It's limited in theory, but I'm skeptical that there aren't leaks to people that you chat with (by design).

Plus it's available to Signal sysadmins, Amazon (they're hosted in AWS), the SMS provider they use, the telephone companies, potentially all these companies' "partners" that they "share" data with... the list goes on and on.

Overcollecting data is not appropriate, no matter who does it. And as you have pointed out, they do not need to do this in order to allow people to chat with one another, which means it is, in fact, OVERcollecting.

Discussion

All those intermediaries can collect as much as they want, it's meaningless without the encryption keys

All of those people have access to the unencrypted phone numbers and metadata. How do you think they do SMS verification? With ciphertext? LOL

I believe it's Twilio that handles the registration texts. But once registered, everything is encrypted. The phone number, and even traditional cellular telephone infrastructure isn't used. Everything is e2ee. So...I don't see what the concern is here.

Like I said, not everything is encrypted.

Like I said, the concern is metadata.

You don't even need to look at the code to confirm this. If Signal's servers didn't have access to plain text phone numbers, they wouldn't be able to let anyone look up people by phone number. They wouldn't be able to send out SMSes to people when they lose their phone. And so on.

You can say you trust Signal, Twilio, AWS and the rest of their partners to keep this safe.

You can say that you don't care if metadata leaks.

But please don't deceive people into thinking these organizations do not have access to everyone's phone numbers or pull a strawman argument about Signal being perfect just because there are even worse options (like SMS).

You're making a lot of wild accusations. I think you need to learn how Signal works. Otherwise just provide evidence for your nonsense or STFU.

Haha, I described the functionality of the system and you get big mad, call it a wild accusation, and say it's nonsense.

It seems like it's you who needs to get a clue or STFU.

You didn't describe anything. You think you know how Signal works but you really don't and you're throwing around wild accusations, probably to spread FUD thus driving people to less secure options. Do your homework, come back when you know some things?

Wow, you're just doubling down with the personal attacks instead of simply proving me wrong.

All you have to do is explain how Signal sends an SMS to allow users to recover from a lost phone when Signal supposedly doesn't have access to anyone's phone number.

Feel free to reference the code if you'd like. I did security audits on the library, Android and desktop apps years ago. But if the Signal developers added code to send an SMS to an encrypted phone number, I'm sure the cryptographers of the world would love to see it.

You do realize that the only reason Signal added usernames in the first place was because of privacy advocates like myself calling them out on it, right?

It took many years before they finally added usernames, and their system is better because of it. Now the same privacy advocates are calling for them to finish the job and remove phone numbers entirely.

Many of us also feel like Signal should move away from centralization, allow the 100% open source version of their app to be published in the official F-Droid repos, and a number of other improvements.