On its 10th anniversary, Signal’s president wants to remind you that the world’s most secure communications platform is a nonprofit. It’s free. It doesn’t track you or serve you ads. It pays its engineers very well. And it’s a go-to app for hundreds of millions of people.
Dude, it's a non-profit, and their biggest contribution is money that was made by selling WhatsApp to Facebook. Cuz the guy just couldn't live with what happened to his creation.
They won't; there's no need. Their clients are garbage and they're most likely backdoored anyways. This action against Telegram is only happening because they can't get inside it, they can't backdoor it nor corrupt anyone. If they were able to do that they wouldn't be doing this.
No matter how good the protocol or client encryption, your privacy is only as good as your own physical security for the device in question.
Given that if you lose your private key, there is no recovery, I would be surprised if there were real back doors in the clients. Maybe unintentional ways to leak data, but you can go look for yourself: https://github.com/signalapp/Signal-Android
This is a very rude question, but on this subject of being lean, I looked up your 990, and you pay yourself less than … well, you pay yourself half or a third as much as some of your engineers.
Yes, and our goal is to pay people as close to Silicon Valley’s salaries as possible, so we can recruit very senior people, knowing that we don’t have equity to offer them. We pay engineers very well. [Leans in performatively toward the phone recording the interview.] If anyone’s looking for a job, we pay very, very well.
But you pay yourself pretty modestly in the scheme of things.
I make a very good salary that I’m very happy with.
That's pretty cool. But knowing the number would matter.
As a happy user of Signal (no bugs or incidents from my viewpoint), I regardless chime in to say a word for decentralization. :)
Signal is centralized:
there is a single Signal implementation, with a single developing entity
you have to install its mobile version before you may run the desktop version
There exist protocols like Tox which go a step beyond Signal and offer more freedom -> have multiple clients from diverse makers (some of them unstable), don't have centralized registration, and don't rely on servers to distribute messages - only to distribute contact information.
In the grand comparison table of protocols (not clients), Tox is among the few lines that's all green (Signal has one red square).
Maybe the US government (or even "deep state" or something) has realized that making everyone use insecure devices for easier surveillance is as smart as forbidding fire exits so that people would be easier to arrest.
I haven't heard too many bad things about Signal.
Various dictatorships want to simply read correspondence because the social graphs producing actual value and keeping stability in our world, and also protecting their embezzled value stored abroad, are all abroad too, and they won't hurt these. Some politicians in the west want to invade privacy for the same reason - what they embezzle is stored in ways unaffected by insecure communications in their own countries.
But if you are part of some establishment, even if not well-meaning, you are interested to protect the system from outright erosion, meaning secure communications.
Other than that, WhatsApp and FB Messenger are owned by Zuck and he's become too big to tolerate, Telegram is an African brothel with no protection and plenty of diseases, and in general it's all corporate around.
Let's please also remember that there are people of various views and interests in every organization and force.
Signal is completely compromised through spell check on 99% of OEM smart devices.
Spell check can see what you're typing word by word, and Signal uses it.
Feds are 100% using spell check to view your private messages. And by feds I mean every government on earth with a computer.
Spell check? If you mean smartphone keyboards, then yes, the non-foss ones are keyloggers. One of my side-projects is a privacy-oriented keyboard, but there are many out there that don't require network calls to google or apple.
The problem is actually further - it's that they push people to use Signal on mobile.
In the official desktop client, there is no option to register (even though it would likely be not that hard to add a box accepting a verification code), they tell you to use it in the mobile app instead. All while far from all phones can have privacy-respecting OSes installed on them at all.
Yes, there are ways around (Signal-cli or an Android VM - and even then you have to use Molly since the official client requires you to scan a QR rather than following a link). But arbitrarily directing people to a platform that is harder to make private is nonetheless weird.
What part of non-profit and open-source do you not understand?
Review the source, build it yourself, be happy. It uses well-known asymmetric encryption algorithms. Not much your agency could really do here even if they harvest all the traffic from the server.
Was my fucking question about the integrity of the algorithms they use, or was it about who’s been funding the product? Because a quick web search will show you that they did in fact fund it at one point.
Go forth and contribute, fork, or create your own.
They also refuse to distance themselves from Google’s app store.
This link has existed forever at this point if we count in internet years: https://signal.org/android/apk/ - getting an app directly from the developer with no middleman is about as distant as you can get from Google's app store.
Those clients exist despite Signal Foundation, not because they encourage community development. They are doing everything they can to discourage third party app development.
Do you hate Signal or do you hate the west? There are legitimate reasons to not like Signal but calling them hostile toward third party clients is untrue. Last time I checked Signal wasn't proprietary.
They have a demonstrated history of asking third party clients to not use the Signal name, and not use the Signal network. The clients that currently exist that do this do it against the wishes of the Signal Foundation.
Having third party clients is not good for security.
If the first party provider told you this, you should always second guess them.
Moreover, providing an option that informed users can choose doesn't hurt security. This idea the user can't be trusted to use the appropriate type of messaging if provided options needs to die.
The thing I hate about Signal is the UI. Everything looks way too big on my device. WhatsApp, for example, holds 2 more chats, and the messages themselves are tidier.
This may seem like it's not a big deal, but UI is absolutely crucial in order to get people to actually use the app. I moved a few people to Signal but they just hated the way it looks. "seems like an app for old people, font too big". I can see that. They moved back to insta/WhatsApp.
I think some small and easy UI changes could make the app much better: just give us a "compact" mode.
Both WhatsApp and Signal show the same amount of chats to me (9 for both). WhatsApp does show a small sliver of a tenth chat, but it's not really properly visible. There is a compact mode for the navigation bar in Signal, which helps a bit here.
From what I can see there's slightly more whitespace between chats, and Signal uses the full height for the chat (eg same size as the picture), whereas WhatsApp uses whitespace above and below, pushing the name and message preview together.
In chats the sizes seem about the same to me, but Signal colouring messages might make it appear a bit more bloated perhaps? Not sure.
You don't have to take Signal's word for it, because it's been audited. The EFF, who are VERY privacy minded, and do extensive research into this type of thing, recommends Signal because it's known to be secure.