• poVoq
    6
    3 years ago

    It really isn’t, just read the below messages.

    Switching from WhatsApp to Signal, while being an improvement in the short term, is in the end the same story. You are still stuck in a centralized walled garden that falls under US jurisdiction and has clients that are controlled externally (and thus it is trivial for US intelligence services to force the Signal Foundation to push an update that kills all the privacy features without you ever knowing).

    Edit: Probably FUD, but I wouldn’t be surprised if Signal is used as a honeypot by the NSA already. They did a similar game with a Swiss encryption product company for decades. And as much as I like Snowden, he is still very much a US intelligence service insider and can’t be fully trusted when it comes to recommendations for non-US citizens.

    • @[email protected]
      2
      3 years ago

      I use Signal to chat with my friends and family.

      • I like the fact that it’s E2EE

      • I like that it’s very easy to sign up with a simple download, install, text code confirm.

      • I like the UI to an extent, it has nice features and looks nice enough. Text is text, pictures are pictures… we don’t need to obsess with “the shiny”.

      • I do not like that it’s hosted in the US

      • I do not like that it requires a phone number (for now)

      • I do not like that the servers are centralized, that the devs do not take decentralization into consideration, and that they are aggressive against alternative clients using their backend (which I am somewhat understanding of, servers ain’t cheap)

      Which is why there are alternatives like Matrix, Session, and lots of others; however:

      • Matrix requires a bit more from the user to sign up, such as username and email. This arguably is less bad than a phone number (although temporary or one-time phone numbers are available).

      • There’s also some shared disappointment around the web with the standard Element UI, can’t necessarily back those claims up though.

      • And to be really secure, you’d probably want to self-host a Matrix instance, which requires considerably more time, resources and effort to maintain, especially if you have poor internet at home, and feel that renting a VPS off-site would perhaps defeat the purpose of self-hosting (as I do).

      • Session is backed and developed by an Australian-based company, which should immediately raise alarms for anyone familiar with Australia’s crazy backdoor encryption law [1] [2]

      Obviously this is all personal anecdotes, my bottom line being that Signal is not perfect, far from it, but if you’re using WhatsApp, now is probably the easiest time to shift your contact groups off. It’s an equivalent that’s far better, while still having some usage pains.

      If anyone wants sourcing on any of the above claims, please reply or otherwise offer a source up. I know they’re out there, I don’t have the energy right now for it. I do not intend to lie.

      [1] [2]

      • poVoq
        2
        3 years ago

        that they are aggressive against alternative clients using their backend (which I am somewhat understanding of, servers ain’t cheap)

        This argument is very weak IMHO, as Signal is a free app and anyone using it with a 3rd party client puts the same load on the servers as someone signing up for free. They do also say that having only a first party client allows them to quickly and easily change and innovate, but then why are they hostile to 3rd parties compiling and distributing the first party app?

        If you think about it a bit more closely, then it becomes apparent that by forcing everyone to only use the 1st party client and distribution channel, they can keep control of the app and change it freely without most people noticing, especially if a modified version is only pushed to certain individual devices. And maybe I am a bit paranoid, but that is exactly how an intelligence service would operate in order to compromise the communication of selected individuals.

        PS.: You should rather compare it to XMPP with the Conversations client (or the fork blabber.im). Works great, is fully e2ee and has a UI and functionality very similar to WhatsApp or Signal. And you can easily get it from Fdroid or compile it yourself, so the risk of the developers messing with the binaries is minimal.

        • Rugged Raccoon
          1
          3 years ago

          they can keep control of the app and change it freely without most people noticing, especially if a modified version is only pushed to certain individual devices.

          Is it possible though? Like Google Play updates the modified app only for certain individual devices

          • poVoq
            1
            3 years ago

            Sure, that is easily possible. They can also push an update to everyone and a slightly modified version at the same time only to certain devices.

            In fact if this is still true then Google could even dynamically push an exploit into Signal without an update to the app itself.

        • @[email protected]
          1
          3 years ago

          Thank you for this reply, I did not consider that. The small unseen changes due to forced use of a single client. I always want to use a decentralized platform if I can, which is why Fediverses are so nice, but my friends are not as keen. Signal is the gap for now.

    • @[email protected]
      1
      3 years ago

      Android builds are reproducible builds (download from website). As such I can be sure I get what it says. As for US jurisdiction, I think it has been published extensively that they were only able to give account creation and deletion date.