Nowadays, a majority of apps require you to sign up with your email or even worse your phone number. If you have a phone number attached to your name, meaning you went to a cell service/phone provider, and you gave them your ID, then no matter what app you use, no matter how private it says it is, it is not private. There is NO exception to this. Your identity is instantly tied to that account.
Signal is not private. I recommend Simplex or another peer to peer onion messaging app. They don’t require email or phone number. So as long as you protect your IP you are anonymous
Signal is private; what you should differentiate is being anonymous or not. Using your usual phone number is NOT Anonymous but is PRIVATE, as in the content of your messages being only available to you and the person you’re talking to.
The way you get a phone number depends on you too, so you can very much be Anonymous even if Signal requires a phone number.
The phone number drives me nuts since mine changes every few months; everyone I know has my VoIP number that gets everything forwarded to each new number.
You are very naive if you think that a company located in the US can provide an encrypted messaging service that can be used by anyone including terrorists, drug lords and US enemies without the government being able to access the messages. Lavabit was a famous case and had to shut down because its founder refused to comply with an order from the US government to grant access to information. If you are using a centralized communication service located in the US, forget about privacy.
“Lavabit is believed to be the first technology firm that has chosen to suspend or shut down its operation rather than comply with an order from the United States government to reveal information or grant access to information.[3] Silent Circle, an encrypted email, mobile video and voice service provider, followed the example of Lavabit by discontinuing its encrypted email services.[25] Citing the impossibility of being able to maintain the confidentiality of its customers’ emails should it be served with government orders, Silent Circle permanently erased the encryption keys that allowed access to emails stored or transmitted by its service.[26]”
“Levison (founder) explained he was under a gag order and that he was legally unable to explain to the public why he ended the service.[21]”
Since when is encryption dependent on the service’s jurisdiction? When Signal has been subpoenaed, it has always been incapable of providing data that involves the content of the conversation: https://signal.org/bigbrother/
The app is also open source with reproducible builds (and you can use Molly instead, if you prefer) and when the clients of an end-to-end encrypted system are sound, that is all that matters to secure the content of the communication.
Audits are also performed as listed here https://community.signalusers.org/t/overview-of-third-party-security-audits/13243
I don’t understand where this doomerism comes from tbh, (online) privacy will cease to exist when either maths does or it becomes globally illegal to use encryption and the government’s intrusion is really so pervasive that they constantly know what you’re doing. Luckily we don’t yet live in that world, though the pressure is real and we are the first that have to fight for this basic human right
Email is a very different thing.
You can’t protect against emails being received in plain text.
Don’t know the technicalities of the specific case you are referencing, but I know that if the government wants to they can middleman any received email before the provider can encrypt it for storage on their servers (by forcing the provider to let them).
On the other hand, if you use an end to end encrypted chat app, you can’t middleman any messages from the providers side by force because the messages are always encrypted on the users device before being sent.
I don’t know about Lavabit specifically, but typically encrypted emails are encrypted on your client computer and decrypted on the recipient’s computer. It is conceptually the same thing as an “end to end encrypted chat app”… just in email form.
Yes, that works if both the sender and receiver encrypt the emails before sending them.
I specifically mentioned incoming plaintext (unencrypted) email.
Since mail is technically decentralised, not everyone is using protonmail for example, so protonmail can only perform e2e encryption on protonmail to protonmail email sending (they let you encrypt mail to people outside but it’s not as seamless).
Nevertheless, I was mentioning incoming plaintext emails, which email providers have to encrypt before storing. The government can middleman that procedure and read the incoming mail before it’s encrypted by your provider (protonmail, etc).
(This is one of the reasons why Lavabit may have shut down: you can’t protect against incoming plaintext mail.)
https://en.wikipedia.org/wiki/Tor_(network)#History
The US has a law that applies to any US company operating within its borders: it is illegal to tell your users that the US government has asked your company to spy on their behalf. This is called a key disclosure law, and the US’s version of it, called National Security Letters, underwent an expansion with the PATRIOT act; by 2013, President Obama’s Intelligence Review Group reported issuing, on average, nearly 60 NSLs every day.
Companies that don’t comply with this law are forced to shut themselves down, or remain open, and grant access to user communications to the US government. The Signal foundation is a US domiciled company and must comply with this law without being able to disclose that they have been issued an NSL letter.
Comply with the government order of granting access to messages or shut down implies that we are already in that world, long ago. What makes you think that what happened to Lavabit and Silent Circle would not happen to Signal? Only wishful thinking can make you think that; evidence tells you otherwise.
And given their scale and length of time they have been around, it is guaranteed that they have been complying for some time.
It is so ironic that we run into so much cognitive dissonance on this issue. It is so weird that people have such an emotional attachment to this product.
Ok government here are the messages i’m legally required to provide you.
If it’s so easy, why did Lavabit and Silent Circle have to shut down?
Do you understand what encryption means? Genuine question.
If a company is compelled to spy on its users, it doesn’t mean hack them. (Although perhaps there are some edge cases where you have to wonder about the exact definition of hacking.)
Obviously you are missing the point. Even Gmail is private if you are going to do the job of encrypting your messages by yourself, but that’s irrelevant to what we are discussing here.
What we are discussing here is that if you are a company offering a service of encrypted communications located in the US, the government has all the power to force you to shut down if you don’t give them access to what they want. And that’s not speculation, they’re actively doing it because they are backed by the law.
Why are people so naive, thinking that the government is not going to do something to get what they want when the law is on their side, when sometimes they don’t hesitate to do it even when it’s blatantly illegal?
The only way to avoid surveillance is with free, open source and decentralized software. If there is a company in charge of running the software, that’s a vulnerability and, like the cases already mentioned, those in power are going to exploit it, shutting the service down if the company doesn’t comply.
It doesn’t matter how much you like or trust the service, there’s simply no reason why they wouldn’t do it again when they already did it successfully. Why some people who care about privacy can’t see this obvious fact is beyond my understanding.
Alright I think I know what you mean, but I’m still not sure we’re actually on the same page regarding encryption.
If a company is forced to do whatever the government commands it to do, that’s only valid within certain constraints.
For example, the company cannot be forced to grow wings and fly to the heavens. That’s physically impossible.
Similarly, it also cannot provide the decrypted messages of its users because it (like Signal) does not have the KEYS that are absolutely 100% necessary for decrypting the encrypted messages of its users. So, again, it’s physically impossible to hand over either the keys or the decrypted messages.
However, there is one remedy that Signal CAN do, if somehow forced. That’s changing the Signal program. It certainly can push an update that sends Signal the keys for decryption.
However, at that point, the source code at GitHub doesn’t match the compiled binary of the program anymore, and there’s a very good chance people would notice, and thereby people would lose trust in Signal.
I’m not sure about the examples you gave about the government being successful in obtaining user details of a company. Were those details encrypted as well? Was the source code publicly available? Was the program popular?
Signal is free and open-source. It cannot be denied that basically everything, including minor details like usernames, is end-to-end encrypted and kept secure. The Signal protocol has been proven to be secure by many independent experts and thus it is mathematically impossible for Signal to gain access to your sensitive information (except for your phone number, obviously).
A phone number alone just won’t do much.
Signal is not open source, it’s a centralized US service, and you have no idea what their server is running. They even went a full year without publishing server code updates at one point, until it caused enough of a backlash that they started doing it again. But publishing that is no guarantee of anything, because you have no access to their server.
A phone number in most countries, including the US, means your real name and address.
People who actually care about privacy: the quality or state of being apart from company or observation (definition), wouldn’t want a company knowing their phone number and thus identity tied to their phone number. Maybe you believe in a lower level of privacy than I do. That’s fine but my post was for people who never thought about it but will care and those who should care.
It is disturbing that this comment is downvoted to -11, at the time of my reading, on a service that is specifically designed for people who value privacy. Is it because of some government bot, or are enough people really that emotionally attached to this product that despite the clear logic they are reacting in discomfort?
I don’t know which option is more disturbing.
I get that a lot of people don’t really value privacy that much, and are only interested in making a half hearted attempt. That is fine. But why the gross amount of denial? Why not just be honest that they think it is good enough for them, and not worth changing.
These people are sheep. It’s insanity. They worship these companies. I feel like I’m arguing with cultists.
Signal doesn’t know your phone number, though. It’s only used to identify other users in your contacts, and not a single thing about it is stored.
That’s not true. When asked to provide data, Signal is able to give your phone number and the last login time.
Signal stores the hash of the phone number. So you can query them for a specific phone number, but are unable to figure out phone numbers based on the hashes (outside of brute force - trying every 12-digit phone number).
And after doing that, you learn “this person uses/used Signal”, with no information about particular messages whatsoever.
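Added example, not part of the thread and not a description of Signal's server: the brute-force caveat in the comment above, shown on a constructed number with only four unknown digits, next to a keyed hash as the mitigation. The unkeyed SHA-256 scheme, the number, the prefix and the key are all assumptions made for illustration.

```python
import hashlib
import hmac
import math

TARGET = "+12025550147"   # constructed number (fictional 555-01xx range)
PREFIX = "+1202555"       # assumption: country/area/exchange already known
SERVER_KEY = b"constructed-demo-key"  # hypothetical server-side secret


def plain_hash(number):
    """Unkeyed SHA-256 of the number (assumed scheme, illustration only)."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_hash(number, key=SERVER_KEY):
    """HMAC-SHA-256 of the number; useless to test guesses without the key."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def enumerate_suffixes(digest, prefix, digits, hash_fn):
    """Hash every `digits`-long suffix; return (matching number, attempts)."""
    for i in range(10 ** digits):
        candidate = f"{prefix}{i:0{digits}d}"
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate, i + 1
    return None, 10 ** digits


def keyspace_bits(digits):
    """Entropy in bits of a uniformly random decimal string of this length."""
    return math.log2(10 ** digits)


if __name__ == "__main__":
    # A stored unkeyed digest is recovered by plain enumeration.
    print(enumerate_suffixes(plain_hash(TARGET), PREFIX, 4, plain_hash))
    # The same enumeration against a keyed digest finds nothing without the key.
    print(enumerate_suffixes(keyed_hash(TARGET), PREFIX, 4, plain_hash))
    # Twelve decimal digits carry under 40 bits, far less than a 128-bit key.
    print(round(keyspace_bits(12), 1))
```

The keyed variant only protects digests that leak without the key; whoever holds the key can still test any number it chooses.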
Okay, I was not aware that it was only the hash of the phone number. I was under the impression that it was the phone number itself.
Wow. You give them your phone number to sign up. They text you a confirmation code but they don’t know your phone number. Magic