Nowadays, a majority of apps require you to sign up with your email or, even worse, your phone number. If you have a phone number attached to your name, meaning you went to a cell service/phone provider, and you gave them your ID, then no matter what app you use, no matter how private it says it is, it is not private. There is NO exception to this. Your identity is instantly tied to that account.

Signal is not private. I recommend SimpleX or another peer-to-peer onion messaging app. They don’t require an email or phone number. So as long as you protect your IP, you are anonymous.

    • Dessalines@lemmy.ml
      4 days ago

      what information is provided to an entity about whom.

      “Content” and “Context”

      Why is only message text considered “information / content / context” here. Signal has your real name and address via phone numbers, and has every other real person you talked to, and when. Why is “message text” considered context, but social networking graphs aren’t?

      All these definitions are highly subjective, and the above one clearly considers social networking graphs to not be “content”. Basically they’ve re-defined privacy in a way that excludes highly sensitive information like everyone you talk to, and when.

  • Dessalines@lemmy.ml
    4 days ago

    This thread shows the success of Signal’s PR campaigns, and how a shiny app can get people to overlook all the privacy concerns. They’re just as successful as Apple at getting people to think that a US-based corporation hosted on Amazon’s servers and subject to national security letters, whose privacy model is “just trust us with your phone number”, is in any way secure.

    • Lunatique Princess@lemmy.mlOP
      4 days ago

      Precisely. That’s why it’s become so popular and recommended, and now these users are recommending it, furthering the amount of people that will have their data exposed. There was a leak, I believe in 2022, and on Signal a lot of customers had their phone numbers exposed. If their phone numbers are not stored, how did they get exposed? Clearly the answer is that they are stored.

  • spinning_disk_engineer@lemmy.ca
    4 days ago

    Signal allows you to speak confidentially, therefore it is private. It is not, by default, anonymous. Yes, this plus the centralized server mean that potentially dangerous metadata, like relationship maps, can be collected. All indications are this isn’t the case, but that’s not something you can count on.

    If you need anonymity, which you probably do at least a bit, use simplex. And yes, having more people using anonymous services like simplex is a good thing for the community as a whole. That said, I’m not going to try to convince all of my friends to use simplex. It’s just too far from the mainstream, missing too many features. Signal is a sufficient compromise for most people, and it’s sufficient for me for most purposes.

    • Dessalines@lemmy.ml
      4 days ago

      When this US service has your phone number (meaning your real name and address), then what is the point of making this distinction? Is them having my address private?

      No one should have this info, regardless of how every person differently defines “privacy” vs “anonymity”.

        • Dessalines@lemmy.ml
          4 days ago

          So it’s a “private” and “secure” US corporation that knows everyone I talk to and when? I’ve heard this one before.

          • Jerkface (any/all)@lemmy.ca
            4 days ago

            No, it’s a private and secure protocol (not corporation) thanks to end to end encryption. You can evaluate the protocol yourself with your own eyes, except clearly you cannot read, but modulo that.

            Newsflash, chuckles: your IP address IS NOT ANONYMOUS. Any private protocol you use without going through Tor, i2p, or some similar anonymizing network IS NOT ANONYMOUS.

            You’re attacking a strawman. Neither Signal nor anyone else has claimed the protocol or the service are anonymous. Which, yes, is something that every user should know before trusting it. They should understand what it means and what the consequences are. I’m honestly not sure you’re even there.

            • Dessalines@lemmy.ml
              4 days ago

              > thanks to end to end encryption. You can evaluate the protocol yourself with your own eyes, except clearly you cannot read, but modulo that.

              This means nothing when you have no idea what code the server is running, they even went a whole year without publishing their server code updates, until they got a lot of backlash over it. Real security doesn’t require a “just trust us” claim.

              Also, metadata is content. Even if they don’t have the message text, Signal still has the real identities of everyone you talked to, and when. With that you can build social network graphs, which are far easier to harvest and more useful anyway than trying to read through message content and determine meaning.

      • Evotech@lemmy.world
        4 days ago

        Just because you know where I live doesn’t mean you know what’s going on in my house

        See the difference?

        Words have meaning

        • Dessalines@lemmy.ml
          4 days ago

          > mean you know what’s going on in my house

          Signal knows the real identities of everyone you talk to, and when. Is that not “knowing what’s going on in your house?”

          • Evotech@lemmy.world
            4 days ago

            The post office knows where I live too. And who I send messages to. Doesn’t mean they read my mail.

  • irmadlad@lemmy.world
    5 days ago

    So, late to the party. Me Skuzi. This comment is more targeted towards your responses to user comments, but I would extend that to your entire thesis. So I decided to make an entirely new comment.

    Honest questions/comments to follow:

    Yes, the US govt can ‘compel’ an organization such as Signal to allow them to monitor/intercept encrypted messages. The government can even ‘compel’ a citizen to disclose their encryption key. The cost of non compliance varies from contempt of court to short term incarceration. United States v. Fricosu et al.

    However, Signal would only shrug and hand them metadata. Even Signal can’t decipher your messages. There are other services unrelated to Signal that operate thusly, such as VPNs, that absolutely do not keep logs and run in RAM only. Some of those VPNs have been raided and servers confiscated by multiple governments with nothing to show for their efforts. If I recall correctly mega.nz and other storage facilities operate along the same lines.

    As to the requirement for a phone number, yes they do require a phone number. However, unless they’ve changed something recently, you can use a free or paid for, burner phone number for verification. The caveat is that if you ever have to recover your account or future verification, you may or may not have access to that number if you used a free service. So, that might be a consideration.

    Also, some free services might not work while others will. If signing up for a paid account, burnerapp.com for instance, will allow you to sign up via their website, however you can’t use a VPN. WiFi can be acquired at any coffee shop. If you prefer more private methods of payment for these services, there are those that accept crypto.

    So, there are ‘options.’ You just might have to jump through a few hoops to get there.

    Secondly, Signal is open source, no? The whole shebang including the protocol is open source. Where might ‘they’ be putting the backdoor to intercept encrypted messages? I can tell you this, the day the world finds out that the US govt has successfully cracked strong encryption ciphers, is the day you are going to see a lot of movement on this planet. From billion dollar corporations, private entities, governments, and even ne’er-do-wells on Signal.

    I’m no ‘fanboy’, tho there is a lot to be a fan of. I’m not getting any kickbacks, compensation, or monetary advancements. If I need to be schooled, please do share.

    Signal does plan to add a paid for service as well as their free service.

    • corvus@lemmy.ml
      4 days ago

      > Signal would only shrug and hand them metadata

      So at the very least by using Signal the government can know everyone you communicated with, at what time and where. And still is considered a private messenger. Amazing.

      • irmadlad@lemmy.world
        4 days ago

        > As clients upgrade, messages will automatically be delivered using sealed sender whenever possible. Users can enable an optional status icon that will be displayed in the detailed information view for a message to indicate when this happens. These protocol changes are an incremental step, and we are continuing to work on improvements to Signal’s metadata resistance. In particular, additional resistance to traffic correlation via timing attacks and IP addresses are areas of ongoing development. https://signal.org/blog/sealed-sender

        In reading about the Sealed Sender protocol, as I understand, it redacts whom you’ve contacted. However, the metadata does include timestamps. I have no dog in this hunt as 99% of my messages are whispered into someone’s ear. Still, one must implicitly trust the receiver of such whispered messages. I honestly don’t care what app you use. Those choices are ultimately yours and yours alone and hopefully dependent on who you entrust with your data. This is just an interesting dissection of Signal and privacy/anonymity for the muse.

        In the end, we all trust some entity whether it be your ISP who has your bank account info and residential address and can tell when you’re downloading 150 gigs of Linux distros overnight even with a VPN, a bank with every last transaction you authorize, the time/date, or government to which we pay income taxes who has pretty much all the info they would need to show up at your doorstep. If your threat model precludes all the above, I would recommend whispering and disconnecting from society. I honestly do not see any other way.

      • irmadlad@lemmy.world
        5 days ago

        Well, I’m not trying to convince you of anything, however, you can convince me if you’d like. Do you have some substantiating evidence or documentation for such claims? I am aware of improvements to AES256 down through the years, and I am aware of side channel and timing attacks. Not to be discounted, but those are largely theoretical attacks. In addition, most modern computers have mitigated the possibilities of such attacks with hardware instructions for AES to protect against timing-related side-channel attacks.

        The NSA reviewed all the AES finalists, including Rijndael, and reported that all of them were secure enough for U.S. Government non-classified data. However, in June 2003, the U.S. Government announced that AES could be used to protect classified information. Now you could conspiriaze that in 2003, the govt played dumb and said that AES was good enough for classified information when they knew they could blow through it like weak toilet paper, but then again, we (America) are not the only country on the planet despite what some people think, and I am quite certain that other governments have made certain their encryption techniques are 99.999% secure for classified documentation and data.

        • hereforawhile@lemmy.ml
          5 days ago

          You make good points and I can’t provide any documentation. But the documentation won’t exist. It would be the closest guarded secret of all time. NSA only holds the upper hand if everyone thinks it’s secure. If the secret was out that they could crack it, no one would use it and the advantage is lost.

  • Matt@lemmy.ml
    4 days ago

    If Signal isn’t private, then why is it recommended over WhatsApp, Matrix and over SimpleX?

    • Lunatique Princess@lemmy.mlOP
      4 days ago

      Because it has become extremely popular, that’s just how it goes. At one point, even Telegram was recommended for being super secure or private, but the privacy is mild on Telegram at best.

      But by comparison to Instagram or Whatsapp, it’s how the gram looks like Privacy Central, so it was recommended. Now, Signal is replacing that role.

      Signal is more private than the sus apps like IG, Facebook, etc. Yes. But only because those apps are so bad.

    • Dessalines@lemmy.ml
      4 days ago

      No one should be recommending Signal over Matrix and SimpleX. It’s probably more secure than WhatsApp, but both have social network graphs of everyone you talked to, and when.

  • hereforawhile@lemmy.ml
    5 days ago

    People don’t realize that you may as well hand over your social security number when you pass out your phone number.

  • airikr@lemmy.ml
    5 days ago

    Thank you! Finally someone that also sees Signal as privacy-invading!

  • Zerush@lemmy.ml
    4 days ago

    2FA is an important security layer. If the service, after sending you the activating SMS with the code, deletes your number (normal in serious services), it’s also not a privacy problem. In big US corporations, on the other hand, it is, e.g. Google stores your number and also probably shares it; there, 2FA is not an option. Instead of a number, some services also admit alternatively a second e-mail account to receive the activation code; there, if you have doubts, you can use a disposable mail, so there isn’t any privacy problem.

    • Lunatique Princess@lemmy.mlOP
      4 days ago

      2FA helps with security concerns, not privacy concerns. They still would have your number. Also about Google, they have one of the widest spread and utilized 2FA authentication applications out there.

  • utopiah@lemmy.ml
    5 days ago

    Started to write a long paragraph to explain the difference between privacy and anonymity but I now believe this new user is (no idea why) collecting engagement via rage bait. I won’t participate in their posts anymore.

    It might even come from a good place, namely trying to always do “better” and be “more private”, but in practice it just leads to confusion.

  • dragospirvu75@lemmy.ml
    5 days ago

    Yes, phone number should be optional for easy contact discovery, not mandatory. As Threema. You have to provide your ID when buying a sim card.

    • Dessalines@lemmy.ml
      5 days ago

      Not only that, but self-hosting should be an option. It isn’t with Signal, which is based and hosted in the US, on Amazon servers, and subject to national security letters.

  • monovergent@lemmy.ml
    4 days ago

    I’m ready to be called milquetoast, and while I see where this comes from, it comes off idealistic if we are to communicate with people in the present day in any practical way. Do not forget how much of an improvement it already is over the likes of proprietary messaging apps and how much effort it already is to move people to Signal. It is surprisingly difficult for common folk to grasp the concept of anything but a phone number when it comes to messaging apps.