Link to article from main Lemmy❤️ developer about Signal privacy. Mostly fair points. I kinda distrust so centralized services but basically we have no other options (Matrix is buggy in many aspects). What can you say about this article?

  • This is posted relatively often, and every time it is posted I feel compelled to note that said dev has not articulated any real reason to consider Signal insecure beyond an implicit conspiracy theory with no real meat to it.

    “Signal’s use luckily never caught on by the general public of China (or the Hong Kong Administrative region), whose government prefers autonomy, rather than letting US tech control its communication platforms, as most of the rest of the world naively allows.”

    When you’re holding up China as an example for the world to follow for privacy, I have a hard time taking ANYTHING else you’re claiming seriously.

    • I don’t agree with the Lemmy dev and won’t read his stuff, but I also stopped using Signal years ago. First they won’t allow third party appa or self hosted servers, then they got into Crypto and were building a wallet and currency, which is their right, then they announced a proprietary closed source part of their application that can’t be auditted in the name of fighting spam. Yes there’s a blog post out there about it that they themselves posted and no I can’t look it up atm. I’m personally tired of sacrificing privacy for the name of security so I left.

      I moved to Matrix and Element. I have my entire family on it, all nontech folks except me, and none of them have any issues. We use it for text and video constantly and have for years. It’s gotten very intuitive.

      To each their own, but Signal isn’t the bastion of free open source privacy anymore imo.

  • This same thing has been reposted here so much. So I am going to copy-paste my original response once again.

    Governments routinely fund the development of secure and open communication systems because they themselves benefit from having such communication tools which can be trusted. By the logic presented in this “essay”, one shouldn’t be using the internet at all. What you need to check is whether Signal’s technical claims about its encryption is true or not. There is nothing in this article that raises any question on Signal’s encryption. We already know how much data Signal has on its users through their responses to various legal subpoenas over the years (spoiler: its pretty much nothing).

    Here are some cool links for you to check out:
    https://signal.org/bigbrother/
    https://www.aclu.org/news/national-security/new-documents-reveal-government-effort-impose-secrecy-encryption

  • I’m just waiting for the EU’s Digital Markets Act (DMA), that requires interoperability between protocols (messenger, whatsapp, that apple thing, signal, matrix, etc., to kick in. Once that happens, I’ll take a closer look at matrix.

    Matrix is also being rewritten in Go and one day, they’ll hopefully support decentralised identities (aka your identity isn’t tied to a server). When both are implemented, I think they’ll be superior to many things out there.

    As to the article: yawn. Proof is lacking everywhere and the “it requires a telephone number” argument just keeps cropping up. Without a telephone number, what is the best way to discover your friends and family on a new network? If someone can respond with a viable alternative that doesn’t involve sending a message to everybody over some insecure medium, I’m all ears.

    •  mb_   ( @mb_@lemmy.ml ) 
      link
      fedilink
      2
      edit-2
      1 year ago

      As much as I love and follow matrix closely, I can’t fully trust developers who aren’t capable of deploying SSO in their product (look at dendrite mess). Unfortunately, following their SSO ticket chain was a mess and disappointment.

  • In January 2021, after WhatsApp, the most popular messaging app in the world, became acquired by Facebook, and announced its sharing of data with its new parent, Signal became the top downloaded app in > 70 countries.

    Errr…

    WhatsApp was acquired by meta back in 2014.

    2021 was when WhatsApp released updated terms of service that allowed them to connect to Facebook servers and share the data they needed/wanted to.

    This article seems like the average low effort hit piece against signal that keeps on popping up.

    I still think signal is the easiest messaging app out there for the average user to gain a little more privacy in their digital lives.

  • I think a lot of these points have been made better elsewhere.

    The extended discussion of hypothetical US interference just because of a tenuous chain of connection to the CIA is just typical US-badism. The US frequently funds tools which they think further geopolitical goals and this doesn’t inherently mean its untrustworthy, just that their methodology of control is more resilient to uncensored speech; the best example of this is TOR, decentralized, anonymous, and created by Naval Research and DARPA. The author can’t concede this point as it’d bring up they’re unsubtly simping for a different colonial power, one who does require such censorship.

    Signal’s centralized nature has always been a major criticism (and it’s reasonable), however as a trade off it’s easy to on-board the tech illiterate. It’s nontrivial to set up a Matrix server and I’ve seen the difficulty of migrating activist groups there. It’s good as a long term goal, but one also has to recognize that a person struggling with housing has different concerns and will prefer to use whatever their friends and family do.

  • I disagree with a lot of things in this message, a server will always know who communicates with whom and when, because it needs to deliver these messages.

    We know that Pegasus can infect any device without anyone really noticing and fully taking over. No message service could ever get around that meaning that as long as you use a phone you could always be the target of surveilance.

    That means there is an inheritated problem with privacy on phones because no matter what a app will never be safe.

    End to end encryption just ensures that there wont be a party constantly monitoring all data and enable mass surveilance.

    In theory they infected everyone with Pegasus send the traffic somewhere whwre they could analyze that traffic.

  • Many great answers in here but can someone address this point?

    Signal could very well be another Crypto AG-style honeypot: the Swiss company which provided secure communications services to ~120 governments throughout the 20th century, and was secretly ran by the CIA and West German Intelligence.

    • I think if we assume that we run on our devices code that is public we are safe (without additional built in things, backdoors). This code is checked many times so it is good. If you use Android you can use some forks of official Signal client (Molly, Signal-FOSS) and be safe 🙂

  • I personally recommend Session. Which is like signal but better. It is 100% zero user knowledge with no accounts emails or phone numbers. It just goes “here’s your ID have fun” and that’s it. Love it.

    • Sessions developers dropped Signal’s Perfect Forward Secrecy (PFS) and deniability [0] security features. Personally I would not trust a product that drops an end-user security feature for the sake of making the developer’s life easier [1] .

      Using existing long-term keypairs in place of the Signal protocol massively simplifies 1-1 messaging.

      For those unaware, PFS protects your data/messages from future exploits and breaches. With PFS, each message’s encryption is isolated, preventing compromise of current and past interactions [2].

      A simple example to illustrate why PFS is beneficial. Lets assume any 3 letter agency is collecting all Signal/Session messages - on top of the tons of data they’re already capturing. The great thing is that your messages are encrypted, they can’t see anything - YAY - but they’re storing them basically forever.

      Two ways they may be able to compromise your privacy and view ALL your messages:

      1. A flaw is discovered that allows them to crack/brute force the encryption in weeks instead of years/decades/eternity. If you were using Sessions, because you use the same key for every message, they now have access to everything you’ve ever said. If you were using Signal, they have access to that one message and need to spend considerable resources trying to crack every other message.

      2. Your phone is compromised and they take your encryption keys. If you were using Sessions, this again gives them access to your entire message history. If you were using Signal, because the keys are always rotating (known as ephemeral) they can only use them to unlock the most recent received messages.

      It’s important to state that both cases above only really matter if you delete your messages after a certain time. Otherwise, yes, all they have to do is take your phone and get access to your entire message history - which is why ephemeral messaging (i.e. auto deleting messages after a certain time) is crucial if you suspect you may be targeted.

      [0] https://getsession.org/blog/session-protocol-explained

      [1] https://getsession.org/blog/session-protocol-technical-information

      [2] https://www.signal.org/blog/advanced-ratcheting/

    • I believe even those threads touched many topics(listed below) it does not give you the whole overview so I highly recommend you guys to check out the article that OP mentioned. It is the most comprehensive article criticize Signal I was able to found but if you dig hard you may see some user specific problem on some forums. If we come to my opinion use matrix, run your server with and for your family and friends(I am aware the challenge of convincing them to use such “technically hard to understand” platform but you have to if you care their and your privacy; you have no idea how hard it was for me to convince my wife and teach her)

      Funding and Privacy: Some users contend that Signal’s financing sources, such as the Open Technology Fund (OTF), do not jeopardize the company’s privacy features. They point out that the OTF also supports a wide range of other privacy-related technologies, and claim that just because a project receives financing from one source does not imply that the initiative is compromised by that source.

      Trade-offs: Signal creates trade-offs that are understandable to the common individual. While some of these trade-offs, such as the necessity of a phone number, may be unappealing to privacy purists, they do make the app more accessible to a wider audience. Some users regard this accessibility as a plus, believing that the benefits of broad encryption exceed the possible privacy problems.

      Phone Number Requirement: Some customers are concerned about Signal’s demand for a phone number in order to utilize the service. They contend that this requirement might be used to monitor individuals or connect their identities across sites. Others claim that for most users, who use Signal to connect with people for whom they already have phone numbers, this isn’t an issue.

      Centralization and Jurisdiction: Concerns have been raised concerning Signal’s centralized design and its US jurisdiction. Some users believe that these considerations may jeopardize user privacy since the US government may hypothetically compel Signal to send over user data. Others, though, believe that Signal’s end-to-end encryption would restrict the use of any data transferred.

      Alternatives: Signal alternatives such as Matrix, Tox, and Jami are examined. These solutions, however, have drawbacks, such as a lack of usability or a smaller user base. Some users say that, while not ideal, these options provide more control and privacy than Signal.

      Government Surveillance: Some users say that while Signal is adequate for safeguarding against casual third-party inspection, it may not be the greatest alternative for people who need to protect themselves from government surveillance. They claim that, while Signal’s encryption is excellent, its centralization and jurisdiction in the United States might make it a target for government monitoring attempts.

      MobileCoin: The rollout of MobileCoin, a cryptocurrency integrated into Signal, was criticized for being poorly done and communicated. Some users felt that this integration was unnecessary and potentially harmful to Signal’s reputation as a privacy-focused app.

      Government: The idea that the US government hasn’t sought to restrict or obstruct Signal because it is happy with the quantity of information it can supply is debatable. Some people find this assertion unsatisfactory and think that further evidence is required. They argue that the absence of action by the US government against Signal might be due to other causes, such as a desire to promote the use of encryption.

      Lack of Federation: Signal’s lack of federation is a source of concern. Some users believe Matrix’s case for federation, which would allow multiple servers to speak with one another, is more compelling than Signal’s centralized model. They suggest that federation may provide greater resilience and control than a centralized arrangement.

      Hope this was helpful(I know you will continue with whatsapp)