I remember a time when visiting a website that opens a javacript dialog box asking for your name so the message “hi <name entered>” could be displayed was baulked at.
Why does signal want a phone number to register? Is there a better alternative?
Because they’re building a private, not anonymous, instant messenger. They’ve been very open about this.
Spam prevention
And discovery.
It’s not an argument. Think about regular mobile numbers, are they preventing spams? No.
Are you seeing spam on signal? Do you even know why spam is possible on phone networks and what the difference is between phone networks and the internet?
I don’t know what is spam for you, but when you get three message requests from three girls respectively named Tania, Clara and Ella that are contacting you about you carrier or your management skills, I call it spam.
The way that Signal integrates phone number is odd because it opens up the spam door. O understand why Signal use phone numbers this way (to make “normies” adopt Signal more easily like WhatsApp would do) but it not the best to kind of contaminate the network with the traditional cell network
Because Signal has a low user base. Why Spam on Signal, if you can reach everyone with an SMS?
One of the design goals is that they don’t have a user database, so governments etc can’t knock down their door demanding anything. By using phone numbers your “contacts” are not on their servers but local on your phone.
But your phone number is, and thus every agency can get your full name and address and location.
Yes but only yours. That’s still better and only having to knock on one door to get everything.
If I’m the target, then this is enough.
and then every phone number on your phone by arresting you and searching your phone.
That’s WRONG they have a Database of every Phone number registered to them and metadata like the last time they logged in. You send all your contacts numbers to signal so they can respond who is also using Signal.
During registration they want a phone number to send a verification code. I know I am me. They don’t need to verify that.
Signal fills an incredibly important spot in a spectrum of privacy and usability where it’s extremely usable without sacrificing very much privacy. Sure, to the most concerned privacy enthusits it’s not the best, but it’s a hell of a lot easier to convince friends and family to use Signal than something like Matrix.
If you want to be mainstream a) you can’t have spammers, scammers, and all the other scum of the earth and b) finding your contacts in the app HAVE TO be plug and play. Literally no normie will bother adding with usernames or whatever.
Ignore the comment saying signal is “end to end encrypted” “private” etc They are simply stuck in a delusional state where they try to convince themselves that signal is the best option so they can continue using it. Nothing is private if it isn’t fully libre because you never know what the proprietary code is doing. The signal protocol itself has its source code released, and the encryption and security code is publicly available, but the signal Foundation has stated that it uses both free code and proprietary code. Their reason is UI, but it’s hard to make sure whatever proprietary code is being used for because you simply can’t see it. As GNU puts it: “You’re walking in a pitch black cave”. Jami is fully libre and is a GNU project. You don’t even need any phone number!
Molly.im is a Signal Client fork with Security enhancements and the possibility to install a version with only free software.
Great, but it relies on signal’s servers, so it’s centralised. Also, Moly merely removes proprietary parts from Signal, but that’s a workaround (same thing for linux-libre kernel, it’s free software, but just a workaround which is why I’m looking to help with HyprbolaBSD). I’m not coming here to say Molly isn’t an improvement, but being centralised and relying on a non-tully-free program’s servers is a huge red flag for me :)
It doesn’t matter whether a server claims to run free software or not. You can’t verify what it’s running. That’s why E2EE is designed entirely around the client. You can’t trust the server no matter what.
Maybe I am being too simplistic here. But I have never received a spam message to my XMPP account and I don’t know how a spammer would find it.
In a phone-based system a spammer can spam a list of numbers, or use contact lists that are easily shared via phone permissions. There are several low-effort discovery processes.
For e-mail, you get spam when you you input your personal e-mail into forms, websites, or post it publicly.
But for something like XMPP… It seems rather difficult to discover accounts effectively to spam them. And, if it is an actual problem, why not implement some kind of ‘identity swap’ that automatically transmits a new identity to approved contacts? A chat username does not need to be as static as an e-mail or a phone number for most people.
I just don’t see ‘spam’ as such a difficult challenge in this context, and not enough in my view to balance out requesting a phone number. Perhaps a spammer can chip-in?
you will still need a phone number to sign up for Signal
It’s private but it’s not anonymous. they know who is talking to who, but not what they are talking about.
thousands of threads on this topic since decades ago.
it’s an eternal debate (since signal has no plans to change)
just read the history and join the rest of us waiting for them to change. using signal before that change is completely optional. go ahead and don’t use it. no problem.
opening the discussion again is just tiring.
opening the discussion again is just tiring.
so tiring that i opened it and read it, then typed a long response.
I think it’s important to remember de difference between being private and being anonymous. Signal IS private. It’s not anonymous. The same is true for many other apps/services.
Personally I like to be private. I don’t really need to be anonymous.
Do not trust signal. Mosk advertised it on twitter.
Edit: I only got 11 downvotes yet, so i have to add:
Signal is not allowed in Russia, guess why. Telegram is. yes yes try harder. THINK mf
WhatsApp is obviously not recommended.
I’m not saying don’t use. I’m saying do not trust.
Because their founder (Marlinspike) is probably under a National Security Letter, maybe it’s just that, maybe he’s done some crimes they’re also holding over him. If you look at his behavior it’s that of someone very paranoid that they’re going to be found out to be cooperating with the feds and get hit with charges for not upholding the bargain, someone straddling one or two big lies that have to be maintained to keep their life going. Very controlling of things they should be open about if they care about privacy as they claim. But exactly the behavior of someone under an NSL who’s terrified of getting hit with charges for that and maybe other things but who is expected to front and run a purported privacy first messenger. The secrecy, the refusal to allow others to operate their own servers, the antagonism towards federation, the long periods without publishing source code updates.
This doesn’t necessarily mean that signal message content is compromised, the NSA primarily scrapes metadata and would most care about knowing who is talking to who and to put real names to those people and building graphs of networks of people. Other things like what times they talk can be inferred from upstream taps on signals servers without their knowledge or cooperation via traffic observation and correlation especially when paired with the fourteen eyes global intercept network. With a phone number it’s also a lot easier to pinpoint an exact device to hack using a cooperating (or hacked) telecom. Phone numbers can also be correlated to triangulated positions of devices, see who in a leftist protest network was A) heavily sending messages and B) attended that protest and left last and begin to infer things about structure and particular relationships.
And those saying it has to do with spam prevention, that’s kind of nonsense. First I still get the occasional spam, second a phone number that can receive a confirmation text is something all these criminal organizations have access to which the average person doesn’t. Third it’s possible to prevent spam just by looking for people (especially new accounts under 120 days old) sending very small amounts of messages (1-3) to a very large amount of other users especially in a short amount of time. Third there’s no reason to keep the phone number tied to the account, a confirmation text could be required with a promise to delete the phone number immediately after (would still be technically useful to the NSA though less useful for keeping track of people changing numbers or using a burner for this who might be higher value targets).
Privacy: they know who you are but they don’t know what are you doing/when are you doing. Anonymity: they don’t know who you are.
Tried session? Anyone have comments on it? Nice to be able to skip the phone and easily use vpn, though I haven’t spent enough time on that.
I think the people behind Session cares for their mission, and it might align with OP’s, so maybe. Although I personally am not too fond of about all their choices.
The omission of Forward Secrecy for instance doesn’t sit well with me. Each to their own though, and they do go into their reasoning on their blog: https://getsession.org/session-protocol-explained
Likewise their last audit from 2021, lists quite a handful of critical/moderate issues in their apps, hopefully they’ve fixet it. Afterall it’s been a while since 2021. https://getsession.org/faq#security-audit
