• Dessalines@lemmy.ml
    3 years ago

    unable to share anything with them

    Except phone numbers, dates / times, contacts… pretty much everything except message content.

    • ᗪᗩᗰᑎ@lemmy.ml
      3 years ago

      This is incorrect.

      They store:

      • Your number
      • The date you first registered.
      • Last day (not time) a client pinged their servers.

      Signal’s access to your contacts lets the client (not them):

      determine whether the contacts in their address book are Signal users without revealing the contacts in their address book to the Signal service [0].

      They’ve been developing/improving contact discovery since at least 2014 [1]; I’d wager they know a thing or two about how to do it in a secure and scalable way. If you disagree or have evidence that proves otherwise, I’d love to be enlightened. The code is open [2], anyone is free to test it and publish their findings.

      [0] https://signal.org/blog/private-contact-discovery/

      [1] https://signal.org/blog/contact-discovery/

      [2] https://github.com/signalapp/ContactDiscoveryService/

        • ᗪᗩᗰᑎ@lemmy.ml
          3 years ago

          In security, you can’t assume that the server isn’t storing a piece of data just because the operator says it isn’t

          100% agree with you about being unable to confirm what the server is doing, but the fact of the matter is anyone you interact with - centralized server-client or decentralized peer-to-peer - can store some metadata.

          The FBI could force Moxie to hand it over, and may have already done so without us knowing

          Private contact discovery is engineered in a way that you would be unable to retrieve what is being processed even if you had access to Signal’s infrastructure or admin/root rights. If you don’t believe this is true, please point out where the weakness in their code is; it’s open for review and for anyone to point out its flaws.

          Lastly, the FBI cannot compel anyone - individuals or companies - to work on anything without compensation. That is considered forced labor, which is highly illegal in the United States where Signal resides. The FBI attempted to force Apple to develop software to compromise the security of iOS, but they dropped the case, likely because they knew they would fail. Although they claim they found the software they needed elsewhere [0].

          So the FBI can ask Signal for assistance, but that’s it. Signal must comply with the law so they always provide the info they do have - which is the data I previously pointed out - but they do not have to build any such system that would compromise the security of their service as it would fall under forced labor; i.e. developing software against their will.

          [0] https://www.beencrypted.com/news/apple-vs-fbi-events-summary/