At Signal, our goal is to build a reliable, secure, and private communication experience that is broadly accessible and simple to use. From the beginning, we’ve designed Signal so that your information is in your hands rather than ours.
Insecurity due to bribery can manifest in many ways. Snowden revealed (and Bruce Schneier elaborated) that the mass surveillance strategies are largely carried out by paying bribes to enlist cooperation from key organizations. E.g.
backdoors – This is completely trivial for non-free s/w. It still happens with free s/w but it requires a bit more effort, like compromising the few developers whose eyes are going to be on the piece of code under attack. Signal is non-free masquerading as free. It’s GPLd, but OWS uses network protectionism to block users from actually benefiting from free s/w. OWS threatened the makers of Libre Signal with a lawsuit. So if there is something you don’t like in the code, you can’t fix it. Your choice is to take-it-or-leave-it. Since you can’t effectively change it and make it your own, are you really going to take the time to read the code? Unlikely. When OWS renders software freedom useless, there are fewer eyes on the code and this can even be more dangerous than closed-source s/w b/c it includes the false sense of security that someone who looks at the code is looking after your interests. The big openssl bug emerged due to this snowdrift dilemma.
bugs – Who needs a backdoor when hackers exploit bugs? Bugs can be planted just as a backdoor, and in fact it’s easier to plant a bug in than it is a backdoor. Existing bugs can be ignored as well. The adversary (opentechfund) could spot a bug and either pressure OWS not to fix it, or they can make requests that guide developers eyes away from the bug. It’s so easy; I plant bugs all the time and get away with it. The only difference is that when I do it, it’s an accident. When an adversary does it, it’s an “accident”.
weak design – The project may have a design idea that makes the app more secure, but they simply opt not to take that direction b/c an important donor wouldn’t like it. Or if you consider the topic of this thread, it’s quite possible that Signal is looking to weaken the design – to get keys into the cloud in order to set users up for compromise. Government bribes are not often to cause outright blatant backdoors, but rather to weaken security in ways that their highly skilled hackers can come up with a clever attack that works in not-so-obvious ways. I don’t mean to push a conspiracy theory but you must consider the timing of this putting the keys in the cloud with the “Earn IT Act”. At the same time, they can keep users interest by claiming this is a precursor to eliminating ph#.
Insecurity due to bribery can manifest in many ways. Snowden revealed (and Bruce Schneier elaborated) that the mass surveillance strategies are largely carried out by paying bribes to enlist cooperation from key organizations. E.g.