A month ago I just bought a xiaomi tablet for my main work machine. Full android, with no google play / google play services, and it runs f-droid and all the apps fine. Haven’t missed any app on the google play store, or that require play services.

If google keeps on alienating people, people will move over to HarmonyOS, or a lot of the larger chinese companies making android devices will maintain their own AOSP fork, and google will be as irrelevant worldwide as apple is.

There’s a lot of dead accounts downvoting you BTW.

Even with full e2ee, they still have

• Your real identity (via phone numbers)
• The real identities of everyone you talk to
• Who you messaged, and when

With this its easy to build social networking graphs, and tag everyone implicated with a targeted account as an accomplice. Reading and trying to build meaning from the e2ee message content is almost less important than social graphs.

They went a whole year without publishing updates to repo a few years back, until there was a big community backlash over it. Also you have no guarantee that’s what they’re running other than: “just trust us”.

Matrix, SimpleX, Briar(not a huge fan of this one since its android only), XMPP (only if you have encryption addon).

shouldn’t we focus on making sure everyone can access Signal without issues?

I’d rather ppl not use US-based centralized services, hosted on amazon’s servers, and subject to national security letters.

There are far better self-hostable alternatives that aren’t hosted in burgerland.

Signal is secure, not fully private or anonymous.

Why do people think this secure vs private distinction is in any way meaningful. I don’t want a US service to have my phone number, or spy on me, and have social network graphs, period.

Why is the US government being able to spy on me considered “secure”?

even though the server is open source, it isn’t self hostable

Since its a centralized server that isn’t self hostable, you have no idea whats running on their server. Signal even went a whole year once without publishing any server back end code updates, until it raised a lot of hackles so they started adding to it again.

But the signal foundation is a non profit with external audits and a proven track record with law enforced requesting data and getting basically nothing (If i remember correctly they only have your user to phone number relation and the last time you were online)

You have no idea what they give to authorities: in fact with NSL’s, its illegal for them to tell you. Signal’s response to this is “just trust us”.

It’s a centralized, US-based service running on AWS, that’s not self-hostable, requires phone numbers, and you have no idea what code their server is running.

Whether the app you use for it is open source, is entirely irrelevant for them building social network graphs, considering they have your real identity via phone numbers.

If the answer is “I just trust them”, then you’re not doing security correctly.

Matrix, simpleX. Both have apps on f-droid, are federated, E2EE, and the servers are self-hostable anywhere in the world. Neither require phone numbers or identifiable info.

So just give up and use signal then?

You’re not going to convince me to use US-domiciled services.

Since I don’t use comms platforms they have jurisdiction over, I lessen the risk.

They store your phone number, and have to route all the messages you created to the other phone numbers / user IDs in their database. This means anyone with access to signal’s centralized database has social network graphs: who talked to who, and when.

If your threat model is “I just trust them”, then its not a good one.

Privacy advocates have been raising the alarms about signal forever, but like apple, their fanbase just feels the security “in their gut”, and think that because it has a shiny interface, it must be secure.

Signal is a US-based entity subject to warrantless NSLs, with all the data hosted on AWS. Its not giving your phone number to your mom. Its giving your phone number to amazon and most likely a US surveillance government agency.

For a threat model you should assume the worst and never trust any US-domiciled data service or platform.

No because I don’t think centralized services are a good idea for communications platforms.

Simple: I don’t use any US-based service due to NSLs

I especially don’t use any us-based service that asks for my phone number.

Hosted in the US on amazon servers, subject to national security letters.

All the signal fans here should give me your phone number if you think its a secure service. All of them are hosted on AWS btw.

Of the largest android sellers, only samsung requires gplay. Xiaomi, vivo, oppo, realme, honor, are all chinese companies that require non-bundled google play for their domestic (and maybe other countries?) releases. Google can’t alienate these sellers, and if they did, all of these companies would create their own AOSP fork (or just switch to HarmonyOS)

I recently bought a xiaomi android tablet that doesn’t have google play services luckily.

I do this, but just torrent music.

Even with a dumb phone, they have

• Your identity, IE real name and address.
• Location history
• Contacts (since you’re forced to use SMS)
• Message history in plain text

So I don’t doubt that they’re at least aggregating message history and selling data/trends about certain topics to advertisers and anyone who will buy it.

Plus if they know that your most contacted person is also texting/searching about certain things, they can safely sell that also and present ads to you based on their interests.

100% agree. Browsers don’t need to, and shouldn’t be reporting all Javascript attributes that make us unique, especially things like canvas.

You can test this out here, but nowadays its rare for any out of the box browser to be anonymous.

https://www.amiunique.org/fingerprint

“Authoritarianism” is usually just coded language to demonize anti-colonial countries. It’s almost never used to refer to the “civilized” capitalist metropoles like the US and Europe, who have done their best to strangle every country that dares to exist outside their orbit.

Which country? Plenty of countries have at least a nominal right to privacy, but it doesn’t end up meaning much when US companies own your country’s communications platforms.

Snowden doesn’t even think the NSA is evil:

The lesson of 2013 is not that the NSA is evil. It’s that the path is dangerous. The network path is something that we need to help users get across safely. Our job as technologists, our job as engineers, our job as anybody who cares about the internet in any way, who has any kind of personal or commercial involvement is literally to armor the user, to protect the user and to make it that they can get from one end of the path to the other safely without interference,” he told an auditorium filled with the world’s foremost computer and network engineers at a 2015 meeting of the Internet Engineering Task Force in Prague.

He reaffirmed his view a year later at Fusion’s 2016 Real Future Fair in Oakland, California. “If you want to build a better future, you’re going to have to do it yourself. Politics will take us only so far and if history is any guide, they are the least reliable means of achieving the effective change.… They’re not gonna jump up and protect your rights,” he said. “Technology works differently than law. Technology knows no jurisdiction.”

Snowden is a brave guy in some ways, but even in spite of his leaks, he’s remained a naive US-supremacist libertarian, who evangangelizes tech over political action, defends the OTF, silicon valley, and US-DoD funded crypto tools and privacy apps.

The lesson of 2013 is not that the NSA is evil. It’s that the path is dangerous. The network path is something that we need to help users get across safely. Our job as technologists, our job as engineers, our job as anybody who cares about the internet in any way, who has any kind of personal or commercial involvement is literally to armor the user, to protect the user and to make it that they can get from one end of the path to the other safely without interference,” he told an auditorium filled with the world’s foremost computer and network engineers at a 2015 meeting of the Internet Engineering Task Force in Prague. He reaffirmed his view a year later at Fusion’s 2016 Real Future Fair in Oakland, California. “If you want to build a better future, you’re going to have to do it yourself. Politics will take us only so far and if history is any guide, they are the least reliable means of achieving the effective change.… They’re not gonna jump up and protect your rights,” he said. “Technology works differently than law. Technology knows no jurisdiction.”

I do this too, keepassdx form filling works really well on android.

Same. It’s so hard to get ppl to switche

Matrix is also missing.

1. With a long enough passphrase, your keepass db is uncrackable by any current tech.
2. If you have 50 accounts using the same password, if any one of those websites get hacked, they now have access to every other account.

dev here, glad you like!

Not just lemmy, but every fediverse platform can and should be trying to do better than centralized social media when it comes to mentally harmful / addictive patterns in our apps. I’ve tried to do some things to minimize addiction, but there’s a lot more we could be doing.

If you were to rank the things about lemmy that are most addictive, what would they be? Then we can think of ways to minimize or subvert them, where feasible.

IMO infinite scrolling, seeing the same things over again, and wanting to check like your own content likes / dislikes, are the worst offenders.

And signal, considering its a centralized US company that has your phone number.

I’d really love an open-source WYSIWYG for android, but I’m stuck with obsidian currently.

Thx! Never knew about this one before.

Matrix, xmpp, simplex. Do not use Signal or any service with centralized servers hosted in a 5 eyes country.

Chinese company uses servers located in China. More news at 11.

Lemmy has nothing in its code that blocks VPNs. Unfortunately a lot of instances use cloudflare and other man-in-the-middle services that do block VPNs.

Syncthing, its a self-run dropbox. Apps for every platform.

Then you can use whatever editors on any device you like. Markor is a good open source one for android.

I don’t doubt it. Those NSLs would have returned zero information from Signal because, as Signal has repeatedly demonstrated, and I have repeatedly stated, they don’t have any information to share.

Part of the stipulation of NSL’s, is that its illegal to disclose that you’ve been issued one. You are gagged, and you can’t even criticize that gagging publicly, or you will face criminal charges. You can read more about that here: https://www.eff.org/issues/national-security-letters

Not my name, email, birthdate, nothing.

Your phone number is already linked to all that info. I, even as a private person, could type in your phone number right now and get all that information about you in seconds. So you can stop saying “my phone number doesn’t have that information”, because it 100% does. And signal stores it as their primary identifier.

Again, if you really believe what you’re saying, you’ll give me your phone number, and the phone numbers of your friends. If this is a secure identifier, that contains none of the information above, then why not? Put up or shut up.