Indian government bans 14 messenger apps including Element, Briar and Threema (abplive.com)
102 points by prhrb on May 1, 2023 | 78 comments


Briar developer here. We weren't contacted by the Indian government and we haven't received a copy of the blocking order.

If anyone reading this works at Google or has a contact there, please put us in touch (contact@briarproject.org). We'd love to know whether Google has received a blocking order, and if possible get a copy of the order so we can challenge it in court.

In the meantime, the app remains available from our website and F-Droid (https://briarproject.org/download). The app can also create a wi-fi hotspot to share the APK with people nearby.


These things are typically bureaucratic security theater. Terrorists can sideload. The decision makers just care to be seen doing something, whether it's useful or not is not their problem.


You severely underestimate the people in power, and the people who stand behind them.

Such bans are deliberate attacks targeting (parts of) the general population. Terrorists have nothing to do with this.

"Hahaha those stupid bureaucrats, they have no idea what they are doing" is a popular meme, but it couldn't be further from the truth. They do know what they are doing, and it's working. If you believe it isn't, that's only because you misunderstand what the real goal is.


Absolutely. I know from personal experience that much of what remains of independent journalism in India, as well as some NGO work (long under government scrutiny) is conducted through Signal and Element.


Well they've caught bad people using Signal too:

https://telecom.economictimes.indiatimes.com/news/dangerous-...

Besides Pegasus and such and the interception issues with SMS, might be as well due to HUMINT and the weaknesses in verifying fingerprints.

Probably it would be best for people in some of these countries to do their work offline.


Perhaps I should add that I do not wish to undermine the terrorism situation in India, which is very much real. Regardless, there is a paradox because at the same time the associated terrorism laws and hacking operations have been misused to target opposition, journalists, scientists, activists, and many others.


>Terrorists can sideload

Many don't because terrorists in reality don't tend to be very smart. And if they do, it's not that difficult to trick them and compromise that channel as well (https://www.washingtonpost.com/world/2021/06/08/fbi-app-arre...)

The amount of people who get caught on insecure communication, including some famous tech CEOs, is staggering. Most people, criminal or not, are completely security/tech illiterate. Changing the default has a huge impact. Webs in these investigations tend to be wide so it's not just about literal criminals, if one suspect leaks info to anyone that may be enough for authorities to catch on, it's a statistical game basically and the harder you make it to not mess up the higher your chance to catch someone.

Gentle reminder that the US intelligence leaker was caught because he distributed the material on a gaming Discord on an account with user info that was one Google search away from his father's Instagram and Steam profile. And that guy was US National Guard tech support staff.


I disagree. This may or may not be effective, but it's not theatre.

Criminals, terrorists, dissidents, politicians, even intelligence people sometimes... they're users. Just because they can sideload, or otherwise use more sophisticated methods doesn't mean they will. The margins are wide.

Imo, same thing is happening in India as is happening in most places with an active security-intelligence service. They receive valuable intelligence from PMs. Then they fret about potentially losing access or want to increase access.

If you read HN/Reddit/Twitter, you'd get the impression that all this stuff is fake. It's not. Intelligence agencies in 2023 are all about these sources, and jealously guard them. Once they have a source, they're not giving it up willingly.


Certainly a ban like that, if it can be made at least somewhat effective, will prevent a lot of uses of encrypted messaging by less sophisticated users. I'm afraid it's not going to be effective against the stated targets, the well-prepared terrorists sponsored by a neighboring state. Those will be trained to sideload, or whatever else it takes.


Even "somewhat effective" is better than no ban. Given the state of terrorism in some parts, this is a crucial tool. For example, in the aftermath of the recent terrorist bombing in Pulwama, clamping down on the Internet had helped.

Let's not forget people died there.


Exactly as you said. Besides, much of things cannot be sideloaded because otherwise recruitment for a cause becomes impossible.


When this stuff started happening in Russia almost a decade ago, everybody was joking about bureaucrats instead of taking measures. Fast forward a few years, Internet access is not unlike cheese with holes in it, and a great number of people had to invest in VPN access.


The idea of mass surveillance is never to counter the terrorists. It is to control the masses and have a dossier on everyone.


Terrorists aren't the real target of bans like this. Journalists, dissidents, and opposition figures are.


Disagree - this is unsubstantiated and worthy of an Elon Musk style of how he stripped that BBC reporter down. If they were the targets, journalists, dissidents would have completely disappeared over time. They are active and vociferous.


They do deep packet inspection on the telco end and drop packets to the blocked servers. Sure there might be a way to circumvent, especially if there’s a p2p app, but even those packets may be detected and dropped.


What if they also get blocked on a DNS level, just like how they did those porn sites?

You can actually use VPN. But what if the vpn services also get blocked?

While achieving 100% blockage is not possible, achieving even 30% is great.


> the blocked apps include Crypviser, Enigma, Safeswiss, Wickrme, Mediafire, Briar, BChat, Nandbox, Conion, IMO, Element, Second line, Zangi, Threema, among others.

That is, anything that's easy enough to detect in the traffic, I suppose? Or does it just affect App Store / Play Store?

> The step was taken after multiple agencies found that these apps were being used by terrorists to communicate with their supporters and on-ground workers

I wonder if it applies to members of general public, or to trained agents. For the former, the ban may work. For the latter, I suppose, there's less chance: they must have other means to install apps, various VPNs set up, and some opsec training.

> The government found that these apps did not have representatives in India and they could not be contacted for seeking information as mandated by Indian laws.

This, of course, should be by design for any really secure communication app. A legal entity representing a secure channel is a people to press on in cases like that, and such pressure from law enforcement is and will be inevitable. I think Tor network has no legal representative anywhere.


> That is, anything that's easy enough to detect in the traffic, I suppose? Or does it just affect App Store / Play Store?

No, this is because they have good security/privacy and don't allow the Indian government to control.


I mean, what does the "banning" mean? If the internet operators are not ordered to stop these networks from operating, it's not much of a ban.

If internet operators have no means to stop these protocols, then the ban is unlikely to have any real effect beside some inconvenience.


If the government doesn't allow to use these apps, ISPs probably also have to comply in some way (probably blocking URLs). And if not, app stores would probably need to hide these apps.

I mean, those are legal issues. The point is they're banning them and if you use them you go against the law.


Ban seems to be limited to Jammu and Kashmir, not rest of India. Only commenting for additional detail, not to express a viewpoint about it. Another source: https://economictimes.indiatimes.com/news/defence/india-bloc...


I didn’t see that in the ET article. Is there another source?



I don't think this ultimately answers the question. It looks like I was incorrect and it is a national blocking order under Section 69A of the IT Act. This is the original news source everyone else is regurgitating: https://www.aninews.in/news/national/general-news/centre-blo...


Individual countries do stupid things from time to time, but what worries me is the global trend where countries are showing a desire to control communication. It comes in the form of encryption backdoors, age limits for social media, monitoring for child porn etc, but the end goal seems to be complete control of all communication channels between citizens.

The concept that governments will love to push for is where citizens need to provide identification for accessing all web services and all web activity is linked to their identification. Digital infrastructure these days is sophisticated enough to handle this and it only takes for one country to enact this and get the ball rolling for everyone else.


Governments are created to control, so they strive to grab more control, by their nature. There may be no nefarious intent behind that tendency, or any intent at all. If something is made round, it will have a tendency to roll.

This is why systems of checks and balances were invented, separation of powers, press freedoms, the democracy itself: these are systems that actively prevent the government from grabbing more and more power, just because it can.

When the government is able to suppress or diminish the influence of these counterbalances, usually on the grounds of enforcing security and safety of the citizens, the process can escalate and end up in an authoritarian rule.

Such (attempts at) power grabs will always happen, and will always need a push back. It's a dynamic balance, when a balance can be achieved at all.


Briar can be banned, but for now it can't really be blocked though.

It's supposed to work in case the infrastructures are down by design.

So it can also work locally, meaning 2 Briar users can meet, and share messages from 1000 other users, and go on their way to propagate the update, without going through the internet.

Now of course you can always enforce the ban, not through blocking, but through detection and punishment. However I doubt you want to spend that much resources for a single app.


Unless this is a feint, this seems like a dumb way to telegraph which apps you don’t have backdoor access to (the banned ones) and the ones you do (everything relevant enough to be considered that wasn’t banned).

Any client side ban can be easily circumvented with sideloading and network-level ban with a VPN (or less easily, TOR)

I’m sure in some cases these bans are indeed a feint but not everything is a game of 4d chess. I mean, look at the TSA in the US


This is a smart move - ban the lesser known apps to herd everyone to Whatsapp and backdoor just that one


That assumes an official ban actually makes it so nobody can use banned apps. This tends to be a bad assumption


They don’t need to get everybody, just prevent the network effect.


I think that would prevent regular joes from accessing whatever it is the article is referring to as messages from terrorists to supporters. But I’d be surprised if terrorists are not organized enough to know to use VPNs


“Terrorists” is such a vague term in a lot of jurisdictions. Sometimes a “terrorist” might be someone peaceful but who doesn’t support the current regime.

So we aren’t always talking about comic book-style super villains here.


So, you're suggesting Signal has a back-door?


I don’t know. Neither this article nor the article it references (https://www.news18.com/amp/india/govt-blocks-14-mobile-messe...) seem to have the full list.

For a high profile app like Signal (which more than just the Indian government cares about) I assume there are security vendors or US intelligence solutions to get access. I mean, for one, the US government and EU can make Google and Apple do anything by showing up to their offices with guns. It’s also a high value target for whatever you call those security firms that sell exploits to nationstates.

For intelligence purposes you’d rather centralize targets on a small number of platforms that they think are safe and not give them a reason to leave, rather than have them be fragmented across many platforms which each require some kind of backdoor/additional work to get access to.

I guess I’m getting downvoted for insinuating Signal has a backdoor without evidence, but an iOS or Android level exploit or backdoor would easily function as a Signal backdoor, and depending on its implementation (like peeking at process memory) could be hard to get working for each and every random app. There’s also the risk of an app store itself adding a backdoor or a Signal insider sneakily creating one to sell the exploit. These all seem highly possible given the various NSO exploits that have hit the news.


Last I checked Signal has reproducible builds at least on Android, so it should be possible to verify it doesn't have back doors.


That only verifies that the app stores are not directly adding a backdoor to the APK. An exploit could still be hiding in plain sight within the code, or more likely added by the OS through various mechanisms like a direct OS exploit making it easy to read application memory, or the OS injecting an exploit while starting the app.


Maybe they can be legally compelled to stop operating in a particular area, but such a limitation can't be all that effective.


List of 14 Apps Banned in J&K by Central Government

As per the source, the GoI has banned a total of 14 apps and they are as follows:

    Crypviser
    Enigma
    Safeswiss
    Wickrme
    Mediafire
    Briar
    BChat
    Nandbox
    Conion
    IMO
    Element
    Second line
    Zangi
    Threema

From: https://www.mysmartprice.com/gear/full-list-of-14-messenger-...


I've never even heard of any of those.


Not even Element, its default Matrix client


The blocked apps are:

1. Briar (decentralised encrypted chat app): https://briarproject.org

2. Crypviser (decentralised encrypted chat app): https://crypviser.network

3. Enigma (encrypted chat app): https://enigma.im/en/

4. Safeswiss (encrypted chat app): https://www.safeswiss.com

5. Wickr Me (discontinued encrypted chat app): https://wickr.com/me/

6. Mediafire (file hosting website): https://www.mediafire.com

7. BChat (decentralised encrypted chat app): https://bchat.beldex.io

8. Nandbox (unencrypted video/voice chat app): https://nandbox.com

9. Conion (encrypted chat app): https://play.google.com/store/apps/details?id=com.secapp.tor...

10. IMO (unencrypted video/voice chat app): https://imo.im

11. Element (encrypted chat app): https://element.io

12. 2nd Line (unencrypted VoIP app): https://www.2ndline.co

13. Zangi (encrypted chat app): https://zangi.com

14. Threema (encrypted chat app): https://threema.ch/en

Source: https://qz.com/india-has-blocked-14-messenger-apps-on-securi...


> As per a report by News18, based on source inputs, the blocked apps include Crypviser, Enigma, Safeswiss, Wickrme, Mediafire, Briar, BChat, Nandbox, Conion, IMO, Element, Second line, Zangi, Threema, among others

Are these more popular outside the US? Maybe I’m just out of touch? It looks like you asked ChatGPT to generate a bunch of fake app names.


Terrorists use crypto, they also use cash. Ban them too? Doesn't make a lot of sense that something is banned just because it was used by a bad actor. Or this is just security theatre.


Wow, that's a ringing endorsement for these three services ... a totalitarian government banning them. You can't pay for that kind of marketing! :-)


Sadly, this will be a global trend. As times get tougher, historically governments tend to become more authoritarian and centralized


How about making a chat interface for email? They won’t ban email. Or will they?


Email is very easily snooped. Even where message content is encrypted, there’s a valuable metadata trail.


This is called DeltaChat ;)


Nice, now block Koo, ShareChat, Flock in response.

Should we just do encrypted SMS at this point lol


I suppose real secret agents run a VPN client that looks like a game of chess, or go, or something else innocuous, and playing a particular unpopular debut switches on the VPN, while fumbling with settings just so switches it off, etc. Otherwise it's a standard-enough chess program that can honestly play some chess.

I don't think that TLS to port 443 can draw too much attention, too.


As a Kashmiri and someone interested in propagation of Matrix as a protocol vis-à-vis EU DMA with hopes of the spillover effect reaching the rest of the world and eventually my hometown, this is a spanner in the gears but no worries.

element.io is working on Jio fiber here in J&K.

AMA


Is there any Indian EFF equivalent who can legally challenge this?


As far as I know, no. I think pushback has mostly come from international NGOs but without much success:

https://www.hrw.org/news/2022/12/23/india-data-protection-bi...


I stand corrected: they do have some organizations like

https://internetfreedom.in/


The IFF is doing some really good work but they could use a lot more funding.


And how come WA is not blocked?


Because they weigh pros and cons. Banning these apps will have relatively few cons compared to banning WA.


Most of the majoritarian extremism in India is spread through WhatsApp and Facebook. But these two are very close to ruling right wing govt with FB making huge investment in crony capitalists promoting the current govt.


Please don't take HN into political or ideological or nationalistic flamewar. It's not what this site is for, and destroys what it is for.

https://news.ycombinator.com/newsguidelines.html


Hi dang, this is a policy on this forum, and it's completely up to the site maintainers. But in that case I would rather you don't allow these articles on HN at all. I understand why this policy is there, but these are completely political policies and as an Indian you not letting us acknowledge that it is a political policy made by a certain kind of government seems... I don't know, I can't come up with a polite term.


That question has a long history on HN and we eventually arrived at a clear answer: the shallowest sort of political stories are offtopic here, but there are also interesting stories with political overlap, and it's neither possible nor desirable to exclude all of those. A great deal of past explanation about this can be found at https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so....

When a story does have political overlap, it's incumbent on commenters to stay within the site guidelines regardless of how strongly they feel, or how wrong they feel other people are. This is in the site guidelines: "Comments should get more thoughtful and substantive, not less, as a topic gets more divisive." That's not easy, but it's possible. For this forum to succeed at its mandate, we all have to work hard at it.

https://news.ycombinator.com/newsguidelines.html


I don't think we are getting a more substantive comment thread by banning people from acknowledging blatant truths about the political system. This isn't just me saying it, the BJP government itself prides itself as a Hindutva and Hindu Rastra (Hindu State) building party. I'm sorry, feels to me like you are making a "both sides" argument where reality on the ground is that there is no other sides.


It's not a 'both sides' argument to say that everyone needs to follow HN's rules.

What people call "acknowledging blatant truths" can mean a lot of different things depending on their passions about a topic. It's hard to perceive one's own expressions objectively. Even the users who post the worst flamebait typically feel like they're simply stating the truth in a straightforward way.

There are ways of acknowledging truths that are more likely to lead to flamewar, and other ways that are less likely to lead to flamewar. We need commenters here to do the latter, not the former. That's an ongoing process that takes a conscious effort, at least when one's emotions are engaged, and people need to do this regardless of how right they are or feel they are.

https://news.ycombinator.com/newsguidelines.html


I'm sorry, flagging people for calling the current government crony capitalist and Hindu majoritarian is absolutely not fair. It is absolutely a both sides argument because you think there is any other way to put it. Especially when the current government welcomes rapists with flower garlands because they are upper caste and actively favors certain business groups openly. It's ok, I don't expect you to understand our politics.


[flagged]


Please don't take HN further into hellish flamewar. It's not what this site is for, and destroys what it is for.

https://news.ycombinator.com/newsguidelines.html


Would you share a good, credible source for that?


A decentralized internet is the only way forward, at least if we want to maintain the level of freedom we have now. Too many countries are trying to lock too much stuff down.


Well they just banned the decentralized communication apps (like Element). Users can of course work around these bans, but many of them don't have the technical know-how or aren't going to bother.


That's the saddest part of our current world. Deciding what is best for their citizens using technology which they did not invent themselves....


<non-tech> Cross-border terrorism is real. Real-time support (operational and financial) by foreign and local bad actors is real. Governments have a mandate to protect their citizens against them and have to keep up with the tactics, techniques and procedures of these bad actors. So, let's not be surprised or shocked when we see news like this. </non-tech>

Many apps in this list are also highly vulnerable. Threema, for example, was found to have serious security vulnerabilities due to rolling its own crypto implementations.

It is interesting to note that Signal, WhatsApp, iMessage and soon Twitter DMs – all of which claim to have E2E encryption – are not on this list.

Does that mean these companies have a way to break encryption and provide access to government when they ask for it? I suspect metadata is definitely accessible via these companies.

Interestingly these are all messengers that have mobile phone numbers as primary user handles whereas a lot of the banned messengers are not. So, it's possible that there are phone number based zero-click exploits for these popular apps that governments across the world use (remember NSO?) whereas not for less popular apps.


The difference probably is that they have Indian office and representatives. The article outlines that the ban happened after they were unable to reach out to any of these apps.


I very much doubt the Indian government can break the encryption of Signal or WhatsApp.

The article says that the apps that were banned provided anonymity.


Govt doesn't need to break encryption technically. They just need to have lawful orders issued to the app or platform companies to comply to provide the information about the targets (1-1 chats or group chats). Question is - can the companies comply? Do the companies themselves have backdoors so they can comply? Btw, there are laws on the books that say they ought to have mechanisms such that they can comply.


The only way a company providing end to end encrypted messaging service can comply with such an order is to ship a backdoored version of their client software. This might send copies of the messages somewhere else as well, or use deliberately weakened keys, or something like that.

There is no way for the companies to break the encryption on their servers without compromising the client first.


Usually, each message is encrypted with a new symmetric key that's unique per message and that key is encrypted with the public key of the recipient and included in the envelope of the message. It isn't hard to ask the client to also encrypt the symmetric key to the company's own monitoring public keys and include it in the envelope. Presumably this can be done dynamically on-demand (when a govt monitoring request comes in) by the company servers. It is also conceivable that all symmetric keys of the past 30 days of messages are stored on the client and can be asked to be sent to the server on-demand. If all this functionality ("backdoor") is already baked into the client, and carefully masked to look like legitimate functionality of the app, then there's no need to "compromise" the client afterwards.

We are talking about private, for-profit companies running closed-source service with closed-source client and with TLS-key-pinned client-server RPCs. And we are talking about closed-source phones running closed-source hardware, firmware, OS, and platform services. Even if the app was open-source (like Signal) there are plenty of injection points to do the above at the lower-levels.


Yes, there are many ways it could be done.

However, I doubt that a private company whose business model was end to end encryption would secretly bake a back door into every client by default.

Any exposure of this by reverse engineering or whistle blowing would end the business. Why would a private company work against their own interests in that way?

I could imagine that specific clients got special back doored versions under some kind of secret court order, but I'm not sure what the delivery mechanism would be for that.

Edit: your final point that you could compromise a device independently of the app itself seems much more likely to me. Tools to do this exist and have been provided to governments.



