So...assuming this bill passes and Signal pulls out of the U.S., what can the average person do to continue to access Signal's servers in other countries? Can we VPN into an Apple computer based in the EU, build our own Signal client, and then somehow scp the files back to the U.S.? I think TestFlight would be out of the question, since you probably would need to sign Apple U.S. Terms and Conditions, and because Apple Developer Program is $99 / year.
I don't think that's true. If the VPN is compromised then the Signal traffic over it should still be encrypted (that's the point of Signal). As long as the VPN doesn't block your access to Signal you should be fine, and there is no risk the VPN would read your messages.
On Signal you're encouraged to verify out-of-band (such as in person) with the "safety number" which allows users to verify each other's keys to prevent a man-in-the-middle attack. This way you'll notice if the initial key exchange has been compromised.
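As an added illustration of the point about safety numbers (not code from Signal, and not its exact construction), the following simplified fingerprint scheme shows why an out-of-band comparison catches a substituted key: both parties hash the pair of public keys they believe they are talking to, and if something in the middle handed each of them a different key, the two strings no longer agree. The key bytes and the hash-to-digits mapping are constructed placeholders.

```python
import hashlib
import hmac


def safety_number(pub_a: bytes, pub_b: bytes) -> str:
    """Derive a human-comparable fingerprint from two public keys.

    Assumption: a simplified scheme (SHA-256 over the sorted key pair), not the
    exact construction Signal uses. Sorting makes it order-independent, so both
    parties compute the same string from the same pair of keys.
    """
    first, second = sorted((pub_a, pub_b))
    digest = hashlib.sha256(b"safety-number-v1" + first + second).digest()
    # Render as 12 groups of 5 decimal digits so it can be read aloud or compared visually.
    digits = str(int.from_bytes(digest, "big")).zfill(60)[-60:]
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


def numbers_match(shown_to_alice: str, shown_to_bob: str) -> bool:
    """Out-of-band comparison of the two displayed strings (constant-time)."""
    return hmac.compare_digest(shown_to_alice.encode(), shown_to_bob.encode())


# Constructed sample keys standing in for real public keys (placeholders, not real keys).
ALICE_PUB = bytes.fromhex("a1" * 32)
BOB_PUB = bytes.fromhex("b2" * 32)
MALLORY_PUB = bytes.fromhex("c3" * 32)


def exchange(mitm: bool) -> bool:
    """Simulate the initial key exchange and return True if verification passes.

    With mitm=False each party receives the peer's real key. With mitm=True the
    party in the middle hands each side its own key instead, which is exactly the
    situation the out-of-band safety-number check is meant to detect.
    """
    bob_key_seen_by_alice = MALLORY_PUB if mitm else BOB_PUB
    alice_key_seen_by_bob = MALLORY_PUB if mitm else ALICE_PUB
    alice_view = safety_number(ALICE_PUB, bob_key_seen_by_alice)
    bob_view = safety_number(BOB_PUB, alice_key_seen_by_bob)
    return numbers_match(alice_view, bob_view)


if __name__ == "__main__":
    print("honest exchange verifies:", exchange(mitm=False))
    print("intercepted exchange verifies:", exchange(mitm=True))
```

The comparison only works if the two strings travel over a channel the interceptor does not control (in person, a phone call, a trusted QR scan); comparing them inside the same messaging session would let the same party in the middle rewrite both.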
This is an incredibly complex problem and it really depends on the details: which keys are used, which are pinned, which keys the government has, which certificates it can and will issue itself, which clients it will backdoor, and where it will attempt a MITM attack if necessary.
Hmm, okay, so I can drive over to Canada, make a developer friend there, build an instance of the Signal iOS app using the licenses there, load it onto my phone via TestFlight or USB stick, then drive back to the U.S. and use it assuming TSA doesn't touch my phone?
After you load TestFlight and the Signal build onto your phone, make a full encrypted local backup via iTunes.[0] Upload that backup image somewhere. Turn off Find My (iPhone) to disable activation lock. Restore the iPhone to factory settings. Return the iPhone to its factory sealed box. Optional: mail the phone to yourself at the destination or another location of your choosing in the destination. Cross the border. When at the desired use location, unbox the phone. Fetch the backup you made earlier. Restore the backup to the iPhone. Use Signal.
Another tip is that it doesn’t have to be the same phone as far as the backup and restore is concerned. Enrollment of the TestFlight app might be impacted if the phone changes but that’s just my concern because I haven’t tested that part.
Here’s some links related to these ideas which may be relevant to your interests.
If Signal is end to end encrypted (or even just encrypted to a server that has no backdoors) then observing the network traffic towards that server (which is what the compromised VPN would do) wouldn’t help. This is how even “basic” HTTPS remains secure against malicious attackers.
> what can the average person do to continue to access Signal's servers in other countries?
I suspect once you get into "use a secure VPN in an EU country" you've already given up as far as the "average person" is concerned. You might as well recommend something like renting a VPS in a country with strong privacy laws and installing your own VPN on that, which is slightly more difficult but a much better security win if you're going that route.
Maybe I should get a Purism phone.