AmaryllisBlues [she/her]

All of those are valid concerns. I think this is more the answer I was looking for out of my initial question. I was concerned about people saying signal a large security risk or barely grants any privacy.

I think my understanding I have gotten out of has been issues related to metadata, signal’s poor record of open source, and I also agree that centralization is bad.

I’m hesitant to say that there isn’t an application for signal. I think I would still recommend signal to my family, who aren’t very tech savvy, as a drop in replacement for sms/whatsapp because the experience is largely what they would expect out of a messaging app. But I think going forward, I agree that matrix is looking like a good option. And briar is really good if anonymity is a concern.

I want to say thanks for your patience in talking with me. I did learn a lot.

So a compromised device is not unique to a US based company. A warrant can be issued to seize the device and that could happen with any other messaging service. It is fine to not like signal, and there are several reasons not to do so.

What I do have an issue with is the idea that signal is insecure or that federal agencies can very easily peek at your messages. Because that is not how encrypted messaging works. Signal does not have access to your private key. Your private key never makes its way to the signal server. Which even if the server was not running the code they have published, a NSL still wouldn’t let the government decrypt your message. Signal can be forced to disclose your public key, time stamps of your message, who you are texting, etc. But not the content of your message. Nor can they be forces to disclose anything that would give someone access to said content. Again because signal does not have access to that information. If you are concerned that signal could be publishing binaries that don’t reflect the source code, you can build the published source code and use that. But when your threat model is at that point you are beyond the scope of the original post.

The difference between signal and lavabit when it comes to key disclosure laws is how the services were set up. Lavabit required encrypted communication with the server to access, send, etc your emails. Which means the server side needed a private key that a NSL could force them to disclose. Signal is a little different. Private keys are held by the users and never make it to the server. Where yes a user could be forced to disclose that key, but again that could happen with any messaging server. It is not unique to the service you’re using being based in the US.

And this is also completely ignore the fact that signal utilizes double ratcheting which provides some inherent protection for compromised private keys (assuming you and the other person are deleting messages automatically). I would also like to mention that the signal protocol/double ratcheting/how signal does messaging is not unique to signal. It is utilized by a large number of services including matrix.

Don’t you need the private key to decrypt messages? Those never leave the device. That’s what happened with lavabit. They were forced to disclose the private key. But if that key isn’t leaving your device, you need a compromised device/person on the other end to decrypt your messages.

Buy that only applies to data signal collects correct? So we’re looking at metadata? The content of your message wouldn’t be compromised because signal doesn’t have access to it.

I guess the point I’m trying to make is signal isn’t good for anonymity, but is fine for privacy. As other people have mentioned you should be using a decentralized service if you’re organizing activism or whatever else your threat model demands. But as far as talking to friends/family about day to day stuff, it looks fine? So I think the question I’m really getting at is why isn’t signal good as a privacy friendly messaging service to replace what people were using telegram for? It’s been a minute since I used matrix, but I think the self hosting issue still applies there. Not many people are going to self host a matrix server to talk with friends.

So I read both articles and I’m still unsure as to why people are very anti signal? I get the it was/is funded by the US government. So was tor but that doesn’t make the network any less secure/bad for privacy. The code is open source so if it was phoning home it would be noticed. I understand that they did not release their source code for some time, and yeah that really is scummy and does not look good. As far as message content, there have been several warrants for signal data, but signal has been unable to provide your message’s content.

I get that it requires a phone number and you can use metadata to determine who you talk to. Signal is very much not anonymous and if you are a journalist/activist who deals with sensitive content, Signal is a bad option. But from a privacy/security standpoint it looks fine?

Not trying to be antagonistic. I am hoping for someone to elaborate on the articles more.

I also find it amusing that anything that mentions animal rights or factory farms is assumed to be a pushy vegan. I’ve met dozens of people who buy grass-fed flesh because “its better for the animals”. Ignoring that it isn’t

Waiting on lab grown meat to go vegan is the same thing as waiting on carbon recapture to solve climate change. We can, and must, do shit now but that requires inconvenient changes to out way of life. Instead we jump on half-baked bandwagons to tech ourselves out of a miserable future because we don’t want to be confronted with the idea that we might be wrong.

Pixels are really the only thing supported by the custom ROM community anymore. At least phone available in the US.

Wait 'til y’all learn the inhumane treatment of animals isn’t unique to the fur industry.