this post was submitted on 09 Jan 2025
I wrote a longer one here: https://dessalines.github.io/essays/why_not_signal.html
The short version is that it's a centralized, US-hosted service. All of those are subject to National Security Letters, and so are inherently compromised. Even if we accept that the message content is secure, then Signal's reliance on phone numbers (and in the US, a phone number is connected to your real identity and even current address) means that the US government has social connection graphs: everyone who uses Signal, who they talk to, and when.
Man I don't even have the time to break down all these very clearly wrong insinuations. There's no reason to believe Signal collects metadata, and every reason to believe they don't. They've been served subpoenas and they shared them, as well as their responses, publicly, and the only thing they included was when the last time the user connected to their server.
Edit: tl;dr this person believes that Signal is inherently insecure because they use servers and require a phone number, despite the fact that there is zero information connected to your phone number.
Security cannot be based on trust. Period. If an actor is in a position to collect data then it must be assumed that they do so. You either do not understand the subject you're opining on, or you're intentionally spreading misinformation here.
It is not based on trust. It's called "zero knowledge encryption" for a reason. You don't have to trust them, because you give them nothing to trust them with.
Except that it is based on trust because you have to use your phone number to create the account, and you have to trust the company operating the server in regard to how that information is used. What part of this are you struggling to understand specifically?
What part of "there is zero data associated with your phone number" are you struggling to understand, specifically?
The part that this is a false statement that you keep repeating. The phone number is associated with your account, that's why it's required to make the account.
The phone number is not associated with your account, it IS your account. In order for there to be metadata, there would have to be other data associated with it, which we've already established that there is not.
Your phone number is an identifying piece of information about the person who is sending and receiving messages. That's what metadata is. The content of the message is the data, the identifying information is metadata. Maybe spend a bit of time actually learning about the subject instead of trolling here.
@yogthos @Ulrich It is also beside the point because whether he wants to call it metadata or not, Signal still has that information.
Signal might well share every subpoena they can. However, NSLs can come with gag orders. Even if they wanted to tell you what was going on, they couldn't.
Do you think if they were giving away extra information in NSLs and withholding that information in public subpoenas that no one would ask questions or hold them accountable for that?
Exactly, what we call this information is entirely beside the point. What matters is that it's being collected, and nobody outside the people operating the server knows how this information is used. If somebody says they trust Whisper and make a conscious choice to share that information with the company that's perfectly fine. However, telling people that the problem doesn't exist is dangerously dishonest.
It's not. And I'm tired of repeating myself.
Once again, no one has access to the content of the messages. Ergo, there is no metadata. Maybe spend a bit of time actually learning about the subject instead of trolling here.
For like 99.9% of people, it definitely is.
What is what?
Yes, you continue repeating a demonstrably false statement. A very astute observation on your part.
Once again, nobody is talking about content of the messages. What's being said is that the identifying information about people sending and receiving messages is available to the server routing them. The fact that you continue ignoring this basic fact clearly shows that you're the one who's doing the trolling.
Trolling or ignorant. Or a secret third thing.
JWZ has had to go through the same kinds of circular conversations.
Neither. I explained my/our rationale above. Your disinformation is making people unsafe.
Signal does not leak your phone number to anyone. You/they are just ignorant as to how the service works. Signal will notify you if someone YOU HAVE IN YOUR CONTACTS joins the network. It will not give you any of their personal information. Their ID will show up as whatever is already in your contacts.
How much personal information Signal does or does not reveal to other Signal users is not relevant to this conversation.
Then why did you bring it into the conversation?
I didn’t.
This conversation is about the US security state. It’s about the CIA, NSA, FBI, etc.
LOL you did. The title of the link you shared is "signal leaks your phone number to everyone in your contacts".
I didn’t say that. You must be confusing me with someone else in this thread. But since you brought it up: https://www.jwz.org/blog/2017/03/signal-leaks-your-phone-number-to-everyone-in-your-contacts/
But I’m more concerned about the security state angle.
Edit to add: I see, yes, one of the links I posted did say that, which I highlighted above. But again I’m more interested in the fact that Signal is a product of Radio Free Asia, which is a US security state outfit. https://english.almayadeen.net/articles/analysis/signal-facing-collapse-after-cia-cuts-funding
....who are you trying to fool? It's there for everyone to see...?
As I already stated, this is incorrect. It's not how it works. And after publishing such obviously incorrect information, I wouldn't trust anything they said.
If you’re going to continue denying our lived experiences with Signal, why should we allow you to continue commenting on our Lemmy instance?
Okay, so you are saying that now...? I honestly don't know how you expect anyone to take you seriously at this point.
I'm not denying your experience, I'm denying your interpretation of your experience. You don't get a special version of the app that's different from ours. They all work the same.
As I explained above, what you may have interpreted as Signal sharing your contact info was actually just Signal notifying all of the people that already have your contact information that you joined the service, using the information those people already have...
Given that I deleted Signal years ago now, I don’t much care about this phone number sharing/not sharing aspect.
But in case anyone does care, Moxie responded to jwz’s concerns in that ancient post: https://www.jwz.org/blog/2017/03/signal-leaks-your-phone-number-to-everyone-in-your-contacts/#comment-172865
If you don't care then stop arguing about it. Personally, I care very much about people spreading disinformation.
Yeah sorry: my bringing up JWZ as an example of past circular arguments I’ve come across devolved into a whole tangent thread I never meant to have.
I find it fascinating that these people show up in every thread about Signal, and they just spam the same nonsense.
I like to think that it’s usually just because they’re socially invested in it.
It does very much feel like a cult.
Okay, you've sufficiently demonstrated not only that you don't know what you're talking about but also that you have no evidence to back it up and your only recourse is repetition and personal insults so I'm gonna call it a night.
The only one making claims without evidence here is you bud. What I said is that Signal requires users to submit their phone numbers, and that only people operating the server know how that information is handled. These are objective facts.
You made a baseless claim that Signal does not retain the phone numbers or use them to build graphs of users. This is a claim that cannot be proven, and you keep repeating it as fact. Either you are clueless or you're intentionally spreading misinformation.
So you've run out of personal insults and repetition and are just moving on to blatant lies now...
What lies are you referring to, please be specific.
Building on this, I'd be curious to hear your thoughts on GrapheneOS as a whole. The OS recently bundled a new app "store"/repository, "Accrescent", along with the usual basic apps like a calculator & camera. On Accrescent, the hardened fork of Signal, Molly, is offered on there. I've also heard one of the Graphene devs has voiced some chuddy politics.
I've still installed & use Molly to chat with my closest friends who I was able to get off of big tech platforms previously used for our group chats, but I have been aware of the RFA/Signal connection for several years (your blog post really ties it together) & I do try to remind these friends about it. Really we just use Signal to shitpost and organize hangouts, so I'm not yet locking myself in a bunker over using it for those purposes, but all this has got me considering building a server & hosting a different secure chat service on it.
I learned about possible Unit 8200 connections with the Matrix protocol within the past year or two, but don't recall exactly what that entails. I haven't heard much about Briar, but it being Android only would make it a harder sell for getting people to switch over to it, so I suppose that leaves SimpleX to proselytize.
I don't know enough about GrapheneOS to comment on it.
Any Signal app forks still have to use Signal's main servers, so they still got your phone number and identity.
Matrix was originally funded by an Israeli company until it spun off, but unlike Signal, it's entirely open source, self-hostable, and can be run in a private manner. Phone numbers and identifiers are not required, so even if you connect to a malicious server, the most they get is your Matrix ID, and things you've explicitly leaked about your identity.
The most we could say is that specific servers are compromised, but it's also possible to host it outside a Five Eyes country, unlike Signal.
Cheers, helpful stuff & thank you for developing Lemmy!
You are literally incorrect.
You have provided literally nothing to back up your assertion.
Signal does not know who talks to whom. It's kind of the main thing about the double ratchet.
Unless you compiled the app yourself from source code that you understand, you don’t really know what the app might be saying to Signal’s servers. Almost everyone just trusts that the pre-compiled app supplied by Apple or Google isn’t compromised. But we know from history that Big Tech and the military-intelligence-industrial complex are in bed with each other.
Okay. You tell me what the double ratchet is, since you're so smart.
The double ratchet algo is irrelevant if the app is doing something else altogether.
Compiling the app is irrelevant if I don't read the source.
That's nonsense, because many different people read the source and audit open source software. While it's certainly possible to sneak malicious code in, the trust doesn't depend on each single individual auditing it. It's a collective effort.