• 6 Posts
  • 184 Comments
Joined 7Y ago
Cake day: Apr 17, 2019


If he says anything even slightly negative about NYC’s police force, I could see him getting Huey Long’d pretty quickly.


I’m betting on absolutely nothing happening to the NYC prison camp complex, especially rikers island.


Signal’s server is open-source

Prove it, give me ssh access to their centralized server so I can verify that they’re running the code they’ve published. Otherwise this is a “just trust me” claim.

Also, I don’t think Signal can get your name without a government to look it up.

There are 10 websites that publicly publish phone number and identity info, right now. Not even a government, but a random stranger can convert your phone number to your real identity.


what information is provided to an entity about whom.

“Content” and “Context”

Why is only message text considered “information / content / context” here? Signal has your real name and address via phone numbers, and has every other real person you talked to, and when. Why is “message text” considered context, but social networking graphs aren’t?

All these definitions are highly subjective, and the above one clearly considers social networking graphs to not be “content”. Basically they’ve re-defined privacy in a way that excludes highly sensitive information like everyone you talk to, and when.


thanks to end to end encryption. You can evaluate the protocol yourself with your own eyes, except clearly you cannot read, but modulo that.

This means nothing when you have no idea what code the server is running, they even went a whole year without publishing their server code updates, until they got a lot of backlash over it. Real security doesn’t require a “just trust us” claim.

Also, metadata is content. Even if they don’t have the message text, Signal still has the real identities of everyone you talked to, and when. With that you can build social network graphs, which are far easier to harvest and more useful anyway than trying to read through message content and determine meaning.


Signal is not open source, it’s a centralized US service, and you have no idea what their server is running. They even went a full year without publishing server code updates at one point, until it caused enough of a backlash that they started doing it again. But publishing that is no guarantee of anything, because you have no access to their server.

mathematically impossible for Signal to gain access to your sensitive information (except for your phone number, obviously).

A phone number in most countries, including the US, means your real name and address.


No one should be recommending signal over matrix and simplex. It’s probably more secure than whatsapp, but both have social network graphs of everyone you talked to, and when.


mean you know what’s going on in my house

Signal knows the real identities of everyone you talk to, and when. Is that not “knowing what’s going on in your house?”


So it’s a “private” and “secure” US corporation that knows everyone I talk to and when? I’ve heard this one before.


I don’t consider it “private”, if you were to know the real identities of everyone I was talking to, and when I talked to them. I’m not telling any US corporation like signal that especially.


This thread shows the success of Signal’s PR campaigns, and how a shiny app can get people to overlook all the privacy concerns. They’re just as successful as Apple at getting people to think that a US-based corporation hosted on Amazon’s servers and subject to national security letters, whose privacy model is “just trust us with your phone number”, is in any way secure.


He does not know what I do, other than observe that I ride a John Deere around in the fields and corn comes up shortly thereafter. Riding a John Deere in a field is observable by all public passers by.

So because he knows only a limited amount, that’s the distinction between private and anonymous?

Signal is not your neighbor. Signal’s DB stores phone numbers and knows who you are, and who you talked to, and when. Are the people you talk to considered “public”, to a US-based corporation?


How is someone having your real identity, and address, “private” ? This distinction is pointless.


When this US service has your phone number (meaning your real name and address), then what is the point of making this distinction? Is them having my address private?

No one should have this info, regardless of how every person differently defines “privacy” vs “anonymity”.


stores hashed phone numbers and first access / last access times and nothing else.

Even if this weren’t false (otherwise they wouldn’t be able to connect to your existing contacts), that’s a “just trust us” claim. You give them your phone number, you should assume they have it and not “trust them” to hash it like it’s a password.

And the client does store these things, but also lets users delete messages and contacts. Your message deletions can propagate as well.

Not that it’s that important, but it’s yet another “just trust us” claim.


Not only that, but self-hosting should be an option. It isn’t with Signal, which is based and hosted in the US, on Amazon servers, and subject to national security letters.


Everyone you talk to and when you talked to them, with their real identities via phone numbers. Because signal is hosted in the US and subject to national security letters, you should assume the worst.


A month ago I just bought a xiaomi tablet for my main work machine. Full android, with no google play / google play services, and it runs f-droid and all the apps fine. Haven’t missed any app on the google play store, or that require play services.

If google keeps on alienating people, people will move over to HarmonyOS, or a lot of the larger chinese companies making android devices will maintain their own AOSP fork, and google will be as irrelevant worldwide as apple is.



Even with full e2ee, they still have

  • Your real identity (via phone numbers)
  • The real identities of everyone you talk to
  • Who you messaged, and when

With this it’s easy to build social networking graphs, and tag everyone implicated with a targeted account as an accomplice. Reading and trying to build meaning from the e2ee message content is almost less important than social graphs.


They went a whole year without publishing updates to repo a few years back, until there was a big community backlash over it. Also you have no guarantee that’s what they’re running other than: “just trust us”.


Matrix, SimpleX, Briar (not a huge fan of this one since it’s Android only), XMPP (only if you have encryption addon).


shouldn’t we focus on making sure everyone can access Signal without issues?

I’d rather ppl not use US-based centralized services, hosted on amazon’s servers, and subject to national security letters.

There are far better self-hostable alternatives that aren’t hosted in burgerland.


Signal is secure, not fully private or anonymous.

Why do people think this secure vs private distinction is in any way meaningful? I don’t want a US service to have my phone number, or spy on me, and have social network graphs, period.

Why is the US government being able to spy on me considered “secure”?


even though the server is open source, it isn’t self hostable

Since it’s a centralized server that isn’t self hostable, you have no idea what’s running on their server. Signal even went a whole year once without publishing any server back end code updates, until it raised a lot of hackles so they started adding to it again.

But the signal foundation is a non profit with external audits and a proven track record with law enforcement requesting data and getting basically nothing (If I remember correctly they only have your user to phone number relation and the last time you were online)

You have no idea what they give to authorities: in fact with NSLs, it’s illegal for them to tell you. Signal’s response to this is “just trust us”.


It’s a centralized, US-based service running on AWS, that’s not self-hostable, requires phone numbers, and you have no idea what code their server is running.

Whether the app you use for it is open source, is entirely irrelevant for them building social network graphs, considering they have your real identity via phone numbers.

If the answer is “I just trust them”, then you’re not doing security correctly.


Matrix, simpleX. Both have apps on f-droid, are federated, E2EE, and the servers are self-hostable anywhere in the world. Neither require phone numbers or identifiable info.


So just give up and use signal then?

You’re not going to convince me to use US-domiciled services.


Since I don’t use comms platforms they have jurisdiction over, I lessen the risk.


They store your phone number, and have to route all the messages you created to the other phone numbers / user IDs in their database. This means anyone with access to signal’s centralized database has social network graphs: who talked to who, and when.

If your threat model is “I just trust them”, then it’s not a good one.

Privacy advocates have been raising the alarms about signal forever, but like apple, their fanbase just feels the security “in their gut”, and think that because it has a shiny interface, it must be secure.


Signal is a US-based entity subject to warrantless NSLs, with all the data hosted on AWS. It’s not giving your phone number to your mom. It’s giving your phone number to Amazon and most likely a US surveillance government agency.

For a threat model you should assume the worst and never trust any US-domiciled data service or platform.


No because I don’t think centralized services are a good idea for communications platforms.


Simple: I don’t use any US-based service due to NSLs

I especially don’t use any US-based service that asks for my phone number.


Hosted in the US on amazon servers, subject to national security letters.


All the signal fans here should give me your phone number if you think it’s a secure service. All of them are hosted on AWS btw.


Of the largest android sellers, only samsung requires gplay. Xiaomi, vivo, oppo, realme, honor, are all chinese companies that require non-bundled google play for their domestic (and maybe other countries?) releases. Google can’t alienate these sellers, and if they did, all of these companies would create their own AOSP fork (or just switch to HarmonyOS)

I recently bought a xiaomi android tablet that doesn’t have google play services luckily.


I do this, but just torrent music.


Even with a dumb phone, they have

  • Your identity, IE real name and address.
  • Location history
  • Contacts (since you’re forced to use SMS)
  • Message history in plain text

So I don’t doubt that they’re at least aggregating message history and selling data/trends about certain topics to advertisers and anyone who will buy it.

Plus if they know that your most contacted person is also texting/searching about certain things, they can safely sell that also and present ads to you based on their interests.


100% agree. Browsers don’t need to, and shouldn’t be reporting all Javascript attributes that make us unique, especially things like canvas.

You can test this out here, but nowadays it’s rare for any out of the box browser to be anonymous.

https://www.amiunique.org/fingerprint


“Authoritarianism” is usually just coded language to demonize anti-colonial countries. It’s almost never used to refer to the “civilized” capitalist metropoles like the US and Europe, who have done their best to strangle every country that dares to exist outside their orbit.


Question for those knowledgeable about alternative web protocols (gopher, gemini, etc): Would it be

We all know how awful most modern websites are in terms of bloat, javascript and tracking. Not only that, but designing and maintaining web-browsers has become such a gigantic undertaking (almost the size of an operating system), that only a few companies have the resources to do it (google and mozilla, and mozilla might not hold on for much longer).

These alternative protocols offer a minimal set of features, and are trying to get back to what the web should've been: static content with images, text, and links, with local applications filling the void for anything more complicated than that.

Let's say I wanted a privacy-friendly way to view a page on a news site. I could:

  • Copy the URL of the page
  • Open some tool (or website, anything), paste that url.
  • It converts the content in the url to the necessary privacy-friendly alternative format, and I can view it with my gopher/gemini browser (or even maybe a markdown viewer).

I know there are a few html -> markdown converters that can do the last step. Does anyone know if this would work?





Reddit just added a default on “presence” indicator. You have to go into settings to turn it off.
[thread on /r/privacy](https://www.reddit.com/r/privacy/comments/lx1s8y/reddit_now_shows_if_you_are_online_by_default/)