• ikidd@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    arrow-down
    5
    ·
    3 months ago

    It creeps me the fuck out. I do not get why a service that bills itself as secure needs to know something that can be traced back to my credit card and name. I won’t use Telegram or Signal because of this.

    • 𝕸𝖔𝖘𝖘@infosec.pub
      link
      fedilink
      English
      arrow-up
      36
      arrow-down
      1
      ·
      3 months ago

      It’s about your posture. Most people who use signal use it to have privacy from governments. They’re not hiding that they use signal, they’re hiding what they write on signal. In this case, using your phone number isn’t a big deal.

      Some people, have a tighter posture, which could translate to your position. In that case, something like Briar could fit the bill.

      Lastly, security and privacy are not the same thing. Google products are secure, but they are not private. Self hosted sftp, for example, is private, but may not be secure. Signal is definitely secure, at least enough for general and governmental use. So, it seems, is telegram. Signal is more private than telegram in many ways, but it is not the gold standard for privacy (because of its use of phone numbers as usernames), but it is “good enough” for the masses. The balance between good for everyone and zero-knowledge private for everyone is delicate, potentially impossible. Honestly, I don’t know if signal was able to strike that balance perfectly, but they did a much better job than many other services, certainly than those others that are accepted by the masses.

      • ikidd@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        5
        ·
        3 months ago

        But putting a phone number in immediately exposes protesters to association. Sure, Signal can’t give out the contents of messages, but it still has the chain of contact. So if a government gets hold of this record, legally or otherwise, now you have everyone associated to a suspect phone number/person and can start rounding them up.

        It’s the complete antithesis of freedom of association when there’s a record of everyone that you’ve contacted. The contents don’t enter into that problem, and I can’t see why they feel the need to keep this as part of their system. It purposely makes it impossible to use this for something like peaceful protest. So, no, it doesn’t give you privacy from governments, because governments that don’t respect freedom of association will use that information to punish dissidents.

        I can’t imagine any reason to use phone numbers except to purposefully keep this chain of association for governments to use. Even Facebook doesn’t require this sort of personal proof, and it’s suspicious as hell.

        • noodlejetski@lemm.ee
          link
          fedilink
          English
          arrow-up
          20
          arrow-down
          1
          ·
          edit-2
          3 months ago

          Sure, Signal can’t give out the contents of messages, but it still has the chain of contact.

          it doesn’t. they’ve been ordered to hand over data multiple times, and the only thing tied to the phone number they have is 1. time the account has been created and 2. last time the account connected to the server: https://signal.org/bigbrother/

          • sunzu2@thebrainbin.org
            link
            fedilink
            arrow-up
            4
            arrow-down
            3
            ·
            3 months ago

            FISA order could require them to collect the data and turn it over, US courts won’t be able to to do shit about it.

            This is purely I trust signal bro type argument

        • 𝕸𝖔𝖘𝖘@infosec.pub
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          1
          ·
          3 months ago

          You’re mistaken on the basis of your beliefs here. Signal only had two pieces of data around your phone number (joined datestamp, last online datestamp). This means that governments can’t petition signal for any more information, since signal simply doesn’t have it to give (by design).

          Your point on fb is hilarious, because they do require it. They just don’t require you to input it, because (1) they already have it and (2) you freely provide the missing pieces without them even asking. But, like I said earlier, if this goes against your posture, use something like Briar or Matrix or whatever. Choice exists, because everyone is different and has different postures.

          • sunzu2@thebrainbin.org
            link
            fedilink
            arrow-up
            5
            arrow-down
            2
            ·
            3 months ago

            FISA order could be in place and signal disclosed what they were told.

            This argument about them producing only two data points is good but it is not a slam dunk arguement everyone makes it to be.

            Signal has technical capabilities to time stamp every ineteration you have with another person if it goes through their server. This is internet 101.

            So we relying that they don’t do this but if US government said do it. They would and Jack shit anyone can do about it.

            • pressanykeynow@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              1
              ·
              3 months ago

              That is my concern with any US based company. With all the information we have how their government agencies used both legal and illegal means to access data how can you ever think those companies can protect your privacy even if they sincerely want to?

            • 𝕸𝖔𝖘𝖘@infosec.pub
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 months ago

              Them being a us company is a very valid concern, and one I share. If I were a dissident, I likely wouldn’t use signal just because they’re us based.

    • UnderpantsWeevil@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      3 months ago

      The Signal pitch is that you don’t need identity security so long as the encryption is strong enough.

      That is, incidentally, the same pitch Botcoiner make.