If it asks for your phone number, it’s not private.
from lunatique@lemmy.ml to privacy@lemmy.ml on 08 Oct 21:29
https://lemmy.ml/post/37265031
Nowadays, a majority of apps require you to sign up with your email or even worse your phone number. If you have a phone number attached to your name, meaning you went to a cell service/phone provider, and you gave them your ID, then no matter what app you use, no matter how private it says it is, it is not private. There is NO exception to this. Your identity is instantly tied to that account.
Signal is not private. I recommend Simplex or another peer to peer onion messaging app. They don’t require email or phone number. So as long as you protect your IP you are anonymous
Signal is private, what you should differentiate is being anonymous or not. Using your usual phone number is NOT Anonymous but is PRIVATE, as in the content of your messages being only available to you and the person you’re talking to
The way you get a phone number depends on you too, so you can very much be Anonymous even if signal requires a phone number.
People who actually care about privacy: the quality or state of being apart from company or observation (definition), wouldn’t want a company knowing their phone number and thus identity tied to their phone number. Maybe you believe in a lower level of privacy than I do. That’s fine but my post was for people who never thought about it but will care and those who should care.
Signal doesn’t know your phone number, though. It’s only used to identify other users in your contacts, and not a single thing about it is stored.
Wow. You give them your phone number to sign up. They text you a confirmation code but they don’t know your phone number. Magic
That’s not true. When asked to provide data, Signal is able to give your phone number and the last login time.
Signal stores the hash of the phone number. So you can query them for a specific phone number, but are unable to figure out phone numbers based on the hashes (outside of brute force - trying every 12-digit phone number).
And after doing that, you learn “this person uses/used Signal”, with no information about particular messages whatsoever.
Okay, I was not aware that it was only the hash of the phone number. I was under the impression that it was the phone number itself.
This is disturbing that this comment is down voted to -11, at the time of my reading, on a service that is specifically designed for people who value privacy. Is it because of some government bot, or are enough people really that emotionally attached to this product that despite the clear logic they are reacting in discomfort?
I don’t know which option is more disturbing.
I get that a lot of people don’t really value privacy that much, and are only interested in making a half hearted attempt. That is fine. But why the gross amount of denial? Why not just be honest that they think it is good enough for them, and not worth changing.
These people are sheep. It’s insanity. They worship these companies. I feel like I’m arguing with cultists.
You are very naive if you think that a company located in the US can provide an encrypted messaging service that can be used by anyone including terrorists, druglords and US enemies without the government being able to access the messages. Lavabit was a famous case and had to shut down because its founder refused to comply with an order from the US government to grant access to information. If you are using a centralized communication service located in the US, forget about privacy.
“Lavabit is believed to be the first technology firm that has chosen to suspend or shut down its operation rather than comply with an order from the United States government to reveal information or grant access to information.[3] Silent Circle, an encrypted email, mobile video and voice service provider, followed the example of Lavabit by discontinuing its encrypted email services.[25] Citing the impossibility of being able to maintain the confidentiality of its customers’ emails should it be served with government orders, Silent Circle permanently erased the encryption keys that allowed access to emails stored or transmitted by its service.[26]”
“Levison (founder) explained he was under a gag order and that he was legally unable to explain to the public why he ended the service.[21]”
en.wikipedia.org/wiki/Tor_(network)#History
The US has a law that applies to any US company operating within its borders: it is illegal to tell your users that the US government has asked your company to spy on their behalf. This is called a key disclosure law, and the US’s version of it, called National Security Letters, underwent an expansion with the PATRIOT act; by 2013, President Obama’s Intelligence Review Group reported issuing on average, nearly 60 NSLs every day.
Companies that don’t comply with this law are forced to shut themselves down, or remain open, and grant access to user communications to the US government. The Signal foundation is a US domiciled company and must comply with this law without being able to disclose that they have been issued an NSL letter.
Comply with the government order of granting access to messages or shut down implies that we are already in that world, long ago. What makes you think that what happened to Lavabit and Silent Circle would not happen to Signal? Only wishful thinking can make you think that, evidence tells you otherwise.
Ok government here are the messages i’m legally required to provide you.
If it’s so easy, why did Lavabit and Silent Circle have to shut down?
Do you understand what encryption means? Genuine question.
If a company is compelled to spy on its users, it doesn’t mean hack them. (although perhaps there are some edge cases where you have to wonder the exact definition of hacking)
Obviously you are missing the point. Even Gmail is private if you are going to do the job of encrypting your messages by yourself, but that’s irrelevant with what we are discussing here.
What we are discussing here is that if you are a company offering a service of encrypted communications located in the US, the government has all the power to force you to shut down if you don’t give them access to what they want. And that’s not speculation, they’re actively doing it because they are backed by the law.
Why are people so naive, thinking that the government is not going to do something to get what they want when the law is on their side, when sometimes they don’t hesitate to do it even when it’s blatantly illegal?
The only way to avoid surveillance is with free, open source and decentralized software. If there is a company in charge of running the software that’s a vulnerability and, like the cases already mentioned, those in power are going to exploit it shutting the service down if the company doesn’t comply.
It doesn’t matter how much you like or trust the service, there’s simply no reason why they wouldn’t do it again when they already did it successfully. Why some people who care about privacy can’t see this obvious fact is beyond my understanding.
Alright I think I know what you mean, but I’m still not sure we’re actually on the same page regarding encryption.
If a company is forced to do whatever the government commands it to do, that’s only valid within certain constraints.
For example, the company cannot be forced to grow wings and fly to the heavens. That’s physically impossible.
Similarly, it also cannot provide the decrypted messages of its users because it (like Signal) does not have the KEYS that are absolutely 100% necessary for decrypting the encrypted messages of its users. So, again, it’s physically impossible to hand over either the keys or the decrypted messages.
However, there is one remedy that Signal CAN do, if somehow forced. That’s changing the Signal program. It certainly can push an update that sends Signal the keys for decryption.
However, at that point, the source code at github doesn’t match the compiled binary of the program anymore, and very good chance people would notice, and thereby people would lose trust in Signal.
I’m not sure about the examples you gave about the government being successful in obtaining user details of a company. Were those details encrypted as well? Was the source code publicly available? Was the program popular?
Just the fact that signal can, and we can assume, does share all the other data outside of the actual message content is a big deal.
You’re just not going to go to the extra effort of requiring a phone number and storing that information if your business model isn’t dependent on selling that information to parties who would want it. That takes a lot more effort than just giving out username/password pairs.
No there is good reason for requiring a phone number, it’s to reduce spam accounts.
Of course they can sell your phone number but that’s not the only good reason for requiring one.
You appear to be saying that like it is a bad thing, rather than a good thing. Easily making multiple accounts is a crucial part of anonymity and privacy.
Dude ever heard of a double edged sword? As I already stated, requiring a phone number HAS downsides but it also has upsides.
There will be more spam and scam accounts to worry about on Signal than on SimpleX, I can almost guarantee it! At least if simpleX gets more popular of course.
But yes, no phone number does indeed increase anonymity, but not so much privacy.
I view Signal as the bridge between absolute non-techies and me, so they can at least navigate and use the app, while I am not sacrificing too much privacy.
And I use simpleX with other people who are more tech inclined.
Pick your poison, that’s the bottom line.
Signal is free and open-source. It cannot be denied that basically everything, including minor details like usernames, is end-to-end encrypted and kept secure. The Signal protocol has been proven to be secure by many independent experts and thus it is mathematically impossible for Signal to gain access to your sensitive information (except for your phone number, obviously).
A phone number alone just won’t do much.
Signal is not open source, it’s a centralized US service, and you have no idea what their server is running. They even went a full year without publishing server code updates at one point, until it caused enough of a backlash that they started doing it again. But publishing that is no guarantee of anything, because you have no access to their server.
A phone number in most countries, including the US, means your real name and address.
And given their scale and length of time they have been around, it is guaranteed that they have been complying for some time.
It is so ironic that we run into so much cognitive dissonance on this issue. It is so weird that people have such an emotional attachment to this product.
Since when is encryption dependent on the service’s jurisdiction? When Signal has got subpoenaed it has always been incapable of providing data that involves the content of the conversation signal.org/bigbrother/
The app is also open source with reproducible builds (and you can use Molly instead, if you prefer) and when the clients of an end-to-end encrypted system are sound, that is all that matters to secure the content of the communication.
Audits are also performed as listed here community.signalusers.org/t/…/13243
I don’t understand where this doomerism comes from tbh, (online) privacy will cease to exist when either maths does or it becomes globally illegal to use encryption and the government’s intrusion is really so pervasive that they constantly know what you’re doing. Luckily we don’t yet live in that world, though the pressure is real and we are the first that have to fight for this basic human right
Email is a very different thing.
You can’t protect against emails being received in plain text.
Don’t know the technicalities of the specific case you are referencing, but I know that if the government wants to they can middleman any received email before the provider can encrypt it for storage on their servers (by forcing the provider to let them).
On the other hand, if you use an end to end encrypted chat app, you can’t middleman any messages from the providers side by force because the messages are always encrypted on the users device before being sent.
I don’t know about lavabit specifically, but typically encrypted emails are encrypted on your client computer and decrypted on the recipient’s computer. It is conceptually the same thing as an “end to end encrypted chat app”… just in email form.
Yes that works if both the sender and receiver encrypt the emails before sending them.
I specifically mentioned incoming plaintext (unencrypted) email.
Since mail is technically decentralised, not everyone is using protonmail for example, so protonmail can only perform e2e encryption on protonmail to protonmail email sending (they let you encrypt mail to people outside but it’s not as seamless).
Nevertheless, I was mentioning incoming plaintext emails, which email providers have to encrypt before storing. The government can middleman that procedure and read the incoming mail before it’s encrypted by your provider (protonmail, etc).
(This is one of the reasons why lavabit may have shut down, you can’t protect against incoming plaintext mail)
Ah… I guess I didn’t understand how services like encrypted webmail worked. I’ve only ever used local pgp with thunderbird or whatever. I was assuming (incorrectly) that those services operated in the same manner. Thanks for explaining it to me.
You are correct, encrypted mail providers should encrypt on-device, before sending the mail, but there isn’t a solution to the unencrypted mail you could potentially receive being intercepted.
the phone number drives me nuts since mine changes every few months; everyone i know has my voip number that gets everything forwarded to each new number.
You can also get a phone number in a number of ways without it being connected to your identity. You can use voip services or buy a phone and a SIM in cash. I still think this is a good thing to point out for all the people who use signal or other services with a phone number directly connected to their identity.
Depends where you live. I’m in Australia and phone companies aren’t allowed to activate a number without tying it to an ID. So criminals just use stolen IDs and regular people don’t get privacy. Also YMMV but virtually every service that needs phone verification won’t accept VoIP numbers anymore
I know telegram won’t accept voip numbers. I think I remember trying with signal as well with the same results. Clearly they attach enough importance to only having accounts with easily trackable devices like android and iphone devices that they are putting significant effort into blocking all other accounts.
You’d have to anonymously buy a preloaded sim and a burner droid phone to make the account. It’s a lot less effort to use other more privacy friendly systems. Even more so if you’re making multiple temporary accounts, which is also an important part of reducing your trackability.
lol try signing up for an email account today without tying a phone number to it or another established email account. It’s incredibly difficult.
You might be able to create an account, but then all “3rd party services” (e.g. creating accounts on absolutely fucking anything) will be blocked and your account will be either restricted or forced to submit a kind of verification that doxes you to lift said block, probably.
I found a single sketchy provider that would take verifications from proton mail that allowed me to then create more accounts, but I had to try over a dozen mail providers before I found the obscure one that did not require any pre-existing accounts, phone numbers or identification documents to just create an email to simply sign up for any web forum, service or basically do anything most people do with email. Everything ends up linked to each other at some point.
There’s just no privacy anymore. The ones who think there is are probably not as private as they really think they are today.
Protonmail is highly accepted and tutamail didn’t ask for my number or another email. You are in a group called privacy but you think there is no privacy?
I just stop using those accounts that force me to give up my number. It’s called standards, YOU must have them and you will have more privacy than most.
This group’s function is to help increase privacy. That’s what I’m doing by letting you know not to use your phone number. If you have a defeatist ideology, you lose.
Sure, requires 3rd party email or cell phone to work though.
The last one, run by little over a dozen people as FOSS, and easily quashed by the long arm of the law or a pricey lawsuit. What happens then?
You still need an email that is completely associated to you for official things like medical interactions, government interactions, and stuff like sports tickets if you care about going to a sports game in a town like Boston. Hell, when you send resumes I assume you have a professional inbox for that too.
So how do you do it? Do you live in two worlds with a burner phone / never checking your ‘private’ stuff outside of some kind of proxy/vpn scenario where you remote into whatever box is handling your actual private online presence?
Geez. You just don’t get it. You don’t need your identity tied to your email. Proton mail didn’t ask me for a phone or email. But I’ve had it for years so maybe that changed. But you conceal your personal info when you sign up. Tutamail is used by many people. And you can email any other email provider with it
It changed. I made one in the past week. You can create an account, you cannot get any account verification emails from ANY other provider, they block them and then restrict your account until you verify with someone else.
I don’t know why you think I don’t get it though. The amount of metadata accessible when visiting a website is crazy nowadays. They can track things people never even imagined, like the arc of how your hand moves across the screen with a mouse, the cadence of how you type, and then tie those to profiles with any other details they have managed to scrape. Combine that with hours of activity, browser versioning addons etc, resolution and any number of other bits of metadata and suddenly someone has a shadow profile linking you to your proxy IPs or whatever else.
Sure, I’m more paranoid but I don’t believe anyone with a head on their shoulders would say privacy on the internet has ever gotten better.
I mean things are dire but it’s not as if nothing has improved. Even just 10-15 years ago most websites weren’t using any encryption (or if they did it was only for login pages). Anything you read or sent could be seen by your ISP or someone snooping on the network. Encrypted messaging basically didn’t exist or was very niche. VPNs weren’t nearly as widespread either. Go back another decade and Tor Browser didn’t yet exist (publicly) so there was no easy way to hide your location or stay anonymous online. Governments and companies have clamped down, yes, but our arsenal of privacy tools has never been bigger.
You can block a lot of this dynamic tracking with NoScript. This will break some websites but it’s worth the inconvenience of a messed up page or needing to find an alternate site
Tutamail is the only service I know of that still doesn’t need anything but I don’t expect it to last. Email providers that don’t make you verify anything end up being used for spam and then websites just start blocking their domain from being used for account creation
mailo.com
mailinator still works well for a lot of things.
And it really isn’t nearly as bad as you think it is. Most of those services that are locked down to that level (like signal) aren’t worth using. Hell, even reddit still doesn’t even require email. Although they pester you about it a little now.
lemmy.world/post/35730511
So, late to the party. Me Skuzi. This comment is more targeted towards your responses to user comments, but I would extend that to your entire thesis. So I decided to make an entirely new comment.
Honest questions/comments to follow:
Yes, the US govt can ‘compel’ an organization such as Signal to allow them to monitor/intercept encrypted messages. The government can even ‘compel’ a citizen to disclose their encryption key. The cost of non compliance varies from contempt of court to short term incarceration. United States v. Fricosu et al.
However, Signal would only shrug and hand them metadata. Even Signal can’t decipher your messages. There are other services unrelated to Signal that operate thusly, such as VPNs, that absolutely do not keep logs and run in RAM only. Some of those VPNs have been raided and servers confiscated by multiple governments with nothing to show for their efforts. If I recall correctly mega.nz and other storage facilities operate along the same lines.
As to the requirement for a phone number, yes they do require a phone number. However, unless they’ve changed something recently, you can use a free or paid for, burner phone number for verification. The caveat is that if you ever have to recover your account or future verification, you may or may not have access to that number if you used a free service. So, that might be a consideration.
Also, some free services might not work while others will. If signing up for a paid account, burnerapp.com for instance, will allow you to sign up via their website, however you can’t use a VPN. WiFi can be acquired at any coffee shop. If you prefer more private methods of payment for these services, there are those that accept crypto.
So, there are ‘options.’ You just might have to jump through a few hoops to get there.
Secondly, Signal is open source, no? The whole shebang including the protocol is open source. Where might ‘they’ be putting the backdoor to intercept encrypted messages? I can tell you this, the day the world finds out that the US govt has successfully cracked strong encryption ciphers, is the day you are going to see a lot of movement on this planet. From billion dollar corporations, private entities, governments, and even ne’er-do-wells on Signal.
I’m no ‘fanboy’, tho there is a lot to be a fan of. I’m not getting any kickbacks, compensation, or monetary advancements. If I need to be schooled, please do share.
Signal does plan to add a paid for service as well as their free service.
AES256 was broken the day it was released change my mind.
Well, I’m not trying to convince you of anything, however, you can convince me if you’d like. Do you have some substantiating evidence or documentation for such claims? I am aware of improvements to AES256 down through the years, and I am aware of side channel and timing attacks. Not to be discounted, but those are largely theoretical attacks. In addition, most modern computers have mitigated the possibilities of such attacks with hardware instructions for AES to protect against timing-related side-channel attacks.
The NSA reviewed all the AES finalists, including Rijndael, and reported that all of them were secure enough for U.S. Government non-classified data. However, in June 2003, the U.S. Government announced that AES could be used to protect classified information. Now you could conspiriaze that in 2003, the govt played dumb and said that AES was good enough for classified information when they knew they could blow through it like weak toilet paper, but then again, we (America) are not the only country on the planet despite what some people think, and I am quite certain that other governments have made certain their encryption techniques are 99.999% secure for classified documentation and data.
You make good points and I can’t provide any documentation. But the documentation won’t exist. It would be the closest guarded secret of all time. NSA only holds the upper hand if everyone thinks it’s secure. If the secret was out that they could crack it no one would use it and the advantage is lost.
So at the very least by using Signal the government can know everyone you communicated with, at what time and where. And still is considered a private messenger. Amazing.
In reading about the Sealed Sender protocol, as I understand, it redacts whom you’ve contacted. However, the metadata does include timestamps. I have no dog in this hunt as 99% of my messages are whispered into someone’s ear. Still, one must implicitly trust the receiver of such whispered messages. I honestly don’t care what app you use. Those choices are ultimately yours and yours alone and hopefully dependent on who you entrust with your data. This is just an interesting dissection of Signal and privacy/anonymity for the muse.
In the end, we all trust some entity whether it be your ISP who has your bank account info and residential address and can tell when you’re downloading 150 gigs of Linux distros overnight even with a VPN, a bank with every last transaction you authorize, the time/date, or government to which we pay income taxes who has pretty much all the info they would need to show up at your doorstep. If your threat model precludes all the above, I would recommend whispering and disconnecting from society. I honestly do not see any other way.
Be specific: what does Signal divulge about me to outsiders besides “I have used Signal”?
Signal over the past few years has been exposed for having flaws in its security integrity. Even the president’s current administration has had a leak issue by using the platform, Signal.
Once again, they ask for your phone number. Anything they ask for your phone number, if your phone number is tied to your identity, can easily be revealed to reveal who you are.
This is the core of the issue, and it’s wild how many people don’t get it.
Your phone number is metadata. And people who think metadata is “just” data or that cross-referencing is some kind of sci-fi nonsense, are fundamentally misunderstanding how modern surveillance works.
By requiring phone numbers, Signal, despite its good encryption, inherently builds a social graph. The server operators, or anyone who gets that data, can see a map of who is talking to whom. The content is secure, but the connections are not.
Being able to map out who talks to whom is incredibly valuable. A three-letter agency can take the map of connections and overlay it with all the other data they vacuum up from other sources, such as location data, purchase histories, social media activity. If you become a “person of interest” for any reason, they instantly have your entire social circle mapped out.
Worse, the act of seeking out encrypted communication is itself a red flag. It’s a perfect filter: “Show me everyone paranoid enough to use crypto.” You’re basically raising your hand.
So, in a twisted way, Signal being a tool for private conversations, makes it a perfect machine for mapping associations and identifying targets. The fact that it operates using a centralized server located in the US should worry people far more than it seems to.
The kicker is that thanks to gag orders, companies are legally forbidden from telling you if the feds come knocking for this data. So even if Signal’s intentions are pure, we’d never know how the data it collects is being used. The potential for abuse is baked right into the phone-number requirement.
The leak from the administration was because Pete Hegseth included a journalist in a discussion about sensitive war plans. Trying to blame that on Signal is deceptive on your part.
If you are saying that Signal does not offer anonymity then you are right. Anyone I message on there knows it’s me. But Signal is still keeping my messages safe from monitoring and third-party surveillance, to the best of my knowledge.
Everyone you talk to and when you talked to them, with their real identities via phone numbers. Because signal is hosted in the US and subject to national security letters, you should assume the worst.
Are you talking about the client app, or about the service?
Much of what you said doesn’t apply to the service, which stores hashed phone numbers and first access / last access times and nothing else.
And the client does store these things, but also lets users delete messages and contacts. Your message deletions can propagate as well.
Even if this weren’t false (otherwise they wouldn’t be able to connect to your existing contacts), that’s a “just trust us” claim. You give them your phone number, you should assume they have it and not “trust them” to hash it like it’s a password.
Not that it’s that important, but it’s yet another just trust us claim.
You literally don’t understand how hashing works, got it. Please educate yourself on this topic. In short, “connecting your existing contacts” is ENTIRELY possible with hashed phone numbers; it’s not even complicated or tricky. To claim otherwise, as you just did, is nothing but trumpeting your own ignorance.
As for deleting (and propagating deletion of) messages, this is most definitely NOT a matter of “just trust us”. The client is open-source! We KNOW how it works. We KNOW that deletion propagates across devices when you tell it to. We KNOW that the service cannot see your unencrypted messages, and that the encrypted messages are made with AES so even quantum computers in the future can’t decrypt them. This is incredibly far from “just trust us”.
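The hashed-phone-number matching argued over in this thread, as an added example that is not part of any post and not Signal's code: a generic directory that stores only SHA-256 digests can still match an address book, but because phone numbers come from a small space, the same digests can be reversed by hashing every candidate, which a service-held HMAC key prevents for anyone who has only the table. The `Directory` class, all function names, the +1 555 010x numbers and the hash rate are assumptions constructed for illustration.

```python
import hashlib
import hmac


def normalize(number: str) -> str:
    """Strip formatting so every spelling of a number hashes identically."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def plain_digest(number: str) -> str:
    """Unkeyed SHA-256 of the normalized number; anyone can recompute it."""
    return hashlib.sha256(normalize(number).encode()).hexdigest()


def keyed_digest(number: str, key: bytes) -> str:
    """HMAC-SHA-256 under a service-held key; not recomputable without it."""
    return hmac.new(key, normalize(number).encode(), hashlib.sha256).hexdigest()


class Directory:
    """Hypothetical service-side table that keeps digests, never raw numbers."""

    def __init__(self, digest_fn):
        self._digest_fn = digest_fn
        self._table = set()

    def register(self, number: str) -> None:
        self._table.add(self._digest_fn(number))

    def match(self, digests) -> set:
        """Answer 'which of these digests do you know?' without seeing numbers."""
        return self._table & set(digests)

    def dump(self) -> set:
        """The table as a breach, insider or legal demand would obtain it."""
        return set(self._table)


def discover_contacts(directory: Directory, address_book) -> list:
    """Client side: hash the address book, learn which contacts are registered."""
    by_digest = {plain_digest(n): normalize(n) for n in address_book}
    return sorted(by_digest[d] for d in directory.match(by_digest))


def recover_numbers(digests, prefix: str, width: int, digest_fn=plain_digest) -> list:
    """Audit check: hash every number in one block and compare with the table."""
    hits = []
    for i in range(10 ** width):
        candidate = f"{prefix}{i:0{width}d}"
        if digest_fn(candidate) in digests:
            hits.append(candidate)
    return hits


def exhaust_seconds(digits: int, hashes_per_second: float) -> float:
    """Time to hash every number of the given length at an assumed rate."""
    return 10 ** digits / hashes_per_second


if __name__ == "__main__":
    # Constructed sample data: numbers from the fictional 555-01xx range.
    registered = ["+1 (555) 010-0123", "+1 555 010 4567"]
    address_book = ["1-555-010-0123", "+1 555 010 9999"]

    plain = Directory(plain_digest)
    for n in registered:
        plain.register(n)
    print("matched contacts:", discover_contacts(plain, address_book))

    # The same table gives up its contents to exhaustive hashing of the block.
    print("recovered from plain table:",
          recover_numbers(plain.dump(), "+1555010", 4))

    # Keyed table: the key below is a constructed placeholder. Clients cannot
    # compute these digests, so the service must see numbers at lookup time.
    key = b"constructed-demo-key"
    keyed = Directory(lambda n: keyed_digest(n, key))
    for n in registered:
        keyed.register(n)
    print("recovered from keyed table:",
          recover_numbers(keyed.dump(), "+1555010", 4))

    # Assumed rate of 1e9 hashes per second, for scale only.
    print("seconds for all 12-digit numbers:", exhaust_seconds(12, 1e9))
```

Hashing hides a value only when the input space is too large to enumerate, so a plain digest of a phone number works as a lookup key rather than as protection of the number.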
Who you are specifically (name etc) and the same amount of information on everyone you have talked to on signal and when you talked. Basically everything except for the actual content of the messages.
This is vastly different from every other piece of information I’ve read about Signal. Please link me to a source for your claims.
If it is tied to a phone number then any information connected to the phone account will be connected to the signal account identity. And any identifying information attached to the method used to pay for the phone account will be attached to the phone account and consequently the signal account.
Typically people pay using credit or debit cards, so the identifying information of those bank accounts become attached to your signal account.
So Signal doesn’t provide anonymity. Is that all you’re saying?
Yes… and if it needs to be said, I am also directly implying that anonymity is a large and crucial part of privacy.
It needs to be said. Because anonymity is only one part of privacy.
Security is another part - in messaging, this means that the message cannot be spied on in transit, and cannot be altered in transit.
Authenticity is another part - you need to know that the message came from who it claims to have come from, and not elsewhere.
Signal does not provide anonymity, basically. But it guarantees security and authenticity beyond doubt. And this is useful - you can exchange secure information with people using Signal, knowing that it’s not being spied on or altered, knowing that only the person you intend to see the data can see it, and knowing that they know that you sent it.
But yeah, if you want to send messages anonymously, other services are necessary.
Thank you! Finally someone that also sees Signal as privacy invading!
Don’t need an ID to buy a burner phone/number
People don’t realize that you may as well hand over your social security number when you pass out your phone number.
Indeed, I also don’t realize that. Please explain further.
It’s very easy to dox someone with a phone number. Not sure about social but address and full name are easily available for free.
Yes, phone number should be optional for easy contact discovery, not mandatory. As Threema. You have to provide your ID when buying a sim card.
Not only that, but self-hosting should be an option. It isn’t with signal, which is based and hosted in the US, on amazon servers, and subject to national security letters.
I am a huge fan of SimpleX and their removal of user IDs. I think it’s a brilliant solution, and wish that SimpleX was recommended more than Signal.
If simplex used phone numbers and defeated the whole concept of privacy it would be recommended more.
You can use whatever app you like, but I think this adds confusion.
Signal is private because no one can see your messages except the people you are messaging. The government can’t, Signal themselves can’t.
Signal is not anonymous only in the sense that the government can check if you use Signal. That’s it. They can tell if you use Signal. They can’t link messages to your number in any way through data requests, etc.
Not forcing anyone to use Signal, but if you choose to, you can know it is private.
(So this post is confusing privacy with anonymity basically)
It’s not private nor is it anonymous.
Try looking up “privacy vs anonymity” (or a similar search query). You may find that your post is talking about anonymity, not privacy.
Signal is private.
God damn. If you attach your phone number to it, it is not private; in most users’ cases the identity is tied to the phone number. Signal knows the phone numbers and you better understand that they will reveal them if ever requested.
Did you look it up?
Yes, as I said, the government can tell if you use Signal or not by asking Signal (by providing Signal a phone number and asking if they have a record of it).
It’s not anonymous in that sense, but it is still private because your messages cannot be revealed by such data requests.
No you all are SIMPs for signal. You all are promoting it like you work for them. All because you’re too stupid (lack of having information) to understand they are a bad choice for privacy
Yep we’re all out to get you. We have meetings and everything. We have a pot luck on Sunday, and you cannot come.
How are you still unable to differentiate privacy and anonymity.
And you are calling us stupid for using Signal…
Seriously, use whatever you are comfortable with, but don’t spread misinformation and panic.
Privacy: You knowing who I am but not what I’m doing
Anonymity: You knowing what I’m doing but not who I am.
They know who you’re in contact with, who you communicate with the most due to the phone numbers being linked to your account. On their own website they say people can add you by searching your phone number in the search bar. If your phone number was not stored, this would not even be possible. A reference (like a phone but with your number on display) would have to be used in order to confirm that your account is the one that is being searched. The reference is the phone number. It is not private. I am not the one talking about anonymity over and over you are.
From the very beginning I have been speaking on privacy. If they know your number and know who your number is in communication with they now know what you’re doing (talking to person x)
Even if it is encrypted, the damn app is a worse choice than SimpleX, the thing I recommended. You chumps want to argue so bad you are missing the point. PRIVACY. Like the name of the damn group you’re in. Why get compromised privacy when you can get comprehensive privacy (simplex)?
Answer: you are a hypebeast promoting the most popular “privacy app”
I’ve already covered the phone number conundrum further in this thread.
Quite laughable. Have fun storming the castle bro.
Have fun when the signal data breach gets revealed SIS
What data breach could there possibly be? Phone numbers are already public information and that’s literally the only info Signal has. Oh no! My phone number that’s publicly available already has been released in a “breach”!
It’s already been mentioned numerous times but you’re confusing privacy and anonymity.
Per Cambridge Dictionary:
Privacy: someone’s right to keep their personal matters and relationships secret
Anonymity: the situation in which someone’s name is not given or known:
Using Signal, even after giving them your phone number, fits the definition of privacy in that matters discussed through the app are secret to anyone outside of the sender and recipient. Even if Signal is told to hand over messages, they can’t, there’s nothing to access on their end. Private? Yes. Anonymous? No.
How is someone having your real identity, and address, “private” ? This distinction is pointless.
My neighbor knows who I am and where I live…next door. He does not know what I do, other than observe that I ride a John Deere around in the fields and corn comes up shortly thereafter. Riding a John Deere in a field is observable by all public passers by. In public we are not guaranteed an expectation of privacy. He doesn’t know tho, that I run a private sex dungeon and crack still in my basement.
I’m a haxor diddling some server somewhere to gain access. The server admin can see what I’m doing and indeed would have a record of what I was up to including any associated IP addresses, but wouldn’t know me from Adam’s house cat if I were truly conducting my activities in an anonymous manner.
So because he knows only a limited amount, that’s the distinction between private and anonymous?
Signal is not your neighbor. Signal’s DB stores phone numbers and knows who you are, and who you talked to, and when. Are the people you talk to considered “public”, to a US-based corporation?
It is my distinction, yes. There are many other distinctions like it, but this one is mine based on my threat model. Now, if you’d supply your definition/distinction and threat model, then I can be pedantic about it as well. Or we can accept that, since we are talking about a wide swath of users, no one real definition suits all. If you’d like a similar exercise, hit Lemmy Self Host and pose the question, ‘What is self hosting? Is hosting on a VPS considered self hosting or is a home lab considered self hosting’. Report back please.
You know the part in the Signal setup where it asks you for your phone number for verification purposes? You do know Signal does not prohibit the use of temp phone numbers. You can try as many as you like until you get one to work (if you’re relying on free temp phone). One phone number not giving you any joy, tap ‘Wrong number’ and try again, or use a paid for burner phone service such as MobileSMS.io (which is specifically recommended for Signal), Burner, Quackr.io, Temp-Number.com, or there are reports of using Google Voice, if you dare tread those waters.
As I understand the Sealed Sender protocol, it does redact or seeks to redact the metadata of ‘whom you contact and who contacts you’. Since 2024, Signal has introduced usernames to reduce reliance on sharing phone numbers. You can set a username and hide your number from others, though it remains in the database for account purposes. Sooooooo…find you a temp burner phone number to use.
As I’ve said early on, I have no dog in this hunt. You can use Signal, Simplex, Smoke Signals, design a new enigma machine, whatever. My corn is going to grow regardless and my neighbor will still not know about my sex dungeon and crack still. LOL
I don’t consider it “private”, if you were to know the real identities of everyone I was talking to, and when I talked to them. I’m not telling any US corporation like signal that especially.
You keep saying this. But you never offer any proof. Everyone keeps telling you why there is a distinction but you keep conflating the two, and here you are flat out bullshitting. It is in fact private.
What is your point? I am beginning to think YOU are propaganda. Or an idiot.
Anonymity is a very big part of privacy and always has been. That is why you don’t write your name on your voting ballot.
They are conceptually quite different.
People use both the terms interchangeably, but they are not the same thing.
Voting ballots are anonymous because you didn’t write your name on them (and they can’t be linked back to you hopefully), but they are not private because you have no control over how the data is used (once you submit a ballot you have zero control over what happens to it next).
I’m not finding any definitions of “privacy” that suggest the term refers to control of something. Regardless of whether that something is within or outside of your reach.
From the page you linked:
Signal conceals what you say.
In a data sense specifically, I believe privacy refers to your data being hidden from unwanted eyes (aka you have control over who can see your data).
Which is also what you do when you vote. You control who has your identifying information and who has the information on how you voted. Which I guess is still different from Signal if we are still talking about that. Since you cannot control who has your identifying information.
Started to write a long paragraph to explain the difference between privacy and anonymity but I now believe this new user is (no idea why) collecting engagement via rage bait. I won’t participate in their posts anymore.
It might even come from a good place, namely trying to always do “better” and be “more private” but in practice it’s just led to confusion.
Privacy and anonymity are different things
When this US service has your phone number (meaning your real name and address), then what is the point of making this distinction? Is them having my address private?
No one should have this info, regardless of how every person differently defines “privacy” vs “anonymity”
Just because you know where I live doesn’t mean you know what’s going on in my house
See the difference?
Words have meaning
Signal knows the real identities of everyone you talk to, and when. Is that not “knowing what’s going on in your house?”
The post office knows where I live too. And who I send messages to. Didn’t mean they read my mail
because they are completely different things
So its a “private” and “secure” US corporation that knows everyone I talk to and when? I’ve heard this one before.
No, it’s a private and secure protocol (not corporation) thanks to end to end encryption. You can evaluate the protocol yourself with your own eyes, except clearly you cannot read, but modulo that.
Newsflash, chuckles: your IP address IS NOT ANONYMOUS. Any private protocol you use without going through Tor, i2p, or some similar anonymizing network IS NOT ANONYMOUS.
You’re attacking a strawman. Neither Signal nor anyone else has claimed the protocol or the service are anonymous. Which, yes, is something that every user should know before trusting it. They should understand what it means and what the consequences are. I’m honestly not sure you’re even there.
This means nothing when you have no idea what code the server is running, they even went a whole year without publishing their server code updates, until they got a lot of backlash over it. Real security doesn’t require a “just trust us” claim.
Also, metadata is content. Even if they don’t have the message text, Signal still has the real identities of everyone you talked to, and when. With that you can build social network graphs, which are far easier to harvest and more useful anyway than trying to read through message content and determine meaning.
simplex is shady af and literally run by some sus crypto rugpull bums. best to use xmpp and irc. they have been existing for many years and still standing strong.
If you wanted to, you could put full control of your messages even on your own server by using Simplex. Of course, this comment you’re saying is a far cry from reality.
I’m ready to be called milquetoast, and while I see where this comes from, it comes off idealistic if we are to communicate with people in the present day in any practical way. Do not forget how much of an improvement it already is over the likes of proprietary messaging apps and how much effort it already is to move people to Signal. It is surprisingly difficult for common folk to grasp the concept of anything but a phone number when it comes to messaging apps.
Indeed, those who don’t have older friends totally underestimate how confused the oldies get by the concept of an alternative phone/messaging app.
Which definitely begs the question of why people put any effort into trying to move any of their contacts to signal in the first place. I believe the answer is that they didn’t value privacy either. Just the idea of it.
Signal allows you to speak confidentially, therefore it is private. It is not, by default, anonymous. Yes, this plus the centralized server mean that potentially dangerous metadata, like relationship maps, can be collected. All indications are this isn’t the case, but that’s not something you can count on.
If you need anonymity, which you probably do at least a bit, use simplex. And yes, having more people using anonymous services like simplex is a good thing for the community as a whole. That said, I’m not going to try to convince all of my friends to use simplex. It’s just too far from the mainstream, missing too many features. Signal is a sufficient compromise for most people, and it’s sufficient for me for most purposes.
Do you think your phone number is private?
it’s definitely not public information
It is at best slightly obscured information. If your life depends on a phone number never being associated with you, and you frequently use that phone number, you’re a dead person.
dw I don’t. My phone number was leaked, I don’t know how and it really sucks. It probably happened before I started caring about privacy. and all these phone number aliasing services either don’t operate in my region or cost too much money.
It wouldn’t work very well if it wasn’t.
I don’t have a phone number
This thread shows the success of Signal’s PR campaigns, and how a shiny app can get people to overlook all the privacy concerns. They’re just as successful as Apple at getting people to think that a US-based corporation hosted on Amazon’s servers and subject to national security letters, whose privacy model is “just trust us with your phone number”, is in any way secure.
Precisely. That’s why it’s become so popular and recommended, and now these users are recommending it, furthering the amount of people that will have their data exposed. There was a leak, I believe in 2022, and on Signal a lot of customers had their phone numbers exposed. If their phone numbers are not stored, how did they get exposed? Clearly the answer is that they are stored.
Were there conversations exposed? Do you even understand the difference?
If Signal isn’t private, then why is it recommended over WhatsApp, Matrix and over SimpleX?
OP is confusing privacy with anonymity.
I’d say the two are different but related.
Seems OP is discussing the loss of anonymity, but the below ARE privacy concerns:
Granted that it is difficult to completely obfuscate some aspects of your identity.
Those two concerns have been fixed last year.
You misunderstand; regardless of what is shown to other users, the folks running the service know your number, and that you desire using encrypted chat.
Ah, that’s because of your use of someone, yes Signal still has that data.
Because it has become extremely popular, that’s just how it goes. At one point, even Telegram was recommended for being super secure or private, but the privacy is mild on Telegram at best.
But by comparison to Instagram or Whatsapp, it’s how the gram looks like Privacy Central, so it was recommended. Now, Signal is replacing that role.
Signal is more private than the sus apps like IG, Facebook, etc. Yes. But only because those apps are so bad.
No one should be recommending signal over matrix and simplex. It’s probably more secure than whatsapp, but both have social network graphs of everyone you talked to, and when.
Matrix’s encryption algorithm was broken for a while and when it was fixed it took app devs years to migrate to the new requirements. It still might even be the case for a lot of them, I haven’t looked in a while.
SimpleX should be secure AFAIK though, but I’ve heard that it may not be able to scale well to larger user bases. It seems everything has pros and cons.
Because most people don’t consider the very basic concept made by op.
2FA is an important security layer. If the service, after sending you the activating SMS with the code, deletes your number (normal in serious services), it’s also not a privacy problem. In big US corporations, on the other hand, it is; e.g. Google stores your number and also probably shares it, so there 2FA is not an option. Instead of a number, some services alternatively also admit a second e-mail account to receive the activation code; there, if you have doubts, you can use a disposable mail, so there isn’t any privacy problem.
2FA is important, but if you use your phone number for anything, you have no idea how long they retain it, how they directly use it, if they sell it, etc. A real phone number can be mapped back to you trivially.
It should be standard to offer TOTP codes that can be used via an authenticator app, hardware key, etc. Some places do, many do not.
But at the end of the day, they typically don’t ask for your phone number because they want to give you security, but rather as a proxy to ensure you have a unique identity. Most people will have only one phone number, and it will be more difficult / costly to get additional ones than burner emails, etc.
Yes, it’s always to use with a grain of salt. As said, it adds a security layer, but can be a privacy hole, despite that mail directions are easier to track than phone numbers, at least in the EU, you can’t be mapped back to a user, this is only possible in crime investigations by the police with a court order. Mail addresses on the other hand are unique identifiers which are way easier to track, except you use a disposable mail or alias. Anyway, e.g. in Vivaldi 2FA is safe and apart optional, as also the account itself, only needed when you want to use sync or the use of Vivaldimail, blog and other services it offers. In many other services it’s also only an option.
2FA helps with security concerns, not privacy concerns. They still would have your number. Also about Google, they have one of the widest spread and utilized 2FA authentication applications out there.
Been saying this for many many years and always get blank stares in response. All the more annoying when it’s for use in groups that are all about privacy and they only want to use telegram.
However, it does make me happy to finally see someone else say it. So, thanks for that.
We are the rarity. Lol people in the comments are glitching over this statement
Here, go argue with this guy for a few weeks, and give us a break for a while.
Why is only message text considered “information / content / context” here. Signal has your real name and address via phone numbers, and has every other real person you talked to, and when. Why is “message text” considered context, but social networking graphs aren’t?
All these definitions are highly subjective, and the above one clearly considers social networking graphs to not be “content”. Basically they’ve re-defined privacy in a way that excludes highly sensitive information like everyone you talk to, and when.
…signal.org/…/4850133017242-Twilio-Incident-What-…
That is a compromise of privacy. If those hackers used those phone numbers to access any account by using unique methods those users’ privacy would be utterly lost.
Sounds like a lack of security rather than a lack of privacy.
It is certainly a lack of security. I wanted to emphasize how it’s also a problem for privacy. People in the thread are now having an imaginary argument about anonymity, even though this has never been something I’ve been confused about. However, it is something that one of the users pulled up, and now they all are harping on it over and over.
Since my phone number is one of my personal belongings, although abstract, if I hide it from you, it is private. If I reveal it to you, it is not. Since it is associated with me, revealing it to you lowers my privacy, as it is one more thing revealed that belongs to me.
These fools can’t even comprehend this, literally.