“When you use Signal, your data is stored in encrypted form on your devices. The only information that is stored on the Signal servers for each account is the phone number you registered with, the date and time you joined the service, and the date you last logged on.”
This isn’t an ad, I wasn’t paid for this post. Just to clear the air: fuck Facebook, fuck Elon Musk and Twitter, fuck anyone who thinks this is a paid advertisement. I wish I was paid for this shit, I just wanted to spread the word. Thank you. 😀 👍
I sometimes wonder who’s paying to run the servers, and where that money originates.
It kind of doesn’t matter… That’s the beauty of fully auditable open source end to end encryption.
They know the same things about me as WhatsApp. They have all contacts and all metadata. Why do you say it doesn’t matter?
There isn’t any audit on WhatsApp’s side. So you are trusting they are running the code they tell you they run on their servers.
So it’s not just about metadata, I wouldn’t trust Facebook not to have some kind of access to the content of the messages. Which is much worse.
Also, WhatsApp is Facebook, right? Not really an amazing track record when it comes to privacy. They said they implemented the Signal protocol but you still have to trust them to be doing so.
I think that’s what the person you are responding to was essentially saying: we do not know for sure what WhatsApp does.
Well now you are really insinuating a conspiracy inside Facebook. That may be happening and that would be bad.
But I’m not talking about anything like that. I’m really only focusing on what Facebook openly says WhatsApp is doing, and monetizing. And that’s exactly about the same data that we give Signal under the flag of open source and freedom. There’s no difference, except that in the case of WhatsApp I know the business model, and for Signal I don’t.
I don’t pay for Signal servers, so who does?
That information is easily found with a web search, so there is no need to cast aspersions. It’s funded by Brian Acton’s “activist” funding (interest-free loans of $100 million+ total to Signal Foundation over the years). I’d guess Acton used it as a huge tax write-off the year he sold WhatsApp to Facebook.
Other revenue sources include voluntary user donations and grants from many free press organizations whose members rely on Signal. Some years they report positive net income, and other years they report negative.
Signal Foundation tax forms, which list all general revenue sources: https://projects.propublica.org/nonprofits/organizations/824506840
What Signal says about how they operate: https://signal.org/blog/signal-foundation/ https://signalfoundation.org/en/
Signal Privacy Policy: https://signal.org/legal/#privacy-policy
All the code, including what runs on their servers and in their apps, so you don’t need to take their word for anything. You can compile the Signal client from source if you like: https://github.com/signalapp
Article which talks about their audit history (this is their weakest point. The full results of the audits Signal paid for were never published): https://restoreprivacy.com/secure-encrypted-messaging-apps/signal/
However, anybody can check for any spooky stuff in their code, so I doubt they would purposely try to hide anything untoward there.
Signal stores no metadata on their servers that is accessible to them in any way. Everything is end to end encrypted, only your client(s) - which are open source and auditable - have the keys to decrypt the minimal data that is stored on Signal’s servers, like group names, members etc.
The Signal client also supports remote attestation [0] to ensure the server it is communicating with is running the same open source code that has been published - similar tech that’s used to allow your computer to play DRM encrypted videos is used now instead to your benefit vs corporate owned media. The same way they verify you’re not gonna rip the video before they send it to your computer, the Signal client verifies the server isn’t compromised before it starts sending it any data.
I’m not aware of any other messengers that do remote attestation.
[0] https://signal.org/blog/secure-value-recovery/
https://yasha.substack.com/p/signal-is-a-government-op-85e
No offense, but both the style and the factual claims of that article shout conspiracy theory.
I can’t take this piece of writing as a serious source.
Maybe, but I find it more likely to be true than false. My overarching takeaway is that if you actually care about the secrecy of a communication, don’t use Signal, use GPG.