that she's highlighted numerous times.

@pettter @HauntedOwlbear @signalapp Signal has been pretty consistent in their position on this: it's not their problem.

To be fair, it's really an Android OS issue. Even so, people who are vulnerable to this issue are unlikely to understand how IMEs work and the risk of using one. A warning from Signal when an IME is in use could go a long way. I find their silence on this issue worrying. There's only this one support article, AFAICT.

https://support.signal.org/hc/en-us/articles/360055276112-Incognito-Keyboard

Incognito Keyboard

Signal uses the existing keyboard or Input Method Editor (IME) on your device. On some Android devices, you can turn on Incognito Keyboard to enable an optional keyboard privacy flag that is provid...

@cmiles74 @pettter @HauntedOwlbear @signalapp Risking stating the obvious here: turning Signal into a full-on vuln scanner would definitely not be within their scope. If your OS, or any component handling I/O to or from the app, is compromised, it's game over. Users should be made aware of the importance of general hygiene, which messaging apps do not replace.
@ghard There are grades between "full-on vuln scanner" and "completely agnostic" especially while being heavily marketed towards dissidents. @cmiles74 @HauntedOwlbear @signalapp
@pettter @cmiles74 @HauntedOwlbear @signalapp Indeed, but I'm afraid this becomes a slippery slope. Next thing you know you're checking for any "accessibility" components, or screen capture packages that have access to the framebuffer. Now what would you, as a dev manager, rather allocate limited developer resources for?
@ghard "Stories" and cryptocurrency wallets, apparently. @cmiles74 @HauntedOwlbear @signalapp
@pettter @cmiles74 @HauntedOwlbear @signalapp "'Stories' and cryptocurrency wallets, apparently" <- shots fired 😀, and I agree!
@pettter @cmiles74 @HauntedOwlbear @signalapp Maybe Signal could be more proactive in communicating the risks to their users, even adding some warnings in the onboarding process in locales with agencies that are likely to engage in privacy-intrusive practices. That would be pretty much the whole world, though.

@ghard @pettter @signalapp @cmiles74 @HauntedOwlbear She makes a good point that, according to her, 90% of people in China use the vulnerable input method.

Even without any scanning, that seems significant enough to warrant at least making the minimal effort of mentioning it during registration.

@clacke @pettter @ghard @HauntedOwlbear @signalapp Definitely! The lack of knowledge around what an IME is and how it works is a big part of the problem. People who are concerned about their privacy can get most of the way there with pointers to more information from a source they trust. In this case, Signal has a real advantage.

@ghard @pettter @HauntedOwlbear @signalapp Agreed, Signal doesn't want to be responsible for auditing all software on the phone.

The keyboard is a pretty big piece of the messaging puzzle; they do have some information on their website as well as the beginnings of a feature. Expanding the "App Security" section of the "Privacy" settings to include disabling IMEs, or linking to a page with more detail (perhaps a link to a privacy-respecting IME), might be a reasonable second step.
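As an added illustration that is not part of any post in this thread and not Signal's own code: a small Android helper (Java, hypothetical class name `ImeHygiene`) that sets the optional keyboard privacy flag the Incognito Keyboard support article refers to, and checks whether the IME the user has selected came preinstalled with the OS, which is the kind of signal the last post suggests surfacing in the settings or onboarding flow. It assumes a stock Android SDK; no Signal-specific APIs are used.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.provider.Settings;
import android.view.inputmethod.EditorInfo;
import android.view.inputmethod.InputMethodInfo;
import android.view.inputmethod.InputMethodManager;
import android.widget.EditText;

// Hypothetical helper, not Signal's code. Two defender-side pieces from the
// thread: the per-field incognito flag, and a check on which IME is selected
// so the app can point the user at an explanation of the risk.
public final class ImeHygiene {

    // Ask the keyboard not to learn from this field (the "Incognito Keyboard"
    // flag, Android 8.0+). Honoring it is up to the IME: a malicious or
    // careless keyboard still receives every keystroke typed into the field.
    public static void requestIncognitoKeyboard(EditText composeField) {
        composeField.setImeOptions(
            composeField.getImeOptions() | EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING);
    }

    // Id of the IME selected system-wide, in "package/.Service" form,
    // or null if the setting cannot be read.
    public static String selectedImeId(Context context) {
        return Settings.Secure.getString(
            context.getContentResolver(), Settings.Secure.DEFAULT_INPUT_METHOD);
    }

    // Heuristic: true when the selected IME was not preinstalled with the OS,
    // or cannot be identified at all. A preinstalled keyboard is not
    // automatically trustworthy (the thread's point about common Chinese
    // input methods still applies), so "false" means "no extra reason to
    // prompt", not a clean bill of health.
    public static boolean selectedImeIsThirdParty(Context context) {
        String id = selectedImeId(context);
        if (id == null) return true;
        InputMethodManager imm =
            (InputMethodManager) context.getSystemService(Context.INPUT_METHOD_SERVICE);
        for (InputMethodInfo info : imm.getEnabledInputMethodList()) {
            if (!id.equals(info.getId())) continue;
            int flags = info.getServiceInfo().applicationInfo.flags;
            return (flags & ApplicationInfo.FLAG_SYSTEM) == 0;
        }
        return true; // selected IME not among enabled IMEs: treat as unknown
    }
}
```

A caller would run `selectedImeIsThirdParty` at registration or when opening the compose screen and, when it returns true, show a short notice linking to the support article rather than blocking the user.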