Graphics problems in Signal Flatpak on Librem5

I think there are different ways that could be done:

  • Putting a backdoor in the Signal FOSS software that everyone is using, including tinfoil-hat-wearing extremists like a Librem 5 user who builds everything from source. This would affect everyone, but it should be possible to detect it by looking at the source code. Of course, if the code is big and complicated, they could succeed anyway if nobody is auditing the code carefully enough.

or

  • Putting a backdoor not in the Signal FOSS software itself, but in the versions of the Signal app that are distributed through closed iOS/Android “app stores”, where only Google/Apple knows what is actually installed, so they can install a version built from modified source code that is different from the official FOSS code. The FBI or other 3-letter agency could do this by only pushing Google/Apple to go along with it; the Signal organization would not need to be in on it. That should only affect those who use closed iOS/Android things; Signal could still be used safely between users who use Signal apps built from the proper FOSS source code.

Do you know which one of the above the guy was claiming was happening?


There’s a third option that doesn’t require any backdoor in Signal. All of the Signal messages are stored locally on the device in an encrypted SQL database, and the encryption key is stored on the device as well. If the database and key files are extracted from the device, the database of messages can be decrypted and read. On a non-free device, the designer of the OS could easily extract these files. The extraction could be done as part of a service to back the device up in the cloud. Everything needed to read the messages would then be on the cloud server of the service provider. Snowden revealed in 2013 that government agencies regularly collect data from the servers of collaborating service providers.


I think these systems are built so that we do not learn more. I have no affiliation with the US government and have not worked for them for at least 8 years, (and when I did work for them it was in no way related to this topic.) It may be quite reasonable if you don’t want to concern yourself with my opinions. The following are only opinions / thoughts:

Here are some of my conspiracy theory ideas with citations:

  1. An opinion piece about why one person sees issues with Signal:
  1. Signal founders say that even though Signal is “open source” they are not OK with you changing the code and using it / distributing it, using a legal loophole in their allegedly “open source” license (link is from the above opinion piece but this link is a primary source link to Signal’s founder on GitHub): Please add LibreSignal to f-droid · Issue #37 · LibreSignal/LibreSignal · GitHub
  2. Link to where in the source code the Signal app generates metadata at Google when you try to compile it, by way of “automatic dependency download” from Google and others: Signal-Android/build.gradle.kts at main · signalapp/Signal-Android · GitHub (obviously any project on GitHub, when you download it, is creating metadata at Microsoft of your decision to download it, but that problem applies much more broadly than to Signal – this citation simply indicates that Google is getting a piece of your metadata pie when you try to download and compile this app)
  3. Signal for Android is built on Google Firebase Messaging (link to dependency section of app source code: Signal-Android/app/build.gradle.kts at main · signalapp/Signal-Android · GitHub ). When I pointed this out on Signal forums, they deleted my post for spreading information that “everybody already knows.” So I assume you already know that when you send or receive a message through Signal, if one of the ends is Android then metadata is sent to Google via their messaging systems. If you register for your Signal account using an Android device that has no Google Play Services, then this system allegedly turns off, but it’s not possible to turn it off from any setting section in the Signal app (so you would have to register from an Android device that was intentionally extremely privacy conscious, where many “modern” things do not work).
  4. Similar functions exist in Signal for iOS; here is a call to listen for notifications from Apple’s servers (probably for messages, although I haven’t read all the code and am not familiar with iOS app dev): Signal-iOS/Signal/Notifications/PushRegistrationManager.swift at main · signalapp/Signal-iOS · GitHub (documentation/evidence that this function call is listening for an Apple server to handle notifications and not a Signal server: registerForRemoteNotifications() | Apple Developer Documentation )
  5. Now that we have some evidence that Signal’s open source nature is a hoax, and that it notifies Apple and/or Google of the messages being sent, we could venture more into conspiracy theory. Here is an alleged leaked text session that alleges that the FBI has compromised Signal: https://www.reddit.com/r/UFOs/comments/1nhigo7/leaked_texts_between_fmr_senate_intel_committee/ . As a note, this is likely referring to a different problem than the metadata leak. It may be, for your threat model in your life, that having Signal tell Google whenever you send a Signal message is not a problem – since Signal says they do not tell Google the contents of those messages. This “conspiracy theory” link here on some other non-reputable site called “reddit”, which links to other non-reputable sites such as “x”, is basically alleging that the FBI has some backdoor into the actual message contents on Android and iOS, possibly for all apps on those systems.

I don’t know about baseless, but forget Signal; listen to Moxie. Don’t trust his statements, rather note that his non-FBI explanation really does explain why they don’t like unsupported Signal clients (even if we don’t fully go along with that explanation, he does): https://www.youtube.com/watch?v=1W5fuqySBnE The other half of it is (or has been) the usual reason for not providing support for unpopular platforms: finite development effort (he’s talked about this publicly also).

(sorry for reviving another sleeping thread)

It’s okay. I like to try to find what are my opinions, what is true, and what is not.

But I clicked the link that you provided, and I think what happened is that I just used a Google spyware video service to watch a recording of a self-proclaimed sleep-deprived man give a speech culminating in a description of why ā€œopen sourceā€ software offers users less control over their devices than their closed source counterparts that interact with a monolithic server, such as WhatsApp.

Do you believe he is correct? I think that I might put more stock in what he has to say if he can find a way for his 11 year old company to make a version of their app that works on my 3 year old phone. One primary talking point of his speech was that ā€œthe ecosystem is moving,ā€ and I think he means both to centralized services and also to mobile. And based on his brief mention of ā€œopen source,ā€ perhaps he is also referring to the ecosystem as moving to proprietary software.

So where is the proprietary version of his app that runs fine on my phone, since the world and I are moving to mobile? My phone is 3 years old but for some reason, the only version of his app that runs on it was made by some third party guy who cloned the Signal repo using its ā€œopen sourceā€ property and hacked together a working version of the Desktop client to be used on mobile, then adopted the mantra ā€œI no longer use Signalā€ in all of his posts.

The missing part of Moxie’s talk about the ecosystem moving to mobile and centralized services and how systems develop more rapidly when he and a lot of people with a lot of money build them for me, instead of me having the power to build them myself, is that in 3 years he was not able to build even a working prototype app for me!!

Oh dear my conversation latency here on a thread I revived myself has hit months I see! Shameful

I just used a Google spyware video service to watch a recording of a self-proclaimed sleep-deprived man give a speech

Actual genuine laugh out loud :slight_smile:

Do you believe he is correct?

No! But probably that’s mostly optimism rather than analysis (in a good way)

One primary talking point of his speech was that ā€œthe ecosystem is moving,ā€ and I think he means both to centralized services and also to mobile. And based on his brief mention of ā€œopen source,ā€ perhaps he is also referring to the ecosystem as moving to proprietary software.

My probably partial half-remembered understanding of his position: he means proprietary protocols with centralized organisations owning them, not closed source on centralized systems (but he’ll go with centralized systems when he thinks they’re the best option overall right now).

So where is the proprietary version of his app that runs fine on my phone, since the world and I are moving to mobile?

This is what I was defending: there isn’t one because he legit (if incorrectly) thinks that’s the best option - he has a good (if wrong) explanation why. He’s following his principles, he’s a principled guy, and he changes his mind about things in a good way. (Edit: except he thinks there’s no such thing as the truth or something like that… sigh - none of us is perfect)

@robert2 which flatpak are you using?
I tried yesterday installing from here: Signal Desktop Flatpak for arm64 + x86_64. I added the remote fine, but attempting to install the flatpak complained I need a different flatpak runtime (a freedesktop one, not the Purism runtime). I’m not very familiar with flatpak, but that sounds a little bit of a weird thing to be doing, both because I guess it’ll pull in another big surface area for vulnerabilities, and use a bunch of storage and bandwidth over time to keep it updated.
Maybe I’ll do it anyway but hoping somebody knows a better way - I should probably ask in the other signal thread