Security concern: Does relay store the IP or details of the sender?

Hi everyone,

I have a question about the privacy of the Sender.
Let’s take an imaginary situation:

There exists a totalitarian regime-driven country that oppresses all channels of communication. Somehow, it finds your Delta Account contact and that you have used relay XYZ.
This country issues a court request and states that what the Sender has sent are strictly illegal materials.

Can the relay owner disclose the IP or any details about the Sender? It will of course have to respond to an official Court of this country; here are only the questions on:

  • How much data will be disclosed if it will happen?
  • Is there more data stored on the Relay if Multi-Device enabled?

Let’s limit the question on the idea that the Sender is using one of the official / Chatmail relays and not an email relay.

Best Regards

Governments (and cooperating foreign intelligence) can always gag order the host to enable full logging. They can stream the logs live to an external collection site - no need to store it on disk either.

The data center and ISP of the server can log all connections and can correlate incoming and outgoing connections based on the timing and size of the payload without cooperation with or even tipping off the host itself.

You don’t even need to send forbidden materials to get in trouble - joining a group or channel where others either attach or link to such content or just include it in their avatar or profile bio would already suffice.

Unfortunately Ian is right. Even if the relay owner does not normally store the IP address, the court can force it to secretly start logging the IP address and you won’t know until it is too late. This is what happened when Swiss courts forced Proton Mail to start logging the IP address of a climate activist, which led to the activist’s arrest.

Unfortunately, even when people get arrested or worse when their IP is exposed in cases like these, Delta Chat does not acknowledge this risk or take the risk seriously, as you can see from the FAQ which downplays the risk of exposing your IP address and wrongly suggests that it can’t be used to identify you:

IP Addresses are needed for connectivity and efficiency. They are neither persisted nor exposed. Note that the IP Address is not like a detailed address you give to a delivery service, but much more coarse, often defining region or country only.

As this is just how the internet and other messengers work by default, we do not offer options here or ask upfront questions.

Ian is also right about traffic correlation analysis attacks.

You can read more about some real world traffic analysis threats here, which pose a threat to many messaging apps:

About your other question

If Multi-Device is enabled then messages will not be deleted from the server immediately when you download them so there can be a few weeks of message metadata on the server like message size and timestamps when the relay is served the court order or the police seize the server. But the police can’t read your messages unless they also get your key for example by stealing your phone.

Right. One more aspect of enabling multi-device mode is that it might facilitate someone installing further devices to easily listen in on all your conversations without you noticing (such as when you left one of your devices unattended and they scan a QR). We have lots of topics about this, let me just link one this time:

Whereas, if you have an always-on device in single-device mode, your messages are practically “burn upon reading” - either the snoop will interfere with your own reception, hence trigger red flags or you always slurp up the incoming message before others could get to it (well, a better funded actor might still be able to get the payload through MITM by hacking any of the mail servers). Even if they can’t decrypt all the ciphertext they gather this way without setting up a second device, they might be able to decrypt it later on as long as they collect them all as you receive them. (At least until forward secrecy is implemented)

Hi @ian and @peppa,

It is always interesting to read these kinds of discussions.

I was also wondering about this scenario…

If I am located and I operate in country XYZ, but in my DC app I use a chatmail/relay located in another country/continent YBC.

For whatever reason, my XYZ’s government doesn’t like what I do and they want to track my activity. Shouldn’t XYZ have to ask the other country YBC for access to my data (via police/law enforcement, or whatever)? And if yes, would this be smooth or not? Also taking into consideration that I can choose a relay based in a country not collaborative with the country I live in.

In conclusion, given that DC is decentralised, it should be way harder for a government to find info… right?

Like the example you mentioned about Proton… that is still a centralised system, with a company based in Switzerland and an order requested by the Swiss government.

I would love to know your view.

Thanks!

Yes, it would be smooth.

However, if the host has vulnerabilities (either 0-day or past ones that the owner did not fix quick enough), they can access the remote servers without cooperation.

And again, it’s easier to approach the data center or ISP in many cases first before trying to access the host.

By the way, the jurisdiction of the building that houses the chatmail server that you see in the chart is only one part of the equation.

If multiple people or legal entities have either physical or remote access to the server, they can force any one of them to either backdoor it, give them a data dump or outright provide access to it depending on which jurisdiction the given person resides in under criminal penalties in many cases. I.e., it would also be useful to know the place of residence and nationality of the operators of each server, but that’s much more difficult to verify than its IP address.

All these things Ian is bringing up make me think that SimpleX Chat is probably safer, even if a government can ban the whole protocol (which is dubious because SimpleX also has packet obfuscation to make the traffic look like normal HTTP).

But since developers still believe in Delta Chat, there must be some plans to address these issues.

HTTP transport between servers has just been released in chatmail 1.11.0:

On the client side, JMAP would also improve the situation of blending in later on:

I am going to qualify what Ian said. If a country has decent privacy protections, getting access to data requires a warrant, which requires presenting evidence to a court which may well not trust an authoritarian country. The old remailers onion-routed mail through multiple countries (which you could do in DC by setting a series of classic mail accounts to forward all messages), in some cases with varying delays. In practice, the remailers found that the cost and effort involved in going through the legal process in multiple countries was enough protection to avoid censorship.

There are currently many efforts to have all communications logged and backdoored, and unrestricted international government sharing of information, and use of logs for training LLMs. The US CLOUD Act, for instance, allows the US gov secret warrantless access to any data a US service has, and the US is currently trying to impose this on foreign services using trade agreements. In the EU the courts have found that any service complying with the CLOUD Act is in violation of EU privacy law, but enforcement has been non-existent, and some EU governments keep patient medical records in US clouds! Most democratic countries have or used to have a right to private communications.

You can also use Deltachat via a proxy (including Tor and I2P). There are proxy settings in the app. However, there are parts of DC (involved in calls and real-time apps) which ignore the proxy and leak your IP address anyway, and there is no easy way to disable them.
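Two points in this thread, Ian’s remark that a data center or ISP can correlate incoming and outgoing connections by timing and payload size, and the remailer idea above of routing through hops with varying delays, can be made concrete with a toy model. The following Python is an added example, not code from Delta Chat, chatmail or anyone in this thread: it builds a constructed connection log with placeholder peer labels, shows what a simple size-and-timing correlator can infer from it, and then applies a relay-side mitigation (padding every message up to a fixed bucket and releasing outbound traffic in batches) to show why that inference falls apart. The `correlate`, `pad_and_batch`, `Flow` and `SAMPLE_LOG` names are all assumptions of this example.

```python
"""Toy model of timing/size correlation at a relay, and of the
padding-plus-batching that blunts it. Constructed sample data only:
the peer labels are placeholders, not real addresses."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    t: float        # seconds since the observer started logging
    size: int       # bytes seen on the wire
    direction: str  # "in" (sender -> relay) or "out" (relay -> recipient)
    peer: str       # endpoint as the ISP sees it (constructed label)


# Constructed log: four senders deliver to the relay, which forwards each
# message about 0.3 s later with ~40 bytes of header overhead.
SAMPLE_LOG = [
    Flow(1.0, 1200, "in", "sender-A"), Flow(1.3, 1240, "out", "recipient-1"),
    Flow(5.0, 3500, "in", "sender-B"), Flow(5.2, 3540, "out", "recipient-2"),
    Flow(9.0, 800, "in", "sender-C"), Flow(9.4, 840, "out", "recipient-3"),
    Flow(13.0, 2100, "in", "sender-D"), Flow(13.3, 2140, "out", "recipient-4"),
]


def correlate(flows, max_delay, size_tol=64):
    """What an observer outside the relay can infer without touching it:
    for each inbound flow, the outbound flows that leave within max_delay
    seconds and differ in size by at most size_tol bytes. A sender/recipient
    link is only reported when exactly one outbound flow matches."""
    ins = [f for f in flows if f.direction == "in"]
    outs = [f for f in flows if f.direction == "out"]
    links = {}
    for a in ins:
        matches = [b for b in outs
                   if 0.0 <= b.t - a.t <= max_delay
                   and abs(b.size - a.size) <= size_tol]
        if len(matches) == 1:
            links[a.peer] = matches[0].peer
    return links


def pad_and_batch(flows, bucket=4096, window=20.0):
    """Relay-side mitigation (hypothetical; not a chatmail feature): pad
    every flow up to a multiple of `bucket` bytes and hold outbound flows
    until the end of the current `window`, so that all messages in a batch
    leave together with identical sizes."""
    mitigated = []
    for f in flows:
        size = -(-f.size // bucket) * bucket        # ceiling to bucket size
        t = f.t
        if f.direction == "out":
            t = (f.t // window + 1) * window        # next batch boundary
        mitigated.append(replace(f, t=t, size=size))
    return mitigated


if __name__ == "__main__":
    print("raw log:       ", correlate(SAMPLE_LOG, max_delay=2.0))
    # Even when the observer widens its window to the whole batch period,
    # every inbound flow now has four equally plausible outbound matches.
    print("padded+batched:", correlate(pad_and_batch(SAMPLE_LOG), max_delay=20.0))
```

On the raw log every sender is linked to its recipient; after padding and batching the same correlator returns nothing, because the size no longer distinguishes messages and all four leave at the same instant. The cost is exactly the one the remailers paid, latency and bandwidth, which is why a low-latency messenger over plain SMTP/IMAP cannot simply switch this on, and why a proxy or Tor only moves the observation point rather than removing it.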

On my phone at least, it makes me input my PIN before showing the Add Device QR, so even if I left it unlocked they could only add devices if they know my PIN. Not sure if it asks for root to do it on Linux, but that might be a good idea if not.

My thoughts about that:

Email relays are central nodes that manage infrastructure. Delta Chat, even though it positions itself as a decentralized messenger, still sticks to central nodes - relays. If only there were a way to pass messages without relays. Or even better - if the message had to travel automatically through N relays without our interference - that would be perfect.

By that:

we could achieve a TOR-like decentralized infrastructure that would be resistant to any kind of relay going down, tracking, or spyware.

Maybe an imaginary scenario, but I would wish that on the exchange of the messages neither my IP nor any metadata of my device would be passed to the server. P2P would be an interesting choice, but it has its own downsides and technical difficulties.

For what it’s worth, SimpleX solved it with a sort of mixnet system like Nym: SimpleX blog: SimpleX network: private message routing, v5.8 released with IP address protection and chat themes

That’s how SimpleX works. To be honest, it might be possible to build something like a SimpleX style mixnet over Chatmail… I don’t think it would be off the table.

It’s hard to predict how smooth the process will be if you don’t know all the variables (like Ian said, “it would also be useful to know the place of residence and nationality of the operators of each server”), but in general the process will be less smooth if you are sure the country is not collaborative with the country you live in (compared to a relay in a collaborative country). But this is not always guaranteed, and it is good to take additional precautions if you can.

Like Minim said, it also helps to use a proxy like Tor or I2P if this is available to you and safe to use in your country, as long as you don’t use features like webxdc apps or calls which don’t respect the proxy and can leak your IP.

To make it slightly harder for your government to track your activity, you could also regularly rotate your relays, but obviously this is not so convenient, and this is not a guaranteed way to prevent tracking, only to make it slightly harder.

Yes but technically the order wasn’t requested by the Swiss government, the request originated with French police, which used the Swiss courts to force Proton to comply. There is much international cooperation between authorities which is not always obvious at first. In a more recent example, Proton handed over activist data to the FBI.

Hi @ian , @Minim and @peppa,

All the info and comments you have shared are really interesting and I now feel more knowledgeable, so I really thank you for that. I also didn’t know about the “five eyes international cooperation”, and it is really good to know.

Now I am wondering if there could even be a way to send a message to another device in a really safe/private way…?

I was thinking it could maybe be something like a p2p approach, where there is no server or relay, but the messages are sent, synced and chronologically ordered only when both devices have an internet connection available. And users can have multiple devices, so it can give a few more opportunities for the “send/receive - sync - sorting” process to happen… But yes, it could take time before at least one device of the sender and one device of the receiver are both online at the same time. So, maybe this goes against the concept of a messaging app…

Or I was also wondering, if I have multiple relays in my DC account, whether it could randomise which relay is used for each individual sent/received message. So that if I have multiple relays (based in multiple countries), it could become at least more difficult and time consuming if a government wants to “solve the puzzle” and put together the whole conversation. I believe this is already on the DC roadmap…?? But it would anyway work only if all the users in the chat use multiple relays.

Always great to have this kind of conversations.

Thanks!!

Well, there are messaging apps like Briar, Cwtch, and Ricochet Refresh which work like this (some optionally support servers as well). As you already said, it could take time before at least one device of the sender and one device of the receiver are both online at the same time, and these messaging apps maybe don’t have the same feature set or cross-platform support as DC.

I don’t know if this is on the DC roadmap or not, but it’s a very cool idea and @ethanc8 suggested something similar here before DC supported multiple relays: