I don’t really like Apple, but once in a while they do the right thing. This comes from the App store’s new labels on apps.
Signal just has “Contact info” under the “Data NOT linked to you” category. This is just the phone number + contact discovery.
UPDATE
There’s another post adding telegram here. This is what it looks like:
Signal has mandatory phone numbers linked to you, which is probably the worst thing for privacy. In most countries phone numbers are tied to your identity, and you can easily find someone’s name and current address with a phone number.
Let’s assume that signal is correctly e2ee encrypting message data, but their database can’t encrypt the sender and recipient phone numbers. It’s hosted in the US in a centralized place, so we can assume the US government has sender and recipient phone numbers, and message timestamps, and from that can easily build a social graph of connections between people.
You and I can’t even use signal, because you’d have to tell me your phone number, which would give me your full name.
(Update: usernames are coming in 2021) As far as I’m concerned from lurking on their community forum over the last year, they’re actively working on it because many privacy advocates share the same feeling, including Snowden himself, and their plan is to require it for signup (which is reasonable to prevent spam) but leave it as an option when it comes to contact discovery, but who knows, they may not require it at all.
I shared your opinion when I first started using Signal, but as months have passed and I’ve been suggesting more people to use Signal and Element, everyone has chosen Signal as their way of communicating with me. When they install Signal, the first thing they point out is the ease of use, the resemblance to WhatsApp, being able to have group calls within the app in both mobile and desktop; in contrast, when they register a Matrix account, they are confused as to how to find me because of the fact that I’m using my personal Matrix homeserver, as well as pointing out how slow the message sending is in the main instance and how unpolished the UI looks. Also, the fact that I have to use the Jitsi integration for a simple video call and therefore rely on selfhosting another service (Jitsi’s main instance video quality is very poor) is inconvenient IMO.
I’m not trying to argue whether one service is better than the other for anyone’s case, because at the end of the day I know Matrix is far superior if everyone was technically apt. However, that’s not the case with the majority of people, and relying on a phone as an option, which seems to be what Signal is aiming for with all their recent changes on groups and the introduction of PINs, is the best way to go, as people need simple privacy, and Signal is amazing at providing this.
Btw, if anyone’s fond of CLI clients (I believe you are, Dess), here are some for both services:
- scli (Signal)
- siggo (Signal)
- signal-weechat (Signal)
- gomuks (Matrix)
- matrix-weechat (Matrix)
Thanks for this. It’s a great explanation of why I recommend Signal more often than Matrix.
FluffyChat is making great strides in this space for Matrix in terms of UI quality. But agree it has the same problem as many open source projects, UI isn’t a priority and then people wonder why X project doesn’t take off.
I really like fluffychat!
Honestly Element looks and works so badly it always scares me off. It’s so slow, the formatting is fucked up and the app is very unintuitive.
Excellent post, thank you.
I’ve been suggesting more people to use Signal and Element, everyone has chosen Signal as their way of communicating with me.
Same here. I want Matrix to succeed more but the ease of setup for Signal is really the big deal breaker I imagine, plus not having to host or maintain a Matrix instance if you’re truly concerned about data management.
sender and recipient phone numbers
Only the recipient actually, thanks to sealed sender. So if you’re using a VPN, they can’t build your social graph. There are services that also allow you to create a one time phone number, which you can then secure with a removed so that your Signal identifier doesn’t get taken over by someone else. They are working on making it possible to use usernames instead of phone numbers.
And if you’re using Matrix or something like that, you are still trusting the admins of both instances (sender and receiver) with your metadata (and matrix leaks more metadata than Signal). If you’re running your own small instance, they can easily build your social graph just by monitoring the connection to that instance.
Signal also has a much more straightforward UX, making it usable for non tech-savvy people, which is often overlooked by free software advocates.
They have a ton of very good arguments here. You can also find Matrix’s response.
Here’s a video of Moxie’s view on decentralization, highly suggest it, great points discussed.
This is why I favor Matrix, I don’t have to give anybody any info and it would be hard for the government to build a social graph of my contacts if we use VPNs or Tor to connect.
afaik matrix stores your data, messages (often unencrypted) on the server you signed up on. signal doesn’t store anything
- source: i managed a matrix server
that’s not actually the case, i read in the signal blog (if i find it i’ll link it) that no metadata travels unencrypted and no metadata is stored on the servers. even in groups, there is no database storing the list of members, as the exchange of keys happens only between devices with zero-knowledge. if all the members of the group reset their phones the group is non-existing anymore as it never was anywhere in the first place.
this is about metadata: there are no timestamps https://signal.org/blog/looking-back-as-the-world-moves-forward/
more on metadata: https://signal.org/blog/sealed-sender/
That gets linked all the time, even though it’s just a “proposal”. You don’t know if it works, because the signal back-end is closed source.
this is about the groups: https://signal.org/blog/signal-private-group-system/
this is against the social graph discovery: https://signal.org/blog/private-contact-discovery/ we are talking about a gem in the privacy landscape, there is no software dedicated like this to privacy at this time
The signal back end isn’t open source, so the source for that is “trust me bro”. XMPP and matrix back end is fully open source and self-hostable.
no metadata is stored on the servers
They have to store phone numbers, it’s their primary identifier and routing system.
It’s also a single server / cluster all hosted in the US so by definition isn’t secure.
Signal backend is open source.
Edit: you might be thinking of telegram.
the sad part is a great amount of people don’t care about privacy at all. they won’t quit any of the zuck-apps.
As far as I know, Matrix also has no data linked to you, as long as the federated instances you use and communicate with are running as intended.
There seems to be a bit more than with Signal. I guess it highly depends on which instance you interact with. Matrix encrypts less metadata than Signal and not all conversations are E2EE.
The difference is that phone numbers are tied to your identity, while email addresses are not (at least if you use an email service that doesn’t require a phone number).
Signal has mandatory phone numbers, matrix has optional ones.
you should add telegram to that comparison
There’s another post adding telegram here. This is what it looks like:
Nice, as much attention we can gather, the better it is :)
That’s interesting. Doesn’t Signal require a phone number to create an account?
Yes, but that’s just it. They don’t link it to your name (The name you enter is only shared with the people you message, and is encrypted).
They also use your contacts for contact discovery, so you can seamlessly start sending Signal messages to your address book. Once again they use as little info as possible (the phone numbers are hashed). You can have more info about why private contact discovery is hard here and a potential solution here.
This is mentioned in the app store, but under the category “data NOT linked to you”
How is telegram holding up here?
Personally Signal seems the best, but I constantly have messages that get delivered like 12 hours late - which is a deal breaker.
Not very well. Telegram is not fully open source, E2EE is off by default, they use their own weird cypher, etc.
This thread has some very good suggestions, so if Signal isn’t your cup of tea, I’d suggest taking a look at one of them.
Honestly, if getting people to get a jabber account wasn’t such a pain that would still be my go to solution.
None of the other apps really do it for me. I ran matrix/element for a year or two, was way too unstable for daily use and impossible to get friends to migrate.
Signal has the benefit of incorporating SMS as well, but it’s been fairly hit or miss with message delivery for me and some friends.
Telegram works fine but isn’t fully open source.
Yeah, there’s no perfect solution, unfortunately.
If you don’t mind me asking, what issues specifically did you encounter with Element/Matrix? I’m trying to get my friends on Element and was under the impression that it’s good enough? Haven’t used it in a while though, so I could be wrong.
When I used it last the homeserver issues were too frequent. Delays in delivery, service outages etc.
And it was difficult getting more than a couple of friends on board. So it fell to the side for me.
It might be better these days tho, I dunno.
I’m also not overly fond of Electron apps. (I mainly use desktop versions as I dislike smartphones in general;))
Oh, I feel you. I hate Electron apps with a fiery passion. Thankfully Element has tons of clients to choose from and if I ever get my friends on it, I will NOT be choosing the default desktop app. Anyway, thanks for the info!
I have toyed around with a couple of the other, actually native, apps. They were pretty nice back then but not really feature complete. I assume that has changed somewhat since I last used it. :)
Telegram is far far behind Signal. In terms of privacy, it’s not owned by a big Corp but Signal isn’t either, and from a technical perspective, Telegram has pretty much no E2EE, while almost everything in Signal is E2E encrypted.
The issue with the messages being delivered late only happens when there are notifications issues too. Check your settings. Also, it seems that when an app isn’t opened for a while, it loses the notifications. I have that issue with element.
when there are notifications issues too. Check your settings.
for what? turn off notifications? that’s pretty useless.
It’s happened quite regularly for me, and I mainly use the desktop version.
When I enabled it for SMS as well I missed several important texts for a day or so.
So all in all, I have not really been that impressed with it.
I’ve been using Signal (the apk downloaded from the site, not the play store one) for a long time, and I’ve never faced a delay when sending or receiving messages until the last few days. My dad started complaining that he hasn’t received any of my texts, and he is not able to send images to me either.
In this case, he just had to update the app.
But people face this issue when their phone itself decides to doze off Signal. If you are facing the issue, you might as well disable battery optimizations, install APK directly (or build one yourself), or change your ROM.
What I am reading here is that it’s definitely not the app to get my non tech friends to install.
Notifications delay is a common issue for every messaging app relying on google’s push notifications, because based on the android specs, manufacturers are allowed to aggressively “battery-optimize” apps relying on FCM for push notifications. WhatsApp is not relying on them for example, and in a lot of cases OEMs specifically whitelist it from aggressive battery optimization. I’ve had these issues with friends that started to use Signal, Telegram, Wire and even Slack and Discord. They were not receiving messages until I told them how to exclude the apps from aggressive battery optimization. Unfortunately there isn’t a common standard way to do that, but every OEM has its own place in the settings to check (and sometimes it’s more than one). You can refer to https://dontkillmyapp.com/ or to Slack’s help page about this issue, which is quite well explained.
That explains a lot of things. I don’t receive notifications in apps I rarely use, but WhatsApp always worked (while other widespread apps like Discord or Slack didn’t). The fact that it’s in an allow-list for this kind of stuff explains it. Fuck WhatsApp!
For me, installing it on the play store worked fine for all of my family and friends.
Wasn’t Open Whisper Systems, the maintainer of Signal, acquired by Twitter?
According to the timeline on Wikipedia:
- Whisper Systems was founded by Moxie Marlinspike
- It was acquired by Twitter
- Moxie left Twitter and founded Open Whisper Systems
- Moxie and Brian Acton create the Signal foundation (a non profit) with funding by ex-WhatsApp founder Brian Acton (WhatsApp had already been bought by facebook).
The foundation is still here and relies on donations, to pay for development and hosting. So what you’re saying is near the truth (and I wasn’t aware of that actually) but today Signal is a fully independent non-profit.
Thanks, would that explain the change from TextSecure and RedPhone to their merger into Signal?
You can check out the Timeline on Wikipedia, they did change the name to Signal after merging RedPhone and TextSecure.
Check the signal app settings. The app should be allowed to use any battery it wants etc, many android flavors give it a battery restriction which inhibits signal from working in the background.
And the reason why should that matter for my desktop app is? If my phone is off won’t the desktop app run?
Is this considering the new privacy policy for WhatsApp? If both accounts from WA and FB are linked, then the ‘Data Linked to You’ from WA will be merged with those from FB Messenger, right?
Good to see those in a position to comprehensively know these details sharing in an easily consumable format.
(What they probably won’t show you is that just about every action on an iphone generates a phone-home event—as viewed through proxy logs)
This type of graphic might make a good standard for others to follow (looking at you alphabet google android)