Don't trust texting apps made in the USA

They may be sponsored by the US Government, or by cryptographers with ties to the government.

https://thebaffler.com/salvos/the-crypto-keepers-levine

It’s a long read, but it’s quite good. Here’s a snippet to whet your palate where he describes some of the prominent people behind these projects:

At least that’s how they saw themselves. My reporting revealed a different reality. As I found out by digging through financial records and FOIA requests, many of these self-styled online radicals were actually military contractors, drawing salaries with benefits from the very same U.S. national security state they claimed to be fighting. Their spunky crypto-tech also turned out, on closer inspection, to be a jury-rigged and porous Potemkin Village version of secure digital communications. What’s more, the relevant software here was itself financed by the U.S. government: millions of dollars a year flowing to crypto radicals from the Pentagon, the State Department, and organizations spun off from the CIA.

For context: I have become very interested in the debate amongst users of apps such as Telegram, Signal, Threema, etc… and I know that many people claim that Signal is the very best amongst all of them, but there’s something really sketchy about its location (US based) and the fact that the government can force anyone to comply with their orders and forbid them from telling anyone about it via gag orders (see Durov’s comments on this: https://t.me/durov/59).

Both are fascinating reads, and certainly help me appreciate platforms like Telegram and Threema even more. Regarding Threema, today they posted a comparison between their app and the competition, and found this interesting tidbit regarding Signal:

https://threema.ch/en/blog/posts/messenger-comparison-2021

Signal enjoys an outstanding reputation among experts, and it’s certainly a good alternative to WhatsApp. However, just like WhatsApp, it requires users to disclose personally identifiable information: Providing a phone number is mandatory. As a US company, Signal is also subject to the CLOUD Act, which entitles US authorities to access data from IT service providers that are based in the US.

Also: I just learned that FB spends millions of dollars every year on marketing and trying to influence people not to use platforms such as Telegram.

riccardo
12
edit-2
4M

I appreciate that we are discussing this. Although Signal is what every cryptographer suggests using, the fact that it is a company based in the US has always bugged me a lot. Also, considering that, as a non-profit, in its early days the government funded a considerable part of its development.

From a privacy point of view, though, I wouldn’t suggest using Telegram over it. I strongly believe Durov is driven by the right principles and that he would rather shut everything down and throw the servers into a volcano instead of sharing his users’ data with governments or mining them for advertisers, but Telegram is still vulnerable to hacks and data breaches and I wouldn’t like my data to appear in some torrent zip if shit happens.

I’m trying to move friends and family to Signal, but just because Threema and Element are not free (as in “free beer”, of course) or as user-friendly as Signal is. The chats I’m unable to move will stay on Telegram. The chats I do not really care about that much will stay on WhatsApp. As of today (and after an effort that has lasted almost a year), I’ve been able to move a three-person group chat to Signal (plus some friends have it installed on their phone so I can write to them there). I like to take part in discussions about messengers too (because it’s effectively the app that most people can’t really live without - messaging apps are the heart of our social life), but these discussions are only theoretical to me because once I have to log off and try to actually move my circles somewhere, I have to face the harsh reality and clash with a number of social and educational obstacles that are really hard to overcome. So I end up resorting to the same cheap arguments such as “Telegram has a ton of cool stuff, let’s move our chat there” and “Signal has the same functions as WhatsApp but at least it’s not Facebook, we should try it out” and the ethical aspect completely fades out. And (with Signal in particular) the chat will move back to WhatsApp as soon as we have to add a new member I haven’t been able to “brainwash” with my propaganda /rant

So after writing these paragraphs, I’ve only now noticed that the article you’ve linked is something that Durov used to share often a few years ago on Twitter and on Telegram. Yes, the story is actually quite creepy; it almost sounds like a novel. I actually believe he might have romanticized it a little bit, to be honest, but at least it explains why he’s so opposed to anything that comes from the US. He recently said he doesn’t actually care about how much Telegram is gaining in popularity in the US after the recent (current) surge in global downloads lol

@kitsunekun
creator
3
4M

Yeah, I think it’s important to point out that I’m not saying that Signal is a bad app or that it doesn’t do what it claims it does. But when it comes to who’s funding these projects, it matters a lot. In contrast, look at Telegram, whose main backer is a libertarian semi-anarchist billionaire. He’s been backing the entire operation for a long time now, although they will move into using ads and offering plus services to make it self-sustainable in the future. On that front, I trust Durov more than I would trust Signal coders and people affiliated with the project who, in turn, have ties to the feds in the USA. So all in all, at least in my case, I will be sticking to Threema and Telegram for the foreseeable future.

poVoq
1
4M

The Signal Foundation is also funded by Silicon Valley billionaires these days (for example the WhatsApp founders who cashed out to Facebook).

@kitsunekun
creator
1
4M

Yes, the same applies for example to Proton VPN/Mail. It makes me sometimes wonder, but Proton VPN being in Switzerland does help them quell some skepticism for sure.

@TheAnonymouseJoker
10
edit-2
4M

Hello again!

I think everyone here knows my position on 14 Eyes from my smartphone hardening guide, for which I have also earned some racist flak due to my rigid stand on the same. This is a large reason why I recommend staying away from Google Pixels with the proprietary Titan M chip, or Qualcomm smartphones, or even South Korean Samsung’s Exynos phones. Apple iPhones are equivalent to the Ebola virus for me.

I myself use a debloated Huawei phone since the baseband modem and hardware are non-14 Eyes, and might only pick either a Huawei and/or an ARM-based Linux phone in the future. I refuse to trust 5/9/14 Eyes proprietary technology for any sensitive work, and the only reason I am seeing Signal as decent for the masses is its audited cryptography with ease of use. (I am also more outspoken on Lemmy compared to Big Tech Reddit.)

Still using XMPP and Matrix, and I have a special email provider for covert operations.

The thing to remember is that cryptography is a very tricky business, and even when an algorithm is sound on paper that does not guarantee that it’s implemented in a secure way. A famous example is when the NSA “helped” develop the Diffie-Hellman cryptographic key exchange standard and introduced a vulnerability that nobody noticed for a very long time.

Any standard that’s been developed in conjunction with US agencies should be considered compromised in my opinion.

poVoq
6
4M

I think the NSA got smarter (as did cryptographers) and the actual algorithms are probably ok these days. The problem is the surrounding app and infrastructure that is easy to compromise, especially if it is hidden in convenience features like cloud backups or “web” clients.

Yeah, exactly: if you know a specific exploit then it’s not that hard to design the system in a way that looks innocuous while being compromised. Without knowing the nature of the exploit it can be incredibly difficult for a third party to find it.

The more I try to understand this the clearer it seems that XMPP/jabber is still really the king of the hill here.

poVoq
5
4M

Actually the messenger of choice for NATO ;) /s

For people willing to use it, yes. For everyone else Signal is the king of the hill for now.

@oriond
6
4M

Too bad it does not have an F-Droid version. I would have installed it otherwise.

There’s an APK download on their webpage: https://signal.org/android/apk/

@lelgenio
2
4M

Is it even possible to find this URL on the website?
I go to signal.org/download, search for APK, find nothing.
Clicking on “Android” opens a new tab with the Google Play Store and closes the signal.org tab; come on, the developer cannot be serious!

poVoq
6
4M

Well Durov is hardly a neutral source.

Anyways, I think it is important to keep in mind that most of the people involved in intelligence agencies, and the people that (sometimes without realizing it) support their activities, believe that they are doing the right and good thing. They are not some sort of evil villain organization.

Nevertheless, they end up doing a lot of bad things (“road to hell, paved with good intentions” and all that). So when looking at motives and possible bad outcomes, it is good to keep this in mind.

poVoq
5
4M

The US (and related Five Eyes countries) definitely have the best-funded intelligence agencies, and hence are the most likely to compromise private communication, but being from the US isn’t actually the main problem.

If I was living in the US, then Signal would probably be an OK choice, as US citizens are much better protected from US intelligence agencies than foreigners, and most people working in these agencies do actually think they are protecting US citizens from foreign powers.

I know, one of the big revelations of Snowden is that the NSA was also spying on US citizens, but if they were only doing the same on foreigners then Snowden would probably still be working for the NSA, showing just how little these agencies care about non-citizens.

Why is everyone hating on Signal and not on Tor, for example, which has many of the same problems but obviously also still is the best solution we have?

@kitsunekun
creator
2
4M

I’m not sure that Signal is the best solution as you say, but it is a solution with hopefully more to come.

@oriond
3
edit-2
4M

The fact that Signal is open source and yet there are no forks out there has always created a conflict for me. You would think someone would come up with a fork outside the US or something.

Sometimes I have even thought that Signal may be a social engineering effort from the NSA, or some three-letter agency, to bring in and spy on all the “people that have something to hide”. I mean, wouldn’t it be brilliant?

Besides, on any centralized service, you never know that they are actually running the published “open source” code and not a modified one.

For security, I would go to Matrix on a self-hosted server.

*Edit: minor typos

Dreeg Ocedam
4
edit-2
4M

There are a few niche third-party clients:

The reason there are no big third-party clients is that the devs don’t want to have to deal with bugs in third-party clients/maintaining API stability etc… Also, a bad implementation could potentially lead to compromising the security of the people using it.

Besides, on any centralized service, you never know that they are actually running the published “open source” code and not a modified one.

You don’t know that either on a decentralised service, unless you self host. And even if you self-host, you likely interact with hosts that you don’t trust, and you still need to give them a lot of metadata.

The whole point of Signal is that everything is E2EE, so you don’t even have to trust the server.

@nutomic
admin
9
4M

The reason there are no big third-party clients is that the devs don’t want to have to deal with bugs in third-party clients/maintaining API stability etc… Also, a bad implementation could potentially lead to compromising the security of the people using it.

That is no reason to prohibit f-droid.org from compiling Signal from source and distributing it. That point alone is very suspicious for me.

The whole point of Signal is that everything is E2EE, so you don’t even have to trust the server.

You have to trust the Google Play server that the Signal apk it sends is actually built from the published source code.
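The standard answer to "you have to trust the store that the APK matches the published source" is a reproducible-build check: build the app yourself from the published source, then compare your APK against the store-downloaded one entry by entry, excluding only the signing metadata (which legitimately differs, since you do not hold the publisher's key). The following is an added example, not code from the thread or from the Signal project; the APKs it compares are constructed in-memory zip files standing in for real ones, and the names `entry_digests`, `compare_apks` and `verify_reproducible` are assumptions for illustration. It handles v1 signature files under META-INF/; the v2/v3 APK Signing Block lives outside the zip entries and so is never seen by this comparison.

```python
"""Reproducible-build check: diff a store APK against a locally built APK.

Added example (not from the thread or the Signal project). APKs are zip
archives, so the comparison walks zip entries and hashes each one.
"""
import hashlib
import io
import zipfile

# v1 (JAR) signing metadata lives under META-INF/ and is expected to differ
# between a publisher-signed APK and a self-built one; everything else must match.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name):
    """True for v1 signature files that are allowed to differ."""
    return name.startswith(SIGNATURE_PREFIX) and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Return {entry_name: sha256 hex} for every non-signature file in an APK."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, built_apk):
    """Return a sorted list of (entry, reason) for every mismatch; empty means identical."""
    store = entry_digests(store_apk)
    built = entry_digests(built_apk)
    mismatches = []
    for name in sorted(set(store) | set(built)):
        if name not in built:
            mismatches.append((name, "only in store APK"))
        elif name not in store:
            mismatches.append((name, "only in local build"))
        elif store[name] != built[name]:
            mismatches.append((name, "content differs"))
    return mismatches


def verify_reproducible(store_apk, built_apk):
    """Convenience wrapper: True only if no entry outside the signature block differs."""
    return compare_apks(store_apk, built_apk) == []


def make_apk(entries):
    """Build an in-memory zip standing in for an APK (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample APKs (hypothetical contents, not real Signal builds).
_COMMON = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "resources.arsc": b"\x02\x00\x0c\x00" + b"\x00" * 16,
}
STORE_APK = make_apk({**_COMMON,
                      "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                      "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
                      "META-INF/CERT.RSA": b"\x30\x82publisher-signature"})
BUILT_APK = make_apk(_COMMON)  # unsigned local build: no META-INF at all
TAMPERED_APK = make_apk({**_COMMON, "classes.dex": b"dex\n035\x00" + b"\x00" * 31 + b"\x01"})

if __name__ == "__main__":
    print("store vs local build :", compare_apks(STORE_APK, BUILT_APK))
    print("tampered vs local    :", compare_apks(TAMPERED_APK, BUILT_APK))
```

In practice the local build must be made with the same toolchain and build flags the project documents for its reproducible builds, otherwise benign differences (compiler version, resource ordering) show up as mismatches; a non-empty result is a prompt to investigate which entry differs and why, not on its own proof of tampering.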

poVoq
3
4M

There is no point in forking Signal, as XMPP with OMEMO is more or less the same thing, but better.

But this doesn’t go with the circlejerk at all! Signal is perfect!

Who said that Signal is perfect?!?
