Protest security - Signal app

Yes, Signal is well known around these parts.

The inability to self-host a server would appear to be its only real setback. Well, that and its reliance on phone numbers for accounts.

3 Likes

…and the fact that it sends the information that you started to use that software to anybody

  • who has Signal installed
  • who happens to have your phone number in her/his contacts
  • who allowed Signal access to her/his contacts

and that there’s no way for you to stop it doing so and that there is no information about this behaviour in their privacy statement or any other document or reference they present to you during installation.

6 Likes

Right, that too.

What is the privacy- and security-concerned crowd’s opinion on Telegram, I wonder?

1 Like

Considering Telegram’s server is proprietary, by default they don’t e2e encrypt messages and some devices can’t participate in e2e encrypted conversations, I think it’s a non-starter. Signal has some issues, but afaik it’s the best thing out there.

2 Likes

Started getting spam messages on Signal and was disappointed it had no good way to block or report an individual in a group message.

The spam I was getting should be easy to detect and block, as it was a bunch of phone numbers with the same area indicators and a single email address (hotmail of course).

Funny how I started getting them shortly after the company I work for started requiring us to use our phones for Microsoft 2FA. As always, I find it easy to blame Microsoft for incompetent services.

2 Likes

You can read the official website documentation and see that they have a specific protocol to avoid knowing who your contacts are:

Soon, it will be possible to use the app without a phone number:

4 Likes

How did that work? You sure that these numbers did not send plain SMS? As Signal can also work as an SMS app if you configured it to do so at first use. Signal lets you block some of your own contacts; however, I’m not aware whether that conflicts with the group system (note: you have to invite somebody before he can get into the specific group).
By the way, the Signal employees currently work on “groups v2” which is assumed to support kicking people out of groups. After all these years.

1 Like

By law (GDPR) Signal has to inform me how the information I give them is used and if and to whom the information might be forwarded.

This means that this information has to be presented to me during installation and I have to explicitly agree to information storage, usage and relay.

“Read The Fine Manual” and reference to some websites does not count as such information - especially if it is not given during install.

I read all documents presented during install and the references presented and didn’t get to know the point I’m criticising.

Furthermore there is no way to stop this behaviour I’ve heard of and some people on the Signal forum confirmed that it is not changeable (though I don’t know the level of insight of these people).

If you know more about these topics I’d be interested in references to:

  • information about the fact that Signal informs any other Signal user having my phone number in her/his phonebook about me starting to use Signal
  • information about a way to stop Signal doing so

The references you published so far are not useful in the context of the above criticism and the two points I hereby ask again.

The “Signal PIN” might change the behaviour I criticise, but it is not reality, yet - as far as I know.

1 Like

But you don’t give them personal information.
Your GDPR point is useless.

How do you use a chat app if you hide the fact that you are using this app from your contact?
If you send or get messages or calls on Signal, unless your contact is totally stupid, he obviously knows you’re using the app.

1 Like

I get the impression you didn’t understand what I tried to describe.

When you newly register with Signal, Signal generates a hash over your phone number and sends this hash to the Signal server.

Then some voodoo part happens (I do not know how it is technically realized), but the outcome is that any other Signal user having your phone number in her/his address book is actively informed by a popup message (at least on Android, didn’t try iOS) that you started using Signal.

Personal information: I’m using a certain software

My right is to decide whom I give this information to. The least to expect is that I’d be warned that this information is broadcast.

Please don’t tell me that it is no personal information what software I use (what I do with my time, e.g. using software).

Again: Any other user (even the spam marketing company having random phone numbers in their address books) is informed without my knowledge and without my consent that I started using that software.

If my problem with this behaviour has not become clear by now, please try the thought experiment that all the other software you use would inform all other users without your knowledge and consent about the fact that you became a user.

Say e.g. software for steganography, or software that analyses network traffic (and by doing so is breaking the law in some countries) or software that calculates your period, etc.

I bet you’ll get to some software you’d feel embarrassed about when any other user of that software would be informed that you started using it.

I don’t say it could not be convenient for people who want this behaviour; I just say it is strictly against my understanding of privacy and I guess also against GDPR.

2 Likes

What a crazy definition of personal information.

I don’t understand what the point is with steno or network traffic or period. Signal doesn’t do that.

It’s an app used to communicate with others. If you don’t want to, don’t use it.
Problem solved.

What @ChriChri is saying is that Signal should have an opt-in mechanism such that if you opt in, it tells everyone else you’re now using Signal. Otherwise, you have to manually exchange usernames. I don’t think it’s an unreasonable request.

5 Likes

And make it less usable? Why?
Eventually an opt-out, for him, but forces everyone for nothing, I don’t understand the principle.

It was plain SMS. It wasn’t a group I chose to be in.

It’s not less usable and it doesn’t force anything on anyone. An option would be presented: “do you want to notify your contacts that you’re using this app?” If not, say no, and text the ones you do want to talk to and ask their username. Simple.

Thus, the app isn’t broadcasting to everyone that you now have it installed. I personally don’t care, but he obviously does. The “why?” isn’t particularly relevant, and the existence of this desire isn’t particularly strange.

3 Likes

Actually, the only worry that I have regarding my pre-ordered Librem 5 is that there will be no Signal support. Signal is my daily messenger. Without having Signal on the Librem 5 it will be very problematic for me to start using it as a daily phone. So I urge Purism to make sure that we can use Signal on the Librem 5. Maybe the Desktop client can be adapted to a full primary client. Currently, I’m using the flatpak distribution of Signal on my Fedora desktops:
https://flathub.org/apps/details/org.signal.Signal

That would be nice and that would mean that your contacts would be defined by my own address book.

At the moment the right question would be:

“do you want to notify any person having your phone number in their address book that you’re using this app”

And this is what really annoys me: It is not my contacts that get notified, it is any person who happens to have stored a phone number the same as mine (no matter if it is mistyping, guessing, probing, etc.).

I tried it with two phones using two different SIM cards: It really is this way. The phone I installed second didn’t have an address book and Signal didn’t get the right to read the empty address book. Even so, my phone first installed with Signal got notified that the second phone joined. The only way to know was that the first installed phone had the second installed phone’s number in its address book and had allowed Signal access to that address book.

O.k. - to understand you’d have to try to follow my line of thinking:

  • define information
  • define personal information

Take your definition and check whether “@Torrone is using a certain software” falls under your definition.

If so, check whether Signal broadcasting the fact that you’re starting to use Signal falls under the definition “telling a group of people without your consent and knowledge that you’re using a certain software”.

This way you could find out where I lost you in my way of thinking.

1 Like

Telegram is standard supported for mainstream Linux. Therefore I expect a seamless installation on Librem 5