
Signal looks more secure and private than it is. Maybe add digital exclusion or digital sovereignty attributes.

Status: Open. bruceleerabbit opened this issue 10 months ago • 5 comments

The IM comparison makes Signal look better than it is. Consider that a 15-year-old kid figured out how to deanonymize Signal users along with those of other Cloudflare apps. Signal’s dependency on CF is astonishing and foolish. And we know from this long list of Signal issues that Signal exposes users to many bad players.

Two possible interesting attributes to add:

  • digital exclusion: if some demographic of people are excluded from a platform, it’s important to note this. Signal has “Phone number or Username” in the privacy:userid box, but that does not disclose the fact that users must register a mobile phone number to get access. And in many countries they must get a national ID card and register their national ID to their phone number. There should be a screaming red box for that because it’s both an exclusion factor and a privacy detriment.

  • digital sovereignty: Signal is not on F-Droid and the APK download is concealed and discouraged. Signal pushes users into walled gardens like the Google Play Store because they want to collect stats. An app should only get a green box for digital sovereignty if there is no relationship with tech giants or pressure to connect to tech giants.

From there, I’m not sure off the top of my head what other attributes to cover. Perhaps a “notes” attribute is needed to collect miscellaneous pros/cons.

bruceleerabbit, Jan 26 '25 17:01

> Consider that a 15-year-old kid figured out how to deanonymize Signal users along with those of other Cloudflare apps.

They use Cloudflare as a form of CDN. Using a CDN is nearly mandatory for an app of this scale for hosting static content. How else would they host the static files? Incredibly strange for you to claim this somehow makes it a Cloudflare app. A bunch of the apps are using CDNs and popular cloud hosting companies. Which ones aren't doing it? The federated ones are still doing it such as Matrix having the vast majority of users on matrix.org which is entirely behind Cloudflare, not only static file hosting like Signal but the entire service as a whole. People using another server still have to use Cloudflare in practice with Matrix due to matrix.org and other servers using it. They don't have much choice since it would be ridiculously easy to DoS without it. It's still far too easy even with Cloudflare in front.

The huge number of insecure devices which are compromised through unpatched security vulnerabilities results in massive DDoS attacks on services. This forces services with lots of users which are going to be targeted with DDoS attacks to use a service like Cloudflare or at least a large cloud hosting provider with huge data centers that's able to provide a weaker form of protection for the servers hosted there. This is the direction the internet is evolving in large part due to so many insecure devices and servers being connected to it. Lack of reverse path filtering by ISPs is an issue too. In https://github.com/eylenburg/eylenburg.github.io/issues/118, you're directly advocating for people using insecure devices missing any firmware patches and in most cases driver patches. That goes against not wanting centralization of the internet since that's largely a consequence of these kinds of insecure devices. A huge number of devices without cellular and Wi-Fi firmware updates are a huge liability. Mass compromising cellular radios and using them as a botnet is entirely possible without even needing to exploit the OS from the isolated radio. It's a huge growing liability for the health of the internet just as similar insecure devices are. You're promoting having more of it.

> And in many countries they must get a national ID card and register their national ID to their phone number.

This isn't correct. You only need to buy a number online for receiving texts. You don't have to use the phone number assigned to a phone by a carrier. They require a phone number as an anti-spam feature and you can choose not to share it with your contacts or be discoverable through it.

> Signal is not on F-Droid and the APK download is concealed and discouraged.

F-Droid has major security issues and the people running it have demonstrated they do not care about security and aren't trustworthy. That includes engaging in very clear cut harassment towards multiple different security researchers and spreading fabricated stories about them.

> Signal pushes users into walled gardens like the Google Play Store because they want to collect stats.

This is a completely false and unsubstantiated claim. Signal does not somehow get data from people based on them obtaining it from the Play Store. People can use Signal via the Molly fork that's only available outside the Play Store including through the Accrescent app store.

> An app should only get a green box for digital sovereignty if there is no relationship with tech giants or pressure to connect to tech giants.

Not going to be green for anything that's listed.

thestinger, Jan 27 '25 01:01

> * **digital exclusion**: if some demographic of people are excluded from a platform, it’s important to note this. Signal has “Phone number or Username” in the privacy:userid box, but that does not disclose the fact that users _**must**_ register a _**mobile**_ phone number to get access. And in many countries they must get a national ID card and register their national ID to their phone number. There should be a screaming red box for that because it’s both an exclusion factor and a privacy detriment.

This is already covered with the row "Anonymous sign-up possible?" where Signal has a red "no" for requiring a phone number, which as you mention is connected to a government ID in most countries, though of course some workarounds like paid online services for "burner" numbers are still possible.

> * **digital sovereignty**: Signal is not on F-Droid and the APK download is concealed and discouraged. Signal pushes users into walled gardens like the Google Play Store because they want to collect stats. An app should only get a green box for digital sovereignty if there is no relationship with tech giants or pressure to connect to tech giants.

There's Signal-FOSS and Molly which are available through external F-Droid repos, and the Signal app still works without Play Services. So while I would agree that the Signal developers mainly cater towards "normal" Android users, users who want to degoogle or use FOSS wherever possible are not excluded.

The main problems with the "digital sovereignty" proposal are that (1) it's hard to come up with easy-to-check criteria (like "Yes/No/Partial"), (2) it's already partially covered, for example some messengers have the comment "(needs Google Play for push notifications)" in the Android row, and (3) if you want to be strict and exclude stuff like not using Cloudflare CDN or not being hosted on Azure or AWS then this excludes most of them.

eylenburg, Jan 27 '25 14:01

There are many ways to get non-KYC numbers internationally. You can even get non-KYC cellular service via providers like https://silent.link/. There are also VOIP providers like https://jmp.chat/. Signal only needs the ability to receive texts, so it really doesn't need a fully functional number, let alone cellular service, so neither of those services is actually needed and there are cheaper options, although I don't know a trustworthy one to point to.

thestinger, Jan 27 '25 14:01

@thestinger

> They use Cloudflare as a form of CDN. Using a CDN is nearly mandatory for an app of this scale for hosting static content. How else would they host the static files?

They first decided to host the files as opposed to p2p. Design decisions have consequences. Then they couldn’t afford the hosting cost so they hired a data abuser from a country without privacy safeguards. Their excuses are not relevant here, whatever they are. What matters to users is exposure to tech giants, mass surveillance, security risks, and the ethical consequences of feeding the baddies. Extra bonus points for concealing it from users. An impartial comparison page has the extra duty to expose the issues.

> The federated ones are still doing it such as Matrix having the vast majority of users on matrix.org which is entirely behind Cloudflare,

Indeed Matrix is reckless and I avoid it for this reason. The values pimped by that project are incompatible with Cloudflare.

> And in many countries they must get a national ID card and register their national ID to their phone number.

> This isn't correct. You only need to buy a number online for receiving texts.

This is like saying the road has no barricade because you can buy an off-road vehicle and drive around the barricade. The barricade is there whether you circumvent it or hack through/around it or not. It’s intellectual dishonesty to conceal an anti-feature on the basis that it can be circumvented. It should be exposed and whether or not to clutter it with hacks would be a separate decision.

> F-Droid has major security issues and the people running it have demonstrated they do not care about security and aren't trustworthy.

It’s been studied. F-Droid is more secure than Google Playstore.

> This is a completely false and unsubstantiated claim. Signal does not somehow get data from people based on them obtaining it from the Play Store. People can use Signal via the Molly fork that's only available outside the Play Store including through the Accrescent app store.

You really need to look at the cited sources before responding. This was cited in the long list of problems in the OP as well as the F-Droid research.

> Not going to be green for anything that's listed.

What would you write in the red box for digital sovereignty in the Delta Chat and XMPP columns?

Even if all boxes are red, they are red for different reasons and those different reasons are interesting for users.

@eylenburg

> This is already covered with the row "Anonymous sign-up possible?" where Signal has a red "no" for requiring a phone number,

Sorry, I missed that. But it’s insufficient. You cannot use just any phone number. Signal requires a mobile phone number, which exposes people to exclusion, an excessive attack surface, and a variety of other objectionable circumstances. The cell should be updated to specify “mobile” phone number.

> which as you mention is connected to a government ID in most countries, though of course some workarounds like paid online services for "burner" numbers are still possible.

Indeed the table need not expose all the various side effects of mobile phone number disclosures and the shitshow that manifests from that -- just the fact that a mobile number is required is sufficient. People generally know what baggage and shit that brings. But to just say “phone number” is deceiving. My phone number won’t work, for example.

Pinger numbers are a can of worms. I would not mention them on the comparison table. It’s a hacker workaround. I maintain a link farm of gratis pinger numbers but they are all spent on registrations for well-known services so they will not work. You have to buy a clean number that’s ahead of the whack-a-mole game. That costs money, and that brings in a separate can of worms too because most money is also traceable.

There is also the dark net option of paying cryptocurrency for a 100 pack of accounts by various tech giants (google, linkedin, twitter, signal,.. etc). The table should not cover that either. Signal expects people to disclose a mobile phone number plain and simple. And that’s what the table should reflect.

> There's Signal-FOSS and Molly which are available through external F-Droid repos and the Signal app still works without Play Services. So while I would agree that the Signal developers mainly cater towards "normal" Android users, users who want to degoogle or use FOSS wherever possible are not excluded.

This compels the question: who is the target audience? It’s a bit off to present the official Signal™ app and then give it the benefit of FOSS alternatives. The XMPP column cites a specific app. Whatever app is chosen, the column should be true to that choice. If the official app is in the table and not Signal-FOSS or Molly, then the detriment of that choice should also be exposed. Perhaps Signal-FOSS or Molly should take the place of Signal™ on the table to compare the better options.

bruceleerabbit, Jan 27 '25 22:01

> They first decided to host the files as opposed to p2p. Design decisions have consequences. Then they couldn’t afford the hosting cost so they hired a data abuser from a country without privacy safeguards. Their excuses are not relevant here, whatever they are. What matters to users is exposure to tech giants, mass surveillance, security risks, and the ethical consequences of feeding the baddies. Extra bonus points for concealing it from users. An impartial comparison page has the extra duty to expose the issues.

What's the objective criteria which makes them a data abuser, and where do you think things should be hosted? EU does have privacy safeguards from companies but also very oppressive behavior from the governments. That includes imprisoning developers for writing open source privacy software based on how it gets used (Tornado Cash as one of several major examples), backdooring chat services (https://notes.valdikss.org.ru/jabber.ru-mitm/), ongoing efforts to begin chipping away at end-to-end encryption being legal to various degrees (Chat Control, etc.) and gradually working towards making it illegal for companies to create and sell privacy-focused products such as privacy-focused phones by portraying them as being for criminals. EU is not a privacy and freedom paradise.

> Indeed Matrix is reckless and I avoid it for this reason. The values pimped by that project are incompatible with Cloudflare.

Wouldn't put this near the top of a list of what's wrong with Matrix.

> This is like saying the road has no barricade because you can buy an off-road vehicle and drive around the barricade. The barricade is there whether you circumvent it or hack through/around it or not. It’s intellectual dishonesty to conceal an anti-feature on the basis that it can be circumvented. It should be exposed and whether or not to clutter it with hacks would be a separate decision.

They should provide the option to pay a small one-time fee for an account instead of using a phone number but there is a reason they have that requirement and many people would be very angry about them including the option to pay $2 for an account with Monero which is how we would handle it.

> It’s been studied. F-Droid is more secure than Google Playstore.

This is not about the security or trustworthiness of F-Droid itself. F-Droid has major security weaknesses and has engaged in repeated coverups of security issues and attacks on security researchers. They're having major disputes among their developers over it which have been a factor in multiple people leaving the project recently.

> You really need to look at the cited sources before responding. This was cited in the long list of problems in the OP as well as the F-Droid research.

Doesn't address what was said. Here's WireGuard's developer posting about it for another perspective:

https://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404

The ancient research you're linking has nothing to do with F-Droid's own poor security practices and anti-security views.

> What would you write in the red box for digital sovereignty in the Delta Chat and XMPP columns?

XMPP is not very decentralized. It has rooms based on specific servers. Users have an account on a server of their choice but when they join a chat room, that's hosted on a particular server. It's not as decentralized as Matrix. Both Matrix and XMPP end up having tons of data and metadata about users on servers they didn't really choose but rather the chat rooms they want to use chose them. It also means their data and metadata is spread to each of the servers of people using those rooms. These systems result in data being spread around to a bunch of extra parties. Sure, you can self-host XMPP without federation and only have people use your own server. Many other centralized open source chat systems exist. The way the federation works actually goes against privacy and control over your data though. Matrix is a more extreme case. A centralized chat service is in fact better in many ways than this federation approach for privacy and control over your data which is not truly decentralized at all. It is decentralized only in the same sense that email is decentralized. If XMPP or Matrix were massively successful then large companies would end up having the bulk of the users on servers they run, and they'd be heavily federating and getting tons of the data/metadata from users elsewhere too since the users from those major servers would be a major portion of the overall userbase including in private rooms. Federation is not actually generally good for privacy and is not as decentralized as it's made out to be.

> Sorry, I missed that. But it’s insufficient. You cannot use just any phone number. Signal requires a mobile phone number, which exposes people to exclusion, an excessive attack surface, and a variety of other objectionable circumstances. The cell should be updated to specify “mobile” phone number.

It doesn't require a mobile phone number. It requires a number able to receive a text. It does not have to be a number assigned to a phone by a carrier.

> Indeed the table need not expose all the various side effects of mobile phone number disclosures and the shitshow that manifests from that -- just the fact that a mobile number is required is sufficient. People generally know what baggage and shit that brings. But to just say “phone number” is deceiving. My phone number won’t work, for example.

Anything able to receive a text will work. Does not need to be able to send a text or support calls. Definitely doesn't need to have data.

> Pinger numbers are a can of worms. I would not mention them on the comparison table. It’s a hacker workaround. I maintain a link farm of gratis pinger numbers but they are all spent on registrations for well-known services so they will not work. You have to buy a clean number that’s ahead of the whack-a-mole game. That costs money, and that brings in a separate can of worms too because most money is also traceable.

There are reputable services providing phone numbers which take payments via Monero, etc. Something costing money does not mean it cannot be private. There are forms of money with decent or excellent privacy. Monero is currently at the decent tier moving towards better cryptography to reach an excellent tier where statistical analysis, etc. won't be the issue they are now.

> There is also the dark net option of paying cryptocurrency for a 100 pack of accounts by various tech giants (google, linkedin, twitter, signal,.. etc). The table should not cover that either. Signal expects people to disclose a mobile phone number plain and simple. And that’s what the table should reflect.

There are perfectly legitimate VPN, VOIP and mobile plan services which accept cryptocurrency payments. Mullvad, jmp.chat and silent.link are examples of each of those. The latter 2 being usable for Signal numbers and a VPN being something generally relevant to this topic.

> This compels the question: who is the target audience? It’s a bit off to present the official Signal™ app and then give it the benefit of FOSS alternatives. The XMPP column cites a specific app. Whatever app is chosen, the column should be true to that choice. If the official app is in the table and not Signal-FOSS or Molly, then the detriment of that choice should also be exposed. Perhaps Signal-FOSS or Molly should take the place of Signal™ on the table to compare the better options.

It would be possible to just cover the differences within the cells that are relevant without whole separate columns since they're variants of the same app.

thestinger, Jan 28 '25 01:01