Skip Navigation

Signal Is More Than Encrypted Messaging. Under Meredith Whittaker, It’s Out to Prove Surveillance Capitalism Wrong

www.wired.com Under Meredith Whittaker, Signal Is Out to Prove Surveillance Capitalism Wrong

On its 10th anniversary, Signal’s president wants to remind you that the world’s most secure communications platform is a nonprofit. It’s free. It doesn’t track you or serve you ads. It pays its engineers very well. And it’s a go-to app for hundreds of millions of people.

Under Meredith Whittaker, Signal Is Out to Prove Surveillance Capitalism Wrong
272

You're viewing a single thread.

272 comments
  • Yeah, Signal is more than encrypted messaging it's a metadata harvesting platform. It collects phone numbers of its users, which can be used to identify people making it a data collection tool that resides on a central server in the US. By cross-referencing these identities with data from other companies like Google or Meta, the government can create a comprehensive picture of people's connections and affiliations.

    This allows identifying people of interest and building detailed graphs of their relationships. Signal may seem like an innocuous messaging app on the surface, but it cold easily play a crucial role in government data collection efforts.

    Also worth of note that it was originally funded by CIA cutout Open Technology Fund, part of Radio Free Asia. Its Chairwoman is Katherine Maher, who worked for NDI/NED: regime-change groups, and a member of Atlantic Council, WEF, US State Department Foreign Affairs Policy Board etc.

    • Yeah, Signal is more than encrypted messaging it’s a metadata harvesting platform. It collects phone numbers of its users, which can be used to identify people making it a data collection tool that resides on a central server in the US. By cross-referencing these identities with data from other companies like Google or Meta, the government can create a comprehensive picture of people’s connections and affiliations.

      This allows identifying people of interest and building detailed graphs of their relationships. Signal may seem like an innocuous messaging app on the surface, but it cold easily play a crucial role in government data collection efforts.

      Strictly speaking, the social graph harvesting portion would be under the Google umbrella, as, IIRC, Signal relies on Google Play Services for delivering messages to recipients. Signal's sealed sender and "allow sealed sender from anyone" options go part way to addressing this problem, but last I checked, neither of those options are enabled by default.

      However, sealed sender on its own isn't helpful for preventing build-up of social graphs. Under normal circumstances, Google Play Services knows the IP address of the sending and receiving device, regardless of whether or not sealed sender is enabled. And we already know, thanks to Snowden, that the feds have been vacuuming up all of Google's data for over a decade now. Under normal circumstances, Google/the feds/the NSA can make very educated guesses about who is talking to who.

      In order to avoid a build-up of social graphs, you need both the sealed sender feature and an anonymity overlay network, to make the IP addresses gathered not be tied back to the endpoints. You can do this. There is the Orbot app for Android which you can install, and have it route Signal app traffic through the Tor network, meaning that Google Play Services will see a sealed sender envelope emanating from the Tor Network, and have no (easy) way of linking that envelope back to a particular sender device.

      Under this regime, the most Google/the feds/the NSA can accumulate is that different users receive messages from unknown people at particular times (and if you're willing to sacrifice low latency with something like the I2P network, then even the particular times go away). If Signal were to go all in on having client-side spam protection, then that too would add a layer of plausible deniability to recipients; any particular message received could well be spam. Hell, spam practically becomes a feature of the network at that point, muddying the social graph waters further.

      That Signal has

      1. Not made sealed sender and "allow sealed sender from anyone" the default, and
      2. Not incorporated anonymizing overlay routing via tor (or some other network like I2P) into the app itself, and
      3. Is still in operation in the heart of the U.S. empire

      tells me that the Feds/the NSA are content with the current status quo. They get to know the vast, vast majority of who is talking (privately) to who, in practically real time, along with copious details on the endpoint devices, should they deem tailored access operations/TAO a necessary addition to their surveillance to fully compromise the endpoints and get message info as well as metadata. And the handful of people that jump through the hoops of

      1. Enabling sealed sender
      2. Enabling "allow sealed sender from anyone"
      3. Routing app traffic over an anonymizing overlay network (and ideally having their recipients also do so)

      can instead be marked for more intensive human intelligence operations as needed.

      Finally, the requirement of a phone number makes the Fed's/the NSA's job much easier for getting an initial "fix" on recipients that they catch via attempts to surveil the anonymizing overlay network (as we know the NSA tries to). If they get even one envelope, they know which phone company to go knocking on to get info on where that number is, who it belongs to, etc.

      This too can be subverted by getting burner SIMs, but that is a difficult task. A task that could be obviated if Signal instead allowed anonymous sign-ups to its network.

      That Signal has pushed back hard on every attempt to remove the need for a phone number tells me that they have already been told by the Feds/the NSA that that is a red line, and that, should they drop that requirement, Signal's days of being a cushy non-profit for petite bourgeois San Francisco cypherpunks would quickly come to an end.

      • Incidentally, this explains why Signal insists that the app has to be installed through the Play store as opposed to f-droid.

        • Strictly speaking, you can download it directly from their website, but IIRC, the build will still default to trying to use Google Play Services, and only fall back to a different service if Google Play Services is not on the device. Signal really, really wants to give Google insight into who is messaging who.

      • Anyone who has any experience with centralized databases, would be able to tell you how useless sealed sender is. With message recipients and timestamps, it'd be trivial to discover who the senders are.

        Also, signal has always had a cozy relationship with the US (radio free asia was it's initial funder) . After yasha levine posted an article critical of signal a few years back, RFA even tried to do damage control at a privacy conference on signal s behalf:

        Libby Liu, president of Radio Free Asia stated:

        Our primary interest is to make sure the extended OTF network and the Internet Freedom community are not spooked by the [Yasha Levine’s] article (no pun intended). Fortunately all the major players in the community are together in Valencia this week - and report out from there indicates they remain comfortable with OTF/RFA.

        These are high-up US government employees trying to further spread signal.

        You can read more about this here.

      • Law enforcement doesn't request data frequently enough in order to build a social graph. Also they probably don't need to as Google and Apple likely have your contacts.

        Saying that it is somehow a tool for mass surveillance is frankly wrong. It has its issues but it also balances ease of use. It is the most successful secure messager out there. (WhatsApp doesn't count)

        Sure it has problems. I personally don't understand there refusal to be on F-droid. However, phone numbers are great for ease of use and help prevent spam. You need to give your personal information to get a phone number. Signal also has very nice video calls which no other messager can seem to replicate.

        • Law enforcement doesn’t request data frequently enough in order to build a social graph. Also they probably don’t need to as Google and Apple likely have your contacts.

          They don't need to request data. They have first-class access to the data themselves. Snowden informed us of this over a decade ago.

          Saying that it is somehow a tool for mass surveillance is frankly wrong.

          Signal per se is not the mass surveillance tool. Its dependence on Google is the mass surveillance tool.

          However, phone numbers are great for ease of use and help prevent spam.

          And there's nothing wrong with allowing that ease-of-use flow for users that don't need anonymity. The problem is disallowing anonymous users.

          • Signal is not dependent on Google. Also to my knowledge Signal isn't part of AT&T

            • Signal is not dependent on Google.

              It literally is though.

              • If that were the case Molly FOSS wouldn't exist

                • If that were the case Molly FOSS wouldn’t exist

                  I'm not speaking of hard dependence as in "the app can't work without it." I'm speaking to the default behavior of the Signal application:

                  1. It connects to Google
                  2. It does not make efforts to anonymize traffic
                  3. It does makes efforts to prevent anonymous sign-ups

                  Molly FOSS choosing different defaults doesn't change the fact that the "Signal" client app, which accounts for the vast majority of clients within the network, is dependent on Google.

                  And in either case -- using Google's Firebase system, or using Signal's websocket system -- the metadata under discussion is still not protected; the NSA doesn't care if they're wired into Google's data centers or Signal's. They'll be snooping the connections either way. And in either case, the requirement of a phone number is still present.

                  Perhaps I should restate my claim:

                  Signal per se is not the mass surveillance tool. Its dependence on Google design choices of (1) not forcing an anonymization overlay, and (2) forcing the use of a phone number, is the mass surveillance tool.

    • It collects phone numbers of its users, which can be used to identify people making it a data collection tool that resides on a central server in the US. By cross-referencing these identities with data from other companies like Google or Meta, the government can create a comprehensive picture of people’s connections and affiliations.

      That's fuck up. I always found bad to have the phone number as requirement but that's make a lot of sense.

    • So no Tor either bc started by US Naval Research Lab?

      • If Tor leaks data about you then yes you should also be concerned about that.

        • That has nothing to do with the team behind it. Also it is the best tool right now even if it isn't perfect. You just need to be aware of its limitations. (For the love of god turn off JavaScript)

          I hate to break it to you but the internet itself was created by the US.

          • The team behind it very much does matter because you can infer the motivations from knowing who develops a particular piece of technology. However, my point was that the question with both Signal and Tor is what data they leak based on their technical design. That's what people should be concerned with first and foremost.

            Meanwhile, the internet was created by CERN https://home.cern/science/computing/where-web-was-born

      • Wait until you here about DARPA

    • I use the Molly-FOSS fork, do you know if that removes the metadata collection? I know it doesn't use any Google Play Services and it comes with its own notification bubble though.

      • It doesn't because you're still talking to the same server.

      • Signal does not collect metadata.

        https://signal.org/blog/sealed-sender/

        • that amounts to trust me bro since nobody actually knows what the server does with the data

          • You don't have to trust the server and shouldn't have to trust the server if the client is doing proper E2E because you know the maximum amount of metadata it's got.

          • Signal has been forced by court to provide all the information they have for specific phone numbers [0][1]. The only data they can provide is the date/time a profile was created and the last date (not time) a client pinged their server. That's it, because that's all the data they collect.

            Feel free to browse the evidence below, they worked with the ACLU to ensure they could publish the documents as they were served a gag order to not talk about the request publicly [2].

            [0] https://signal.org/bigbrother/

            [1] https://www.aclu.org/news/national-security/new-documents-reveal-government-effort-impose-secrecy-encryption

            [2] https://www.aclu.org/sites/default/files/field_document/open_whisper_documents_0.pdf#page=8

            • Once again, even if this is the way things worked back in 2016 there is no guarantee they still work like that today. This is the whole problem with a trust based system. You are trusting that people operating the server. It's absolutely shocking to me that people have such a hard time accepting this basic fact.

              • Once again, even if this is the way things worked back in 2016 there is no guarantee they still work like that today.

                You have to trust someone. You're not building all your software and reading every line yourself are you?

                While there's no guarantees, Signal continues to produce evidence that they don't collect data. Latest publication August 8th, 2024: https://signal.org/bigbrother/santa-clara-county/

                The code is open has had a few audits: https://community.signalusers.org/t/overview-of-third-party-security-audits/13243

                This is the whole problem with a trust based system

                Can you point me to a working trustless system? I'm not sure one exists. You might say peer-to-peer systems are trustless because there's no third party, but did you compile the code yourself? did you read every last line of code before you compiled and understood exactly what it was doing?

                It's absolutely shocking to me that people have such a hard time accepting this basic fact.

                What's shocking to me is the lack of understanding that unless you're developing the entire platform yourself, you have to trust someone at some point and Signal continues to post subpoenas to prove they collect no data, has an open source client/server, provides reproducible builds and continues to be the golden standard recommended by cryptographers.

                I would recommend to anyone reading this to rely on the experts and people who are being open and honest vs those who try to push you to less secure platforms.

                • You have to trust someone. You’re not building all your software and reading every line yourself are you?

                  No, you don't have to trust anyone. That's literally the point of having secure protocols that don't leak your personal data. 🤦

                  Signal made an intentional choice to harvest people's phone numbers. The rationale for doing that is very thin, and plenty of other messengers avoid doing this. The fact that Signal insists on doing that is a huge red flag all of its own.

                  The code is open has had a few audits

                  Only people who are actually operating the server know what's running on it. The fact that Signal aggressively prevents use of third party clients and refuses to implement federation that would allow other servers to run is again very suspect.

                  Can you point me to a working trustless system?

                  SimpleX, Matrix, Briar, and plenty of other chat systems do not collect personal data.

                  You might say peer-to-peer systems are trustless because there’s no third party, but did you compile the code yourself? did you read every last line of code before you compiled and understood exactly what it was doing?

                  The discussion in this thread is specifically about Signal harvesting phone numbers. Something Signal has no technical reason to do.

                  What’s shocking to me is the lack of understanding that unless you’re developing the entire platform yourself, you have to trust someone at some point and Signal continues to post subpoenas to prove they collect no data, has an open source client/server, provides reproducible builds and continues to be the golden standard recommended by cryptographers.

                  Kind of ironic that you've exposed yourself as being utterly clueless on the subject while accusing me of lack of understanding.

                  I would recommend to anyone reading this to rely on the experts and people who are being open and honest vs those who try to push you to less secure platforms.

                  I would recommend anyone reading this to rely on rational thinking and ignore trolls who tell you to just trust Signal. Privacy and security are not based on trust, and if you ask any actual expert in the field they will tell you that.

                  • No, you don’t have to trust anyone. That’s literally the point of having secure protocols that don’t leak your personal data. 🤦

                    Unless you're reading all the code, understand the protocols, and compiling yourself you are placing your trust in someone else to do it for you. There's no way around this fact.

                    You suggest SimpleX, Matrix, and Briar (which I believe are great projects btw, I've used them all and continue to use SimpleX and Matrix) but have you read the code, understand the underlying protocols, and compiled the clients yourself or are you placing your trust in a third party to do it for you? Be honest.

                    I will agree though, if you absolutely do not trust Signal, you should use Briar or SimpleX, but neither are ready for "every day" users. Briar doesn't support iPhones so its basically dead in the water unless you can convince family/friends to switch their entire platform. SimpleX is almost there but it still continues to fail to notify me of messages, continues to crash, and the UX needs significant improvement before people are willing to put up with it.

                    The discussion in this thread is specifically about Signal harvesting phone numbers. Something Signal has no technical reason to do.

                    Let me give you a history lesson, since you seem to have no clue about where Signal started and why they use phone numbers. Signal started as an encryption layer over standard text/SMS named TextSecure. They required phone numbers because that's how encrypted messages were being sent. In 2014, TextSecure migrated to using the internet as a data channel to allow them to obscure additional metadata from cell phone providers, as well as provide additional features like encrypted group chats. Signal continued to use phone numbers because it was a text message replacement which allowed people to install the app and see all their contacts and immediately start talking to them without having to take additional action - this helps with onboarding of less technical users. Fast forward to today and Signal is only using phone numbers as a spam mitigation filter and to create your initial profile that is no longer being shared with anyone unless you opt into it.

                    Now, you can say they're collecting phone numbers for other nefarious purposes but they publish evidence that they don't. Will they ever get rid of phone numbers? Unlikely unless they figure out a good alternative to block spam accounts.

                    Privacy and security are not based on trust

                    You're 100% right. If you read the code, understand the protocols, and build the clients from source, you don't have to trust anyone 😊

                    • Unless you’re reading all the code, understand the protocols, and compiling yourself you are placing your trust in someone else to do it for you. There’s no way around this fact.

                      That's why you have a lot of eyes on the code and security experts who dedicate their research to finding flaws and breaking algorithms. It's certainly a very different scenario from simply trusting people who run a server. The fact that this even needs to be said is frankly phenomenal. There's also a concept of reproducible builds, so even if you're not compiling everything yourself you can be reasonably sure that what's package in the binary was in fact compiled from the source. Again, these are solved problems.

                      SimpleX is almost there but it still continues to fail to notify me of messages, continues to crash, and the UX needs significant improvement before people are willing to put up with it.

                      If people genuinely care about privacy then it's important to promote apps that actually care about privacy by design and invest in improving these apps instead of just perpetuating the problem by recommending Signal. Even Matrix is far better in terms of privacy and it's plenty mature at this point.

                      Let me give you a history lesson, since you seem to have no clue about where Signal started and why they use phone numbers.

                      I'm well aware of the history, and the justifications. The fact remains is that I simply do not trust Signal knowing where it originates.

                      Fast forward to today and Signal is only using phone numbers as a spam mitigation filter and to create your initial profile that is no longer being shared with anyone unless you opt into it.

                      The correct statement is that Signal claims to do this, there is no way for an outside party to verify that this is actually the case, hence why it comes down to you taking what people operating Signal say on faith.

                      You’re 100% right. If you read the code, understand the protocols, and build the clients from source, you don’t have to trust anyone 😊

                      Trusting countless researchers an security experts to read the code, understand the protocols, and provide reproducible builds, is a lot better than trusting a sketchy US company that was started by the CIA and NED. I guess that's a concept that's difficult for some to wrap their head around though.

                      • Even Matrix is far better in terms of privacy and it’s plenty mature at this point.

                        I would disagree, this guy's been finding issues and reporting them to Matrix for a while now and appears to find them every time he glances at the project. I LOVE Matrix. I would recommend it over Discord, Telegram etc, but I would not recommend Matrix over Signal.

                        The fact remains is that I simply do not trust Signal knowing where it originates.

                        This is fair. No critique against this stance.

                        Trusting countless researchers an security experts to read the code, understand the protocols, and provide reproducible builds,

                        I agree! Trust the countless researchers, security and cryptography experts.

                        ... is a lot better than trusting a sketchy US company that was started by the CIA and NED.

                        You're gonna have to cite your sources.

              • True but I find the opposite end of the spectrum hard to believe. Extraordinary claims require extraordinary proof.

                What is known is that government agents from countries like Iran, China and Russia actively are spreading misinformation. Not to say that you are a government agent but you should doubt the argument on both sides. For instance, using Signal is way better than not using an audited encrypted messager. Often times I see people jump to worse platforms. I think it is important to understand the problems with Signal.

          • True, however your claim lacks evidence. They have your phone number and a few time stamps. That isn't going help much.

            • My claim is that privacy should not be based on trust. This appears to be a very difficult concept for people in this thread to understand.

              • You always will have to trust something at some level.

                • Yeah, you trust that the encryption algorithm is designed correctly and that it doesn't leak data because many people have audited it and nobody found a flaw in it. You absolutely will not have to trust people operating servers however. If you can figure out why e2ee is important then I'm sure you'll be able to extrapolate from that why metadata shouldn't be seen by the server either.

        • I'm not very tech-savvy, and that article looks very nice, but it's kind of old and it's true that they haven't been as transparent (and frequently audited) as other services and they still require a phone number to set up an account, even if you can switch to only using a username later. Also, they removed encrypted database, and Molly brings that back which is the main reason I use it. Another thing I don't like about Signal is how ferociously they've tried to shut down forks in the past, and how they don't say that you need Google Play Services for it to work properly. Sadly it's the only "privacy-conscious" service I've managed to make most of my family and friends use, after trying for years.

          • They only shut down forks that violate Signal branding. Mozilla does the same thing with Firefox.

            It is libre so if you fork it there is nothing they can do. Also if they were really hostile they would of used a non libre license or made it entirely proprietary.

      • They have your phone number and time stamps. Nothing more nothing less. Also chances are that isn't being used to create a massive social graph or whatever the Lemmy.ml users are going on about.

        For most people it doesn't matter. Signal has the benefit of being widely adopted and being easy to use. Simplex Chat is another alternative although it isn't as well funded or as well known.

    • Cross referenced you on the sister thread.

      People there positing that this is no correct. Granted their info appears to be signal "disclosed" to the feds as part of a court proceed what it collects, which is only apparently when you connect to the server.

      Doesnt answer the issue if they could collect your call logs though

    • This message is definitely giving all the vibes of a disinformation/misinformation attempt. There is no metadata to harvest from signal.

      Here is an example of all the extent of data that signal has on any given user: https://signal.org/bigbrother/cd-california-grand-jury/

      It involves phone number, account creation time and last connected time. That's it. Nothing more.

      The cross referencing of data is just nonsense. Google and meta already have your phone number. Adding signal info to it adds absolutely zero information to them. They have it all already. They know nothing of who you talk with, which groups you are part of.

      The funding of Signal did involve public grants but that's not anything bad. Many projects and nonprofits receive public money. It does not imply that there are backdoors or anything like that. And signal was purposefully designed so that no matter who owns and operates it, the messages stay hidden independently on the server infrastructure. They did the best possible to remove themselves from the chain of trust. Expert cryptographers and auditors trust signal. Don't listen to this random ramble of an online stranger whose intentions are just to confuse you and make you doubt.

    • There is no metadata harvesting on Signal and the use of a phone number is so convenient and helped massively with adoption from the general unaware public.

      I loved that it acted as a private and secure drop in replacement for SMS (particularly before they removed that integration) that does what I needed and does it very well and easily connects me with people that already have my number. This made sharing Signal very easy. The only data Signal has to even provide to the authorities is your registration date, phone number, and time of last connection. The absolute minimum. It's fantastic. If you compare this to Whatsapp which has everything but the exact content of your messages, it's not even a contest.

      For myself on Signal and everyone else I've known that that uses Whatsapp or Insta or whatever, the extra absolute anonymity of also removing phone numbers from the already small equation just isn't needed or worth it, otherwise you wouldn't be using Signal, let alone fucking Facebook.

      • You can believe whatever you want of course, but the reality is that Signal collects phone numbers on registration and these can be used in many ways. The fact that you chose to trust Signal to be a good actor is your prerogative, but it's based purely on your faith which is not how privacy or security works.

        • I don't think you're aware of how independent audits, open source, good cryptography, a non-profit, government data subpoenas, and a lack of data collection works. That is what I have faith in. If you're this concerned over someone having just your phone number, call your phone carrier, cancel your plan, and destroy your SIM card because whatever you're paranoid about happening to your phone number is already being done by countless entities that are not Signal.

          • I don’t think you’re aware of how independent audits, open source, good cryptography, a non-profit, government data subpoenas, and a lack of data collection works.

            I think that you maybe the one who doesn't understand how any of this works. Security and privacy are guaranteed by design, and any information that is collected has to be assumed to be available to bad actors. Period. The same reason logic about trusting the server to do the encryption applies to letting the server handle metadata. No amount of audits can guarantee that people operating the server are doing it in good faith.

            Meanwhile, the concern isn't just about somebody having your phone number it's about Signal server having the ability to map out relationships between these numbers. It's perfectly fine for people to reason that this is not something they're worried about, and make an informed choice to use Signal. However, it's incredibly disingenuous to pretend this problem doesn't exist.

            • Edit: nevermind I typed a lot but that Lemmygrad user made a far better post that I agree with.

You've viewed 272 comments.