Nowadays, a majority of apps require you to sign up with your email or even worse your phone number. If you have a phone number attached to your name, meaning you went to a cell service/phone provider, and you gave them your ID, then no matter what app you use, no matter how private it says it is, it is not private. There is NO exception to this. Your identity is instantly tied to that account.
Signal is not private. I recommend Simplex or another peer to peer onion messaging app. They don’t require email or phone number. So as long as you protect your IP you are anonymous
Signal allows you to speak confidentially, therefore it is private. It is not, by default, anonymous. Yes, this plus the centralized server mean that potentially dangerous metadata, like relationship maps, can be collected. All indications are this isn’t the case, but that’s not something you can count on.
If you need anonymity, which you probably do at least a bit, use simplex. And yes, having more people using anonymous services like simplex is a good thing for the community as a whole. That said, I’m not going to try to convince all of my friends to use simplex. It’s just too far from the mainstream, missing too many features. Signal is a sufficient compromise for most people, and it’s sufficient for me for most purposes.
Here, go argue with this guy for a few weeks, and give us a break for a while.
what information is provided to an entity about whom.
“Content” and “Context”
Why is only message text considered “information / content / context” here. Signal has your real name and address via phone numbers, and has every other real person you talked to, and when. Why is “message text” considered context, but social networking graphs aren’t?
All these definitions are highly subjective, and the above one clearly considers social networking graphs to not be “content”. Basically they’ve re-defined privacy in a way that excludes highly sensitive information like everyone you talk to, and when.
You can use whatever app you like, but I think this adds confusion.
Signal is private because no one can see your messages except the people you are messaging. The government can’t, Signal themselves can’t.
Signal is not anonymous only in the sense that the government can check if you use Signal. That’s it. They can tell if you use Signal. They can’t link messages to your number in any way through data requests, etc.
Not forcing anyone to use Signal, but if you choose to, you can know it is private.
(So this post is confusing privacy with anonimity basically)
Anonymity is a very big part of privacy and always has been. That is why you don’t write your name on your voting ballot.
They are conceptually quite different.
People use both the terms interchangeably, but they are not the same thing.
Voting ballots are anonymous because you didn’t write you name on them (and they can’t be linked back to you hopefully), but they are not private because you have no control over how the data is used (once you submit a balot you have zero control over what happens to it next).
I’m not finding any definitions of “privacy” that suggest the term refers to control of something. Regardless of whether that something is within or outside of your reach.
From the page you linked:
noun Secrecy; concealment of what is said or done.
Signal conceals what you say.
In a data sense specifically, I believe privacy refers to your data being hidden from unwanted eyes (aka you have control over who can see your data).
Which is also what you do when you vote. You control who has your identifying information and who has the information on how you voted. Which I guess is still different from Signal if we are still talking about that. Since you cannot control who has your identifying information.
Its not private nor is it anonymous.
Try looking up “privacy vs anonimity” (or a similar search query). You may find that your post is talking about anonimity, not privacy.
Signal is private.
God damn. If you attach your phone number to it. It is not private in most users cases the identity it tied to the phone number. Signal knows the phone numbers and you better understand that they will reveal them if ever requested.
Did you look it up?
Yes, as I said, the government can tell if you use Signal or not by asking Signal (by providing Signal a phone number and asking if they have a record of it).
It’s not anonymous in that sense, but it is still private because your messages cannot be revealed by such data requests.
Removed by mod
No you all are SIMPs for signal. You all are promoting it like you work for them. All because you’re too stupid (lack of having information) to understand they are a bad choice for privacy
How are you still unable to differenciate privacy and anonimity.
And you are calling us stupid for using Signal…
Seriously, use whatever you are comfortable with, but don’t spread misinformation and panic.
Yep we’re all out to get you. We have meetings and everything. We have a pot luck on Sunday, and you cannot come.
You keep saying this. But you never offer any proof. Everyone keeps telling you why there is a distinction but you keep conflating the two, and here you are flat out bullshitting. It is in fact private.
What is your point? I am beginning to think YOU are propaganda. Or an idiot.
Signal is private, what you should differentiate is being anonymous or not. Using your usual phone number is NOT Anonymous but is PRIVATE, as in the content of your messages being only available to you and the person you’re talking to
The way you get a phone number depends on you too, so you can be very much be Anonymous even if signal requires a phone number.
the phone number drives me nut since mine changes every few months; everyone i know has my voip number that gets everything forwarded to each new number.
You are very naive if you think that a company located un the US can provide an encrypted messaging service that can be used by anyone including terrorists, druglords and US enemies without the government being able to access the messages. Lavabit was a famous case and had to shutdown because its founder rejected to comply with an order from the US government to grant access to information. If you are using centralized communication service located in the US forget about privacy.
”Lavabit is believed to be the first technology firm that has chosen to suspend or shut down its operation rather than comply with an order from the United States government to reveal information or grant access to information.[3] Silent Circle, an encrypted email, mobile video and voice service provider, followed the example of Lavabit by discontinuing its encrypted email services.[25] Citing the impossibility of being able to maintain the confidentiality of its customers’ emails should it be served with government orders, Silent Circle permanently erased the encryption keys that allowed access to emails stored or transmitted by its service.[26]"
“Levison (founder) explained he was under a gag order and that he was legally unable to explain to the public why he ended the service.[21]”
Since when is encryption dependent on the service’s jurisdiction? When Signal has got subpoenaed it has always been incapable of providing data that involves the content of the conversation https://signal.org/bigbrother/
The app is also open source with reproducible builds (and you can use Molly instead, if you prefer) and when the clients of an end-to-end encrypted system are sound, that is all that matters to secure the content of the communication.
Audits are also performed as listed here https://community.signalusers.org/t/overview-of-third-party-security-audits/13243I don’t understand where this doomerism comes from tbh, (online) privacy will cease to exist when either maths does or it becomes globally illegal to use encryption and the government’s intrusion is really so pervasive that they constantly know what you’re doing. Luckily we don’t yet live in that world, though the pressure is real and we are the first that have to fight for this basic human right
Email is a very different thing.
You can’t protect against emails being received in plain text.
Don’t know the technicalities of the specific case you are referencing, but I know that if the government wants to they can middleman any received email before the provider can encrypt it for storage on their servers (by forcing the provider to let them).
On the other hand, if you use an end to end encrypted chat app, you can’t middleman any messages from the providers side by force because the messages are always encrypted on the users device before being sent.
I don’t know about lavabit specifically, but typically encrypted emails are encrypted on your client computer and decrypted on the recipient’s computer. It is conceptually the same thing as an “end to end encrypted chat app”… just in email form.
Yes that works if both the sender and receiever encrypt the emails before sending them.
I specifically mentioned incoming plaintext (unencrypted) email.
Since mail is technically decentralised, not everyone is using protonmail for example, so protonmail can only perform e2e encryption on protonmail to protonmail email sending (they let you encrypt mail to people outside but it’s not as seamless).
Nevertheless, I was mentioning incoming plaintext emails, which email providers have to encrypt before storing. The government can middleman that procedure and read the incoming mail before it’s encrypted by your provider (protonmail, etc).
(This is one of the reasons why lavabit may have shutdown, you can’t protect against incoming plaintext mail)
Ah… I guess I didn’t understand how services like encrypted webmail worked. I’ve only ever used local pgp with thunderbird or whatever. I was assuming (incorrectly) that those services operated in the same manner. Thanks for explaining it to me.
You are correct, encrypted mail providers should encrypt on-device, before sending the mail, but there isn’t a solution to the unencrypted mail you could potentially recieve being intercepted.
Since when is encryption dependent on the service’s jurisdiction?
The US has a law that applies to any US company operating within its borders: it is illegal to tell your users that the US government has asked your company to spy on their behalf. This is called a key disclosure law, and the US’s version of it, called National Security Letters, underwent an expansion with the PATRIOT act; by 2013, President Obama’s Intelligence Review Group reported issuing on average, nearly 60 NSLs every day.
Companies that don’t comply with this law are forced to shut themselves down, or remain open, and grant access to user communications to the US government. The Signal foundation is a US domiciled company and must comply with this law without being able to disclose that they have been issued an NSL letter.
Luckily we don’t yet live in that world
Comply with the government order of granting access to messages or shut down implies that we are already in that world, long ago. What makes you think that what happened to Lavavit and Silent Circle would not happen to Signal? Only wishfull thinking can make you think that, evidence tells you otherwise.
And given their scale and length of time they have been around, it is guaranteed that they have been complying for some time.
It is so ironic that we run into so much cognitive dissonance on this issue. It is so weird that people have such an emotional attachment to this product.
Ok government here are the messages i’m legally required to provide you.
U2FsdGVkX1/FEry+/NeyfmzA3icvpchwSo5qySzajv87f9PwhJyog+zS1Qv+j8bzYXG5sCLZMbFqUJn9Cp7RkVY79wuUArUaxE59LtdO0LKT+0+d220DxFVioHe8Vlaq
If it’s so easy why Lavabit and Silent Circle had to shutdown?
Do you understand what encryption means? Genuine question.
If a company is compelled to spy on its users, it doesn’t mean hack them. (although perhaps there are same edge cases where you have to wonder the exact definition of hacking)
Obviously you are missing the point. Even Gmail is private if you are going to do the job of encrypting your messages by yourself, but that’s irrelevant with what we are discussing here.
What we are discussing here is that if you are a company offering a service of encrypted communications located in the US, the government has all the power to force you to shut down if you don’t give them access to what they want. And that’s not speculation, they’re actively doint it because they are backed by the law.
Why people are so naive thinking that the government are not going to do something to get what they want when the law is on their side, when sometimes they don’t hesitate to do it even when it’s blatantly illegal?
The only way to avoid surveillance is with free, open source and descentralized software. If there is a company in charge of running the software that’s a vulnerability and, like the cases already mentioned, those in power are going to exploit it shutting the service down if the company doesn’t comply.
It doesn’t matter how much you like or trust the service, there’s simply no reason why they wouldn’t do it again when they already dit it successfuly. Why some people who care about privacy can’t see this obvious fact is beyond my understanding.
People who actually care about privacy: the quality or state of being apart from company or observation (definition), wouldn’t want a company knowing their phone number and thus identity tied to their phone number. Maybe you believe in a lower level of privacy than I do. That’s fine but my post was for people who never thought about it but will care and those who should care.
This is disturbing that this comment is down voted to -11, at the time of my reading, on a service that is specifically designed for people who value privacy. Is it because of some government bot, or are enough people really that emotionally attached to this product that despite the clear logic they are reacting in discomfort?
I don’t know which option is more disturbing.
I get that a lot of people don’t really value privacy that much, and are only interested in making a half hearted attempt. That is fine. But why the gross amount of denial? Why not just be honest that they think it is good enough for them, and not worth changing.
These people are sheep. It’s insanity. They worship these companies I feel like I’m arguing with cultist
Signal doesn’t know your phone number, though. It’s only used to identify other users in your contacts, and not a single thing about it is stored.
That’s not true. When asked to provide data, Signal is able to give your phone number and the last login time.
Signal stores the hash of the phone number. So you can query them for a specific phone number, but are unable to figure out phone numbers based on the hashes (outside of brute force - trying every 12-digit phone number).
And after doing that, you learn “this person uses/used Signal”, with no information about particular messages whatsoever.
Okay, I was not aware that it was only the hash of the phone number. I was under the impression that it was the phone number itself.
Wow. You give them your phone number to sign up. They text you a confirmation code but they don’t know your phone number. Magic
Removed by mod
That is a compromise of privacy. If those hackers used those phone number to access any account by using unique methods those users privacy would be utterly lost.
This thread shows the success of Signal’s PR campaigns, and how a shiny app can get people to overlook all the privacy concerns. They’re just as successful as Apple at getting people to think that a US-based corporation hosted on Amazon’s servers and subject to national security letters, whose privacy model is “just trust us with your phone number”, is in any way secure.
precisely that’s why it’s become so popular and recommended and now these users are recommending it furthering the amount of people that will have their data exposed there was a leak I believe in 2022 and on signal a lot of customers had their phone numbers exposed if their phone numbers are not stored how did they get exposed? Clearly the answer is that they are stored.
Were there conversations exposed? Do you even understand the difference?
Started to write a long paragraph to explain the difference between privacy and anonymity but I now believe this new user is (no idea why) collecting engagement via rage bait. I won’t participate in their posts anymore.
It might even come from a good place, namely trying to always do “better” and be “more private” but in practice it’s just lead to confusion.
Thank you! Finally someone that also sees Signal as privacy invasing!
Don’t need an ID to buy a burner phone/number
I am a huge fan of SimpleX and their removal of user IDs. I think it’s a brilliant solution, and wish that SimpleX was recommended more than Signal.
If simplex used phone numbers and defeated the whole concept of privacy it would be recommended more.
I’m ready to be called milquetoast, and while I see where this comes from, it comes off idealistic if we are to communicate with people in the present day in any practical way. Do not forget how much of an improvement it already is over the likes of proprietary messaging apps and how much effort it already is to move people to Signal. It is surprisingly difficult for common folk to grasp the concept of anything but a phone number when it comes to messaging apps.
Which definitely begs the question of why people put any effort into trying to move any of their contacts to signal in the first place. I believe the answer is that they didn’t value privacy either. Just the idea of it.
Indeed, those who don’t have older friends totally underestimate how confused the oldies get by the concept of an alternative phone/messaging app.
Been saying this for many many years and always get blank stares in response. All the more annoying when its for use in groups that are all about privacy and they only want to use telegram.
However, it does make me happy to finally see someone else say it. So, thanks for that.
We are the rarity. Lol people in the comments are glitching over this statement
2FA is an important security layer, if the service, after sending you the activating SMS with the code, delete your number (normal in serious services), it’s also not an privacy problem. In big us corporations on the other hand, it is, eg.Google store tour number and also probably share it, there 2FA is not an option. Instead a number, some services also admit alternatively a second e-mail account to receive the activation code, there, if you have doubt, you can use an disposable mail, so there isn’t any privacy problem.
2FA helps with security concerns, not privacy concerns. They still would have your number. Also about Google, they have one of the widest spread and utilized 2FA authentication applications out there.
2FA is important, but if you use your phone number for anything, you have no idea how long they retain it, how they directly use it, if they sell it, etc. A real phone number can be mapped back to you trivially.
It should be standard to offer TOTP codes that can be used via an authenticator app, hardware key, etc. Aome places do, many do not.
But at the end of the day, they typically don’t ask for your phone number because they want to give you security, but rather as a proxy to ensure you have a unique identity. Most people will have only one phone number, and it will be more difficult / costly to get additional ones than burner emails, etc.
Yes, iy’s always to use with a grain of salt. As said, it ads a security layer, but can be an privacy hole, despte that mail directions are easier to track as phone numbers, at least in the EU, you can’t be mapped back to an user, this is only possible in crime investigations by the police with an court order. Mail adresses on the other hand are unique identifiers which are way easier th track, except you use an disposable mail or alias. Anyway, eg.in Vivaldi 2FA is safe and apart optional, as also the account itself, only needed when you want to use sync or the use of Vivaldimail, blog and other services it offers. In much other services it’s also only an option.
People dont realize that you may as well hand over your social security number when you pass out your phone number.
Indeed, I also don’t realize that. Please explain further.
Its very easy to dox someone with a phone number. Not sure about social but address and full name are easily available for free.
If Signal isn’t private, then why it is recommended over WhatsApp, Matrix and over SimpleX?
Because it has become extremely popular, that’s just how it goes. At one point, even Telegram was recommended for being super secure or private, but the privacy is mild on Telegram at best.
But by comparison to Instagram or Whatsapp, it’s how the gram looks like Privacy Central, so it was recommended. Now, Signal is replacing that role.
Signal is more private than the sus apps like IG, Facebook, etc. Yes. But only because those apps are so bad.
No one should be recommending signal over matrix and simplex. It’s probably more secure than whatsapp, but both have social network graphs of everyone you talked to, and when.
Matrix’s encryption algorithm was broken for a while and when it was fixed it it took app devs years to migrate to the new requirements. It still might even be the case for a lot of them, I haven’t looked in a while.
SimpleX should be secure AFAIK though, but I’ve heard that it may not be able to scale well to larger user bases. It seems everything has pros and cons.
Because most people don’t consider the very basic concept made by op.
Do you think your phone number is private?
I don’t have a phone number
it’s definetly not public information
It wouldn’t work very well if it wasn’t.
It is at best slightly obscured information. If your life depends on a phone number never being associated with you, and you frequently use that phone number, you’re a dead person.
dw I don’t. My phone number was leaked, I don’t know how and it really sucks. It probably happened before I started caring about privacy. and all these phone number aliasing services either don’t operate in my region or cost too much money.
