this post was submitted on 20 Sep 2024
46 points (76.1% liked)

Privacy

32120 readers
270 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Convincing people to use apps such as Signal is hard work and most can't be convinced. But with those you manage to convince, do you feel happy to talk to them on Signal?

The problem is these people use Signal on Android/IOS which can't be trusted and IOS has recently been in the news for having a backdoor. And it has also been revealed that american feds are able to read everyone's push notifications and they do this as mass surveillance.

So not only do you have to convince people to use Signal which is an incredibly difficult challenge. You also have to convince them to go into settings to disable message and sender being included in the push notifications. And then there's the big question is the Android and IOS operating systems are doing mass surveillance anyway. And many people find it taking a lot of effort to type on the phone so they install Signal on the computer which is a mac or Windows OS.

So I don't think I feel comfortable sending messages in Signal but it's better than Whatsapp.

These were some thoughts to get the discussion started and set the context.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 40 points 2 months ago* (last edited 2 months ago) (3 children)

You are just spreading misinformation! Cite your sources!

There is a strategy used, which allows the government to find out who an account belongs to. They ask the push providers (Apple/Google) for data on the push token from e.g. a messaging app. This way they associate the account from an app with an identity.

Nothing there about message content. It is still safely E2EE.

~~I don’t know how it works in your country, but in mine, phone numbers are already associated with identities, so nothing gained as the gov can just ask signal for the phone number of an account, instead of having to ask signal and the push provider to get the identity.~~ (Edit: apparently it’s hashed, so there seems to be a use for this.) Signal isn’t about Anonymity but Privacy. There is a difference.

If you have another vulnerability cite it!

[–] [email protected] 7 points 2 months ago* (last edited 2 months ago)

They ask the push providers (Apple/Google) for data on the push token from e.g. a messaging app. This way they associate the account from an app with an identity.

Very overlooked point. You can find privacy guides online but very few even suggest that FCM etc. might have privacy issues, let alone explain exactly why. It seems this has already been used by law enforcement in the past: https://www.wired.com/story/apple-google-push-notification-surveillance/

The Molly-FOSS fork of Signal (which aims to be even more secure/private) actually supports self-hosted push notifications using UnifiedPush.

I also found this comment:

As far as I know, FCM on Android can be configured to use a notification payload (which is piped through Google's servers). But for a release app this is discouraged, especially if you are privacy conscious. An app would normally use FCM to receive a trigger and look up the received message from the app's own backend. See here for more information.

[–] [email protected] 6 points 2 months ago (2 children)

good points altough the number is note saved. the hash of the phonenumber is hashed so Signal could not hand out your number, just the hash.

[–] [email protected] 2 points 2 months ago

Thanks for pointing that out to me, I wasn‘t aware of that.

[–] LambdaRX 2 points 2 months ago (1 children)

So how can Signal send verifying sms?

[–] [email protected] 2 points 2 months ago

that is only done once at the creation of an account and does not proof that the number ist not saved hashed.