On the use of warrants: Signal has released details of a search warrant from police in Santa Clara, California. Quoting ZDNet:
In the search warrant, Santa Clara Police sought to get the name, street address, telephone number, and email address of a specific Signal user. It also wanted billing records, the dates of when the account was opened and registered, inbound and outbound call detail records, voicemails, video calls, emails, text messages, IP addresses along with dates and times for each login, and even all dates and times the user connected to Signal.
In response to the search warrant, Signal provided law enforcement authorities with timestamps regarding the account specified in the search warrant. The timestamps showed the dates that the account last connected to Signal.
Signal said in a blog post that, by default, it does not collect the requested information from users.
The company’s interaction with Santa Clara County police didn’t end there, however, as the law enforcement authorities then issued a non-disclosure order that required Signal to not publicly disclose that it received the search warrant.
The non-disclosure order was then extended four times, which resulted in Signal’s request to unseal the search warrant being repeatedly pushed back. In total, it took Signal almost a full year before the company was able to legally publicly disclose the process it underwent when it received the search warrant.
Why do we care?
IT providers are going to need more legal expertise, that’s for sure. I talk about data management as a service – use Signal as an extreme example. They don’t collect much information at all about users, yet are also under pressure when law enforcement comes knocking.
I’m “pro-warrant” as an approach, in that I believe requiring justified, public documentation for the why of data collection is important. In a business context, I still believe there should be justified documentation for the why of data collection because it minimizes risk to the business. The risk of that data getting out – ransomware – or even damaging customer trust is a risk to offset. Ask why a customer (or yourself) is collecting all that data.