A quick rebuttal of some points you made. Not going too in depth as I just want to provide my perspective:
CIA Funding:
This is a non-issue. The OTF also funds: Briar, Tor, Wireguard, Delta Chat, Bind9, CGIProxy, CertBot, K-9 Mail, Tails, NoScript, QubesOS, The Guardian Project, and a host of other essential privacy tools/software. You’re telling me they’re all compromised just because they’re getting funded? I don’t buy it.
A Single, Centralized, US-based service
The code is open source and Android has reproducible builds. iOS would have them too, but it’s impossible based on the way Apple’s build process works. Lastly, Signal’s devs/infra exist in the US; they have to exist somewhere, why not the country of origin? With the code being open/reproducible, you don’t have to trust them.
Phone # Identifiers
This is to make onboarding easier and minimize spam - I got my grandma to install it and find the rest of the family on Signal VERY easily. Trying to get her onboard with Matrix/Element or even Briar would have been a struggle. I like Briar, but it’s not ready for mainstream yet. I also like Element, but I don’t believe it’s quite a text/SMS replacement like Signal is - in addition to leaking metadata.
Social network graphs
Here you mention metadata, so I’ll ask which other provider goes to the lengths that Signal does to minimize the collection of metadata? And please read over how Sealed Sender works before you claim it’s easy to circumvent. You deride their implementation and claim how easy this is to collect without understanding what’s going on under the hood.
Abandonment of Open source
This is a stretch. Signal is a non-profit. They don’t have the same funding or staffing as their competitors and all their code is current. Yeah, they let it get out of sync for a while, they’re human, not robots. Don’t let perfect be the enemy of good.
Bundling a Cryptocurrency
What does a messaging platform have to do with crypto/payments? I don’t know, you should ask every other big player who is also trying to get in on the game hoping to siphon even more data from everyone’s purchases.
I do want to close by saying that Signal is definitely not the end-all-be-all of secure messaging platforms, but it is currently the best for mass adoption. I’m keeping my eyes on Matrix, Sessions, and Briar, but can’t say they’re ready to “go mainstream” yet.
the server code being not federated means you effectively can’t (or won’t) self host.
Phone # Identifiers – This is to make onboarding easier and minimize spam
Yeah but you could do that as verification and an additional means to find users, not the primary user ID. Threema has generated IDs, Matrix has usernames, Telegram has usernames. Why can’t Signal?
Yeah, they let it get out of sync for a while
Why, though?
What does a messaging platform have to do with crypto/payments?
Good question. Signal obviously didn’t ask about it and wants to become another WeChat/QQ clone where you can pay with your messaging application and circumvent taxes.
Signal is definitely not the end-all-be-all of secure messaging platforms, but it is currently the best for mass adoption.
I’d agree if you’d add “one of” between “currently” and “the”.
Also, it’s not that Signal just got lazy with letting their code get out of sync. They chose not to publish updates for their server for a whole year, until the open source community got really angry, and then they finally relented. If I or any open source maintainer did that, we’d rightly be abandoned. Some here are giving Signal a pass for it though.
I think the difference is it’s not a federated platform so not many people really care about access to the server-side code. If I was hosting a lemmy instance I would obviously be frustrated if you withheld from all other instance admins as you’d be putting us at a disadvantage. Signal doesn’t allow federation so the consequences aren’t the same.
and then they finally relented
You’re embellishing the story for added emotional value. What if instead you wrote, “users were angry, the Signal devs were busy, but eventually got around to publishing the latest code”. You weren’t there so you can’t say that they didn’t want to - or had the time to - publish the server code. You’re implying malice when it doesn’t have to be. Why? Maybe it was on their backlog and it was a task that nobody ever got around to? I dunno, I’ve been in situations like that before and it just sucks to hear people implying the Signal devs are doing shady things when it may simply be that they’re human and not perfect. I’ve had times where our dev team was accused of being “lax” when we’re all running at 110% but just can’t get to that one thing that a small handful of people really want and are very vocal about.
I can tell you, publishing source code is as easy as typing git push. That they needed to “clean things up” at all in an ostensibly open source codebase is sus.
I know how easy it is to type “git push”. I’ve worked where we had 200+ things that were that “simple” but just weren’t prioritized because of our small team. Also had to do thorough code reviews before we synced to our public repo. There’s a hundred non-malicious reasons they delayed - including that they didn’t yet want to make the Monero stuff public. It’s not uncommon to keep things from the public until they’re ready, in case you decide to scrap the project and remove it last minute before you sync to your public repo and have people question something that is no longer valid/important. I guess I try to look at it from a more human perspective than immediately trying to tarnish people’s intentions.
That simply means that development isn’t out in the open. Why would you not push branches and do code reviews out in the open for an ostensibly open source project?
the server code being not federated means you effectively can’t (or won’t) self host.
Agreed. I hope they change their minds on this, although I’m not holding my breath.
Yeah but you could do that as verification and an additional means to find users, not the primary user ID. Threema has generated IDs, Matrix has usernames, Telegram has usernames. Why can’t Signal?
Agree. The devs have stated that this is coming this year. We’ll see if they can roll it out before the year ends.
Yeah, they let it get out of sync for a while
Why, though?
Honestly, don’t know and don’t care. I suspect because they didn’t want to yet make public their crypto stuff, but I’m not going to assume malice here without evidence.
Good question. Signal obviously didn’t ask about it and wants to become another WeChat/QQ clone where you can pay with your messaging application and circumvent taxes.
WhatsApp also lets you pay - although I believe it’s only in India. Telegram also attempted to include crypto. Why wouldn’t we want a private way to pay instead of letting Facebook/Google/etc. take over? I fully support them making sending money easier and more private.
I’d agree if you’d add “one of” between “currently” and “the”.
I’ll agree that it’s “one of” the best. Which one would you throw in your top 3?
"Signal’s database, which we must assume is compromised due to its centralized and US domiciled nature, has a few important pieces of data;
Message dates and times
Message senders and recipients (via phone number identifiers)"
I have a problem with the article’s claims on metadata too. Haven’t there been too many transparency reports and subpoenas that prove that they literally have nothing to offer to the government except the last time someone used Signal and the date of joining?
I’m going to disagree again.
Correct. FOSS doesn’t mean they have to develop it out in the open, only that they have to release the code for everyone else’s benefit.
Because open source simply means the code is available. You’re not forced to interact with anyone else just because something is open source.
deleted by creator
Matrix or XMPP. I made a messenger comparison matrix (in German) and they get the most green check marks for my criteria.
deleted by creator
Damnit! Guys and gals, the CIA is hiding in bind9