Currently, Telecoms and Nation States are able to see direct correlations between the source and destination of Signal messages via MetaData of those communications. However, this is also what gives those same entities power to figure out exactly which individuals to target by tracking down the source and destinations of those messages.
However, I propose that we change this to incorporate additional methods of anonymity that have become common place in other technologies for other software. More specifically the following.
Idea – Sticking Closer to the actual SMS/MMS protocols
- User sends a message they intend another Signal user to receive.
- Signal messages have a separate envelope attached to
store the recipient number in its own public key encrypted envelope that
gets attached to the messages.
- This is padded to the max MMS size limit so the actual message size is difficult to determine.
- This new routing would help remove direct metadata correlation.
- The recipient number thats visible in the metadata is for a Signal server instead of the actual message recipient.
- This is then sent to the Signal servers.
- This gets routed through a signal server and Signal can only decrypt this new envelope to retrieve what the destination number is.
- Signal then removes the old envelope and attaches a new
public key encrypted envelope in its place.
- This new encrypted envelope contains the source phone number of the text message and is public key encrypted so that the text message recipient at the end of this process can decrypt who sent the message.
- This envelope is padded as well to meet the maximum MMS size limit as well.
- Signal then waits between 5-10 seconds to send this latest text message to the recipient.
- Signal sends this message in bulk along with other messages that are received around the same time. To help add more complexity to timing based tracking.
- This message’s sender number in the cleartext metadata is for the Signal server sending the message instead of the original sender.
- Recipient’s signal instance receives the message decrypts the Signal envelope to determine who the source is, then decrypts the end to end encrypted content.
- Signal processes everything the same way within the recipients app like it normally would.
Known Problems That would still exist:
- Time and repeated communication based tracking is still
possible. (IE same weakness TOR has)
- This could be fought by potentially sending of “false” messages that the signal servers would drop. This would happen periodically or intermittently between messages.
- Even with a short random delay between messages if a user keeps talking via SMS/MMS eventually the source and recipient can be linked together.
I think the long term way to make metadata tracking as difficult as possible would be to migrate Signal into more of an end to end encrypted chat application. The constraints of the SMS/MMS protocols make identify safe communications nearly impossible. I am sure someone could invent a method, however currently I don’t believe SMS/MMS is the identity safe way of communicating even with End to End encryption.
- That would put more risk of government pressure on Signal itself, however the reason being is because en masse unlimited metadata collection would no longer be possible. Then the onus is on the government to have to file actual requests for metadata in targetted manners.
- Eventually, with the increase of nation state based pressure on companies to allow for “Backdoors” in encryption that not only allow metadata tracking but content review as well. I see open source solutions (which will likely be deemed illegal) as the only means to privately communicate. Especially in countries like China and Russia where zero privacy is expected or legally allowed on personal or business devices/communication.