Signal: We can't include a backdoor in our app for the Australian government

The Signal app's design and open source code policy make this impossible.
Written by Catalin Cimpanu, Contributor

Signal, the instant messaging app that made end-to-end encryption apps cool, said in a statement yesterday that it "can't include a backdoor" in its product at the behest of the Australian government.

The Signal team went on record after the Australian elite passed the Assistance and Access Bill (AAB) last week, a law that allows the Aussie government to demand the introduction of secret surveillance capabilities in the source code of online services.

"The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us," said Signal developer Joshua Lund in a blog post yesterday.

The AAB also allows the Australian government to put a gag on companies that the government approaches with orders to backdoor their products. Lund's comments also address the issue, pointing out that backdooring Signal is near impossible.

"Everything we do is open source and anyone is free to verify or examine the code for each release," Lund said. "We can't include a backdoor in Signal."

Lund and the Signal team both expect any interaction with the Australian government to end up in a stalemate where the app is blocked inside the country.

"Although we can't include a backdoor in Signal, the Australian government could attempt to block the service or restrict access to the app itself," the developer said. "Historically, this strategy hasn't worked very well."

The Signal developer said users would usually use VPN services to hide their web traffic from government-mandated web filters, and any attempts to restrict the app wouldn't do the government any good.

Lund also doesn't fear the Australian government putting pressure on other companies to blackball Signal.

"If a country decided to apply pressure on Apple or Google to remove certain apps from their stores, switching to a different region is extremely trivial on both Android and iOS," he said. "Popular apps are widely mirrored across the internet. Some of them can even be downloaded directly from their official website."

Signal's stance against the Australian government's law came after a conglomerate of the world's largest tech companies put out a similar statement decrying the AAB's adoption.

The group, named "Reform Government Surveillance," was set up in the early 2010s to fight against the US government's PRISM program, and its members include some of the biggest names in tech, such as Apple, Evernote, Dropbox, Facebook, Google, LinkedIn, Microsoft, Oath, Snapchat, and Twitter.

"The new Australian law is deeply flawed, overly broad, and lacking in adequate independent oversight over the new authorities," the group said in a press release last week. "RGS urges the Australian Parliament to promptly address these flaws when it reconvenes."

But despite complaints from tech companies, experts don't see the Australian government backing down from the AAB. Instead, they see other governments that are part of the Five Eyes intelligence group abusing AAB provisions to funnel backdoor requests to online services via the Australian government.
