Hacker News

So basically copying Telegram’s way. That being said, why does Signal still require a phone number in the first place? Exactly, because when needed, it will be used to be linked back to your real identity, it has nothing to do with spam or anything, Signal isn’t a social media with public posts and what not, it is a messaging app.


> why does Signal still require a phone number in the first place?

From https://signal.org/blog/signal-is-expensive/

> We use third-party services to send a registration code via SMS or voice call in order to verify that the person in possession of a given phone number actually intended to sign up for a Signal account. This is a critical step in helping to prevent spam accounts from signing up for the service and rendering it completely unusable—a non-trivial problem for any popular messaging app.

I'm not sure why you need to assume that it will be linked back to your real identity; I haven't seen anything that indicates any motivation to do something like that. I'm all for being cautious, but being overly cynical can lead to letting perfect be the enemy of the good.


For the spam part, I commented below on how that doesn’t work and it doesn’t even make sense for a messaging app.

> I'm not sure why you need to assume that it will be linked back to your real identity;

I’m not assuming, only North America (edit: and some European countries) doesn’t require an ID for a phone number (1), and even in here, you would use it in other services that are linked to your real ID like banks or paying the phone bill online. The concept simply boils down to as soon as you find an account’s phone number, it’s a game over for that said privacy.

(1) https://www.comparitech.com/blog/vpn-privacy/sim-card-regist...


> The concept simply boils down to as soon as you find an account’s phone number, it’s a game over for that said privacy

You completely misunderstand what kind of privacy Signal aims to achieve. Signal protects you from eavesdropping and data hoarding, two major privacy issues with solutions like Facebook Messenger for example.

They do not and have never claimed to offer a service where “privacy” means nobody knows who anyone is, it isn’t Tor and I wouldn’t want it to be.

If you don’t like the goals and design choices of Signal, just use another service.

There are benefits of the choices they’ve made, namely ensuring that most users of the service are “real people”, which I think is great. It’s not a social network, it’s a messaging app between friends that solves issues presented by alternatives like SMS or Instagram; that’s it.


> Signal protects you from eavesdropping and data hoarding

How on Earth can collecting a phone number be considered not data hoarding?


It's a lot less like data hoarding than keeping a separate copy of your social graph. What is an adversary going to do with a list of phone numbers that are known to have signal accounts and nothing else?


Hoarding =/= collecting the bare necessities. Signal needs one piece of data to distinguish users from each other, and collects that. Hoarding would be to collect (significantly) more pieces of identifying data, more than needed to distinguish users. Signal does not appear to be doing that.


Because they don’t know anything except the phone number so all they have is a list of phone numbers which maybe people use. Quite different from Facebook reading everything you send, for example


A list of phone numbers and a little money are easily exchanged for names and addresses on the black market in many countries.


And how do these black markets connect the phone numbers to names? I guess from data collected from more insecure sources. So I think Signal is being responsible with their data.

Also, you need some way to log in to your account. So you need an identifier and some way to validate that you are the owner of that identity. And next to that you want to prevent spam. So I think the choice to use a phone number as an identifier for a text-messaging app that is meant to be a secure replacement of SMS is not that weird.

But let's say they are data hoarding our phone numbers, and they can get other details about us through the black market because we use other more insecure services where we suddenly don't seem to care about privacy. Then what do you think Signal does with this data? They can't resell it because they don't have anything unique, they actually need to invest money to link their database of just phone numbers to something else. And then? What malicious things will they be able to do?


Ok, now you have a list of people's names and you know they have signal installed. Google and Apple also have this (presuming you installed it via a mobile app store). Your carrier has this (from the IP addresses on your messages).

What have you gained? What does the attack look like?


They either already store or would be able to log everything about who is sending messages to whom, and when.

That's the vast majority of what intelligence agencies actually care about. They rarely care about message contents anymore.



> On the opposite end of the spectrum, users who want to live on the edge can enable an optional setting that allows them to receive incoming “sealed sender” messages from non-contacts and people with whom they haven’t shared their profile or delivery token. This comes at the increased risk of abuse, but allows for every incoming message to be sent with “sealed sender,” without requiring any normal message traffic to first discover a profile key.

By default, the first message between someone and you clearly identifies who is communicating with whom. That's enough.


we know specifically that signal does not do this.


We assume they don't log this data.

We don't know whether an intelligence agency is listening in on their servers and logging this data.

Assuming an eavesdropper that can defeat TLS or is listening via DMA attacks on the signal servers,

- you can log initial signup or login, which allows you to connect user id and phone number

- you can log the first time a chat is created, which allows you to build a social graph of which person is connected to which other people

- even with sealed sender, you still know the identity of the receiver and the IP address of the sender, which is often enough to figure out who is in contact with whom

This would be enough dragnet surveillance to automatically figure out the contacts of people you've already identified as threats. You'd also have enough evidence to get a sealed court order to do targeted surveillance on these people.


Are you misunderstanding what data hoarding means on purpose or do you really think it’s equivalent to the business model of say Google or Meta?


Matrix and XMPP also provide privacy without requiring a phone number

(Or a phone, even)


That's a fact, and many people use XMPP and Matrix more because of that. We need to stop relying on phone number identifiers as described here: https://dessalines.github.io/essays/why_not_signal.html#phon...

The news today is a step in the right direction for sure, but more needs to be done if they want more privacy and anonymity-focused people to use it. This section on what makes a good messaging platform still resonates: https://dessalines.github.io/essays/why_not_signal.html#what...


> Signal protects you from eavesdropping and data hoarding

Do they?! We can ask Tucker Carlson about that https://www.reddit.com/r/signal/comments/16evuej/did_the_nsa...

As long as you can’t host and use your own server, you should never assume that.

> There are benefits of the choices they’ve made, namely ensuring that most users of the service are “real people”

You communicate with your colleagues and clients over emails and you know they are real, you probably play games too and use discord and you know they are real, meanwhile you can be talking to a bot on Twitter that is registered with a “real” phone number.


> Do they?! We can ask Tucker Carlson about that https://www.reddit.com/r/signal/comments/16evuej/did_the_nsa...

A lot of people in the comments have things to say about that video.

Personally, I wouldn't trust anything that comes out of Tucker's mouth.


Focus on the issue, not the person (Tucker), you might not trust a person which is fair, but you are still trusting Signal’s server, you can NEVER know if they have a memory injection backdoor running in there, you can audit the code as much as you want and it still passes, yet, the messages are compromised.


There are ways of getting messages without breaking Signal or using a backdoor. One of them is getting the messages from the other party(ies) involved. You can't protect yourself from this even if you self host. Something else that might happen is you ending up with your phone hacked because you're talking with someone close to Putin.

The only way to know for sure is for you to create an alternative service, write all code yourself, and host everything without ever leaving your server alone. And even then you can't be sure you haven't been hacked.

On a side note, if we're getting information from someone that lies a lot and often leaves out details that don't fit the narrative, then perhaps we should also look at the person, not just the issue.


> One of them is getting the messages from the other party(ies) involved. You can't protect yourself from this even if you self host.

You certainly can, the self destruction messages are one of the ways, sure, it is not the only solution as you need to make sure the OS is secure itself too, but definitely helps in that case, no messages stored at rest and all are encrypted in transit.

> Something else that might happen is you ending up with your phone hacked

Which is essential to have a messaging platform that allows multi-client/cross platform, say running that app on a hardened OS is an option and possible compared to only iOS with a phone number for example.

> write all code yourself, and host everything without ever leaving your server alone.

You don’t need to write it yourself, as long as you can read it, and host it knowing no other services are spying on that server, should be miles ahead of other apps like signal, sure, you can still have that server breached, but first you need to know where that server is, or even that you are using this messaging app in the first place, contrary to Signal for example, all I need is to check if you use it by the phone number. Not to mention it will make it harder for whoever is trying to spy on you, if most people ran their instances, but that’s a little bit more of a dream as the average person won’t, but at least the option should be provided.


Signal makes the app open source and you can build it yourself and use it. The messages are E2EE so we don't need to trust the server in the same way because they aren't being decrypted there. They can't have the key. They could be logging the messages and metadata, but that's a different argument. And it really would come down to the NSA being able to hack AES with a quantum encryption (though I don't think this was out at that time). So I have pretty good reason to trust signal despite there still being some gray areas that I could still want more light on. It's just that where the shadows are I'm unconvinced it could undermine the whole system. You can't fit an elephant in the shadow of a mouse.

On the other hand Tucker isn't even being consistent in his telling of the story. He says that he hasn't told anyone and makes a big deal to even mention his wife, so we think even his closest confidants. But then what message did he send over signal that was extracted? The personal notes? There's also much more reasonable pathways for the NSA to get that information. If he's researching and just storing notes on signal he's still leaving breadcrumbs somewhere. He's a popular news host so I'd be surprised if the NSA hasn't tried to compromise his whole phone, and signal only protects your messages in transit. The only evidence we have is his word that someone from the NSA told him. Which itself would be really weird because it'd completely undermine that capability or imo a more likely explanation is someone is lying. Gov does disinformation all the time and convincing people a secure channel isn't seems pretty useful since they'll turn to easier methods.

So I don't have to rely on my distrust of Tucker or his history of misinformation. If this was my only and first encounter there's more than enough for me to be suspicious in just his telling.


You lose anonymity. You do not lose privacy, which is still secured by the message encryption.


Neither Signal nor Telegram allow you to pay a small amount in cryptocurrency to prove you are not a spammer. This shows that they are really interested in knowing who their user is.


It's either that, or perhaps they're looking for a solution that works for 99% of people.


There are places where one's mobile phone is effectively one's identity. South Korea for example:

<https://www.nfcw.com/2022/10/20/379863/south-korea-to-roll-o...>


Sure, but that means that your phone number is linked to your identity even without Signal? There's no additional data that Signal links to it, other than that you're a Signal user and when you sent your last message.


Your previous question was "I'm not sure why you need to assume that it will be linked back to your real identity?"

If it's not possible to buy a phone without a strong attestation of identity, as is the general case in at least one country, then the identity relationship is baked in.

It's probably possible to buy a burner phone even in South Korea. But for those who are using their standard-issue phone with Signal, the problem most certainly exists.

And even in countries where there isn't some national phone-as-identifier policy, effectively most people's phone numbers tie them to their real-space identity even if there's no explicit personal data association[1], and in most cases, phone number, IMEI, AAID, and/or billing data (credit card payment authorisation) provide far greater assurance.

________________________________

Notes:

1. <https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymo...>

2. IMEI: <https://en.wikipedia.org/wiki/International_Mobile_Equipment...>, AAID: <https://support.google.com/authorizedbuyers/answer/3221407?h...> <https://noyb.eu/en/buy-phone-get-tracker-unauthorized-tracki...>


OK, yeah, I meant "I'm not sure why you need to assume that it will be linked back to your real identity by Signal?"


Fair enough, and I see where you're coming from.

Point remains that 33 bits will identify any given person among the 8 billion now living, and a phone number itself, plus ancillary leakage (activity patterns, location) are an exceptionally poor basis for an anonymous or pseudonymous identifier.


Definitely not a copy of Telegram. I'm not actually sure what the draw is with Telegram but given its origins I'll choose Signal over Telegram.

If you read the thread the linkage between a phone number and a Signal account cuts down on fake accounts significantly - which has nothing to do with "social media" but it does have a lot to do with SPAM as you've incorrectly stated. I understand why it's not ideal, but there are tradeoffs in both directions. It's unlikely that usernames are going to expose users more than they currently are if they're already using Signal. And it's also unlikely that this new feature changes much, but I welcome the ability to prevent users from associating my known number to my Signal account. In this way the security model has improved considerably.


Telegram has channels and groups that work in a weird but very useful way. That's mostly the draw for me, not really the private messaging. Though the UX is just amazing, even for private messages. Everything is just super neat and where you expect it to be. I'd still probably not use it if it wasn't for how channels work


Telegram's privacy is questionable but its UI is absolutely outstanding.


I know right? Telegram is one of my favourite iPhone apps, hands down, purely on the basis of the interface. It’s also incredibly performant, which means a lot considering I use a 6S model from 2015. In comparison, the last discord update became literally unusable, for performance reasons (it was so bad, I ended up deleting it).


Does Telegram still have a feature where you can see who nearby you is using Telegram? That to me is a reason alone to not install it.


This feature requires you to press the button that says “make myself visible” — and then it shares location. Like most apps, you can deny the location access at a system level and never worry about it.


It has been a long time since I've used Telegram but why else would I have had that enabled?


The interesting thing is that it does share your location when you open that screen even before you click that button. I don’t know why they did it, but it is definitely a shady thing.


> why does Signal still require a phone number in the first place?

Governments won't go on a crusade against Signal as long as they keep records of who is using their platform to commit crimes.

Signal won't commit to being an anonymous platform likely for that reason.


Yep, plus I (and many others) feel the US government is satisfied with the information that Signal provides to the government and it has to follow jurisdictions such as NSLs: https://dessalines.github.io/essays/why_not_signal.html#a-si...


It is a way to increase usability for casual users, decrease spam by requiring some other source of identity tied to real existence (emails are easier to generate than throwaway phone numbers).

It may decrease privacy philosophically, but it isn't nefarious.

If you want a private messaging platform with zero prerequisite identity, use Briar.


> It is a way to increase usability for casual users

You can keep it as an option.

> decrease spam by requiring some other source

Phone numbers have never been a good way to counter spam, just look at social media, you can buy phone numbers in bulk these days, not to mention spam might work in social media because there’s the concept of “public space” where everyone shares and talks, so it does make sense for some bad actors to spam or even trying to influence others, that’s not the case in a messaging app, because first I need to know your “unknown” username that I can’t see it elsewhere, and second, the efforts are worthy for such unsolicited message, which in case it was, you can get a burner to send it. The point is requiring a phone number to counter spam doesn’t work, and it doesn’t make sense either for messaging apps.

> If you want a private messaging platform with zero prerequisite identity, use Briar.

Well, personally I don’t use Signal, never will in its current state, but they always try to promote it as privacy messaging app while still relying on a broken system known as GSM.


A lot of spammers opt for media that does not require the effort of obtaining a phone number. It's the bike lock model: no bike lock is ever safe, but as long as your bike is parked next to bikes with a weaker lock, you have a pretty good chance of not having to walk home on foot.


> It may decrease privacy philosophically, but it isn't nefarious.

It doesn't decrease privacy. It decreases anonymity which is distinctly different.

> If you want a private messaging platform with zero prerequisite identity, use Briar.

Or Session which is a fork of Signal that runs its own network using standard PKI instead of a phone number for identities and a decentralised message delivery/onion routing system.


> It is a way to increase usability for casual users, decrease spam by requiring some other source of identity tied to real existence (emails are easier to generate than throwaway phone numbers).

You either end up discriminating against users who have to use VOIP for whatever reasons (and there are legitimate reasons) by blocking VOIP numbers, or your barrier to entry for spammers is almost negligible. It's not a good system.

If you want to prove that users are humans, use a webcam and an id, or delegate the task to some bigcorp who already has a similar system. If that's too much for you in terms of privacy, you shouldn't be attempting to prove that users are humans in the first place. Maybe you should prevent spam via product driven solutions, e.g. whitelisted contacts.


For the people who really don't want a phone number, make them pay via mobilecoin. Lets them raise money and prevent spam.


You can use burner voip numbers, it doesn’t need to be a gsm sim in your phone or tied to your identity in any way.


> it has nothing to do with spam or anything

What experience do you have to have gained this confident knowledge?


Would they be able to resist a secret court order?


Signal publishes their responses to court orders already: https://signal.org/bigbrother/.

Obviously doesn't include warrants they may have received where a gag order is in place, but you can see from the responses they do publish that they only store phone number, initial registration date, and last connection date.


They love to brag about the times when they were asked to hand over data and they had to tell the feds that they couldn't because that kind of data was never collected or stored in their systems in the first place. They still love to brag about it, but it's no longer true. They now collect and permanently store in the cloud exactly the kind of data that the police and feds were asking them to provide. Your name, your phone number, your username, your profile picture, and most importantly a list of everyone you have contacted with signal.

This is in direct opposition to the very first line of their privacy policy which lies when it states "Signal is designed to never collect or store any sensitive information." and they've refused for years now to correct that lie and update their policy to detail all the new data collection they're doing.


Do you have details on this? Given that usernames just came out, I don’t expect they’re storing many of them, but I’m interested in specifically a source for “a list of everyone you have contacted with signal”


This has been true for many years now. At the time it caused a major uproar among the userbase (myself included) whose concerns were almost entirely ignored. Their misleading communication at the time caused a lot of confusion, but if you didn't know that Signal was collecting this data that should tell you everything you need to know about how trustworthy they are.

Here's some reading from the time of the change:

https://community.signalusers.org/t/proper-secure-value-secu...

https://community.signalusers.org/t/dont-want-pin-dont-want-...

https://old.reddit.com/r/signal/comments/htmzrr/psa_disablin...

https://www.vice.com/en/article/pkyzek/signal-new-pin-featur...

Note that the "solution" of disabling pins mentioned at the end of that last article was later shown to not prevent the collection and storage of user data. It was just giving users a false sense of security. To this day there is no way to opt out of the data collection.

My personal feeling is that Signal is compromised and the fact that the very first sentence of their privacy policy is a lie and they refuse to update it to detail their new data collection is a big fat dead canary warning people to find a new solution for secured communication. Other very questionable Signal moves that make me wonder if it wasn't an effort to drive people away from the platform as loudly as they were allowed to include the killing off of one of the most popular features (the ability to get both secured messages and insecure SMS/MMS in the same app) and the introduction of weird crypto shit nobody was asking for.


I never used signal or wandered in their communities, but wow, thanks for sharing that!


I was a user and a fan. Spent years recommending Signal to others. People are pretty used to software turning to shit but it still sucks to have to reach out to tell people they should look for alternatives to the software I'd once recommended to them.

I swear if VLC ever turns evil I'm giving up on recommending software forever (in the meantime, check out VLC if you haven't already!).


> I was a user and a fan. Spent years recommending Signal to others.

I don’t blame you, I think it did start with a good promise initially, but I believe just like anything centralized that turns big, it will become evil.

> in the meantime, check out VLC if you haven't already!

The player? Or is that a new messaging app? For messaging I usually use Matrix/simpleX/Session.


The media player. It's probably the oldest application I use that's gotten nothing but better with time.


There's a big difference between "collecting and storing" and "collecting and storing an encrypted version of".

If there was such a hoo-hah and it was trivial to patch out, I expect we'd have a thriving patched fork up and running by now.


Sealed sender.


Even before they added all the data collection and cloud storage 'sealed sender' didn't do much to protect users.

"Even under the sealed sender, observers said, Signal will continue to map senders' IP addresses. That information, combined with recipient IDs and message times, means that Signal continues to leave a wake of potentially sensitive metadata. Still, by removing the "from" information from the outside of Signal messages, the service is incrementally raising the bar." (https://arstechnica.com/information-technology/2018/10/new-s...)

A couple years after that "incremental" improvement Signal started keeping everything forever in the cloud which means that today governments can get a signal user's information just by brute forcing a PIN


I do love that the two responses to this question are a confident assertion that they surely wouldn’t do that and yours posting evidence they do.


this seems to have stopped in 2021?


At this point that's entirely unclear. Because they're keeping your data in the cloud my guess is that the US government can easily access that data and any other government can get anyone's data as long as they can guess the person's PIN. You can find a discussion on the problems with their security here: https://community.signalusers.org/t/proper-secure-value-secu...



That was before they started collecting and storing sensitive data in the cloud.

See https://sgaxe.com/files/SGAxe.pdf for an attack that leaked Signal contacts.



An order to what? Hand over a random phone number?


As if you can't get a whole lot of information on most people with just their phone number. The number of people whose Signal ID is built off a burner phone and no longer traceable back to them is minuscule.


> As if you can't get a whole lot of information on most people with just their phone number. The number of people whose Signal ID is built off a burner phone and no longer traceable back to them is minuscule.

Yes, but what are you going to do with this information? All you know is how long they've been a signal user and when they last connected.


You correlate that with the chat logs you've secured from a phone that's been confiscated or subpoenaed.

The metadata itself is just as valuable as the content of the messages.

If you want to prove that criminal A was in correspondence with criminal B, that's how you do it.

As per this comment, they store much more than just the last connection time[1].

[1] https://news.ycombinator.com/item?id=39445791


If you got the physical device and the data on it (unencrypted), then what do you need the server for?


You're not thinking this through. You might have someone else's device with access to their signal chats, but need to confirm the identity of someone they're talking to. You might have been able to ID a person but only have had temporary access to the message data (eg undercover agents who sneak or are granted a look at someone else's Signal messages). You might have a Signal conversation with someone you suspect of crime, and want to establish correlation with their use of signal (by most-recently-accessed timestamps) and some other activity.


No tech professional is going to resist people with legalized force showing up at their door.


That’s why you design a system that doesn’t require such info in the first place, if you don’t have it, nothing to hand over.


That doesn't explain why it has nothing to do with spam.

If you know how to build an anonymous communication platform, that is convenient to use, and is also spam resistant/proof, you have the miracle platform idea.


And then when you're faced with potential criminal suits and/or the security state coming after you for "national security" reasons, you implement the tracking the government wants so you don't potentially go to trial and/or prison.


That's why Signal only stores your phone number (and when you last connected) - they know nothing about your real identity, so they can't link it back to you.


that already exists; IRC for one. But not particularly user-friendly for everyone (requires presence).



True, but edge case. Spine and fortitude are rare.


Telegram? Neither ICQ (1996), nor Skype (2003) required phone numbers. That's a later trend, part of general enshittification of internet.


How much spam did you get on ICQ? I remember getting a lot.


I don't remember getting spam, but I ditched it pretty early on in favor of Microsoft messenger (RIP).


Because the social graph sitting in people's phone address books isn't easily replicated, and using phone numbers is basically the only chance of overcoming the chicken-and-egg problem with network effect.



