I just noticed that this video is also available on Odysee.
https://odysee.com/@RobBraxmanTech:6/signal-unsafe:7
I don’t know this platform, but it can’t be as bad as YouTube, no?
I don’t know…
- He is saying that encryption makes you a target: Well, WhatsApp is encrypted. So with approximately 2 billion people that all are getting targeted, being targeted isn’t bad anymore, because there are so many targets.
- Signal can track metadata: Where is the proof, where is the reference, where is anything of that? Moxie Marlinspike showed all his metadata in a talk of his. The only metadata there is to read is “lastSeen” and “accountCreated” which says basically nothing. No groups, no contacts, no everything. Bold assertion to say otherwise without any kind of proof.
The video was mainly about how a lot of these platforms tie your real identity to your user, then use contact lists to leak what users you’re connected to.
He gives the example of a fed wanting to find a suspect for a hacking case. He has a potential list of names, and subpoenas the phone companies for their phone numbers. He then installs Signal, WhatsApp, Telegram (all of those services that use real person identifiers) and adds those phone numbers to his contact list. Boom, now he can narrow down suspects because all of those services, including Signal, will tell you if that person uses Signal.
The key link was phone number identifiers, which are easily traced to your real identity, and which is the backbone of Signal’s ID system.
Signal is also hosted in the US, which makes it subject to NSL laws: it’s illegal for Signal to tell you if they’ve been compromised. Sure, the US gov might not have message content, but they likely have real people’s identities in a connection graph, with dates and times of contact.
> He gives the example of a fed wanting to find a suspect for a hacking case. He has a potential list of names, and subpoenas the phone companies for their phone numbers. He then installs Signal, WhatsApp, Telegram (all of those services that use real person identifiers) and adds those phone numbers to his contact list. Boom, now he can narrow down suspects because all of those services, including Signal, will tell you if that person uses Signal.

The only thing the fed is doing here is checking if number x has Signal installed. How is ‘having Signal installed’ connected to ‘being a hacker/criminal’?
Hackers are more likely to use encrypted messengers, and Signal will gladly tell the world, even people you don’t know, that you use it via contact lists. Anyone in law enforcement is going to consider someone who uses encrypted messengers a more likely suspect than someone who doesn’t.
This YouTuber is actually notorious for not posting sources to his claims. Which is just goofy since he considers himself to be a source of non-mainstream information on privacy.
From my (very limited) point of view, he is just talking a lot of bullshit.
It’s even counterproductive, because he is putting quite good (even though maybe not perfect) applications on the same level as Facebook’s application, which are so different that I can’t describe it.
He annoys me so much. It’s awesome that he points out privacy issues and raises awareness. But he always points out things which are possible in theory as facts which are already happening at large. Like after some researchers showed that it might be possible to keep track of location data by using the gyroscope feature, he started to say that all non-FOSS apps are doing that.
The only time he mentions email in the vid is to say that it’s not secure and you shouldn’t use it. Email was definitely not the focus of the vid.
I think an important difference is that we are comparing companies that definitely sell your metadata to companies that could sell your metadata but where there is no known case (to me) that they actually do, e.g. Signal. So it comes down to trust.
Ok, out of interest, how does this work?
You (as aggressor) scan all your known mobile numbers against let’s say Signal and discover that some numbers use Signal. That I understand. But now what? Unless you are the company Signal you would not have access to further data, or?
When it comes to states spying on you then there is no safety. The state can always just send someone over to put a gun to your head (or the legal equivalent) and voila, you yourself give them your data.
And I understand that states are very different in their (perceived) legal integrity, but if I should guess (no evidence) then all the encryption and safety development benefit criminals most. Also some journalists and dissidents but mostly criminals to do their criminal business and in the whole, if you have the fortune to live in a state that can be mostly trusted I prefer that Police has some lever identity this kind communication. Not dissimilar to when Police is allowed to tap your phone (after a judge signed off). Not many people were concerned about that.
So in the end I feel the bigger threat are private companies who sell all your data to the highest bidder regardless of the bidder’s intention. And provided you trust Signal, ProtonMail and Tutanota then they definitely reduce the risk there (imho).
Even with a gun to your head you can still make the choice to say “no”. This is always the case - you always have the choice to refuse, you just have to be prepared to live with the consequences.
I needed to be police vetted for a job and they wanted to know lots of stuff about me, including who I’d slept with in the last five years (because, allegedly, this information could be used to blackmail so… Well so why would I tell the rozzers, exactly…? Anyway, getting off my point). I refused to tell them because the people I’d slept with hadn’t given their consent. I was refused the job *shrug*

> I refused to tell them because the people I’d slept with hadn’t given their consent. I was refused the job

I wouldn’t give the job to a rapist either. 🙃
To be clear, I meant consent for me to share their love-life with the police!
You’re a naughty person! But you did make me laugh.
I hope he just made a mistake when typing haha
Hmm, the style of the video is maybe a bit pushy and I am not sure if it is useful to make a case with the Facebook, WhatsApp, Instagram connection and then turn around and say because this lot is bad all other alternatives like Signal etc. are equally bad, but I have to admit that it makes you think.
I have read several times that metadata leaking can be as bad as access to the actual message and I think he explains well why that might be.
I am less clear what to do about this. It is unlikely to set up a network of people and only communicate with them in this network and at the same time to ensure that no one in this network communicates with anyone else. So they communicate with you, but only you?
My view is that I am less concerned about state access to my (meta) data. They have a lot anyway, with certificates, passport, medical record etc… My concern is that this data is used and misused for a small fee by private companies and here it seems to come down to trust. Do I really think that Signal or Tutanota sell my data in the same way as Facebook does? Other than that I don’t see how people who want to be able to communicate in the digital world with other less tech savvy people can do so.
Are there projects out there who next to encryption focus on minimising or avoiding metadata?
I have a Nextcloud for my own, works mostly well, but it requires some effort here and there and I oft wondered what my dear users would say (if there were any) if it takes me several days again to fix some small issues or renew the certificate. Plus I know nothing about security and can only hope everything is all right. Once you set email, messenger etc. up for larger groups I could see the efforts to keep this stable and secure to be quite high. It’s probably a good solution for the privacy problem but I am not so sure that it is a solution that is manageable or even available for many and therefore a good solution overall.
Unfortunately that doesn’t look like it pulls thumbnails or anything.
Am I the only one who doesn’t like linking to alternative frontends? Instances are often unreliable, sketchy, and they come and go. Additionally it obscures the true source of information (which is very important to me personally). I also have an auto redirect set up for YouTube to my favourite instance, and it obviously doesn’t work when someone links to something else.
Yep there being metadata, and it being abused, are also two subtle differences. We know with WhatsApp there is metadata including IP address, location, phone number, etc, but it also gets actively sent to a company (FB) whose business is to profit from that data and advertising. We know Telegram and Signal have some metadata but neither are in the business of selling data. Yes Wire, Threema, etc don’t have as much metadata and don’t have an actual phone number or e-mail to even tie it to, but how many of our friends are actually using the services… There has to be some dose of actual reality too.
Hosting own e-mail has some issues unless you put it on some server service and the domain is usually tied in some way to you, and yes that e-mail is often accessible in transit because again 99.99% of our friends and businesses that we mail, have not got OpenPGP or similar E2EE on all their e-mails. I have only one family member who exchanges fully E2EE mail with me. Every other one is using GMail standard or a work server etc. The fact of life is that very few people are able to fully set up e-mail servers with all the validations etc required so that the server is not blacklisted. I can just imagine my doctor, plumber, local hardware shop, etc all setting up their own privately hosted and fully encrypted mail servers - I just hope they’re using the same encryption standard I’m using otherwise neither of us will read each other’s mails ;-)

> We know Telegram and Signal have some metadata but neither are in the business of selling data.

That’s not really for us to know. In Signal’s case, it’s domiciled in the US, and due to NSL laws, it’d be illegal for them to tell you that they’ve been forced to forward info to the US govt. Not only that, but a lot of their early funding came from the OTF, a US government fund.
Which actually means we don’t “know” any of that - difference again with Facebook is it has stated in its privacy policy that it is sharing the metadata, so we do “know” that. We can’t just speculate about what others do unless we have evidence in some form. We do know that Signal and Telegram (as at now) are not in the advertising business, nor that their privacy policies state data is being passed on.