Replying to Janneke

Why Signal is not a secure messenger!

Signal runs its entire traffic via the clouds of Google, Amazon, Microsoft & Cloudflare. They don't tell their users this, but speak of “3rd parties” in a trivializing way.

These 4 IT giants have enough of your IP address and the Americans know who is writing to whom = valuable metadata!

There are no “free” messengers!

Why do they use these 4 cloud providers and not just one of them, or another cloud service?

Because they are the biggest, with the widest distribution. And they have the most data!

Google's Android runs on around 85% of all smartphones. This sends encrypted data “home” every day. So you can assume that Google can always link 85% of all smartphone IPs to the respective user!

Amazon is the online shopping market leader (in the West) and can provide the name and address for IPs.

Microsoft is the world market leader in operating systems and can provide further user data, for example the IP of your wifi.

And Cloudflare is “stuck” invisibly in front of many well-known websites and knows the surfing behavior for the IP!

More espionage or user data collection is almost impossible!

Financing

If you want to know who is behind it, you have to look at where the money comes from.

Signal gets money from the Open Technology Fund = US government.

https://www.opentech.fund/projects-we-support/supported-projects/signal-open-whisper-systems/

If they put money into it, then they want something in return = namely data!

Open Technology Fund = “Affiliations U.S. Government”

https://en.wikipedia.org/wiki/Open_Technology_Fund

In addition, WhatsApp billionaire Brian Acton has invested millions of dollars in the Signal Foundation. That alone should give you pause for thought!

He had a lot of functions built into SignalApp that were stolen/adopted 1:1 from WhatsApp. Both messengers also use the same protocol.

So you can assume that if the Signal app has enough users, he will sell the whole thing back to Facebook/Meta. The data in the cloud services will then be the real treasure for which Zuckerberg will again make billions.

Cloud Act

And everything that the cloud services have on you can be obtained and viewed by US services via the Cloud Act!

“The law obliges American internet companies and IT service providers to guarantee US authorities access to stored data even if it is not stored in the USA.”

https://en.wikipedia.org/wiki/CLOUD_Act

MetaData, MetaData, MetaData....

The Americans are only ever interested in MetaData! So: Who writes when with whom, how often, etc.

A quick reminder:

“Metadata tells you absolutely everything about a person's life. If you have enough metadata, you don't really need the content.”

Stewart Baker, NSA General Counsel

See:

“We kill people based on metadata”

https://www.nybooks.com/daily/2014/05/10/we-kill-people-based-metadata/

How “great” the encryption is only plays a subordinate role. Cloud spies almost always only need your IP and that of the recipient and they know who is writing to whom = valuable metadata.

Compulsory telephone numbers

Even today, Signal still demands that you give out your mobile phone number and this will always remain the case (I've been saying this for 6 years).

This reveals your complete identity, because in the EU all mobile numbers must be registered by name. And if not, government services can query device and location data via “silent SMS” without the user being aware of it.

All of this together (cloud storage, compulsory mobile phone numbers and the CLOUD Act) gives a very detailed user picture, which plays into the hands of the US services.

If you want to know how to do it right, take a look at Threema, the messenger that can be used 100% anonymously:

Threema does not use any third-party (cloud) services, but runs everything via its own server.

Messages are only stored until they have been successfully delivered. Then they are deleted.

And most importantly:

Threema does not store any metadata or IPs!

Quasi confirmed in court here (translate it yourself):

https://magazin.nzz.ch/wirtschaft/threema-wehrt-sich-erfolgreich-gegen-staatliche-ueberwachung-ld.1558968

If you want to communicate securely and anonymously without leaving any traces on the operator's infrastructure, there's no way around Threema.

There are no “free” messengers. You always have to pay - either with your privacy or, as with Threema, with a few euros in return for not storing anything about you. The latter is clearly the better option.

> "Google's Android runs on around 85% of all smartphones. This sends encrypted data “home” every day. So you can assume that Google can always link 85% of all smartphone IPs to the respective user!
>
> Amazon is the online shopping market leader (in the West) and can provide the name and address for IPs.
>
> Microsoft is the world market leader in operating systems and can provide further user data, for example the IP of your wifi.
>
> And Cloudflare is “stuck” invisibly in front of many well-known websites and knows the surfing behavior for the IP!
>
> More espionage or user data collection is almost impossible!"

This assumes that one IP corresponds to one person, and that those companies could figure out your network knowing only the IP, connection time and packet size.

But many people can share the same IP, and IPs change regularly. So I agree that, through the use of these companies' servers, some surveillance on their side is possible. But considering all the connections that come and go from VPN and Tor networks, the picture those companies get would not give them significant information about Signal chats.

I can support the point that Threema does several technical things better than Signal. But I would argue that if the switch from WhatsApp to Signal is worth 1k privacy points, then the switch from Signal to Threema accounts for an additional 20 or 30 privacy points, for protecting user data in their own data centres and not using any unique identifiers that are used somewhere else.

But for a messenger to be useful, my contacts actually need to use it. There I like Signal's model better, where I can ask any contact to install Signal and log in quickly to start chatting. It is known that Signal protects its user data, and who messages whom, from courts and commercial companies.

They use open-source software. There is even an Android client, the Molly-FOSS app, that does not use any Google framework integration.

So I agree that Threema has some parts that are superior to Signal (and I have the app installed). But privacy is not a one-size-fits-all solution. So I would rather use Signal with as many people as possible, since I trust Signal much more than I would trust Meta with the data of a messenger.

Privacy-wise, I would personally rank them as follows:

SMS < Telegram < Whatsapp < iMessage < Signal < Threema < Simplex < Briar (top of private messaging)

Probably in the future some nostr messaging apps will join that ladder somewhere near the top. But it depends on the relays used and on whether there are public security reviews of the app.
