“Telegram is not a private messenger. There’s nothing private about it. It’s the opposite. It’s a cloud messenger where every message you’ve ever sent or received is in plain text in a database that Telegram the organization controls and has access to it”
“It’s like a Russian oligarch starting an unencrypted version of WhatsApp, a pixel for pixel clone of WhatsApp. That should be kind of a difficult brand to operate. Somehow, they’ve done a really amazing job of convincing the whole world that this is an encrypted messaging app and that the founder is some kind of Russian dissident, even though he goes there once a month, the whole team lives in Russia, and their families are there.”
" What happened in France is they just chose not to respond to the subpoena. So that’s in violation of the law. And, he gets arrested in France, right? And everyone’s like, oh, France. But I think the key point is they have the data, like they can respond to the subpoenas where as Signal, for instance, doesn’t have access to the data and couldn’t respond to that same request. To me it’s very obvious that Russia would’ve had a much less polite version of that conversation with Pavel Durov and the telegram team before this moment"
you can never validate what code a server is running, so having FOSS server code is kinda a moot point: it can’t add anything useful to the privacy conversation
the only way you can guarantee privacy is with the client code, and they have repeatable builds so you can validate the code that’s encrypting the messages, and in that case it barely even matters if their server is streaming all the data they receive to some shady other place… especially with sealed sender
Most halfway-decent messaging services (unlike signal) are self-hostable. So yes with actual open source software, that’s very possible.
that comes down to a difference in philosophy i think… signal have detailed their reasoning for not making signals servers decentralised and self hostable, and i don’t disagree with some of them… i think everything is a trade-off, and decentralisation has scaling and usability issues
signal has done a pretty good job of creating a platform that’s much much better than alternatives in a package that’s consumable by the general public
i’m not sure that something that’s more like matrix, or xmpp, etc could do that
it might be theoretically and technically not quite as perfect, but its impact on increased privacy across the globe has been far larger because they’ve made some of those compromises
I can’t really trust anyone’s security philosophy when they market their service as “secure”, but then have it built on required phone numbers (linkable to your real identity), and a single centralized US-based server subject to national security letters.
Anyone who came up with this idea of security should be laughed out of the room.
I’m convinced signal’s entire support is similar to apple’s : they make vague untestable claims about security, whilst having a shiny and functional app.
There are so many self-hostable alternatives that have signal beat on both those, that make any reason for using it moot.