Join the Lemmy dev matrix group :)
Tbh I know very little about Qubes. Any recommended reading?
That used to be true but Signal has done great work in encrypting metadata in creative ways, including who is messaging whom (and by extension also timestamps of messages). The destination phone number is useless if the sender isn’t known.
It’s true that if someone is directly monitoring your ISP/WiFi they can simply observe when Signal traffic passes in order to get timestamps, but at that point your threat model is extreme and you should be using Tails (at least)–and even that wouldn’t solve this problem either. The point is that Signal collects a remarkably low amount of metadata.
This isn’t hypothetical. The government served a subpoena to Signal and “the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.” And not just because they don’t log; they don’t have access to more info.
From Dean Bacow’s email:
The only surveillance that Signal is vulnerable to is companies like Amazon, Apple, and Google knowing that you use Signal. All messages and metadata are e2e encrypted; in contrast, Matrix (and to a lesser extent Telegram, and indeed all platforms that use server-side account management) is horrendous in terms of allowing any homeserver you interact with to store all of your metadata (who you’re talking to, which groups you’re in, even passwords for the one you signed up with, etc).
I understand that there are arguably ethical reasons to avoid Signal, and that’s fine. But (a) if you want a fair amount of user-friendliness then you simply have no choice but to interact with Google/Amazon/etc. in a limited fashion and (b) if you are simply looking for a solution to protect your data (rather than avoiding unethical consumption and supporting the wrong companies) then Signal is your best bet. Requiring a phone number is the main flaw but that’s easily mitigated by getting a free, anonymous SMS number and locking re-registration.
Depending on your needs/threat model, Signal and Telegram are both good options. Signal is for when you want your messages and metadata to remain private but don’t mind giving out your phone number, while Telegram doesn’t protect metadata but has plenty more features and allows you to hide your phone number.
Some people like to shit on Telegram’s weird unique encryption protocol, but the reality is that if you’re worried about an actor sophisticated enough to crack it you should be using Tails.
My personal favorite is Signal, and I love how rapidly they’ve been improving & adding features to the app. ($50m in funding certainly helps.)
I’ve been in the matrix chat for a month or so and love the project. I’m glad to see that it’s gaining a lot of momentum due to the funding and HN exposure. Just became a patron on Patreon, and good luck with the dev work!