vellocet Posted January 2, 2022 at 11:22 AM

Is there any way to communicate securely inside China? WeChat might as well be an open book. A friend of mine got her husband's complete chat history, and that was only from a tiny police chief, and all she had to do was ask nicely. QQ and Weibo are just as bad.

Perhaps security through obscurity? Send messages through a fishing spot sharing app that has a social media function? A knitting app for sharing patterns?

Yes, the solution is probably "get your hands on the other person's phone, install an APK of a secure Western messaging app and then go through the steps of setting up an account for them." But what about people who are geographically distant? And especially the (majority of Chinese) people who have iPhones. They can't install anything that's not approved by Apple, and by extension the government.

889 Posted January 2, 2022 at 12:14 PM

Think of it more as an issue of logic than fancy computer tech. So long as the hardware's not secure, you're wasting your time.

alantin Posted January 2, 2022 at 12:31 PM

Depends on what kind of messaging you have in mind. If it's with random acquaintances across China, you can probably forget it. As you said, they use the Chinese apps and they are not built with security as a priority.

With some people you could remedy this by setting up PGP keys and exchanging encrypted messages over WeChat. Just make sure the equipment you use to store the keys and encrypt the messages is clean. An interesting question however is, would exchanging such messages over WeChat draw attention?

Skype seems not to be blocked in China and being owned by Microsoft it shouldn't be subject to the same security concerns as WeChat etc. and should be ok for setting up dates with a mistress. I haven't looked into what kind of encryption it does or what they have published on the policies they have for handling the messages.

Signal and VPN could be a good option. Signal has E2E encryption, but it requires access to its servers outside of China and I think it may be blocked in the GFW.

For business I recommend using the tools that your company provides. In the west more and more O365 (Teams, Exchange Online, OneDrive, etc.) which work passably in China. The security is pretty good from the company's point of view and the company IT admins will have access to messages by jumping through some technical and legal hoops.

If you need to transmit state secrets, get equipment from outside of China for both ends, install Tails on them, use Proton email, encrypt all messages with PGP and route all traffic through Tor.

Note: just listing available options for securing communication and all information for these is readily available in the interwebs. Not to be taken as encouragement to do anything illegal. Check with your local laws what you are and are not allowed to do.

杰.克 Posted January 2, 2022 at 09:50 PM

I honestly don't think in today's age there is a "secure" messaging app. In both China and the West, governments/police/national security services can read your messages if they think it pertinent. I just think the measure of what might be pertinent is wildly different, i.e. local police head can willy-nilly read WeChat messages vs need a few signatures and jump through legal loopholes.

Best policy is to not send anything you wouldn't want others reading.

alantin Posted January 2, 2022 at 10:28 PM

Technically public key cryptography provides the tools to encrypt messages transmitted over any medium, but it's often relatively cumbersome to use if you don't trust the medium to do the end-to-end encryption for you, and if your medium is monitored, messages that can't be read may (and likely will) attract attention.

It is a good point that an app being "western" does not necessarily mean it's secure. Think of the mass exodus from WhatsApp to Signal when Facebook announced their changed policies some time ago. When you use an app, you are trusting the company that creates the app to treat your messages the way they tell you they will. In addition you'll need to think about how the messages are technically delivered, what kind of encryption (if any) is applied, and who maintains the encryption keys and where they are maintained (On your device by you? On the servers by the company? Somewhere else? Are you sure?).

vellocet Posted January 3, 2022 at 05:05 AM

As long as it's not trivial for some podunk police chief to lay open anyone's WeChat. Let's not go for 100% theoretical quantum security. Just keeping the data out of the hands of snoopers in China is fine. Sure, your data can be spied on, but it's open to few people who probably don't care about you. Nobody wants the paichusuo keeping tabs on you, as they well can.

Demonic_Duck Posted January 3, 2022 at 05:35 AM

> On 1/2/2022 at 5:22 AM, vellocet said: A friend of mine got her husband's complete chat history, and that was only from a tiny police chief, and all she had to do was ask nicely

What in the actual FUCK

Can you give more details?

markhavemann Posted January 3, 2022 at 05:56 AM

Unpopular opinion here, but what's the obsession with having your text messages encrypted? If you're not doing anything illegal then you don't really need to worry, surely?

Personally I don't really mind if somebody in some government office can read my messages. If they care about the message I sent to my friend about what I had for dinner or the giant dump I just took (sorry to be crude) then power to them. Probably worth it to be able to easily catch people doing actual crimes, or at least deter them to some extent.

Honestly, the only exception to this that I can think of is sending nudes or passwords, but a voice message or phone call is probably more than ok for the latter.

alantin Posted January 3, 2022 at 07:42 AM

> On 1/3/2022 at 7:35 AM, Demonic_Duck said:
>> On 1/2/2022 at 1:22 PM, vellocet said: A friend of mine got her husband's complete chat history, and that was only from a tiny police chief, and all she had to do was ask nicely
> What in the actual FUCK Can you give more details?

Did that really surprise you? A year or two ago I read some article about how a company can make a contract with Tencent to get access to all their employees' WeChat messages. Of course law enforcement would have access to average citizens' messages. And if you don't prioritize privacy of people's communications in their training, I don't doubt for a second you wouldn't get helpful police officers acting like this. What the officer did would be a criminal offense here, but I don't know about China.

alantin Posted January 3, 2022 at 07:58 AM

> On 1/3/2022 at 7:56 AM, markhavemann said: Unpopular opinion here, but what's the obsession with having your text messages encrypted? If you're not doing anything illegal then you don't really need to worry, surely? Personally I don't really mind if somebody in some government office can read my messages. If they care about the message I sent to my friend about what I had for dinner or the giant dump I just took (sorry to be crude) then power to them. Probably worth it to be able to easily catch people doing actual crimes, or at least deter them to some extent. Honestly, the only exception to this that I can think of is sending nudes or passwords, but a voice message or phone call is probably more than ok for the latter.

Text messages aren't encrypted, at least in GSM/UMTS networks. If I remember correctly, neither are phone calls in the network except between the phone and the cell tower.

It is a different paradigm. In here the privacy of mail is probably one of the oldest and most important privacy laws we have and it is extended to cover all electronic communication as well. If anyone with money/means can read anyone's messages, that has huge implications on national security, corporate espionage, freedom of speech, average citizens' rights, etc. You may not need to be afraid of government misusing your messages, but if the security around them is that lax, there will be other parties too who will be able to gain access to them and if the messages can be read, they can also be altered or parts can be omitted to give more convenient impressions.

I heard of a university professor who got cancelled in China for giving a lecture on some parts of history between China and Japan. Some student took a video of the lecture and posted parts of it online that made it look like the professor was pro-Japan in some way. But if you had a chance to listen to a little more, I think the professor was bringing up some issue with victim counts in the Nanjing massacre or something.

tl;dr: It's best to stick to describing your dumps anyway, lest you get in trouble..

Insectosaurus Posted January 3, 2022 at 12:04 PM

> On 1/3/2022 at 6:56 AM, markhavemann said: Probably worth it to be able to easily catch people doing actual crimes

Crimes like wanting regime change and reporting on human rights violations?

Demonic_Duck Posted January 3, 2022 at 07:27 PM

> On 1/3/2022 at 1:42 AM, alantin said: Did that really surprise you?

Yes, that surprises me. The fact that national government agencies have ways of obtaining WeChat messages doesn't (I think that's been widely known for a long time); but the fact that local law enforcement can easily access that information and hand it out to ordinary citizens is pretty shocking.

> On 1/3/2022 at 1:42 AM, alantin said: A year or two ago I read some article about how a company can make a contract with Tencent to get access to all their employees' WeChat messages.

...But not quite as shocking as this. What's the source? And does this mean private WeChat accounts, or just 企业微信 accounts under the company's organization? If it's the former, how would Tencent even verify that the account in question belongs to an employee of the company?

alantin Posted January 3, 2022 at 11:12 PM

@Demonic_Duck, I read that years ago so I'm very vague on the details and I don't have a source. I believe the idea was to register the users separately as some kinds of enterprise accounts so a company apparently wouldn't get access to just anyone's messages. Without going through some back door at least.

A quick Google search returned this introduction to WeChat Work which it has apparently become since.

https://wechatwiki.com/wp-content/uploads/wechat-work-version-3-enterprise-account-features-benefits-business-backend-grata.pdf

Demonic_Duck Posted January 4, 2022 at 01:35 AM

Yeah if it's just 企业微信 accounts under the employer's organization then I'm not surprised at all. In an ideal world corporations would have much less power to spy on their employees, but given the world we actually live in, you can expect that many employer-endorsed channels (email, 企业微信, Slack, etc.) will be transparent to the employer if they decide to snoop.

markhavemann Posted January 4, 2022 at 05:21 AM

> On 1/3/2022 at 8:04 PM, Insectosaurus said: Crimes like wanting regime change and reporting on human rights violations?

Since a surprisingly large number of Chinese have VPNs, Facebook, Instagram, etc., anyway, I don't think this is really an issue, is it? I mean mostly things like scams, drugs, prostitution etc. the crimes and problems that actually exist in society, and not the ones that are convenient for selling newspapers and getting people to watch Fox News...

> On 1/3/2022 at 3:58 PM, alantin said: I heard of a university professor who got cancelled in China for giving a lecture on some parts of history between China and Japan. Some student took a video of the lecture and posted parts of it online that made it look like the professor was pro-Japan in some way.

I guess I can see your point to some extent, but I'm pretty sure if you can get hold of someone's profile picture you could easily make "screenshots" of just about any WeChat conversation you want, so I'm not sure if this is enough to make me want my WeChat conversations to be encrypted.

> On 1/3/2022 at 3:58 PM, alantin said: If anyone with money/means can read anyone's messages, that has huge implications on national security, corporate espionage, freedom of speech, average citizens' rights, etc.

Apparently it is possible to buy database copies of account information and (usually encrypted) passwords that have been stolen from all kinds of online platforms. Source: I know someone who works in the "internet company" circle who has bought all his own information out of curiosity.

I'm sure it's possible to get access to people's conversations if you know where to look, I can see why it could make some people uncomfortable. I personally don't care and think it should be freely available to law enforcement, but I guess it's something that should be regulated pretty strictly.

alantin Posted January 4, 2022 at 07:48 AM

> On 1/4/2022 at 7:21 AM, markhavemann said: I guess I can see your point to some extent, but I'm pretty sure if you can get hold of someone's profile picture you could easily make "screenshots" of just about any WeChat conversation you want, so I'm not sure if this is enough to make me want my WeChat conversations to be encrypted.

Encryption is a lot more than just making messages unreadable to third parties. One big part of it is non-repudiation allowed by the cryptographic signatures involved and they basically tie each message to a certain device or person. If in use, like with WhatsApp, Signal, Line, etc. apps, you can basically look at a message and tell if it was written using someone's account or not. It doesn't really matter if you want to cancel someone but it is legit in western courts for example.

> On 1/4/2022 at 7:21 AM, markhavemann said: I'm sure it's possible to get access to people's conversations if you know where to look, I can see why it could make some people uncomfortable. I personally don't care and think it should be freely available to law enforcement, but I guess it's something that should be regulated pretty strictly.

That regulation implies that some people are allowed to view the messages and others aren't. This requires encryption and extremely tight procedures for the key management by the service provider.

> On 1/4/2022 at 3:35 AM, Demonic_Duck said: Yeah if it's just 企业微信 accounts under the employer's organization then I'm not surprised at all. In an ideal world corporations would have much less power to spy on their employees, but given the world we actually live in, you can expect that many employer-endorsed channels (email, 企业微信, Slack, etc.) will be transparent to the employer if they decide to snoop.

My personal experience comes from administering O365. At least European laws are quite strict on such spying, I expect the US laws to be too, and it reflects in the way the tools are set up by the western service providers. Microsoft provides the tools for accessing employees' email boxes for example, but it's not as simple as just opening the box and looking. There is tight access control and every action is logged so you can go and check who did what.

I've also administered some other on-premises systems in the past for company email and also providing email boxes for external customers and with those less developed systems I was in theory able to just open anyone's email box and check the emails without them knowing it.

Of course, how a company uses those tools is up to them, but it depends on the legislation and the local law enforcement in how much trouble the company will find itself if it disregards those laws. But all in all, if you don't know how your setup protects the privacy of your messages, it is best to just assume that at least your employer and/or your service provider will be able to read the content if they want to.

And email particularly has always technically resembled more sending post cards than letters. The content of a letter is covered by the envelope and the recipient will likely notice if it was opened by someone else before reaching its destination, but what's written on a post card can be read by anyone who can lay hands on it while in transit.

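The signature property described in the post above (a message tied to a key, so that an edited or fabricated copy can be told apart from the original), as an added example that is not part of the original thread and does not reproduce how WhatsApp, Signal or Line work internally. It uses Ed25519 from Go's standard library; the `Message` layout, the sender name "alice" and the sample texts are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Message is a constructed chat record; this layout is an assumption for the
// example, not the wire format of any app named in the thread.
type Message struct {
	Sender, Body string
	Sig          []byte
}

// signedBytes length-prefixes each field so that ("ab","c") and ("a","bc")
// can never serialize to the same signed input.
func signedBytes(sender, body string) []byte {
	var n [8]byte
	var out []byte
	for _, field := range []string{sender, body} {
		binary.BigEndian.PutUint64(n[:], uint64(len(field)))
		out = append(append(out, n[:]...), field...)
	}
	return out
}

func Sign(priv ed25519.PrivateKey, sender, body string) Message {
	return Message{sender, body, ed25519.Sign(priv, signedBytes(sender, body))}
}

// Verify uses the public key the reader already holds for m.Sender
// (obtained out of band); an unknown sender is rejected outright.
func Verify(keys map[string]ed25519.PublicKey, m Message) bool {
	pub, ok := keys[m.Sender]
	return ok && ed25519.Verify(pub, signedBytes(m.Sender, m.Body), m.Sig)
}

// Demo verifies a genuine message, an edited copy, and a forged one.
func Demo() (genuine, edited, fabricated bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"alice": pub}
	m := Sign(priv, "alice", "See you at 7.")
	tampered := m
	tampered.Body = "See you at 9." // body changed, signature left as it was
	fake := Sign(forgerPriv, "alice", "I never wrote this.")
	return Verify(keys, m), Verify(keys, tampered), Verify(keys, fake)
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

The check is only as good as the key directory: if the reader accepts a public key for "alice" from the same channel that carries the messages, whoever controls that channel can substitute their own.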