It sounds like he's being held liable for sending a private message that scared the people spying on him into arresting him unnecessarily.
It never occurred to me that end to end encryption would eventually have the use case of preventing security services from scaring themselves and then blaming you for a false alarm...
> It never occurred to me that end to end encryption would eventually have the use case of preventing security services from scaring themselves and then blaming you for a false alarm...
It never occurred to you that incompetence/stupidity is rampant?
> He said that the plane's pilot made an announcement, telling passengers that the fighter jets had been scrambled because of a distress signal that had been sent by mistake.
> Mr Verma's message was picked up by the UK security services who flagged it to Spanish authorities while the easyJet plane was still in the air.
> A court in Madrid heard it was assumed the message triggered alarm bells after being picked up via Gatwick's Wi-Fi network.
Emphasis mine. Something is really fishy here. We know that a fighter escort was dispatched for this flight, but it sounds like no one is on record that his message is what actually triggered the escort or how they would have even found it.
There's a non-zero chance that the Spanish authorities themselves do not know where the distress signal came from, and only found out about the message after they searched his phone. And they are trying to pin the cost of scrambling the jets on him when they really should be ringing up the UK government.
While everything was TLS encrypted between all conversation participants and the Snapchat server (airport Wi-Fi is a non-sequitur here), Snapchat has some kind of PRISM-style setup that at least starts with a global keyword scanner for natsec-related triggers.
That alone seems unlikely to have resulted in fighter jets scrambling. More likely, that keyword system feeds into a much more complex Palantir deployment or something that's cross-referencing a bunch of other factors and assigning a risk score. In this case, it was enough to get flagged for immediate review, someone thought the contextual elements were enough to escalate, and this set off a chain of actions leading to the fighter jets.
There are likely thousands of terrorism jokes made over back-doored messaging systems every day, but sending one of those messages buys you a lottery ticket you certainly don’t want to win.
And in this scenario, it might not even have been an assessment of risk, but rather "just to mess with him". The reporting person may have thought it would be a funny prank to have him questioned by police over the message and that would be the end of it.
It doesn't seem so likely that a human in the airport happened to read his message, or that surveillance cameras at that airport OCR all peoples' phones (although I wouldn't be completely surprised if they did)
Snapchat does not encrypt text messages only photos and video.
Also the question of how many of those joke messages are being sent from an airport and have account meta data that can be tied to travel information (name, email, phone number). I wager far fewer that it may not make it into as much of a game of chance as you think.
Huh? Snapchat uses TLS encryption for all data in transit, regardless of whether it's text, photos, or videos. This means that all forms of data are encrypted when they are being transmitted between your device and Snapchat's servers.
I think you’re confusing transport layer security with end to end encryption.
TLS prevents the people who run Gatwick airport wifi from reading the messages. E2EE would also do that, and would additionally prevent Snapchat themselves from reading the messages.
I am not, no E2EE means that Snapchat can view text messages, hopefully the endpoint does use TLS but even if they do you assume that there is no MITM throughout the chain at all and that the app employs public key pinning to detect such attempts.
That kind of an MITM attack would require both a lack of public key pinning from Snapchat _and_ a compromised certificate authority issuing bogus Snapchat TLS certificates that were trusted by common consumer devices. It's possible for a state level actor, sure, but it's unlikely that kind of countermeasure is being deployed in a blanket over every device connected to the Gatwick airport wifi.
The parent post said (emphasis mine):
> While everything was *TLS* encrypted between all conversation participants and the Snapchat server
To which you replied:
> Snapchat *does not encrypt* text messages only photos and video.
Which isn't true. TLS is encryption, and provides effective protection against an MITM attack from the provider of the Gatwick airport wifi. Sure, E2EE encryption may provide better privacy. It's only providing a meaningful improvement against a certain group of adversaries, though. That's the set of attackers who have the resources to defeat TLS, even without public key pinning, yet who do not have the resources to compromise/keylog one or more of the devices or compel cooperation from Snapchat.
Even if Snapchat did E2EE their messages, you would be very unlikely to have certainty that _your_ messages were secure. All it takes is `shouldE2EE := username != 'dogma1137'`. Or more likely `shouldCCTheNSA := username == 'dogma1137'`. The only defence against that kind of coerced cooperation is a full source code audit, confidence that there's no obfuscated code fooling your auditor, reproducible builds of the app, an ongoing assurance of some kind that the installed build's checksum matches that of the audited code, and finally full and ongoing confidence that none of the other vendors involved in the production of your device from the OS software stack right down to the baseband chip, have been similarly coerced.
tl:dr, TLS is probably all you need. For the cases where TLS legitimately isn't sufficient, you should be assuming that any conversation within 100m of any electronic device has been compromised.
When you are talking about message encryption it’s rather clear, transport encryption can happen regardless of message encryption and overall is more easily defeated.
It's a very odd story. The major intelligence services can be very capable but the idea that a person presumably not under surveillance would have a random chat message trigger the dispatch of two fighters in, what?, maybe two hours is hard to believe. I mean, how many messages a minute (second?) contain some keyword that would trigger filterss?
I can believe someone in the Snapchat group took it seriously and called whatever the Brit equivalent of 911.
Probably more than you imagine. The sheer volume of Snapchat messages means that I can't imagine fewer than hundreds and maybe many more people being arrested/questioned for suspicious private messages from near sensitive locations on an annual basis.
I'm being deliberately conservative. My basic point is that if the big governments were flagging everything that passed some threshold of possible threat, you'd have a volume of false positives that it's really hard for me to imagine being way under the radar.
I have trouble believing that the intelligence services are so masterful at parsing threats--within the hour--with almost nary a false positive.
I feel like they are being vague on how the message was sourced purposefully.
It's a shame it's a kid that doesn't have the resources to fight this, the UK public has already been conditioned to expect that all their messages are being tracked and read it seems.
> I feel like they are being vague on how the message was sourced purposefully.
I'm reminded that, years ago, an unsecured MongoDB instance was discovered on the internet, and it turned out be part of a feed of private social network activity to the Chinese police/government agencies.
I wonder if the UK government has a similar feed of Snapchat messages.
I'm also reminded of a video (apparently originally posted to Chinese social media by the police), of some schmuck locked in a tiger chair at a police station being forced to apologize for talking smack about the police in a private WeChat group (it was nothing political, the police were apparently confiscating motorcycles or something at the time and he didn't like it).
"Mr Verma's message was picked up by the UK security services who flagged it to Spanish authorities while the easyJet plane was still in the air.
A court in Madrid heard it was assumed the message triggered alarm bells after being picked up via Gatwick's Wi-Fi network."
Agree, seems pretty odd that a court is told to assume something and not given the full story.
The article states that the Spanish courts assumed his message was intercepted in the airport, not over the in-flight wifi.
It’s complete speculation anyway. As others have pointed out, the likely route the message took to the British intelligence services is via Snapchat disclosing it directly, not through some edge-network magic TLS-breaking packet sniffer.
The message was sent privately. After reading about Snapchat security at https://courses.csail.mit.edu/6.857/2016/files/11.pdf, it's clear that even in the absence of E2E encryption, all message are sent to the Snapchat API using TLS and even if using a public airport Wifi, this message should not have been easy to intercept.
This leaves only a few options about what is happening here:
Option 1: Big Intel has totally broken TLS and can see all TLS traffic in the clear in real-time
Likelihood: very unlikely, I don't think this would stay secret for long.
Option 2: Big Intel got itself a certificate for the Snapchat domains and use it to MITM Snapchat traffic.
Likelihood: very possible but unlikely to be the source as I don't think they would use it too openly on random users as it's too easy to get noticed if used widely.
Option 3: Snapchat is actually monitoring all messages and reported the message to authorities themselves. Alternatively, Big Intel is in bed with Snapchat and all message get processed by an intelligence system.
Likelihood: I think this is the only explanation that makes sense.
Since it would not be very good PR for Snapchat to admit that they are monitoring all messages, the authorities must have invented that airport wifi monitoring story. Who even use an airport wifi in their home country anyway... Pretty sure he had 4G and no need to use the crappy airport wifi.
Anyway, that's the only way I can make sense of that story.
Option 4: there is zero privacy and security on devices, as many vital parts of their OS are closed source, from firmware to apps through the OS. It takes only one rogue closed program with the right permissions to render insecure a 99.9% open phone and read data before it is being encrypted or after it is decrypted, then send it somewhere.
Likelihood: Certainly possible (and out in the wild, see Triangulation and Pegasus), but it seems brazen to waste 0-days and PR issues on the low chance someone might text a bomb threat.
> Option 1: Big Intel has totally broken TLS and can see all TLS traffic in the clear in real-time
> Likelihood: very unlikely, I don't think this would stay secret for long.
Also, I doubt they would let the fact they have a technical capability like that leak out for something as stupid as this. If they totally broke TLS (and can do it near real-time), it would be a very, very tightly held secret. Probably the kind they'd let a plane blow up to protect.
It's Option 3. The Gatling Wi-Fi is most likely a red-herring to prevent a Snapchat PR nightmare, that somehow even Reddit and Hackernews have fallen for. I imagine a layperson would be none the wiser.
> Option 1: Big Intel has totally broken TLS and can see all TLS traffic in the clear in real-time
> Likelihood: very unlikely, I don't think this would stay secret for long.
People smart enough to break TLS at scale wouldn't be dumb enough to reveal their cards on a false alarm, that would be a massive blunder. Yes it wouldn't stay secret for long, which is why you must use it with impeccable deliberation.
That's an interesting point. That's sound at least plausible that mobile notifications could be monitored by intelligence.
Still, the point would be the same: they are likely inventing a story around the airport wifi, and someone/something is watching messages directly on the provider side.
Seems like charging people for what they write or say in a private setting is like ThoughtCrime.
Monitoring all communications for keywords and reacting is going to throw up a lot of false positives, that is in the nature of casting a wide net. Persecuting the victims of this snooping (the defendant in this case) seems a bit harsh.
i don't understand. i thought TLS or some other form of end-to-end encryption would prevent this sort of thing from happening. it seems like someone has access to the plaintext message other than the participants of the conversation.
how does this happen? (i am not a snapchat user)
not even to begin talking about the political ramifications...
Snapchat texts are not end to end encrypted. I think we know exactly how that happens since Snowden.
There won’t be political ramifications. Though this might be more tangible to the average users that don’t care about privacy.
Snapchat messages being surreptitiously downloaded and monitored by the NSA at some point where they are unencrypted (possibly only within Snapchat's datacenters) is consistent with what was revealed in Prism. I know that most companies have updated their standards to treat any network traffic as insecure since Prism but it's possible Snapchat doesn't.
Also as I understand it the NSA also has no legal issues with sharing any messages intercepted with the UK so long as one of the parties to the conversation is not a US national or on US soil.
Errr phones aren't safe. They are backdoored up the wazoo. Same with all your messaging companies. Any that are decent in size have had a visit from authorities and aren't allowed to disclose to you they have.
Iphones, android it doesn't matter. Your phones about the least safe tech device you own. It literally hacks itself if sent the right messages.
Edit: OK so it seems a fair few folks don't understand how spying across borders and things like the 5 eyes mean your tracked without a warrant legally.
So here's how it works. All 5 eyes countries are not allowed to spy on their own citizens in their countries without a warrant. All 5 eyes countries are allowed to surveil info about foreign individuals without a warrant. 5 eyes intel agencies basically just have to pipe a copy of local data say fb or in this case snapchat out via a friend in a another country then back to themselves and they don't need a warrant. As the data has now come from Intel sharing from your 5 eyes peers. The 5 eyes intel agencies between them all have deals and flex with just about every other intel agency in the world except the obvious few.
Intel sharing these days is as much as a treasure hunt for legal loopholes to get the data as it is hunting the data itself.
Its stuff like this. Phone recieves message, runs code embedded in msg for nfi reason why literally starting off the chain of events/exploits to hack yo device.
We've had a few of these types of entry points in phones now over the years. Enough that if its still happening its probably by design as a favor to a 3 letter agency.
For that matter, you send something to someone as a joke. Maybe they think you're serious. Maybe they tell a friend. Maybe you sent it to the wrong person. Etc. Who knows what happens here.
The article somewhat suggests that the guy used the airport's wifi. In this case and assuming that the wifi network supports government surveillance by design, end-to-end encryption does not help.
That is simply not correct. With properly implemented E2EE, you can communicate confidently over a completely insecure channel. You could post the entire data stream publicly on the internet with no loss of privacy.
I would still assume that with apps like Snapchat, there are inherent problems on meta-level (from an E2EE view) because for the users, Snapchat is essentially a trusted third party, providing governance/management features. But it can well be that Snapchat does not provide E2EE; I cannot see any remarks about it on their webpage.
"WhatsApp _considers_ chats with businesses that use the WhatsApp Business app or manage and store customer messages themselves to be end-to-end encrypted."
And later, they write that in many cases, Meta can actually read the messages.
I guess Snapchat isn't E2EE. There are various articles online that say it is, but if you view their privacy stuff, the have nothing about it and in this video they say they share your private messages with law enforcement when required: https://www.youtube.com/watch?v=0lj4xjCaCXU
Interesting that the British government is packet sniffing at airports. Imo they should pay the $90k to the Spanish government.
assuming TLS isn't broken and E2E is working as intended...
isn't it more likely that someone saw the message while looking over their shoulder, was reasonably worried and alerted a security officer: "hey someone over there is messaging about harming the plane", and then things got muddled from there about technology?
even going past a ceiling camera pointing down straight at you writing a message would probably give enough resolution to see an emoji.... but it's not like airport security wants to reveal their abilities
The headline here is very misleading and different from the article - has the article changed or been editorialised here?
"On my way to blow up the plane (I'm a member of the Taliban)."
British man, but - going by the name - presumably of Indian (?) heritage.
The article doesn't give his actual background (which seems like craven reporting), but crap joke or not you don't get to make those comments as a young British Asian male in a "private" group chat (neither are the number of individuals in the group described) in that context and not expect there to be repercussions.
I'm suspicious also of the idea this was intercepted by gchq, it's quite believable that's a cover for somebody in the group being (rightfully) worried and doing their civic duty.
Perhaps it's an overreaction and security overreach but there's more complexity than indicated in the simplistic headline here.
He says it was an in-joke with his friends about the way he looked.
From that I would like to abduce the fact that the friends the message was addressed to were not in the airport (at least not all of them) otherwise he wouldn't be informing them he's going to his flight.
Based on that, I have a hunch the message was "intercepted" by one of his friends' parents who freaked out and told the cops who raised the alarm. That would be the easiest way to explain how the message was "picked up" in the first place.
Snap explicitly claims to "work to proactively escalate any content that could involve imminent threats to life" [1]. Given this, it seems almost certain that the Wi-Fi explanation is miscommunication, misunderstanding, or misdirection.
On a broader note, two days in jail, two years in courts, and possibly over $100k in fines will make a mess out of a college kid's life. All that for a common joke is downright negligence on the part of the authorities simply because of the high risk of instilling a resentment toward society in the accused. Ugh.
For those who have said that text messages aren't encrypted, I'm pretty sure this is inaccurate. You can almost guarantee the big social media platforms used TLS encryption on all their data in transit. A quick and dirty packet capture confirmed this, no messages can be seen in plain text. Also, a quick test sending messages from an iPhone with the latest iOS through Burpsuite will cause the app to not work properly. Messages aren't sent or received, and we can see the logs in SSL fatal errors "certificate_unknown". This is even after the cert was installed as a Trusted Root CA. This seems to be evident of SSL pinning, also as expected. There are many variables here, way too many to account for, but I would probably rule out the "This was captured on Airport wifi". With this and the information from the other messages here, I'm personally going to lean towards it was an internal Snapchat flag that alerted law enforcement, or GCHQ has a Snowdenesque backdoor.
It's incredible that even on Hacker News so many people expect that Snapchat messages are not monitored
I guess that explains why it's so used.
It's a centralized, non E2EE system, you don't expect them to flag something with "blow up", "plane" and "taliban" in the same message?
It's more likely than one of the group members reported it, but if it got flagged, sent to some five eyes system and there they noticed (manually or automatically) that the guy just boarded a plane, it doesn't sound surprising !
And actually Snapchat gets the users' position as well, it might well be that a reviewer at Snapchat itself saw that he was in an airport and reported it.
Being an immediate threat it's not surprising they acted like that.
The weird wifi story means that they know people expect privacy on Snapchat, I guess.
I’m guessing this wouldn’t have had the same response if the guy was white. Feels like the guy should be due compensation by the Spanish government. Is there really a law that prohibits private jokes that may alarm an unknown surveillance system?
>Mr Verma's message was picked up by the UK security services who flagged it to Spanish authorities while the easyJet plane was still in the air.
It sounds like the UK government is spying on citizens’ private messages to each other. The article says it was sent only to people he was traveling with on the day of his flight.
This strikes me as extremely authoritarian and scary.
Europeans: why are there not mass protests about this? Is this the kind of world that you actually want to live in? Is it just apathy? Or is this seen as a good thing?
It's extremely likely this information was provided to the UK government via a 5 eyes agency (probably the US), and that the UK are capturing data on US citizens to send to the US government.
Because we hadn’t heard about this case before. — At all. If the vague information in this article is actually corroborated there’ll be an outcry alright.
"The message was picked up by their mobiles on Gatwick airport's Wi-Fi servers and immediately triggered alarm bells with security because of the sensitive words used."
I thought that was weird then and I still think it's weird now, either there is a pretty big problem or the daily mail is inaccurate. This whole article is lala land from a tech perspective and I'm quite curious about it.
From that article it seems like it's the kid who assumed it was the WiFi that caused the leak.
'But I was using the data on my phone and they were using the Wi-Fi at Gatwick and so the message was picked up by the security people.'
As far as I know, it doesn't seem like anyone in the UK has said where they got the info from. And the Daily Mail may just be assuming the kid's right and is jumping to a conclusion.
> Shortly after, the court was told two Spanish F-18 fighter jets were sent to flank the aircraft.
Genuine question: what's the point of scrambling fighter jets to escort a passenger one? Is the intent to shoot the plane down, if it comes to that? But if the bomb were to go off, what are the fighter jets supposed to do? Won't they, too, get damaged in the blast?
This is quite dumb, if he was actually going to do it he wouldn't announce it so clearly on a non-encrypted channel. Does the UK really think state supported agents talk on snapchat?
A private Snapchat. If someone dobbed him in it would have to have been one of his friends which assuming those friends know him well would be an even crazier thing to do than to make the joke.
Them being a group of friends doesn't rule out the possibilities. I've seen stupid pranks being played between friends; sometimes people are curious to see if the consequences are real
Right, so either the airport is running something that can break TLS, or snapchat is feeding a stream of private messages to the government with location information provided.
I’m not saying this doesn’t happen but I can’t remember ever having been asked to install a root certificate when joining an airport wifi. And I am confident that this has never happened when I’ve flown out from Gatwick.
It never occurred to me that end to end encryption would eventually have the use case of preventing security services from scaring themselves and then blaming you for a false alarm...