this post was submitted on 04 Mar 2024
11 points (65.7% liked)

Privacy

32177 readers
531 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Been using signal for years and love it and got the majority of my contacts on to it. My question is how are usernames useful now? You still need to register with a phone number with signal to limit spam and bots afaik and I'm assuming you should protect your username just like you do your phone number anyways because spam, malicious files/messages, etc... What scenario is this addressing where an average person gives up their username to a stranger? The only one I can think of is online dating or other online interactions like on forums. Just seems this is just more tailored to the people who need to be pseudo-anonymous for whatever reason than an actual privacy feature. Even then for the anonymous people does that mean usernames will be able to be changed?

Tldr: Questioning what scenario does signal's new usernames address for the average Joe?

Edit: Just realized can be very useful for work relationships

all 18 comments
sorted by: hot top controversial new old
[–] [email protected] 43 points 9 months ago (1 children)

I suppose for when you are okay giving a new acquaintance your made up username but don’t want them to have your actual phone number. You can still communicate, but if you were to block them they can’t harass you on your real phone number.

Good addition

[–] [email protected] 7 points 9 months ago (1 children)

Honestly didn't even think about that. I usually use my work phone number for that purpose and if I get close to them then my personal/signal. You're so right though a very good addition

[–] [email protected] 5 points 9 months ago (1 children)

Yea for me it expands the number of people I might use signal with

I am more comfortable adding people on FB messenger than I am giving them my number. This fixes that, so I can add a lot more

[–] [email protected] 2 points 9 months ago

That's a solid point I also know some people that use those services so this will help me too

[–] gravitywell 23 points 9 months ago* (last edited 9 months ago) (4 children)

Remember that "average Joe" is not actually signals only focus, it's average journalist/ whistleblower/protestor living under a hostile government that may target them and their associates for what the rest of us "average joes" might consider basic free speech.

So a scenario might be, people use signal in Iran to arrange a mass protest on a specific day, word gets out and some of the organizers are arrested and pressured to give up their companions... They cooperate by unlocking phones, but police have no idea who the lead organizer "RndoUsr.40" is and the people arrested never met face to face so no amount of pressure would get them the organizers real ID

And yeah, for us average joes it's good for aquaintences and because names are easier to remember so it's handy.

[–] [email protected] 1 points 9 months ago

Another scenario, you are a us citizen and they lock you in for exposing your fascist country's war crimes

[–] [email protected] 0 points 9 months ago

FWIW if Signal did cooperate with law enforcement for any reason, they could be given the RndoUsr.40 account name and return a phone number, as long as that user was still rocking the username by the time they started looking... Or, I suppose, if Signal servers log those histories somehow.

Importantly, though, phone numbers cannot be queried for usernames. The data returned from a phone number will be the same as seen on previous FOIA requests.

From their blog (hard to find because it's hidden behind ellipsis):

Usernames in Signal are protected using a custom Ristretto 25519 hashing algorithm and zero-knowledge proofs. Signal can’t easily see or produce the username if given the phone number of a Signal account. Note that if provided with the plaintext of a username known to be in use, Signal can connect that username to the Signal account that the username is currently associated with. However, once a username has been changed or deleted, it can no longer be associated with a Signal account. 

[–] [email protected] -1 points 9 months ago (1 children)

If that is the threat model then Signal is not and never was fit for purpose at all.

Because every time I've complained about not wanting to give my phone number to sign up for Signal I've been lectured about how Signal is "all about privacy, not anonymity and those are not the same thing" and how that is good for the average Joe even if it isn't useful for journalists and activists, and what you're saying goes completely against that by suggesting that the police are somehow unable to get the phone number out of the thing that uses the phone number as the user id.

You're describing how a real privacy-focused app like Briar functions, but definitely not how Signal does.

[–] gravitywell 3 points 9 months ago

They can't get a phone number from someone if only a username was shared with that person. maybe the people who lectured you about it not also being for anonymity where not aware of plans to ad usernames or that a projects aims and use cases can change over time but signal can and has already been useful to a good number of journalists, not requiring a phone number to share your contact with someone is what id consider a major game changer in terms of what use cases are now open and threat models that can be accounted for.

[–] [email protected] 11 points 9 months ago (1 children)

Every scenario. Why would you ever want to share your phone number with anyone unless you must call each other specifically on the phone?

[–] [email protected] 2 points 9 months ago

I don't wanna share even in this scenario

[–] [email protected] 10 points 9 months ago

Talking to people you don't want to give your number to. It's trivial to change username

[–] [email protected] 3 points 9 months ago

An example would be getting in contact with a stranger over the internet; wouldn't want to share your phone number with just anyone!

[–] [email protected] 1 points 8 months ago

If you rotate SIMs frequently, it gives you a more stable account identifier. The fact that you still need a SIM for an account is another matter…

[–] [email protected] 1 points 9 months ago

reduce spam

[–] [email protected] 1 points 9 months ago* (last edited 8 months ago)