Nowadays, a majority of apps require you to sign up with your email or even worse your phone number. If you have a phone number attached to your name, meaning you went to a cell service/phone provider, and you gave them your ID, then no matter what app you use, no matter how private it says it is, it is not private. There is NO exception to this. Your identity is instantly tied to that account.
Signal is not private. I recommend Simplex or another peer to peer onion messaging app. They don’t require email or phone number. So as long as you protect your IP you are anonymous
Here, go argue with this guy for a few weeks, and give us a break for a while.
what information is provided to an entity about whom.
“Content” and “Context”
Why is only message text considered “information / content / context” here. Signal has your real name and address via phone numbers, and has every other real person you talked to, and when. Why is “message text” considered context, but social networking graphs aren’t?
All these definitions are highly subjective, and the above one clearly considers social networking graphs to not be “content”. Basically they’ve re-defined privacy in a way that excludes highly sensitive information like everyone you talk to, and when.
Been saying this for many many years and always get blank stares in response. All the more annoying when its for use in groups that are all about privacy and they only want to use telegram.
However, it does make me happy to finally see someone else say it. So, thanks for that.
We are the rarity. Lol people in the comments are glitching over this statement
Signal allows you to speak confidentially, therefore it is private. It is not, by default, anonymous. Yes, this plus the centralized server mean that potentially dangerous metadata, like relationship maps, can be collected. All indications are this isn’t the case, but that’s not something you can count on.
If you need anonymity, which you probably do at least a bit, use simplex. And yes, having more people using anonymous services like simplex is a good thing for the community as a whole. That said, I’m not going to try to convince all of my friends to use simplex. It’s just too far from the mainstream, missing too many features. Signal is a sufficient compromise for most people, and it’s sufficient for me for most purposes.
2FA is an important security layer, if the service, after sending you the activating SMS with the code, delete your number (normal in serious services), it’s also not an privacy problem. In big us corporations on the other hand, it is, eg.Google store tour number and also probably share it, there 2FA is not an option. Instead a number, some services also admit alternatively a second e-mail account to receive the activation code, there, if you have doubt, you can use an disposable mail, so there isn’t any privacy problem.
2FA is important, but if you use your phone number for anything, you have no idea how long they retain it, how they directly use it, if they sell it, etc. A real phone number can be mapped back to you trivially.
It should be standard to offer TOTP codes that can be used via an authenticator app, hardware key, etc. Aome places do, many do not.
But at the end of the day, they typically don’t ask for your phone number because they want to give you security, but rather as a proxy to ensure you have a unique identity. Most people will have only one phone number, and it will be more difficult / costly to get additional ones than burner emails, etc.
Yes, iy’s always to use with a grain of salt. As said, it ads a security layer, but can be an privacy hole, despte that mail directions are easier to track as phone numbers, at least in the EU, you can’t be mapped back to an user, this is only possible in crime investigations by the police with an court order. Mail adresses on the other hand are unique identifiers which are way easier th track, except you use an disposable mail or alias. Anyway, eg.in Vivaldi 2FA is safe and apart optional, as also the account itself, only needed when you want to use sync or the use of Vivaldimail, blog and other services it offers. In much other services it’s also only an option.
2FA helps with security concerns, not privacy concerns. They still would have your number. Also about Google, they have one of the widest spread and utilized 2FA authentication applications out there.
If Signal isn’t private, then why it is recommended over WhatsApp, Matrix and over SimpleX?
OP is confusing privacy with anonymity.
I’d say the two are different but related.
Seems OP is discussing the loss of anonymity, but the below ARE privacy concerns:
- Someone obtaining my number who does not absolutely need it
- Someone knowing who I am, and knowing I do or do not use a service
Granted that it is difficult to completely obfuscate some aspects of your identity.
Those two concerns has been fixed last year.
Because it has become extremely popular, that’s just how it goes. At one point, even Telegram was recommended for being super secure or private, but the privacy is mild on Telegram at best.
But by comparison to Instagram or Whatsapp, it’s how the gram looks like Privacy Central, so it was recommended. Now, Signal is replacing that role.
Signal is more private than the sus apps like IG, Facebook, etc. Yes. But only because those apps are so bad.
Because most people don’t consider the very basic concept made by op.
No one should be recommending signal over matrix and simplex. It’s probably more secure than whatsapp, but both have social network graphs of everyone you talked to, and when.
Matrix’s encryption algorithm was broken for a while and when it was fixed it it took app devs years to migrate to the new requirements. It still might even be the case for a lot of them, I haven’t looked in a while.
SimpleX should be secure AFAIK though, but I’ve heard that it may not be able to scale well to larger user bases. It seems everything has pros and cons.
Privacy and anonymity is different things
When this US service has your phone number (meaning your real name and address), then what is the point of making this distinction? Is them having my address private?
No one should have this info, regardless of how you every person differently defines “privacy” vs “anonymity”
what is the point of making this distinction
because they are completely different things
So its a “private” and “secure” US corporation that knows everyone I talk to and when? I’ve heard this one before.
No, it’s a private and secure protocol (not corporation) thanks to end to end encryption. You can evaluate the protocol yourself with your own eyes, except clearly you cannot read, but modulo that.
Newsflash, chuckles: your IP address IS NOT ANONYMOUS. Any private protocol you use without going through Tor, i2p, or some similar anonymizing network IS NOT ANONYMOUS.
You’re attacking a strawman. Neither Signal nor anyone else has claimed the protocol or the service are anonymous. Which, yes, is something that every user should know before trusting it. They should understand what it means and what the consequences are. I’m honestly not sure you’re even there.
thanks to end to end encryption. You can evaluate the protocol yourself with your own eyes, except clearly you cannot read, but modulo that.
This means nothing when you have no idea what code the server is running, they even went a whole year without publishing their server code updates, until they got a lot of backlash over it. Real security doesn’t require a “just trust us” claim.
Also, metadata is content. Even if they don’t have the message text, Signal still has the real identities of everyone you talked to, and when. With that you can build social network graphs, which are far easier to harvest and more useful anyway than trying to read through message content and determine meaning.
Just because you know where I live doesn’t mean you know what’s going on in my house
See the difference?
Words have meaning
mean you know what’s going on in my house
Signal knows the real identities of everyone you talk to, and when. Is that not “knowing what’s going on in your house?”
The post office knows where I live too. And who I send messages to. Didn’t mean they read my mail
You can use whatever app you like, but I think this adds confusion.
Signal is private because no one can see your messages except the people you are messaging. The government can’t, Signal themselves can’t.
Signal is not anonymous only in the sense that the government can check if you use Signal. That’s it. They can tell if you use Signal. They can’t link messages to your number in any way through data requests, etc.
Not forcing anyone to use Signal, but if you choose to, you can know it is private.
(So this post is confusing privacy with anonimity basically)
Its not private nor is it anonymous.
Privacy: You knowing who I am but not what I’m doing
Anonymity: You knowing what I’m doing but not who I am.
How is someone having your real identity, and address, “private” ? This distinction is pointless.
Removed by mod
I don’t consider it “private”, if you were to know the real identities of everyone I was talking to, and when I talked to them. I’m not telling any US corporation like signal that especially.
Removed by mod
-
My neighbor knows who I am and where I live…next door. He does not know what I do, other than observe that I ride a John Deer around in the fields and corn comes up shortly there after. Riding a John Deer in a field is observable by all public passers by. In public we are not guaranteed an expectation of privacy. He doesn’t know tho, that I run a private sex dungeon and crack still in my basement.
-
I’m a haxor diddling some server somewhere to gain access. The server admin can see what I’m doing and indeed would have a record of what I was up to including any associated IP addresses, but wouldn’t know me from Adam’s house cat if I were truly conducting my activities in an anonymous manner.
He does not know what I do, other than observe that I ride a John Deer around in the fields and corn comes up shortly there after. Riding a John Deer in a field is observable by all public passers by.
So because he knows only a limited amount, that’s the distinction between private and anonymous?
Signal is not your neighbor. Signal’s DB stores phone numbers and knows who you are, and who you talked to, and when. Are the people you talk to considered “public”, to a US-based corporation?
So because he knows only a limited amount, that’s the distinction between private and anonymous?
It is my distinction, yes. There are many other distinctions like it, but this one is mine based on my threat model. Now, if you’d supply your definition/distinction and threat model, then I can be pedantic about it as well. Or we can accept that, since we are talking about a wide swath of users, no one real definition suites all. If you’d like a similar exercise, hit Lemmy Self Host and pose the question, ‘What is self hosting? Is hosting on a VPS considered self hosting or is a home lab considered self hosting’. Report back please.
Signal is not your neighbor. Signal’s DB stores phone numbers and knows who you are, and who you talked to, and when
You know the part in the Signal setup where it asks you for your phone number for verification purposes? You do know Signal does not prohibit the use of temp phone numbers. You can try as many as you like until you get one to work (if you’re relying on free temp phone) One phone number not giving you any joy, tap ‘Wrong number’ and try again, or use a paid for burner phone service such as MobileSMS.io (which is specifically recommended for Signal), Burner, Quackr.io, Temp-Number.com, or there are reports of using Google Voice, if you dare tread those waters.
As clients upgrade, messages will automatically be delivered using sealed sender whenever possible. Users can enable an optional status icon that will be displayed in the detailed information view for a message to indicate when this happens. These protocol changes are an incremental step, and we are continuing to work on improvements to Signal’s metadata resistance. In particular, additional resistance to traffic correlation via timing attacks and IP addresses are areas of ongoing development. https://signal.org/blog/sealed-sender
As I understand the Sealed Sender protocol, it does redact or seeks to redact the metadata of ‘whom you contact and who contacts you’. Since 2024, Signal has introduced usernames to reduce reliance on sharing phone numbers. You can set a username and hide your number from others, though it remains in the database for account purposes. Sooooooo…find you a temp burner phone number to use.
As I’ve said early on, I have no dog in this hunt. You can use Signal, Simplex, Smoke Signals, design a new enigma machine, whatever. My corn is going to grow regardless and my neighbor will still not know about my sex dungeon and crack still. LOL
-
They know who you’re in contact with, who you communicate with the most due to the phone numbers being linked to your account. On their own website they say people can add you by searching your phone number in the search bar. If your phone number was not stored, this would not even be possible. A reference (like a phone but with your number on display) would have to be used in order to confirm that your account is the one that is being searched. The reference is the phone number. It is not private. I am not the one talking about anonymity over and over you are.
From the very beginning I have been speaking on privacy. If they know your number and know who your number is in communication with they now know what you’re doing (talking to person x)
Evennif it is encrypted the damn app is a worst choice than SimpleX the thing I recommended. You chumps want to argue so bad you are missing the point. PRIVACY. Like the name of the damn group you’re in. Why get compromised privacy when you can get comprehensive privacy (simplex)?
Answer you are a hypebeast promoing the most popular “privacy app”
They know who you’re in contact with, who you communicate with the most due to the phone numbers being linked to your account. On their own website they say people can add you by searching your phone number in the search bar. If your phone number was not stored, this would not even be possible. A reference (like a phone but with your number on display) would have to be used in order to confirm that your account is the one that is being searched. The reference is the phone number. It is not private. I am not the one talking about anonymity over and over you are.
I’ve already covered the phone number conundrum further in this thread.
Answer you are a hypebeast promoing the most popular “privacy app”
Quite laughable. Have fun storming the castle bro.
Have fun when the signal data breach gets revealed SIS
What data breach could there possibly be? Phone numbers are already public information and that’s literally the only info Signal has. Oh no! My phone number that’s publicly available already has been released in a “breach”!
It’s already been mentioned numerous times but you’re confusing privacy and anonymity.
Per Cambridge Dictionary:
Privacy: someone’s right to keep their personal matters and relationships secret
Anonymity: the situation in which someone’s name is not given or known:
Using Signal, even after giving them your phone number, fits the definition of privacy in that matters discussed through the app are secret to anyone outside of the sender and recipient. Even if Signal is told to hand over messages, they can’t, there’s nothing to access on their end. Private? Yes. Anonymous? No.
Try looking up “privacy vs anonimity” (or a similar search query). You may find that your post is talking about anonimity, not privacy.
Signal is private.
God damn. If you attach your phone number to it. It is not private in most users cases the identity it tied to the phone number. Signal knows the phone numbers and you better understand that they will reveal them if ever requested.
Removed by mod
No you all are SIMPs for signal. You all are promoting it like you work for them. All because you’re too stupid (lack of having information) to understand they are a bad choice for privacy
Yep we’re all out to get you. We have meetings and everything. We have a pot luck on Sunday, and you cannot come.
How are you still unable to differenciate privacy and anonimity.
And you are calling us stupid for using Signal…
Seriously, use whatever you are comfortable with, but don’t spread misinformation and panic.
Did you look it up?
Yes, as I said, the government can tell if you use Signal or not by asking Signal (by providing Signal a phone number and asking if they have a record of it).
It’s not anonymous in that sense, but it is still private because your messages cannot be revealed by such data requests.
You keep saying this. But you never offer any proof. Everyone keeps telling you why there is a distinction but you keep conflating the two, and here you are flat out bullshitting. It is in fact private.
What is your point? I am beginning to think YOU are propaganda. Or an idiot.
Anonymity is a very big part of privacy and always has been. That is why you don’t write your name on your voting ballot.
They are conceptually quite different.
People use both the terms interchangeably, but they are not the same thing.
Voting ballots are anonymous because you didn’t write you name on them (and they can’t be linked back to you hopefully), but they are not private because you have no control over how the data is used (once you submit a balot you have zero control over what happens to it next).
I’m ready to be called milquetoast, and while I see where this comes from, it comes off idealistic if we are to communicate with people in the present day in any practical way. Do not forget how much of an improvement it already is over the likes of proprietary messaging apps and how much effort it already is to move people to Signal. It is surprisingly difficult for common folk to grasp the concept of anything but a phone number when it comes to messaging apps.
Which definitely begs the question of why people put any effort into trying to move any of their contacts to signal in the first place. I believe the answer is that they didn’t value privacy either. Just the idea of it.
Indeed, those who don’t have older friends totally underestimate how confused the oldies get by the concept of an alternative phone/messaging app.
Started to write a long paragraph to explain the difference between privacy and anonymity but I now believe this new user is (no idea why) collecting engagement via rage bait. I won’t participate in their posts anymore.
It might even come from a good place, namely trying to always do “better” and be “more private” but in practice it’s just lead to confusion.
Do you think your phone number is private?
it’s definetly not public information
It wouldn’t work very well if it wasn’t.
It is at best slightly obscured information. If your life depends on a phone number never being associated with you, and you use that phone number, you’re a dead person.
dw I don’t. My phone number was leaked, I don’t know how and it really sucks. It probably happened before I started caring about privacy. and all these phone number aliasing services either don’t operate in my region or cost too much money.
I don’t have a phone number
I am a huge fan of SimpleX and their removal of user IDs. I think it’s a brilliant solution, and wish that SimpleX was recommended more than Signal.
If simplex used phone numbers and defeated the whole concept of privacy it would be recommended more.
Signal is private, what you should differentiate is being anonymous or not. Using your usual phone number is NOT Anonymous but is PRIVATE, as in the content of your messages being only available to you and the person you’re talking to
The way you get a phone number depends on you too, so you can be very much be Anonymous even if signal requires a phone number.
the phone number drives me nut since mine changes every few months; everyone i know has my voip number that gets everything forwarded to each new number.
You are very naive if you think that a company located un the US can provide an encrypted messaging service that can be used by anyone including terrorists, druglords and US enemies without the government being able to access the messages. Lavabit was a famous case and had to shutdown because its founder rejected to comply with an order from the US government to grant access to information. If you are using centralized communication service located in the US forget about privacy.
”Lavabit is believed to be the first technology firm that has chosen to suspend or shut down its operation rather than comply with an order from the United States government to reveal information or grant access to information.[3] Silent Circle, an encrypted email, mobile video and voice service provider, followed the example of Lavabit by discontinuing its encrypted email services.[25] Citing the impossibility of being able to maintain the confidentiality of its customers’ emails should it be served with government orders, Silent Circle permanently erased the encryption keys that allowed access to emails stored or transmitted by its service.[26]"
“Levison (founder) explained he was under a gag order and that he was legally unable to explain to the public why he ended the service.[21]”
Email is a very different thing.
You can’t protect against emails being received in plain text.
Don’t know the technicalities of the specific case you are referencing, but I know that if the government wants to they can middleman any received email before the provider can encrypt it for storage on their servers (by forcing the provider to let them).
On the other hand, if you use an end to end encrypted chat app, you can’t middleman any messages from the providers side by force because the messages are always encrypted on the users device before being sent.
I don’t know about lavabit specifically, but typically encrypted emails are encrypted on your client computer and decrypted on the recipient’s computer. It is conceptually the same thing as an “end to end encrypted chat app”… just in email form.
Yes that works if both the sender and receiever encrypt the emails before sending them.
I specifically mentioned incoming plaintext (unencrypted) email.
Since mail is technically decentralised, not everyone is using protonmail for example, so protonmail can only perform e2e encryption on protonmail to protonmail email sending (they let you encrypt mail to people outside but it’s not as seamless).
Nevertheless, I was mentioning incoming plaintext emails, which email providers have to encrypt before storing. The government can middleman that procedure and read the incoming mail before it’s encrypted by your provider (protonmail, etc).
(This is one of the reasons why lavabit may have shutdown, you can’t protect against incoming plaintext mail)
Since when is encryption dependent on the service’s jurisdiction? When Signal has got subpoenaed it has always been incapable of providing data that involves the content of the conversation https://signal.org/bigbrother/
The app is also open source with reproducible builds (and you can use Molly instead, if you prefer) and when the clients of an end-to-end encrypted system are sound, that is all that matters to secure the content of the communication.
Audits are also performed as listed here https://community.signalusers.org/t/overview-of-third-party-security-audits/13243I don’t understand where this doomerism comes from tbh, (online) privacy will cease to exist when either maths does or it becomes globally illegal to use encryption and the government’s intrusion is really so pervasive that they constantly know what you’re doing. Luckily we don’t yet live in that world, though the pressure is real and we are the first that have to fight for this basic human right
Since when is encryption dependent on the service’s jurisdiction?
The US has a law that applies to any US company operating within its borders: it is illegal to tell your users that the US government has asked your company to spy on their behalf. This is called a key disclosure law, and the US’s version of it, called National Security Letters, underwent an expansion with the PATRIOT act; by 2013, President Obama’s Intelligence Review Group reported issuing on average, nearly 60 NSLs every day.
Companies that don’t comply with this law are forced to shut themselves down, or remain open, and grant access to user communications to the US government. The Signal foundation is a US domiciled company and must comply with this law without being able to disclose that they have been issued an NSL letter.
Luckily we don’t yet live in that world
Comply with the government order of granting access to messages or shut down implies that we are already in that world, long ago. What makes you think that what happened to Lavavit and Silent Circle would not happen to Signal? Only wishfull thinking can make you think that, evidence tells you otherwise.
And given their scale and length of time they have been around, it is guaranteed that they have been complying for some time.
It is so ironic that we run into so much cognitive dissonance on this issue. It is so weird that people have such an emotional attachment to this product.
Signal is free and open-source. It cannot be denied that basically everything, including minor details like usernames, is end-to-end encrypted and kept secure. The Signal protocol has been proven to be secure by many independent experts and thus it is mathematically impossible for Signal to gain access to your sensitive information (except for your phone number, obviously).
A phone number alone just won’t do much.
Signal is not open source, its a centralized US service, and you have no idea what their server is running. They even went a full year without publishing server code updates at one point, until it caused enough of a backlash that they started doing it again. But publishing that is no guarantee of anything, because you have no access to their server.
mathematically impossible for Signal to gain access to your sensitive information (except for your phone number, obviously).
A phone number in most countries, including the US, means your real name and address.
Ok government here are the messages i’m legally required to provide you.
U2FsdGVkX1/FEry+/NeyfmzA3icvpchwSo5qySzajv87f9PwhJyog+zS1Qv+j8bzYXG5sCLZMbFqUJn9Cp7RkVY79wuUArUaxE59LtdO0LKT+0+d220DxFVioHe8Vlaq
If it’s so easy why Lavabit and Silent Circle had to shutdown?
Do you understand what encryption means? Genuine question.
If a company is compelled to spy on its users, it doesn’t mean hack them. (although perhaps there are same edge cases where you have to wonder the exact definition of hacking)
Obviously you are missing the point. Even Gmail is private if you are going to do the job of encrypting your messages by yourself, but that’s irrelevant with what we are discussing here.
What we are discussing here is that if you are a company offering a service of encrypted communications located in the US, the government has all the power to force you to shut down if you don’t give them access to what they want. And that’s not speculation, they’re actively doint it because they are backed by the law.
Why people are so naive thinking that the government are not going to do something to get what they want when the law is on their side, when sometimes they don’t hesitate to do it even when it’s blatantly illegal?
The only way to avoid surveillance is with free, open source and descentralized software. If there is a company in charge of running the software that’s a vulnerability and, like the cases already mentioned, those in power are going to exploit it shutting the service down if the company doesn’t comply.
It doesn’t matter how much you like or trust the service, there’s simply no reason why they wouldn’t do it again when they already dit it successfuly. Why some people who care about privacy can’t see this obvious fact is beyond my understanding.
People who actually care about privacy: the quality or state of being apart from company or observation (definition), wouldn’t want a company knowing their phone number and thus identity tied to their phone number. Maybe you believe in a lower level of privacy than I do. That’s fine but my post was for people who never thought about it but will care and those who should care.
This is disturbing that this comment is down voted to -11, at the time of my reading, on a service that is specifically designed for people who value privacy. Is it because of some government bot, or are enough people really that emotionally attached to this product that despite the clear logic they are reacting in discomfort?
I don’t know which option is more disturbing.
I get that a lot of people don’t really value privacy that much, and are only interested in making a half hearted attempt. That is fine. But why the gross amount of denial? Why not just be honest that they think it is good enough for them, and not worth changing.
These people are sheep. It’s insanity. They worship these companies I feel like I’m arguing with cultist
Signal doesn’t know your phone number, though. It’s only used to identify other users in your contacts, and not a single thing about it is stored.
That’s not true. When asked to provide data, Signal is able to give your phone number and the last login time.
Signal stores the hash of the phone number. So you can query them for a specific phone number, but are unable to figure out phone numbers based on the hashes (outside of brute force - trying every 12-digit phone number).
And after doing that, you learn “this person uses/used Signal”, with no information about particular messages whatsoever.
Okay, I was not aware that it was only the hash of the phone number. I was under the impression that it was the phone number itself.
Wow. You give them your phone number to sign up. They text you a confirmation code but they don’t know your phone number. Magic
So, late to the party. Me Skuzi. This comment is more targeted towards your responses to user comments, but I would extend that to your entire thesis. So I decided to make an entirely new comment.
Honest questions/comments to follow:
Yes, the US govt can ‘compel’ a organization such as Signal to allow them to monitor/intercept encrypted messages, The government can even ‘compel’ a citizen to disclose their encryption key. The cost of non compliance varies from contempt of court to short term incarceration. United States v. Fricosu et al.
However, Signal would only shrug and hand them metadata. Even Signal can’t decipher your messages. There are other services unrelated to Signal that operate thusly, such as VPNs, that absolutely do not keep logs and run in RAM only. Some of those VPNs have been raided and servers confiscated by multiple governments with nothing to show for their efforts. If I recall correctly mega.nz and other storage facilities operate along the same lines.
As to the requirement for a phone number, yes they do require a phone number. However, unless they’ve changed something recently, you can use a free or paid for, burner phone number for verification. The caveat is that if you ever have to recover your account or future verification, you may or may not have access to that number if you used a free service. So, that might be a consideration.
Also, some free services might not work while others will. If signing up for a paid account, burnerapp.com for instance, will allow you to sign up via their website, however you can’t use a VPN. WiFi can be acquired at any coffee shop. If you prefer more private methods of payment for these services, there are those that accept crypto.
So, there are ‘options.’ You just might have to jump through a few hoops to get there.
Secondly, Signal is open source, no? The whole shebang including the protocol is open source. Where might ‘they’ be putting the backdoor to intercept encrypted messages? I can tell you this, the day the world finds out that the US govt has successfully cracked strong encryption ciphers, is the day you are going to see a lot of movement on this planet. From billion dollar corporations, private entities, governments, and even ne’er-do-wells on Signal.
I’m no ‘fanboy’, tho there is a lot to be a fan of. I’m not getting any kickbacks, compensation, or monetary advancements. If I need to be schooled, please do share.
Signal does plan to add a paid for service as well as their free service.
Signal would only shrug and hand them metadata
So at the very least by using Signal the government can know everyone you communicated with, at what time and where. And still is considered a private messenger. Amazing.
As clients upgrade, messages will automatically be delivered using sealed sender whenever possible. Users can enable an optional status icon that will be displayed in the detailed information view for a message to indicate when this happens. These protocol changes are an incremental step, and we are continuing to work on improvements to Signal’s metadata resistance. In particular, additional resistance to traffic correlation via timing attacks and IP addresses are areas of ongoing development. https://signal.org/blog/sealed-sender
In reading about the Sealed Sender protocol, as I understand, it redacts whom you’ve contacted. However, the metadata does include timestamps. I have no dog in this hunt as 99% of my messages are whispered into someone’s ear. Still, one must implicitly trust the receiver of such whispered messages. I honestly don’t care what app you use. Those choices are ultimately yours and yours alone and hopefully dependent on who you entrust with your data. This is just an interesting dissection of Signal and privacy/anonymity for the muse.
In the end, we all trust some entity whether it be your ISP who has your bank account info and residential address and can tell when you’re downloading 150 gigs of Linux distros overnight even with a VPN, a bank with every last transaction you authorize, the time/date, or government to which we pay income taxes who has pretty much all the info they would need to show up at your doorstep. If your threat model precludes all the above, I would recommend whispering and disconnecting from society. I honestly do not see any other way.
AES256 was broken the day it was released change my mind.
Well, I’m not trying to convince you of anything, however, you can convince me if you’d like. Do you have some substantiating evidence or documentation for such claims? I am aware of improvements to AES256 down through the years, and I am aware of side channel and timing attacks. Not to be discounted, but those are largely theoretical attacks. In addition, most modern computers have mitigated the possibilities of such attacks with hardware instructions for AES to protect against timing-related side-channel attacks.
The NSA reviewed all the AES finalists, including Rijndael, and reported that all of them were secure enough for U.S. Government non-classified data. However, in June 2003, the U.S. Government announced that AES could be used to protect classified information. Now you could conspiriaze that in 2003, the govt played dumb and said that AES was good enough for classified information when they knew they could blow through it like weak toilet paper, but then again, we (America) are not the only country on the planet despite what some people think, and I am quite certain that other governments have made certain their encryption techniques are 99.999% secure for classified documentation and data.
You make good points and I can’t provide any documentation. But the documentation won’t exist. It would be the closest guarded secret of all time. NSA only holds the upper hand if everyone thinks it’s secure. If the secret was out that that they could crack it no one would use it and the advantage is lost.
Thank you! Finally someone that also sees Signal as privacy invasing!
Don’t need an ID to buy a burner phone/number
People dont realize that you may as well hand over your social security number when you pass out your phone number.
Indeed, I also don’t realize that. Please explain further.
Its very easy to dox someone with a phone number. Not sure about social but address and full name are easily available for free.
