Let’s hope they’ll be able to continue to use it. It (and all other messengers with proper E2EE) is already on track to be outlawed in Sweden and France, and the new government in Germany will be pro mass-surveillance, too.
Moral of the story? Use
selfhostabledecentralized messaging instead.Milk is getting more expensive. Moral of the story: Buy a cow.
I really wish people would stop being so delusional about the average person’s technological abilities. jUsT TeLL grAn To sPin Up a mATrIx SErvEr… stfu
“Everyone should be hosting a server” was NOT my point, sorry if I got misunderstood. My mother could in no way host an XMPP server on her own - but I could register her an account on mine.
Rather, I meant: a) if you can host it, suggest your friends and family to use your server; b) if you can’t - that is still better: with multiple public servers available, there is no single point of failure, you can choose a server in whatever jurisdiction you want, or even an onion/i2p one.
Sorry for being harsh at the end. I just see this notion too often.
But still, your option b) is not self hosted. Maybe a better word to use would be decentralized then?
Selfhost able. But yeah, “decentralized” would be indeed a more fitting term.
That’s just pedantry. ‘Selfhosted’ never meant that every single user has to host it themselves.
It’s not pedantry, it’s using the right terminology.
And yes, self hosted means hosted by yourself. It’s in the name. https://en.wikipedia.org/wiki/Self-hosting_(web_services)
The promise of self hosting is that you own your data which may be better for privacy/security if you know what you are doing. The same doesn’t apply if you have to trust a third party, even if it is a friend/family member who provides you with a service they host. They become a service provider to you.
self hosted means hosted by yourself
A lot of selfhosters share with family. I’m not gonna make my wife spin up her own servers when she can use mine.
That’s called ‘peer-to-peer’, not ‘hosting’.
i rather talk to my grand parents over ham radio than giving them a smartphone
Are you the only one who decides that? My grandparents have a bunch of children and grandchildren, if I tried to take their smartphone away the others would just call me an asshole and give them a new one.
No way in hell my relatives are going to use a messenger I selfhosted. My brother doesn’t even use Signal for whatever reason, even though even my grandmother has it.
That is the problem of getting another person to change something… A very valid problem but not inherent to decentralization.
Kinda is, though - regular people have a lot more trust in centralized services, and Signal has a very large userbase compared to anything selfhostable. And IME they really, really hate installing new messengers.
Plus, selfhosted E2EE would still be just as illegal as Signal. Many people won’t be willing to participate in illegal activity, and if you just don’t use E2EE on your selfhosted solution the usefulness seems rather dubious.
I don’t think any ban on such selfhostable servers is enforceable at all.
What if the government shuts off the app source (and source code) and makes it illegal for anyone to download or redistribute it?
It doesn’t necessarily have to be enforcable to deter most people. At minimum, with such a ban there’s zero chance to communicate with government agencies with E2EE.
well in the end it’s just HTTPS traffic… police has to search your phone to know if you are a user.
but if you federate (on clearnet), that could give away that you host it
Well, technically, they could MITM the traffic similarly to how they did to jabber . ru. But a) there are mitigations for this and b) more importantly - they would need to bother. No one’s going to bother doing it to a random family server that has attracted no previous attention.
We have never come across one that is as easy to use as Signal and has no problems with encryption, either that it can have its encryption turned off, it breaks easily or that it makes dubious claims with few-no audits to back them up.
Plus the common person enjoys the fun features of Signal or other easy messengers, most decentralised messages do not have these features, are indefinitely working on them or make them not as easy to use, leading to most being uninterested in those messengers.
We have tried most if not all of them, than most and they are definitely lacking as much as we wish they were not. Decentralised encrypted (or partially encrypted) messengers always seem to have problems whether it’s with their encryption, moderation tools, connectivity or the lack of other features.
My dad just said in the WhatsApp group, why not move to signal. I tried moving friends and family before, but now that there has been anti meta media reports in some news sources. But especially reports on signal in almost every major newspaper and news source.
It seems not only a push because of privacy, but even more a anti big tech(especially us tech) and buy/use eu stuff push.
I don’t mind the push I’m just curious if people stay on signal. Previous time there was a push to signal (during whatsapp technical difficulties and privacy push) people quickly want back to whatsapp.
Now my volunteer work, 1 friend and a family chat already moved to signal. The only thing I did was some explaining that you can just send images and so on. (That it’s not something scary)
What are the major differences between what you can do on Whatsapp vs Signal?
Whatsapp let’s you donate your contact list and social network to meta for them to resell.
Source?
It requires access to your contacts to work on Android. That is, you cannot type in a phone number. That’s an intentional choice.
Oh, that’s yucky. Thanks for the information, we haven’t used it since it got bought by Facebook.
Thank you!
The only real differences we can think of is:
Whatsapp unlike Signal doesn’t have usernames meaning a phone number must be used to contact others on it, and that Whatsapp’s report feature shares the unencrypted message and surrounding messages with Meta to give context for the report.
it is just a messaging app, legit the exact same. group chats, image and video, previews to links i send, it even has a way higher level of customisability that i haven’t found elsewhere.
Why? Because the Dutch national broadcasters keep plugging it as an alternative to Whatsapp.
Aside… Two apps keep getting mentioned as alternatives, Signal and Element/Matrix, but in MHRO both are not viable as replacements.
Signal: still a US app, CIA funded, provides their encryption backbone to Whatsapp, recommended by governments & FBI. Matrix/Element: Developed in Israel, with ties to IDF, preferred by NATO (NI2CE)
you’re spreading lies lies lies FUD
Other than people you don’t like living in the world here with us, do you have any proof of anything actually nefarious done by signal or matrix?
Signal is funded by the CIA now ? And I thought Element is in the UK?
Signal: still a US app, CIA funded
Honestly, this gives me more confidence in it. The CIA is very interested in keeping its people safe, so if they’re using it, its in their interest to ensure it’s secure. If they do put in a backdoor, I happen to be a US citizen so I’m unlikely to be a target since the CIA is all about surveillance on outsiders (FBI is domestic). FBI and Signal rarely agree, but they agree that Signal is great, so I think that’s a pretty strong endorsement.
Add to that Edward Snowden recommends it, and he’s certainly an enemy of both the CIA and the FBI at this point.
If nobody used CIA funded security tools, we wouldn’t have security tools
A lot of VPN servers in Netherlands may have something to do with it…
I guess this means we’re not switching to RCS then?
RCS is not an open standard
Not to mention only available on certain phone brands and certain carriers (where I am, only one of major four).
Nope.
If I can implement my own RCS client, then I’ll consider it.
I use Telegram, like betamax have I backed the wrong horse?
Holy shit… Yes, yes you have.
Hah, thanks. I had no idea it was Russian backed. I dropped it over the weekend. The only issue is I’m now solely on WhatsApp as none of my friends/family are behind this movement.
I’m sure going all in on a Russian company is just fine. Their Wikipedia entry has nothing at all to indicate any shady behavior.
/s
Oops, I didn’t realise. I’d not fully adopted so will pivot. Ta
Fuck signal. No “privacy” focused messenger should need a phone number to register…at that point u basically handing the agencys meta data on a platter
privacy != anonymity
nitpicking
No, that is an important distinction. People have different threat models. For most people, privacy without anonymity may suffice (i.e. I don’t mind that you know it’s me, I just don’t want you to see what I’m sending). For others (i.e. journalists, whistleblowers, more privacy-centric individuals), anonymity may be equally important.
Exactly. And requiring a phone number enables convenience features like:
- account recovery
- find contacts
- be found by other people
Once you have an account, you can disable the phone number and use Hawks usernames instead (can be changed at will) of disable discovery entirely.
It’s a pretty reasonable limitation IMO.
“Account recovery”, yeah but by whom?
“Find contacts”, dont you know who u wana talk with?
“be found by other people” ???
yeah but by whom?
Whoever controls the number. This is fine for 90% of people who hold on to their number, especially since no data is leaked unless you are sent messages after changing your number. But that’s the same for SMS, so it’s not a downgrade from that.
dont you know who u wana talk with?
Yes, but most aren’t on signal yet. When they do join, it’s nice for them to know you’re on it too so your communication can default to that.
You can disable discovery (I do).
Don’t let perfect be the enemy of good. Getting people off of proprietary stuff is the first step. Whatever else is the next step.
Why are you licensing your comment?
But why do you want to license it at all? It’s normally not licensed. When AI vendors break the law they don’t care about licenses. Fuck, look at meta.
Hmm, did you read the links I posted?
Sure, what meta did is fucked up, but they are being sued. Just because someone ignores the law, does that mean that we should just stop doing something?
Yes, it did not answer my question. Legally you don’t have to do anything to make it so corporations legally can’t use this for AI unless you signed away your rights and if you signed away your rights you can’t change the license back with a notice. So what’s it actually for?
I should probably write a blog post about it. Basically it’s there to possibly get commercial LLMs in trouble for scraping licensed stuff. LLMs have been tricked into revealing their training data and gotten in trouble for that. There are also ongoing lawsuits due to those revelations. Maybe the most notable is the one against
Github’sMicrosoft’s CoPilot for spitting out licensed (GPL and also copyrighted from private repos) code.Whether the lawsuits will be successful or not is yet to be determined (Japan already considers nearly everything fair game for training AIs and machine learning). Whether they will have an impact if they are successful is also unknown. It just costs me a key-stroke (and the occasional response to a friendly question like yours), so I do it 🤷 Once all my hope is lost, I might stop.
From another answer. I highlighted the important part, which explains why the explicit link to the license text instead of it being implicit.
I know it’s not the best, but it is great when you want someone to shift from other popular proprietary app like WhatsApp.
Replacing one phone number based system with another may not be a wise choise.
at that point u basically handing the agencys meta data on a platter
Can you explain what you mean? I’m not sure I understand how that would work.
Well in many nation you can only get a phone number by showing ID, hence the number itself isnt anonymized. So if there is a legal request to signal they hand over the number and u already de anonymized. If you dont use your own number you have to relock signal every week (manual) so the number cant be used for account takeover…why is that lock even on a timer? That just sounds like a trap.
But lets assume u used your own number, and it gets found out. With that number it would be easy af for a state actor to send u a zero day SMS to take over your phone…there are so many reasons why a phone number is just bad to use as a identifier in a privacy focused app. The technical hurdles to allow account creation without phone number or like just to have number as optional, are very low. The official reason for the numbers is spam protection…but there are a lot of privacy messengers out there that dont use numbers and dont have a spam problem.
would be easy af for a state actor to send u a zero day SMS to take over your phone.
Two problema with this logic
- do you think a state actor needs to leak the phone number from signal to find out your number?
- 0-click SMS exploits are possibile, but extremely rare and extremely expensive. Someone with such an exploit won’t burn it for random Joe.
Edit: In any case, if your security depends on malicious actors not discovering your phone number, a generally public piece of information, your have no security to begin with.
there are a lot of privacy messengers out there that dont use numbers and dont have a spam problem.
Because they have not users either. You are talking about niches in a niche segment of a niche market.
Using a phone number that is used only for account creation is a non-issue overblown by a lot of people. Your phone number is likely in the contact list of tens or hundreds of people, already comfortably associated with your name and conveniently shared with many applications that your contacts use. The association between phone number and identity is something that telco companies can already (and do) provide to authorities. The only bit of metadata that is added is that “person X uses signal” which in itself is an irrelevant piece of data.
In any case, if your security depends on malicious actors not discovering your phone number, a generally public piece of information, your have no security to begin with.
I am taking the time to remove my info from the various aggregators, and it is scary the kind of detailed info that exists out there just as public information.
As you say, if you are worried about a phone number being tied to your identity, it’s already public information.
But that assumes the Signal identity is the same as your IRL identity. Makes not just anonymity (which is often important for safety just as much as privacy!), but multiacc arbitrarily harder. I can’t imagine using the same chat account for my online gaming buddies and for my real family!
What you said is exactly the point of preventing spam. Having a real identity attached to a signal identity is the point to prevent spam. There is functionally no difference between your multiaccount and a spammer with 6000 accounts.
I can’t imagine using the samw chat account for my online gaming buddies and for my real family!
I can’t really see why, but if that’s the case, signal is not the application for you, I suppose.
Yeah, but I’d say separating your identities you use for different things is a very basic measure a lot of people would want to use.
Well, it depends how you define different “things”. In your example you are talking with people. It doesn’t matter with whom or about what, and the service is a meta-service in this sense. You might not want to use the same email for the gambling site and for your school newsletter, but talking with people - information that says private - using a program that identifies you with a number is not the same thing.
Couldn’t you use a signal username with the gaming buddies, and your real name / number with the people that already know it?
I don’t use signal much, but I convinced 1 person. They didn’t give me their number but gave me a username instead.
There is no option to set a different handle and avatar for different groups of people tho, and I don’t remember if the username shows if you get discovered by number. Also, this was just an example - usually you’d have more than two groups you’d want to isolate.
Jmp.chat is worth being aware of
Also you’re a wackadoo
Yeah lets use the phone number of a middle man to sign up…sure u wont forget to relock the number every week so they dont get the power for account take over since they manage your number.
So no disagreement on the wackadoo part.
Tbh I hope you’re doing something cool with this paranoia. Like I want to see news articles about you secretly fighting evil, not sitting at home playing pirated video games.
Errybody hatin’ your logic but your logic is just that: paranoid and for no shortage of good reason and those are my dice.
Session
GPG
