Confused U.S. Feds Subpoena Signal for Data It Doesn’t Collect

Confused U.S. Feds Subpoena Signal for Data It Doesn’t Collect
Photo: Lionel BONAVENTURE / AFP, Getty Images

For the second time in several years, Signal has been subpoenaed by U.S. federal investigators for data that the encrypted chat app company doesn’t actually collect.

In a statement published Wednesday, the company disclosed that it had recently received a summons from the U.S. Attorney’s Office in the Central District of California. The request comes from investigators with the U.S. Department of Homeland Security and asks for data on half a dozen Signal users — including their addresses, “their correspondence, and the name associated with each account,” along with other subscriber data.

Apparently, the investigators who filed the subpoena aren’t too familiar with the company. All Signal can actually do is provide them with Unix timestamps for when each user account was created and the date when each account last connected to Signal’s servers — because that’s all the company actually collects. As a recent comparison between different data collection practices by various chat apps shows, Signal is in a league of its own when it comes to respecting users’ privacy. Whereas something like WhatsApp, despite offering encryption, still hoovers up a host of analytics and user information including your name, location, contacts, user and device ID, etc., Signal retains pretty much zilch.

This same sort of thing happened during a different grand jury investigation in 2016, when the FBI asked the company to deliver to them a scattershot of user information, including “name, addresses, telephone numbers, email addresses, method of payment, IP registration, IP history logs and addresses, account history, toll records, upstream and downstream providers, any associated accounts acquired through cookie data.”

Then, like now, Signal decided to link forces with the American Civil Liberties Union to tell the feds that they just simply did not have the data that investigators were looking for. A new letter from the ACLU on the recent request states: “The only information Signal maintains that is responsive to the subpoena’s inquiries about particular user accounts is the time of account creation and the time of the account’s last connection to Signal servers.”

Whenever something like this happens, it’s basically just a huge, free advertising opportunity for Signal — because it gives the company an opportunity to trot out blurbs reminding users of its unique business practices. See below, culled from the company’s recent statement, for example:

It’s impossible to turn over data that we never had access to in the first place. Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for. As a result, our response to the subpoena will look familiar. It’s the same set of “Account and Subscriber Information” that we provided in 2016: Unix timestamps for when each account was created and the date that each account last connected to the Signal service.

It’s also interesting that these requests keep coming in. Did the feds not bother to read the company’s product description before they fired off a legal summons? One of the ACLU attorneys attached to the case, Jennifer Granick, said that police don’t always heavily research companies before making information requests.

“I think that a lot of law enforcement agencies don’t necessarily understand or pre-educate themselves about what is available,” Granick said, via phone. “I’ve seen this with other companies, too. Agencies may have a template or something [for data collection], particularly at the state level, and they just ask for all kinds of stuff that may or may not exist.”