Why does Signal want a phone number to register if it's supposedly privacy first?
from 0101100101@programming.dev to privacy@lemmy.ml on 11 May 21:35
https://programming.dev/post/30162072
from 0101100101@programming.dev to privacy@lemmy.ml on 11 May 21:35
https://programming.dev/post/30162072
I remember a time when visiting a website that opens a javacript dialog box asking for your name so the message “hi <name entered>” could be displayed was baulked at.
Why does signal want a phone number to register? Is there a better alternative?
threaded - newest
Spam prevention
And discovery.
It’s not an argument. Think about regular mobile numbers, are they preventing spams? No.
.
What kind of spam are you talking about
Scams, girls wanting to chat with you, incredible money opportunities…
.
I misread the comment you replied to originally (thought they were referring to bot spam prevention)… Signal doesn’t work like the phone network, you can’t necessarily just “call” or “text” a random person. There’s also additional verification before you can send messages sometimes.
Are you seeing spam on signal? Do you even know why spam is possible on phone networks and what the difference is between phone networks and the internet?
Anti Commercial-AI license
I don’t know what is spam for you, but when you get three message requests from three girls respectively named Tania, Clara and Ella that are contacting you about you carrier or your management skills, I call it spam.
The way that Signal integrates phone number is odd because it opens up the spam door. O understand why Signal use phone numbers this way (to make “normies” adopt Signal more easily like WhatsApp would do) but it not the best to kind of contaminate the network with the traditional cell network
Because Signal has a low user base. Why Spam on Signal, if you can reach everyone with an SMS?
The point, I believe, wasn’t about spam but likely got derailed. It was probably about the phone number requirement being unnecessary. I’ll just add that even if it is, it’s a measure geared towards common users that often need to recover access to their accounts through means they’re already familiar with, as is a verification SMS. It’s not the safest nor the most private, but it’s easier to deal with for most people. Whoever wants something that doesn’t depend on a SIM or eSIM should try Briar and SimpleX. None of these will be a perfect solution for every single person though.
It’s focused on ensuring there is no middleman between you and the other party, but it does not have a goal to provide anonymous messaging. Sadly.
Signal is not P2P
No but it’s e2ee.
.
Of course. Sorry, but I meant no middleman as in minifying the role of the server in your messahing. Signal’s goal is to ensure the server cannot have access to your messages and its only role is to receive and send data.
Signal IS the middleman.
THATS WRONG! Signal Server can just do a man in the middle as you try connecting to your contact for the first time. You need to verify the fingerprint manually which is not very obvious and present in the UI. In SimpleX.chat you automatically verify the fingerprint, as its the way to establish the chat to your contact and is included in the way you distribute the contact to you.
I believe you can delete your phone number once you’re up and running, but yeah that seems like an anti-feature.
I’m sure that just sets the database column
hide_phonenumberto TRUE.I see an option to change it, not delete. It's still attached to a SIM card which requires identity verification in many states.
You’re right. That is odd.
When anyone get a copy of your data, nothing will bring it back.
signal.org/blog/phone-number-privacy-usernames/
One of the design goals is that they don’t have a user database, so governments etc can’t knock down their door demanding anything. By using phone numbers your “contacts” are not on their servers but local on your phone.
During registration they want a phone number to send a verification code. I know I am me. They don’t need to verify that.
They do. Otherwise anyone can register with your phone number and start messaging as if they were you.
If you want more privacy you’d need something like Simplex.
… but why require numbers in the first place.
.
Signal’s internal identifiers are, of course, not phone numbers. And you can download their server and host it without requiring phone numbers for registration. Just they simply can’t afford it, they need to prevent bots from registering and sending messages somehow. A group message is stored in Signal as many times as there are group members, for example.
They need to verify using a phone number because otherwise other people could sign up using your phone number and pretend to be you? What?
They can only sign up using your phone number if they do require a phone number. If they didn’t ask for a phone number then how would people sign up using your phone number?
But your phone number is, and thus every agency can get your full name and address and location.
and then every phone number on your phone by arresting you and searching your phone.
.
This sounds like it’s a problem no matter what method of communication you use, unless you keep no address book and memorize everything.
Yes but only yours. That’s still better and only having to knock on one door to get everything.
You are not the only person using Signal.
If I’m the target, then this is enough.
That’s WRONG they have a Database of every Phone number registered to them and metadata like the last time they logged in. You send all your contacts numbers to signal so they can respond who is also using Signal.
If you want to be mainstream a) you can’t have spammers, scammers, and all the other scum of the earth and b) finding your contacts in the app HAVE TO be plug and play. Literally no normie will bother adding with usernames or whatever.
Wrong, it is not optional, does not stop spam and the worst way to try.
Do not let this derail us. Escaping to libre software is the best return on investment.
Nothing is derailing you personally. Why are you repeating this to others?
To avoid any misunderstanding discouraging others from using Signal over apps like WhatsApp, while commenting on areas where it could improve. Privacy has never been single player.
They implemented an alt method IIRC but you must go out of your way to search and find it. I just recall seeing a bunch of post headlines about using email or something like that a year or so back.
They send an initial SMS message that is a main expense and funded by some rich person and donations. I think that has some significance to encryption or something but I’m not sure of the details. I could be wrong on that one, it has been years since I read the details.
Your wrong, except the rich person part. That rich guy is the WhatsApp founder, who got the money by selling their users to Facebook.
Everything is a balancing act. Privacy, anonymity, and security aren’t the same things. They’re sometimes, and in some aspects always, difficult to achieve without compromising one of the other two.
When you add in the goal of quick, easy setup to make the service useful in the first place. Doesn’t matter how good the service is at the trinity if nobody is willing to use it. Signal just errs on security first, privacy second, anonymity third.
Signal is not perfect but we control its app, libre software. See SimpleX Chat.
Escaping WhatsApp and Discord, anti-libre software, is more important.
Why we need to defeat those first? We can go straight to SimpleX?
You can go to Simplex (for sure a lot of people here already done it) but if only privacy nerds get to this place this is not a great solution. We (I’m talking about us using Lemmy and chatting on SimpleX) must convince people, starting by friends and family to stop using these fucking socials then at this point SimpleX will be considered as a viable alternative
.
.
Escaping WhatsApp and Discord, anti-libre software, is more important.
What SimpleX, Signal, or any app like this need first and foremost is traction, as new users generate more new users. One of Signal’s goals is usability (usually achieved by being simple, as in no complexity for the end user). In my opinion SimpleX lacks that. This is the same reason Signal needs a phone number: populating your contact list with users already on the platform
Wrong, it is not optional.
Despite this, escaping WhatsApp and Discord, anti-libre software, is more important.
Because the entire point of using communication programs is to communicate with people other than yourself.
My conspiracy theory brain goes:
Its funded by the government.
Yes, the messages themselves are encrypted, but they don’t need that, they have access to all the useful metadata.
They can find everyone near the site of a protest (via cell tower data), then find their signal accounts, then see who they are contacting, potentially revealing who the the other protestors and protest organizers are.
And if you need access to the messages, they don’t need to crack the encryption, they could just send pegasus to your phone (and they already have you phone number to do so), and they’ll have access to every message.
Then they just find those other protestors, also send pegasus to their phones.
I mean, the Signal code is technically legit, they just used a side channel (zero day exploits) to gain access.
But this is just a theory, I don’t have any evidence supporting this hypothesis.
Your theory sounds legit
This is what the UK police do with WhatsApp data. Even though they can’t read the messages, they do use the connections of messages to suspicious characters as evidence including date and times, which also puts these other people in the spotlight, opening further investigations.
The UK police can also use ‘stinger’ devices that are “fake” mobile data towers to intercept mobile communications.
They don’t need Signal to do any of this though, so this doesn’t seem like a very plausible theory.
True, they don’t exact need signal. But the thing with exploits is that, once found, they would be patched and they can’t use the same exploit again. So they can’t just be sending everyone in the country Pegasus. That would make it easier for it to be detected.
So with Signal’s help, they have a easier time to select a few targets. They can find out who is using Signal, and correlate that with other data like being near a protest site. Then they only need to target a few Signal users, instead of like sending Pegasus to 5000 protestors, they could find out that everyone is talking to this “John Smith” person, then send pegasus to that user and obtain a lot info And since its only few users being infected, its less likely for the fact that the conversations are comprpmised to be known.
I mean, without requiring phone numbers for Signal, they would have a harder time knowing who is using Signal, and they would end up having to infect all 5000 phones in the protest area, which mean now its much more likely for the spyware to be detected. With infecting just a few of the organizers, their spying can remain undetected for a long time.
As for everyone else not using Signal, they are likely to be using unencrypted messaging, so its not even necessary to infect their phones.
Why can't they send Pegasus to everyone?
If they can create a fund and invent Signal, they can just make Pegasus part of AOSP and have every manufacturer be forced to install it silently
They could, but again, its easier to detect.
But if we are already under the assumption that Pegasus is so sophisiticated that it’s un-detectable. Its possible all this privacy talk is futile and they already have access to every device, which means Graphene OS is also pointless.
I honestly don’t know. If you are planning any anti-government activities, the only way to be totally safe is to not carry a smartphone (and obviously wear a mask to conceal your identity and all that) and use One Time Pad encryption and deaddrops for communications.
Seems like a lot of unnecessary steps there
What are you doing to help others escape WhatsApp, anti-libre software?
Obviously Signal is the lesser evil, but don’t use Signal if you are planning a revolt is what I’m saying.
Put that at the start. This is c/privacy, not c/revolt.
or if you’re the US’ secretary of defense and you’re going to bomb Houthis
🤷
🤣 Absolute shitshow lmfao. Signal is not approved for war communications, that was a security breach (not to mention, adding the journalist), and he risked jepardizing his entire mission.
But on the other hand, having such incompetent fascists is a good thing for the resistance.
Because they’re building a private, not anonymous, instant messenger. They’ve been very open about this.
Our phone numbers are not private from them.
Despite this, escaping WhatsApp and Discord, anti-libre software, is more important.
Nothing “derailing” us. Not everyone has the same threat model. The messages are private and that’s what’s most important. Signal can only provide phone number and last connection time to the feds. If that’s too much information for you, then you’re not the target group and have a different threat model.
Anti Commercial-AI license
No, that isn’t true. WhatsApp has the same lies. Law enforcement connect communication between users at key times and use it as credible evidence. Why would drug exporter 1 be communicating with drug buyer 1 at the exact time the delivery arrives in the country? Law enforcement doesn’t need to know what was written.
What are you talking about? Are you saying sealed sender is a lie? If so, I want some proof.
Anti Commercial-AI license
They are referring to message metadata.
Even if they don’t show the content of messages, if they can show that phone number A is sending messages and getting replies to number B then that’s all the government needs.
signal.org/legal/
They store metadata, which is distinct from encrypted data.
signal.org/blog/sealed-sender/
They have a list of encrypted messages, who it’s from and who it’s to, based upon the sealed sender description. If you are using phone numbers then you are not anonymous, and a TLA agency can search known bad numbers even if Signal does not try to build that graph.
The ONLY data Signal stores about you is your phone number, most recent registration time/date and most recent login time/date. They don’t know who you’re messaging or when you’re messaging them AFAIK.
You can see this for yourself at signal.org/bigbrother
I am really frustrated when this is brought up, since it only shows what they have been collecting so far, not what they’re capable of collecting. The government agencies can force them to do whatever modifications to the server AND to keep completely silent about it. I am still trying to understand whether Sealed Sender would protect from a server collecting and recording ALL the data it possibly can.
Also if anyone else wrote it, there would be so much savaging of weasel words.
They brag that they don’t retain this data, so when governments request historical data they don’t have it.
They don’t say that they don’t provide it for anyone else to retain, so if they are given the to and from to process the message, and provide this to the CIA to retain then all of this security would be useless but would also fulfill all of the claims here.
Did… Did you just read the problem they were trying to solve, and just, skip the solution?
No.
They haven’t hidden it yet. It’s a goal.
What?
That blog entry is almost 7 years old. Sealed Sender came a long time ago.
The literal quote you provide has a link on “exploring techniques” that you didn’t click. It takes you to another blog post for the launch of Private Contact Discovery, which takes you to a repo of the service, but because your cutting and pasting such old stuff even that’s been replaced by a V2.
Please take a step back and read the technical docs, or at least more recent info.
As ratcheting and chaining are used, messages are sent with rotating keys on ebery message as the sender/recipient identifiers for the messages, not the phone number. It would be way easier to tap Google for Firebase notifications to get to what you are talking about.
And the capability argument is moot if it’s been proven in court to not be done today. You could say that about any service that uses push notifications that go through cloud providers.
Tagging @onlinepersona@programming.dev
thousands of threads on this topic since decades ago.
it’s an eternal debate (since signal has no plans to change)
just read the history and join the rest of us waiting for them to change. using signal before that change is completely optional. go ahead and don’t use it. no problem.
opening the discussion again is just tiring.
so tiring that i opened it and read it, then typed a long response.
Fuck haterz, these are valid questions and there no answers.
Signal did its job. I am waiting for simplex to mature.
Is there a url for the history? Or for a good answer about the phone numbers? If the topic keeps recurring and the answers don’t satisfy people, that suggests that there is no good answer, and that there are possibly misaligned interests between Signal and its users.
don’t be like one of the now!now!now! types (i.e. OP) and treat every new discovery (personal first encounters with existing tech, situations) as the final nail in the coffin. there are other messengers available while waiting for signal to change.
just saying, acknowledge that many others have arrived at the same problem years before you and they are not your enemy. so yelling at the choir is counter productive.
Session is an alternative that does not require, or request, your phone number (or any other identifying information). Honestly, I have no idea why Signal got popular and Sessions did not. As soon as Signal asked for my phone number that set off alarm bells for me and I’ve never really trusted it since.
Isn't Session the one with insane username strings?
Session is the one with broken security.
I don’t know that their security is “broken”. It may be, I don’t know. But also without anything that connects you to any particular message, it seems that – in itself – is a pretty good form of security.
I just don’t get why people accept Signal’s justification for requiring a phone number. They absolutely don’t need to (session proves that). It is certainly possible for them to say, “If you register without a phone number and access to your phone book then you will lose automatic discoverability by other users of Signal — meaning that you need to find another (physical) way to exchange your Signal username with your contacts”. They CAN do this. I think many users, like myself, would be fine with this tradeoff for greater anonymity. For some reason, they have steadfastly refused. The reasoning behind this refusal is what bothers me.
Yes. That was how they avoided using identifying information from their users.
So the reason Session never took off is probably because exchanging contact information is a big hassle, effectively barring users looking for convenience?
No, it had and has other problems
According to privacyguides.org, Session is listed under this message:
Link: www.privacyguides.org/…/real-time-communication/#…
This is incredibly important. Signal is considered the “gold standard” of encrypted and private communication for a reason.
Thanks for this link but your username also makes this pretty sus. 😜
This is a privacy community lol, I think you know why people use throwaways.
privacyguides.org have been a reputable source of information, also you aren’t suppose to just click hyperlinks without hovering over it and verifying that it is a trustwothy link anyways.
Ya. It was a joke.
Bots. If it makes you feel better, you can disable other people finding you via phone number and just give them your username. All messages are private.
But the police request the meta data of all messages from your phone number that the company has and they’re required by law to give them it.
Its encrypted
Messages are e2e encrypted. Metadata is not encrypted.
Edit: I feel the need to qualify this statement. Metadata about your connection may be encrypted at rest but is decryptable given that signal is released metadata to authorities with a warrant/subpoena.
Yes it is. Signal isnt PGP email. A lot of work went into protecting metadata.
what? can you show a source? I think you mixed it up with Matrix
People told you a few times to go look for yourself what Signal can give away. Its protocol descriptions are pretty understandable.
The whole bloody reason it’s always recommended is because it’s absolutely the best thing in terms of yes, encrypting metadata. It’s state of the art, level above that bullshit you’re thinking.
Unfortunately, that also means that hosting it takes lots of resources, which means they have to screen bots and mults somehow. Phone numbers are one way. Paid accounts are another.
Rubbish. How would this stop bots? Bots are created to make money. What makes you think creators don’t have a phone number, or be prepared to pay to spam.
Phone numbers cost money, which means they’re not easy to create in bulk, and therefore banning or blocking spam numbers is much easier than if it was open sign up.
One account per phone number versus infinity of accounts without.
signal accounts… signal accounts everywhere!
These are all the court orders Signal has complied to and details all the information they give up
signal.org/bigbrother/
TLDR; they only give the last time the account connected to Signal servers and the time of account registration or re-registration
Secret sender stops any real amount of information about messages being connected to you
You should go properly read the requests from law enforcement they have received and exactly what information it contains. It’s public. Then evaluate if it matters for yur threat model. Security doesn’t exist in a vaccum.
They can “request” it all day long. Signal doesn’t store them beyond the time needed to deliver to the end user device, and while (temporarily) stored, it’s encrypted in a way Signal’s service cannot read.
The phone carrier at least here in the US is required to store the call data for 18 months, according to the one that I use.
What does that have to do with Signal?
The claim is that Signal’s phone verification step doesn’t cause privacy problems because Signal (purportedly) doesn’t retain the phone numbers after verification. That claim is falsified because the phone carrier stores the call record even if Signal doesn’t. They store it because of the same law that makes them turn it over to Big Brother on demand. The phone verification step is, therefore, a privacy problem. Obviously there are similar issues with IP routing, but at least I can use a VPN with an endpoint in another country.
No, that wasn’t the claim. Phone numbers are used for sign up, but the post’s OP was talking about messaging meta data. Messaging meta data doesn’t go through your carrier and is encrypted.
If you check the publication of signal’s cases where they had to hand out data, and in reverse the FBI leak that listed analysis of all messenger apps by what data they were able to acquire in most cases, Signal came out as one of the top options.
Oh I see what you mean. But a big enough data dump from the phone carriers identifies all of Signal’s users, not good.
The “record” is a SMS verification code. All that will tell the government is that you registered for Signal, nothing else.
Telling the govt that you registered for Signal sounds like a bad failure as far as I’m concerned, e.g. if you are a user in a repressive regime. Do you think Trump would like to get his hands on a list of all the Signal users in the US? Probably yes. What would he do with the list? IDK but it has to be bad. So it should be an objective of Signal to make it impossible for anyone to create such a list.
Anyway, it sounds like Signal has wised up and is getting rid of the phone number requirement. I don’t understand why people here keep defending the misfeature. I’ve heard such things explained as “system justification” but I still don’t understand it. All of us make poor decisions all the time, but we should at least make some effort to recognize them, and fix them when possible.
en.wikipedia.org/wiki/System_justification
huh? so the phone number is encrypted in a way that can’t be read, but an sms is sent to the phone? … a separate company sends the text on behalf of signal? so that separate company logs the phone number, the timestamp and who knows what else.
What are you on about right now? I don’t mean that sarcastically, I really am wondering what your concern is. Are you concerned that because your phone number is associated with Signal that police will know you use Signal?
Signal doesn’t use SMS anymore, and all messages are sent over encrypted Internet protocol. Any servers in between won’t see the phone number, it’s not needed to deliver the message, it’s using an IP address at that point and the entire message metadata is encrypted. Signal is the only one that can see the phone numbers, which they use to identify multiple clients as a single user and route messages accordingly.
Signal doesn’t use SMS at all, once you have enrolled. The phone number is used to validate people and exclude bots, during registration. As others have noted, you can hide your number from other users, as well.
Is there a quick explanation of what signal actually does? I don’t understand the need for a phone number either. Jami doesn’t ask for a phone number. It has other deficiencies that make me not want to use it, but those are technical rather than policy, more or less. Similarly, irc (I’m luddite enough to still be using it) doesn’t ask for a phone number either. So this is all suspicious. There are a bunch of other things like this too (Element, Matrix, etc.) that I haven’t looked into and tbh I don’t understand why they exist.
Signal is a messenger service. You can expire messages after a certain amount of time.
They ask for a phone number to limit bots. I used my Google voice number and it worked fine. I like Telegram which banned me after a day of use for using Google Voice.
I get that Signal is a messaging system (not sure if “messenger service” has a specific meaning). What I don’t understand is why I’d want to use it instead of any of the million others that are out there. I’ve never used Signal and don’t have the slightest clue about how it operates, but apparently it tries to mess with the contact list on your phone? That sounds bad. I use Nextcloud Chat sometimes and its web design is ugly, but it works ok and you can self-host it fairly easily. It doesn’t do anything with your phone contacts. Jami is distributed but (maybe unrelated) I often have trouble getting it to work at all.
It doesn’t “mess with your contacts”. You can choose to give contacts access if you wish to have secure contact discovery. Contacts are not uploaded.
It’s robustly encrypted and quantum secure, without metadata leaks like the sender of a message.
It’s recommended by Edward Snowden.
If you want to message someone, have the ability to verify there is no man in the middle attack, have perfect forward secrecy, very strong crypto, use open source software and still have all the conveniences of a modern message app, use signal.
Do you mean the client side is open source? What about the server? If you’re required to use Signal’s server, how do you know it’s not disclosing metadata? If you can self-host it, why the phone number?
The idea is you don’t need to trust the server
Messages sent don’t contain a readable sender field
Mobile numbers may not be necessary long term, architecture depends on accounts being created Witt phone numbers. Usernames were very recently introduced. Soon we may see requirement for phone number dropped, unless related to spam control
The wikipedia article looks informative and I will read through it: en.wikipedia.org/wiki/Signal_(software)
Is spam a serious problem on other messaging systems?
I have received maybe 3 spam messages in many years of use
Spam is a huge problem on other messaging apps I have tried
You trust the server if you don’t verify fingerprints. Signal makes that too difficult.
Sealed sender is a theater that you can enable but still have to trust Intel, aws and the signal server.
CONTACTS ARE UPLOADED
Robust encryption isn’t useful if you don’t verify the fingerprint and signal makes that not intuitively.
SIGNAL CLIENT HAS UNFREE SOFTWARE INCLUDED
Contacts are never uploaded
Hashes of some numbers are if you enable contact discovery
Verifying keys is easy, what are you talking about?
It’s not suspicious. It’s been talked about for years. People know exactly what the phone number is used for. Easy discoverability, quick and seamless onboarding of new users by providing a way to bootstrap their social graph, and it being very similar to the process of the other biggest player that people just understand. And spam prevention. The phones are not leaked or used for anything else. The other alternatives exist and you are welcome to onboard the people you want onto them if you think it’s simpler.
The code is open, if you don’t trust other people and can’t read the code to understand then hire someone you trust to validate the claims and assure you. But spreading FUD and saying it’s suspicious is not productive to anyone.
I don’t understand what you mean about discoverability: is my presence on the network advertised to strangers and spammers? That doesn’t sound good. What does the onboarding process look like?
You still haven’t said what Signal’s advantages are supposed to be over alternatives, though I can guess some (e.g. better/more crypto than irc has). Jami seems conceptually ok, but buggy in implementation. Nextcloud Talk works but is kind of clunky. Matrix is popular though I’ve never used it: is it the main alternative to Signal these days? I thought it was what all the hipsters had migrated to while luddites like me were still on irc. Jitsi Meet looks nice though again I haven’t explored it much. I’ve been puzzled for a long time that there is so much work in this area yet everything has deficiencies. Are there difficult problems to solve?
If Signal’s code is open then of course I’d want to self-host the server. Can I do that? Does that get in the way of the onboarding process you mention? Where does the phone number come in, in that case? If I to use Signal’s server, that doesn’t sound so open, and normally there’s no way for me to verify that it’s running the same code that they claim.
I don’t see where I’m spreading FUD. Ignoring a question and calling it FUD doesn’t invalidate the question.
Thanks. The more I think about it, the more this seems like outright evil behaviour on Signal’s part to pursue user growth, similar to Facebook etc. Imagine that you and your boss are in each other’s contacts for obvious work-related reasons. Do you really want Signal notifying your boss that you registered for Signal? For some of us it’s fine, but in general it seems like a terrible idea.
You can’t easily selfhost Signal. They engineered it purposefully to only run on Big Tech Clouds with specific Intel CPUs they put (too much) trust in.
Very interesting, thanks. Do you mean they use SGX (Intel’s buggy secure enclave feature)? Any idea what they use it for? If not SGX, do you know what the issue is? AMD Epyc processors have something similar but different, fwiw. If there is such highly secret info on the server though, that makes self-hosting even more important. It also makes the architecture suspect.
Yes SGX, they use it for sealed Sender, contact discovery and mobilecoin.
Because their founder (Marlinspike) is probably under a National Security Letter, maybe it’s just that, maybe he’s done some crimes they’re also holding over him. If you look at his behavior it’s that of someone very paranoid that they’re going to be found out to be cooperating with the feds and get hit with charges for not upholding the bargain, someone straddling one or two big lies that have to be maintained to keep their life going. Very controlling of things they should be open about if they care about privacy as they claim. But exactly the behavior of someone under an NSL who’s terrified of getting hit with charges for that and maybe other things but who is expected to front and run a purported privacy first messenger. The secrecy, the refusal to allow others to operate their own servers, the antagonism towards federation, the long periods without publishing source code updates.
This doesn’t necessarily mean that signal message content is compromised, the NSA primarily scrapes metadata and would most care about knowing who is talking to who and to put real names to those people and building graphs of networks of people. Other things like what times they talk can be inferred from upstream taps on signals servers without their knowledge or cooperation via traffic observation and correlation especially when paired with the fourteen eyes global intercept network. With a phone number it’s also a lot easier to pinpoint an exact device to hack using a cooperating (or hacked) telecom. Phone numbers can also be correlated to triangulated positions of devices, see who in a leftist protest network was A) heavily sending messages and B) attended that protest and left last and begin to infer things about structure and particular relationships.
And those saying it has to do with spam prevention, that’s kind of nonsense. First I still get the occasional spam, second a phone number that can receive a confirmation text is something all these criminal organizations have access to which the average person doesn’t. Third it’s possible to prevent spam just by looking for people (especially new accounts under 120 days old) sending very small amounts of messages (1-3) to a very large amount of other users especially in a short amount of time. Third there’s no reason to keep the phone number tied to the account, a confirmation text could be required with a promise to delete the phone number immediately after (would still be technically useful to the NSA though less useful for keeping track of people changing numbers or using a burner for this who might be higher value targets).
I have never received spam on Signal.
I got one one time, been using it for years. Fuckin’ weird to try on people who are privacy and security conscious. My guess is that they were attempting to see what numbers are using signal in the first place if someone responds with a “fuck off” then the spammer knows they use signal.
I have exactly once as did a couple of my friends from the same stranger.
Secret sender invalidates your metadata argument
That is a pretty weird post that doesn’t make much sense, but I remember meeting Moxie and asking him about Android security and being surprised at how defensive he was about it. Is Signal the app he was working on? That helps somewhat. I get them confused with each other.
The Signal app doesn’t appear to be on F-droid, which is a bit discomforting.
Is it possible to use a voip based SMS for registration?
Those are a little easier to get anonymously then physical sim cards.
Too many steps.
Despite this, escaping WhatsApp and Discord, anti-libre software, is more important.
Privacy ≠ anonymity
Our phone numbers are not private from them.
Despite this, escaping WhatsApp and Discord, anti-libre software, is more important.
It’s libre software. Go host the server and change the clients to connect to your custom server and distribute to the users you need.
edit: nvm i re-read what you wrote
i agree it does mostly fulfill the criteria for libre software. perhaps not in every way to the same spirit as other projects, but that is indeed a separate discussion.
h̶o̶w̶ ̶m̶a̶n̶y̶ ̶c̶o̶m̶m̶u̶n̶i̶t̶i̶e̶s̶ ̶a̶r̶e̶ ̶d̶o̶i̶n̶g̶ ̶t̶h̶a̶t̶ ̶r̶i̶g̶h̶t̶ ̶n̶o̶w̶?̶ ̶i̶ ̶s̶u̶s̶p̶e̶c̶t̶ ̶y̶o̶u̶ ̶m̶a̶y̶ ̶b̶e̶ ̶d̶r̶a̶s̶t̶i̶c̶a̶l̶l̶y̶ ̶u̶n̶d̶e̶r̶s̶t̶a̶t̶i̶n̶g̶ ̶t̶h̶e̶ ̶b̶a̶r̶r̶i̶e̶r̶s̶ ̶f̶o̶r̶ ̶t̶h̶a̶t̶.̶ ̶b̶u̶t̶ ̶w̶o̶u̶l̶d̶ ̶b̶e̶ ̶d̶e̶l̶i̶g̶h̶t̶e̶d̶ ̶t̶o̶ ̶b̶e̶ ̶p̶r̶o̶v̶e̶n̶ ̶w̶r̶o̶n̶g̶.̶.̶.̶
The barrier is that only you and your friends would be using that Fignal or Xignal or whatever home installation, and for that practically, for ease of use, it’s simpler to host Matrix which even a complete idiot can do.
.
You could change it to use multiple servers but changing app is faster.
So, escaping WhatsApp and Discord, anti-libre software, is the most important part.
Are you saying I have to literally rebuild and distribute my own client APK if I want to use my own server? There’s no “settings” in the existing client where you say what server you want to use, like every email client has? That sounds obnoxious.
If you don’t trust Signal to run an unmodified server without malicious modifications, then why would you trust their build of the APK?
To truly be safe from Signal’s influence you would need to audit the source code and build it yourself.
Personally I have no problem using Signal’s servers
Usually I only install APK’s from F-Droid, which always builds its apps from source, rather than using the developer’s APK. I’m uncomfortable that Signal doesn’t seem to be on F-droid, and I’m in fact hesitant to install it from anywhere else. I’m not currently set up to build Android apps myself. I’m a fairly unsophisticated Android user.
You can use Obtainium and get it straight from Github.
I just checked and I installed Signal from F-Droid.
It says Repository: Guardian Project on the app page.
Interesting, I wonder why it’s not in the main F-droid repo. Thanks.
Tons of stuff are not on fdroid due to requirements by fdroid, a longer process to push releases, etc…
It works for many apps, but there is IzzyOnDroid for much faster releases as well as dozens of fdroid repos for specific projects by default available on NeoStore.
I am not experienced enough to know the ins and outs of why fdroid is so difficult and slow for some devs, but it has been someone limited in apps at times because of it.
Hmm ok, though if a security program needs frequent updates, that’s a cause for concern in its own right… :/
I also wondered who builds it from source.
Apparently it is this development team, which, I must say, has several interesting projects active:
guardianproject.info
Signal on Android has had reproducible builds for years now.
Sources: Github Readme, Official blog post
Thanks. I’m not a sophisticated Android user and so far have just stayed with installing stuff from F-droid. If the official build matches the F-droid build, that’s great. At some point I want to spend some time bringing up Android build tools, but I have too much other stuff going on right now.
Agreed, escaping WhatsApp and Discord is the most important part.
How? i wanted to do that but the client doesn’t let you use another server? Host file ?
Maybe I am being too simplistic here. But I have never received a spam message to my XMPP account and I don’t know how a spammer would find it.
In a phone-based system a spammer can spam a list of numbers, or use contact lists that are easily shared via phone permissions. There are several low-effort discovery processes.
For e-mail, you get spam when you you input your personal e-mail into forms, websites, or post it publicly.
But for something like XMPP… It seems rather difficult to discover accounts effectively to spam them. And, if it is an actual problem, why not implement some kind of ‘identity swap’ that automatically transmits a new identity to approved contacts? A chat username does not need to be as static as an e-mail or a phone number for most people.
I just don’t see ‘spam’ as such a difficult challenge in this context, and not enough in my view to balance out requesting a phone number. Perhaps a spammer can chip-in?
SimpleX is coming nicely along. Should be good to switch next year once they got their desktop apps polished up
Simplex has a bad user experience and needs a lot of work before it’s ready for normies.
Last time I tried Simplex, the battery drain was unbelievable. Maybe I’ll give it another go and see what happens, but I’m not optimistic.
SimpleX
And it uses same tech as Signal.
However getting friends to join Simplex is complicated by two annoyances:
(1) It gets confused by an invite URL coming from facebook (it doesn’t know to strip the appended Facebook tracking code - as trivial as it is).
(2) When the invite is via a QR code you must scan it with SimpleX not your native camera app. Invitees just give up.
Isn’t the QR Code a link you could also open in a web browser?
No it isn’t a URL. But that would indeed be the way they could make it work. If they did that, then…
If you don’t have the app installed it installs it from the web site. If you have it installed then the app takes over instead of the web browser. That is how many apps work (eg Reddit).
I hope it gets multi device support and sync one day, in a way that just works
You can just make a group for each contact with all of your (and their) devices in it.
It’s still a shitty workaround
If people contact me, I can’t expect them to create a group…
You can configure one or more of your profiles’ addresses to be a “business address” which means that when people contact you via it it will always create a new group automatically. Then you can (optionally, on a per-contact basis) add your other devices’ profiles to it (as can your contact with their other devices, after you make them an admin of the group).
It’s not the most obvious/intuitive system but it works well and imo this paradigm is actually better than most systems’ multi-device support in that you can see which device someone is sending from and you can choose to give different contacts access to a different subset of your devices than others.
Indeed, didn’t know that.
I prefer having the possibility of having multiple devices under the same profile 🤷
Tried session? Anyone have comments on it? Nice to be able to skip the phone and easily use vpn, though I haven’t spent enough time on that.
I think the people behind Session cares for their mission, and it might align with OP’s, so maybe. Although I personally am not too fond of about all their choices.
The omission of Forward Secrecy for instance doesn’t sit well with me. Each to their own though, and they do go into their reasoning on their blog: getsession.org/session-protocol-explained
Likewise their last audit from 2021, lists quite a handful of critical/moderate issues in their apps, hopefully they’ve fixet it. Afterall it’s been a while since 2021. getsession.org/faq#security-audit
Session is a Signal fork and they removed forward secrecy which makes them vulnerable to Key Compromise Impersonation attacks.
Jami.net
Ignore the comment saying signal is “end to end encrypted” “private” etc They are simply stuck in a delusional state where they try to convince themselves that signal is the best option so they can continue using it. Nothing is private if it isn’t fully libre because you never know what the proprietary code is doing. The signal protocol itself has its source code released, and the encryption and security code is publicly available, but the signal Foundation has stated that it uses both free code and proprietary code. Their reason is UI, but it’s hard to make sure whatever proprietary code is being used for because you simply can’t see it. As GNU puts it: “You’re walking in a pitch black cave”. Jami is fully libre and is a GNU project. You don’t even need any phone number!
You should have visited Signal’s github page first, I dunno. Before talking. Made up a lot of stuff.
They do have proprietary code for that crypto wallet they have there, well hidden, and for, eh, phone number registration, but other than that module it’s all released, I think.
The server and the client applications are FOSS. You can host it for yourself, patching out the domain names and registration parts the way you like it more.
I didn’t actually know the server code was published. It’d be cool if the client allowed multiple servers so you could talk to people on the “normal” master while also thing a private instance
I think choosing a server, like in some ICQ clients, is not a complex modification.
They had it implemented but discarded it out of stupid centralization ideology. Moxie said it on a Chaos communication Congress presentation he held but which he didn’t wanted to be recorded, as the stuff he said was stupid and wrong.
Well, some of the stuff they wrote, not said, wasn’t stupid and wrong.
This is why escaping WhatsApp and Discord, anti-libre software, is most important part.
That’s not the full picture. That’s exactly the problem I was highlighting. The issue isn’t whether some of the code is “FOSS”, it’s about whether all of it is. If even small parts remain proprietary (as you mentioned), then we can’t verify what those parts are doing. And those parts could theoretically significantly affect the data collection. Also, I didn’t make up a lot of stuff. The Signal Foundation themselves have confirmed that certain UI and build components are not fully libre. As the GNU project puts it, if part of your system is closed, then you’re trusting a black box, no matter how well-lit the rest of it is.
Signal protocol guarantees that what’s on the server we can discard in your suspicions, it doesn’t matter, because you are not trusting it.
The client is fully open.
You are trusting the server, or do you verify the fingerprint of EVERY contact of yours? The normal people don’t, as Signals UI purpusfully doesn’t encourages it.
Normal people don’t anyway.
If it’s not fully free, I don’t trust it. I don’t understand how someone in a privacy community doesn’t understand how much a few lines of code can track someone so easily no matter how much of the program is free software.
Server code openness doesn’t matter other than functioning at all. For a system acceptable in a privacy community.
They also have Google Play Libraries included for Push Notifications and Maps.
Jami, as much as I prefer it on various philosophical grounds, simply doesn’t work very well at the moment. :(
And we should report problems and fix them ourselves to make it better
Based
Yeah I’m on their Discourse forum, but the situation isn’t that great, and it’s unclear to me if the problems are fixable. Particularly when there are incompatibilities between version X and version Y, where both versions are already in the wild. You can’t travel backwards in time to fix those versions, and this (like email clients or telephones) is an application area where you can’t tell people to update their clients all the time. You have to keep things interoperable.
It’s also often inconvenient to reproduce bugs like that in order to diagnose them. If you try to talk to someone over Jami and it doesn’t work, you generally can’t borrow their phone to analyze the issue. If you’re one of the core developers, maybe you have access to a room full of different kinds of phones and OS versions to test with, but a typical user/contributor won’t have anything like that.
Yeah, this is just the reality of unpaid free software developers, they don’t have the recourses to work on every single bug as quick as a paid developer, but that doesn’t justify not reporting bugs and working with the developers to fix them. Like you said, Jami is grest ethically so why not make it great function? Also, don’t you have a computer and a phone? Test on those. I don’t own a phone, so I can’t test the phone, but I do gladly test on my laptop.
Those are nice generalities but I think they ignore reality. Jami seems like sort of a side project to its developers. Bug reports often are answered with a suggestion to make sure everyone is running the latest version of Jami, which is often useless advice. Like if you try to call your friend with your new phone and the call doesn’t complete, it’s unhelpful for your phone manufacturer to say your friend should get a new phone. You might be interested in helping fix the problem but your friend just wanted to have a phone conversation and doesn’t want to get dragged into a debugging project. It’s even worse if the other person is not your friend but rather is someone you just met and exchanged numbers with. If you try to follow up with a phone call and there is a problem, GAME OVER. You permanently lose contact with that person. You can’t possibly suggest Jami as a Skype replacement after that happens to you once or twice.
Another thing with comms programs in general is you really can’t debug them with just one computer. Their whole function is to let two computers talk to each other, so you need two computers where you control both ends and ideally control the network as well, so you can insert delays, network faults, etc. If the Android version has trouble talking to the Iphone version, you need both kinds of phones. I’m not sure if Jami’s devs really understand that. I’ve worked on telecom stuff in the past and it’s just the reality of that field.
Yet another (I’m not sure of this) is that Jami is a peer to peer program so I suspect some of the problems revolve around firewall traversal gotchas of various types. I don’t know if there is a cure for this while keeping the basic architectecture intact. I do like it in principle and I know that people get BitTorrent working reliably without too much trouble, so maybe Jami is just missing some trick.
Finally, Jami is pretty old and back in those days, people hadn’t really thought about the subtleties of encrypted group chats. Signal does a better job, and these days there is a standard (RFC 9420) for how to do it (I don’t know if Signal follows this standard). It would be good if Jami were revamped for that, but 1) that would break interoperability again, and 2) I don’t know if it’s workable at all with Jami’s architecture (serverless, using a distributed hash table for peer discovery).
For now I’ve sort of given up on Jami and am trying to figure out what to use instead. It’s unfortunate that the main devs don’t seem to have that much interest in making Jami reliable. Randos like me capable of making small contributions can’t really help much with more involvement from the experts.
You make amazing points, and I completely agree with you. I will continue to use Jami since it’s good enough for me to talk with my friends. I mean now the only replacement which is not a replacement just another thing I use to chat is GNU Emacs. I hope the development speed and motivation increases and please do inform me if you found an alternative
You can easily verify the keys of the person you’re speaking with, and they’re generated locally… so technically speaking, even if their servers are leaking, your messages are still unreadable, but yea that’s not ideal
Not when it’s backdoored. So, tell the guy above there’s a fully libre copy.
? Even if the servers are backdoored, your messages are still encrypted by your key - as long as the server didn’t manipulate the keys at the first exchange, which you can check by verifying the security code
If it matches, then it’s okay. Such features exist in all encrypted messenger apps
The app, not the server.
I think they have reproducible builds on Android. iOS doesn’t allow that though.
There’s also a fork named Molly on Android. It’s nice.
Molly.im is a Signal Client fork with Security enhancements and the possibility to install a version with only free software.
Great, but it relies on signal’s servers, so it’s centralised. Also, Moly merely removes proprietary parts from Signal, but that’s a workaround (same thing for linux-libre kernel, it’s free software, but just a workaround which is why I’m looking to help with HyprbolaBSD). I’m not coming here to say Molly isn’t an improvement, but being centralised and relying on a non-tully-free program’s servers is a huge red flag for me :)
It doesn’t matter whether a server claims to run free software or not. You can’t verify what it’s running. That’s why E2EE is designed entirely around the client. You can’t trust the server no matter what.
Did anyone say that was the problem? It will not matter how encrypted your messages are when the centralised service gets easily banned.
Yeah the comment I responded to did
Directly above, doesn’t look like it.
k
Do not trust signal. Mosk advertised it on twitter.
Edit: I only got 11 downvotes yet, so i have to add:
Signal is not allowed in Russia, guess why. Telegram is. yes yes try harder. THINK mf
WhatsApp is obviously not recommended.
I’m not saying don’t use. I’m saying do not trust.
And then went back on it to advertise telegram lmao
Btw don’t use computers, Musk use them
Computers don’t steal your data for musk regime tho. Signal does. Telegram does not.
Telegram leaks your data, including to France, which is my country, so they can go fuck themselves.
Telegram isn’t even E2EE. It’s like recommending Russia’s Discord over Signal…
I guess Microsoft isn’t a USA company. And Signal is apparently for-profit. And ICANN isn’t in the USA…
I love how Signal (doesn’t, according to you) takes months to invent a proxy to load GIFs and link previews through, so as not to leak your IP to the (American) companies.
Where does its software license stop us controlling it?
as I see it, Signal tried to fit that privacy gap for a standard centralised messenger, if you think about it, that might have made it easier to non-tech-savvy people to adopt it (even if it was as a request from a contact), decentralisation is not remotely appealing to them
Wrong, they care what it does, not how it works.
Yes, and in that time you would visit a website with your own IP address likely, likely over HTTP without SSL/TLS, likely with your vulnerable browser fingerprint. Point?
Privacy, not anonymity. Two completely different things.
Because the way Signal is built hosting it requires a lot of resources (storage especially), so they want spam prevention and fewer accounts per person.
I haven’t seen a non-TLS website in years.
Your asserting “two completely different things” doesn’t make it true. Privacy and anonymity are not synonyms but they are overlapping areas. Also ISTM you are redefining terms to suit your purposes. Anonymity to me means the message recipient can’t tell who you are. If a THIRD PARTY (the server operator) can ALSO tell who you are, that’s a privacy failure, not just an anonymity one.
Why does it take so much storage per user? Does it have video uploads or anything like that? A user account should basically just be a row in a database.
From en.wikipedia.org/wiki/Signal_(software) :
They are overlapping areas, but they are “two completely different things”. They overlap by sharing common goals, not by being interchangeable.
Right. And Signal doesn’t provide that at all, it ties your private messages to your identity (phone number), it explicitly does not provide anonymity. In fact, it proudly advertises you as a signal user to other signal users that have your number saved. It allows you to post public status updates, it encourages you to save your first and last name on your account.
Okay? And? In this hypothetical world where Signal offered anonymity but still tied you to your number for other practical reasons, then you’re be correct that it would be a privacy concern.
But they don’t offer anonymity, they offer private conversations.
They aren’t interchangeable but they intersect. Completely different means they are disjoint.
That sounds terrible, a private message service shouldn’t advertise anything to anyone. If I subscribe to a subversive magazine, it shouldn’t advertise me to other subscribers. It’s a terrible invasion if they do. Signal and PGP are both comparable to subversive magazines in that regard, even if the PGP manual tried to say the opposite.
I think most of us these days recognize that the whole concept of public key directories and signature chains on PGP keys was a conceptual error in how people thought about privacy back then (they only cared about encrypting message content). We like to think we know better now, but maybe we don’t.
According to Wikipedia, they do record some of that info and report it to the government when required. In fact there is further disclosure to them (they might not retain or use the info, but they do receive it) every time you connect to the Signal server.
Anyway the Wikipedia article indicates they have introduced usernames as an alternative to phone numbers, so they have finally acknowledged the problem and done something about it.
It’s okay to be wrong.
I’d like to see a numerical estimate of how much data this is. But, it sounds to me like more reason to want to self-host.
I don’t see any point to rehashing the other stuff. Non-TLS websites mostly went away once DNS spoofing at wifi hotspots became widespread.
So do that. You can do that with Signal.
Maybe I wasn’t clear, someone said that back in the day registration on a website was a new and bad thing, connecting it with privacy and comparing to Signal asking for phone number. I answered with the idea that not much commonly thought from that time about privacy has aged well. You wouldn’t register on websites, but you would communicate with them over plaintext. I hope that makes it clearer.
Do you know of anyone doing it? Other people have said there are difficulties.
It is ok, in that era (dialup or wired internet) unencrypted http was basically as secure as unencrypted landlne phone calls. People still have unencrypted phone calls all the time. Typicalally sites would show public content (like product pages on an e-commerce site) by http, then switch to https for checkout to protect stuff like credit card numbers. Encrypting everything became important when wifi became widespread. Wifi hotspots would hijack DNS and spoof entire web sites to steal credentials. Also, LetsEncrypt made it possible to bypass the CA scam industry, making https-everywhere more popular. Public awareness also increased due to Snowden’s disclosures.
The RSA encryption patent also expired in 2000. Before that, US website operators were potentially exposed to hassle if they didn’t use a commercial server with an RSA license ($$$). But, it didn’t apply outside the US and FOSS SSL servers existed for those wanting them.
Our phone numbers are not private from them.
Despite this, escaping WhatsApp and Discord, anti-libre software, is more important.
jami.net
Offers the same privacy but is not centralised. it’s peer to peer
But like TOR, can entry / exit nodes be used to tie the two ends together through e.g. timing attacks?
Has any app fixed this?
Simplex?
github.com/simplex-chat/…/overview-tjr.md#threat-…
I fogot it does that.
There is a lot of FUD here. It’s just like anti-vaxxers claiming vaccines make you autistic or have microchips in them: they don’t understand what they’re talking about, have different threat models, and are paranoid.
Messages are private on signal and they cannot be connected to you through sealed sender. There have been multiple audits and even government requests for information which have returned only the phone number and last connection time.
Anti Commercial-AI license
No. Signal’s sealed sender has an incoherent threat model and only protects against an honest server, and if the server is assumed to be honest then a “no logs” policy would be sufficient.
Sealed sender is complete security theater. And, just in case it is ever actually difficult for the server to infer who is who (eg, if there are many users behind the same NAT), the server can also simply turn it off and the client will silently fall back to “unsealed sender”. 🤡
The fact that they go to this much dishonest effort to convince people that they “can’t” exploit their massive centralized trove of activists’ metadata is a pretty strong indicator of one answer to OP’s question.
So, they do not need our phone numbers but they still demand it.
Despite this, escaping WhatsApp and Discord, anti-libre software, is more important.
Signal fills an incredibly important spot in a spectrum of privacy and usability where it’s extremely usable without sacrificing very much privacy. Sure, to the most concerned privacy enthusits it’s not the best, but it’s a hell of a lot easier to convince friends and family to use Signal than something like Matrix.
Because they’re lying. Corporations, governments, and just people in general tend to do that, ya’know.
The amount of trolls in this thread that either try to spew false information intentionally or just have no idea what they are talking about is insane.
If you are worried about what data (including your phone number) law enforcement can recieve (if they have your specific user ID, which is not equal to your phone number) from the Signal company check this: propertyofthepeople.org/document-detail/?doc-id=2… Tldr: It’s the date of registration and last time user was seen online. No other information, Signal just doesn’t have any other and this is by design.
If you want to know more about how they accomplish that feat you can check out the sealed sender feature: nerdschalk.com/what-is-sealed-sender-in-signal-an…
or the private contact discovery system: signal.org/blog/private-contact-discovery/
Also as Signal only requires a valid phone number for registration you might try some of these methods (not sure if they still work): theintercept.com/…/signal-app-privacy-phone-numbe…
False.
edit: it’s funny how people downvoting comments about signal’s sealed sender being a farce never even attempt to explain what its threat model is supposed to be. (meaning: what attacks, with which adversary capabilities specifically, is it designed to prevent?)
it’s being answered in the github thread you linked. Sorry that this is not enough for you but it’s enough for most people: “For people who are concerned about this sort of thing, you can enable sealed sender indicators in the settings”
The answers there are only about the fact that it can be turned off and that by default clients will silently fall back to “unsealed sender”.
That does not say anything about the question of what attacks it is actually meant to prevent (assuming a user does “enable sealed sender indicators”).
This can be separated into two different questions:
The strongest possibly-true statement i can imagine about sealed sender’s utility is something like this:
This is a vastly weaker claim than saying that “by design” Signal has no possibility of collecting any information at all besides the famous “date of registration and last time user was seen online” which Signal proponents often tout.
Downvoted as you let them bait you. Escaping WhatsApp and Discord, anti-libre software, is more important.
I don’t know what you mean by “bait” here, but…
Escaping to a phone-number-requiring, centralized-on-Amazon, closed-source-server-having, marketed-to-activists, built-with-funding-from-Radio-Free-Asia (for the specific purpose of being used by people opposing governments which the US considers adversaries) service which makes downright dishonest claims of having a cryptographically-ensured inability to collect metadata? No thanks.
(fuck whatsapp and discord too, of course.)
When it’s libre software, we’re not banned from fixing it.
SimpleX is better
Escaping WhatsApp and Discord, anti-libre software, is most important part.
Signal is a company and a network service and a protocol and some libre software.
Anyone can modify the client software (though you can’t actually distribute modified versions via Apple’s iOS App Store, for reasons explained below) but if a 3rd party actually “fixed” the problems I’ve been talking about here then it really wouldn’t make any sense to call that Signal anymore because it would be a different (and incompatible) protocol.
Only Signal (the company) can approve of changes to Signal (the protocol and service).
Here is why forks of Signal for iOS, like most seemingly-GPLv3 software for iOS, cannot be distributed via the App Store
Apple does not distribute GPLv3-licensed binaries of iOS software. When they distribute binaries compiled from GPLv3-licensed source code, it is because they have received another license to distribute those binaries from the copyright holder(s). The reason Apple does not distribute GPLv3-licensed binaries for iOS is because they cannot, because the way that iOS works inherently violates the “installation information” (aka anti-tivozation) clause of GPLv3: Apple requires users to agree to additional terms before they can run a modified version of a program, which is precisely what this clause of GPLv3 prohibits. This is why, unlike the Android version of Signal, there are no forks of Signal for iOS. The way to have the source code for an iOS program be GPLv3 licensed and actually be meaningfully forkable is to have a license exception like nextcloud/ios/COPYING.iOS. So far, at least, this allows Apple to distribute (non-GPLv3!) binaries of any future modified versions of the software which anyone might make. (Legal interpretations could change though, so, it is probably safer to pick a non-GPLv3 license if you’re starting a new iOS project and have a choice of licenses.) Anyway, the reason Signal for iOS is GPLv3 and they do not do what NextCloud does here is because they only want to appear to be free/libre software - they do not actually want people to fork their software. Only Signal (the company) is allowed to give Apple permission to distribute binaries to users. The rest of us have a GPLv3 license for the source code, but that does not let us distribute binaries to users via the distribution channel where nearly all iOS users get their software.
Yeah, iOS is not libre software.
This shows they do not need our phone numbers but they still demand it.
Despite this, escaping WhatsApp and Discord, anti-libre software, is more important.
No it doesn’t. What is a need? It is for troll and spam and bot protection. How does the links show that there is no need for it?
Reduce spam bot accounts and other malware, as well as to allow for user discovery so you can find your contacts more easily. It’s not designed to be an anonymous service, just a private one.
I think this needs to be said a lot more often and a lot louder. Anonymous and private are NOT necessarily the same thing, nor should the expectation be that they are. Both have a purpose.
in the end of the day, the end user needs an id. this is perfect for the everyday user, but obviously if you are writing anti regime articles, you might want to look around for more anonim apps.
…because of course, they don’t need privacy, do they now. “Nothing to hide” and all that jazz.
We have to assume we are all writing anti regime articles … In the future
I think it’s important to remember de difference between being private and being anonymous. Signal IS private. It’s not anonymous. The same is true for many other apps/services.
Personally I like to be private. I don’t really need to be anonymous.
Privacy ≠ Anonymity ≠ Security
Because it’s centralized, I prefer SimpleX.
What an answers. Comoletely nonsense
Privacy is not necessarily anonymity. Signal uses a phone number to prevent spam and DDOS attacks on their network. Session doesn’t do this and got wrecked by DDOS attacks to the point where most of the major groups are pretty much dead.
Use Signal to talk to people you know. That’s what it’s for. You don’t use it for anonymous chats.
It’s private but it’s not anonymous. they know who is talking to who, but not what they are talking about.
That’s not exactly true. See Sealed sender: signal.org/blog/sealed-sender/
So, you’re going to get two schools of thought on this, and one of them is wrong. Horrendously wrong. For perspective, I was a certified CEHv7, so take that for what its worth.
There’s a saying in security circles “security through obscurity isn’t security,” which is a saying from the 1850s and people continually attempt to apply the logic to today’s standards and it’s–frankly stupid–but just plain silly. It generally means that if you hide the key to your house under the floor mat, there’s no point to having the lock, because it doesn’t lend you any real security and that if you release the schematics to security protocols and/or devices (like locks), it makes them less secure. And in this specific context, it makes sense and is an accurate statement. Lots of people will make the argument that F/OSS is more secure because it’s openly available and many will make the argument that it’s less secure. But each argument is moot because it deals with software development and not your private data. lol.
When you apply the same logic to technology and private data it breaks down tremendously. This is the information age. With a persons phone number I can very likely find their home address or their general location. Registered cell phones will forever carry with them the city in which they were activated. So if I have your phone number, and know your name is John Smith, I can look up your number and see where it was activated. It’ll tell me “Dallas, Texas” and now I’m not just looking for John Smith, I’m looking for John Smith in Dallas, Texas. With successive breakdowns like this I will eventually find your home address or at the very least your neighborhood.
The supposition made by Signal (and anyone who defends this model) is that generally anyone with your private number is supposed to have it and even if they do, there’s not much they can do with it. But that’s so incredibly wrong it’s not even funny in 2025.
I’ve seen a great number of people in this thread post things like “privacy isn’t anonymity and anonymity isn’t security,” which frankly I find gobstopping hilarious from a community that will break their neck to suggest everyone run VPNs to protect their online identity as a way to protect yourself from fingerprinting and ad tracking.
It frankly amazes me. Protecting your data, including your phone number is the same as protecting your home address and your private data through redirection from a VPN. I don’t think many in this community would argue against using a VPN. But why they feel you should shotgun your phone number all over the internet is fucking stupid, IMO, or that you should only use a secure messaging protocol to speak to people you know, and not people you don’t know. It’s all just so…stupid.
They’ll then continue to say that you should only use Signal to talk to people you know because “that’s what its for!” as if protecting yourself via encryption from compete fucking strangers has no value all of a sudden. lol
You have to be very careful in this community because there are a significant number of armchair experts which simply parrot the things that they’ve read from others ad-nauseam without actually thinking about the basis of what they’re saying.
OK. That’s my rant. I’m ready for your downvote.
The only thing I’ll tack onto this is that with the introduction of Signal usernames, you still have to give Signal your number to verify that at least on some level, you probably are a real person. As someone with 5 different phone numbers, probably doesn’t stop spam as much as they’d hoped, but more than they feared, but at least now you don’t have to give that Craigslist guy who uses Signal your phone number, just your username. Is that the best method? I dunno, but but it is something.
I was unaware of this change, and it’s perfectly acceptable. No one has any ground to lambast Signal for requiring phone numbers to get an account. I think that’s a perfectly reasonable spam mitigation technique. The issue is having to shotgun your phone number to every Howard and Susan that you want to use Signal to communicate with.
This was honestly the only thing holding me back from actually using Signal. I’ll likely register for an account now.
Spam accounts are clearly the biggest factor for not letting anyone just sign up with an email. Although getting a new email without a phone verification is getting increasingly hard now.
If you are even remotely involved in any activist type of things, you certainly don’t want this US government honeypot have your phone-number and device id.
At least in theory, this is mitigated. The signal activation server sees your phone number, yes. If you use Signal, the threat model doesn’t protect you from someone with privileged network or server access learning that you use Signal (just like someone with privileged network access can learn you use tor, or a vpn, etc).
But the signal servers do not get to see the content of your group messages, nor the metadata about your groups and contacts. Sealed sender keeps that private: signal.org/blog/sealed-sender/
You would obviously want to join those groups with a user Id rather than your phone number, or a malicious member could out you. It’s not the best truly anonymous chat platform, but protection from your specific threat model is thought through.
edit: be sure to go to Settings > Privacy > Phone Number. By default anyone who already has your phone number can see you use signal (used for contact discovery, this makes sense to me for all typical uses of Signal), and in a separate setting, contacts and groups can see your phone number. You will absolutely want to un-check that one if you follow my suggestion above.
There are some mitigations in place, yes, but Sealed Sender on a centralized platform is snake-oil as someone with server access can easily do a timing attack and discover who communicated with whom.
That a timing attack could be successful is not a given. It’s a possibility, yes, but there is very likely sufficient mixing happening to make that unrealistic or unreliable. An individual doesn’t create much traffic, and thousands are using the server constantly. Calling it a honeypot or claiming the phone number and device is are available is a stretch.
Timing attacks can work in tor when you are lucky enough to own both the entrance and exit node for an individual because very few people will be using both, and web traffic from an individual is relatively heavy and constant to allow for correlation.
A timing attack is extremely realistic when you control one of the end devices which is a common scenario if a person gets arrested or their device compromised. This way you can then identify who the contacts are and with the phone number you can easily get the real name and movement patterns.
This is like the ideal setup for law inforcement, and it is well documented that honeypot “encrypted” messengers have been set up for similar purposes before. Signal was probably not explicitly set up for that, but the FBI for sure has an internal informant that could run those timing attacts.
You are talking out of your ass. First, a timing attack requires numbers to correlate - reasonable numbers of people using a node or server and a LOT of packets going back and forth. Neither are true for a Signal server. Second, they don’t get the phone numbers if contacts are using only their username (with phone number sharing disabled). Your criticisms are over the top and not at all nuanced to the degree of protection of metadata that was built into signal. If it was as bad as you imply, a whole heck of a lot of the most respected security researchers would have to be complete idiots.
Lol, confidently saying stuff you obviously have no idea about and just believing Signal’s “trust me bro” nonsense. Have fun using that honeypot.
(Those “security researchers” you are referring to have no access to the Signal infrastructure and usually only look at the cryptographic algorithms used by Signal, which are indeed good and used by other systems as well these days).
I assume ease of use and spam prevention.
I think Signal tries to be at least somewhat attractive to the average person who wants more privacy than just using WhatsApp or whatever. Making it easy to message existing contacts helps a lot with adoption.
To prevent spam and to allow people who already know each other’s number to easily contact over signal. If you want an anonymous account use an online sms activation service paid with monero, personally I recommend smspool.net .
I think you can use a pay phone to sign up.
Session is what you want. But you have to directly shares each others public keys to connect
Haven’t seen anyone link this here so I’ll link it myself
dessalines.github.io/essays/why_not_signal.html
Some things are outdated, like how you had to give others your phone number (although it’s still necessary for signup) but most of these still hold up
Privacy: they know who you are but they don’t know what are you doing/when are you doing. Anonymity: they don’t know who you are.