submitted 1 month ago by harfang@slrpnk.net to c/privacy@lemmy.ml

As Signal gets your phone number, can we consider this application private? What are your thoughts about it? I'm also using SimpleX, ElementX, Threema, but not many people are using them...

Cheers

[-] Evil_Shrubbery@thelemmy.club 13 points 1 month ago* (last edited 1 month ago)

Can you point it out so we can close it asap?
https://github.com/signalapp
(Iirc it's up to date?)

Thx!

(I'm critical of Signal, but "in this economy" is the best I can hope to switch my friends to.)

[-] Core_of_Arden@lemmy.ml 3 points 1 month ago
[-] Evil_Shrubbery@thelemmy.club 4 points 1 month ago

I don't understand this & need some explanations (I've heard about the dev, it's just USA stuff, much like Telegram mentioned Russian). Where exactly are the backdoors/the encryption compromised?

[-] Core_of_Arden@lemmy.ml 1 points 1 month ago

Sorry mate. I really don't want to spend time writing exactly what I linked, and then explaining it in another way. English is not my main language, and I don't want to spend a lot of time on it. I will recommend that you read this link a couple of times, and maybe the other link posted also - they explain it very well.

[-] Evil_Shrubbery@thelemmy.club 2 points 1 month ago* (last edited 1 month ago)

No worries, it's not my main (or second) language either, it's just that no backdoor is explained in that link.

I'm just curious.

[-] Core_of_Arden@lemmy.ml 1 points 1 month ago

Oh, you think that they show you the actual door? They don't - ever. But read the article again. Do you think that any agency will post millions into an app, where they don't have a backdoor? The article clearly describes how the privacy part has been weakened.

[-] Evil_Shrubbery@thelemmy.club 1 points 1 month ago* (last edited 1 month ago)

Isn't it open source?

> Oh, you think that they show you the actual door? They don't - ever.

In open source projects they indeed do show the backdoor. That is one of the key points of open source (along with free-ish terms of use). Closed source projects just say "there aren't any" without showing anything.

I've said many times I'm critical of Signal & ready to switch, but backdoor seems unconfirmed. Even if probable on some level.

[-] Core_of_Arden@lemmy.ml 1 points 1 month ago

I'm sorry to hear that you don't really get how this works. Do read the article and stop wasting my time here. Thanks.

[-] herseycokguzelolacak@lemmy.ml 3 points 1 month ago

The biggest security issue in Signal is the requirement for phone numbers and SIM cards. This basically forces all Signal users to identify themselves, and makes Signal highly vulnerable to government spying.

Can I get the ETA for fixing this?

[-] notarobot@lemmy.zip 6 points 1 month ago

Requiring a SIM is not a backdoor and does not enable "spying". It does allow knowing who is on the platform, who talks to who, when, and probably some more metadata issues. But it's not a backdoor

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

It's a huge security vulnerability that Signal devs refuse to fix.

[-] notarobot@lemmy.zip 1 points 1 month ago

Not more than using username and password. Phone number is a security risk because you can get SIM swapped. If you have the registration password it's safe, but a government can request a bypass. However, if you had no phone number and used username and password, governments could still request a bypass

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

No, phone number is a risk because a phone number uniquely identifies a person. You need a government ID to get a phone number.

[-] notarobot@lemmy.zip 1 points 1 month ago

Then it's a privacy issue. Not security

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

privacy and security are one and the same. you can't separate them, it makes no sense.

[-] notarobot@lemmy.zip 1 points 1 month ago

VERY different things.

Bitcoin is secure but not private.

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago
[-] notarobot@lemmy.zip 1 points 1 month ago

I'm not really sure what you want to say with that. I always loved that comic although I always thought that my reason for wanting high security is not to be 100% protected from any threat. If you show up with a wrench I'm going to give you my btc seed before you even hit me. But I'll know. If something has low security, it can happen without my consent and without me knowing

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago* (last edited 1 month ago)

Signal's fancy E2E encryption doesn't matter if the government can force you to unlock your phone.

What matters is that everything in Signal is based on phone numbers. Which means it can be traced back to an individual.

Signal is insecure exactly for this reason.

[-] notarobot@lemmy.zip 1 points 1 month ago

OK. You do you. The rest of us define security, privacy and anonymity in a whole other way.

If you keep thinking about it, you will keep finding cases where they (all 3) are not the same

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

This is pure nonsense, as I explained here: https://lemmy.ml/post/35848526/20978624

Security, privacy and anonymity are the same thing. If you weaken one, you weaken all others.

[-] notarobot@lemmy.zip 1 points 1 month ago

Correction. You are not wrong. They are RELATED: anonymity increases privacy, and privacy without security doesn't make sense. But up to a point. You may notice again that you can keep adding security layers on bitcoin (cold wallets and such), but privacy doesn't change. Because they are different

[-] notarobot@lemmy.zip 1 points 1 month ago* (last edited 1 month ago)

You are wrong. Unquestionably. But you are also unwilling to listen, so there is no need to keep explaining. Bitcoin should be the only argument I need for this since it is perfectly secure while not being private nor really anonymous (bitcoin is pseudonymous, not anonymous). In fact usernames do not add anonymity. They add... What do I call this.... Pseudonymity? The difference is important. But you don't care

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

I care because Signal is the kind of insecure app that gets people into trouble. I live in Turkey, with an authoritarian government. Security is a very important topic for us, and Signal is just a sad joke.

[-] notarobot@lemmy.zip 1 points 1 month ago

I'm done with this conversation. I agree that Signal is not for you, but it's not because it's insecure

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

Signal is just an insecure app that gets people into trouble.

[-] notarobot@lemmy.zip 1 points 1 month ago

Use SimpleX then. Not quite ready. But better than nothing

[-] notarobot@lemmy.zip 1 points 1 month ago

What you want is anonymity. Not security.

You say that yet here you are. On a public forum. On a pseudonymous forum where a profile can eventually be built of you. They would beat you to get your Lemmy credentials, but since everything is public, they don't need you

[-] silasmariner@programming.dev 4 points 1 month ago

Does it really? Iirc, you can determine: when the account was made, and when the last message was sent. This doesn't sound 'highly vulnerable' to me... Doesn't permit inspection of metadata e.g. contacts, so as vulnerabilities go it's pretty weak sauce

[-] herseycokguzelolacak@lemmy.ml 2 points 1 month ago

A phone number uniquely identifies a person because in most of the world you need a government ID to get a phone number or a SIM card.

Which means that if one account is compromised, then everyone that person talked to is also compromised. You know what they talked with whom. It's an incredible security risk that Signal devs refuse to acknowledge or fix.

[-] silasmariner@programming.dev 1 points 1 month ago

If your threat model is deanonymisation of chat users via phone numbers after one chat is fully compromised, then yeah I guess you need to register the accounts with relatively 'untraceable' phone numbers (ie unregistered or incorrectly registered burner sims), but that's not my threat model. I'm more concerned about server-side broad-spectrum government surveillance than I am about targeted device seizures. And of course there are mitigations even with data access on device seizure, provided you're unwilling to provide device passwords. But, like, if you're cooperating to the point of providing passwords you're probably sharing what you know about other users' identities anyway, so it's a very niche case this applies to.

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

It's the threat model. E2E encryption is a niche 'nice to have'. Protecting the anonymity of people who have said nasty things about politicians is the most important thing a chat app needs to do. Signal is security theater until they fix this.

[-] silasmariner@programming.dev 1 points 1 month ago* (last edited 1 month ago)

No the most important thing a chat app needs to do is send messages between the intended recipients making them unavailable to anyone else. Signal does this. You're worried about ppl receiving messages and knowing who they're from. Generally knowing where a message is from is considered a feature -- if you want anonymous broadcast, pick a different technology that's geared towards that

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

this xkcd is always relevant: https://xkcd.com/538/

The most dangerous threat vector is the government forcing you to unlock your phone, and reading your messages. At which point using phone numbers becomes a huge problem.

Fancy encryption doesn't matter when it's obstruction of justice to refuse to unlock.

[-] silasmariner@programming.dev 1 points 1 month ago

Ok but a messaging app that doesn't let you know who a message is from is completely pointless? I feel like you're not really addressing this issue here

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

You don't need phone numbers for that.

[-] silasmariner@programming.dev 1 points 1 month ago

Right. Exactly my point? Phone numbers are not, like, the only way to identify a user. You have to know who they are. You posted an xkcd but failed to derive the conclusion that if a user is 'compromised' and they know who they're talking to, then so are the people they're talking to, regardless of whether phone numbers are involved. There's no practical way to mitigate against that, it becomes a paranoid's nightmare.

[-] herseycokguzelolacak@lemmy.ml 1 points 1 month ago

Signal has a huge vulnerability: because Signal uses phone numbers, it leaves Signal users wide open to government retaliations and crackdowns. I can not recommend Signal to anyone living in authoritarian regimes.

This is the core issue. Signal devs refuse to acknowledge or fix this, which discourages people from using Signal.

You don't need phone numbers to find people. Usernames have been a thing long before phone numbers crept into the internet.

[-] Evil_Shrubbery@thelemmy.club 4 points 1 month ago* (last edited 1 month ago)

~~Afaik you don't need a phone number for Signal (a "username" can substitute it, a few years back they added it).~~ edit: you still do

(Also the phone number & IP was the security risk, not the messages, afaik.)

This however was a debate about a supposed backdoor (I otherwise agree about Signal & its USA basedness, I just remain glad it exists despite its ~~many~~ few blemishes).

[-] notarobot@lemmy.zip 4 points 1 month ago

You need a number to register, but not to communicate

[-] rumba@lemmy.zip 4 points 1 month ago

I tried to make a new account for my child recently. You need a number. It wouldn't even work as a first signup on a wifi only tablet.

I tried to uninstall on my phone, set him up a new acct with a VoIP number then move the account to his tablet. It constantly failed when I uninstalled and put my account back on my phone.

You can only use one cellphone. If you switch between two, it has to deactivate on the other.

Then you can have 4 or 5 other devices but that acct is tied to an activated cell phone and it gets screwy if you change that phone.

[-] deprecateddino@lemmy.world 4 points 1 month ago

Molly (fork of Signal) allows you to use multiple phones https://github.com/mollyim/mollyim-android

[-] Evil_Shrubbery@thelemmy.club 2 points 1 month ago* (last edited 1 month ago)

So those posts they implemented this were lies (meaning I obv didn't read attentively enough)?

Sad :(.

[-] rumba@lemmy.zip 3 points 1 month ago

They implemented usernames to identify people so we could stop using numbers to find each other.

They still use numbers (cell and possibly device/network ids) they say to identify and secure (or so they say).

The idea is without access to your cell phone, nobody's going to get access to decrypt your data.

[-] Evil_Shrubbery@thelemmy.club 2 points 1 month ago

Yeah, no, I get & like that, I just somehow specifically (obviously mis-)remember that they did away with phone number as a prerequisite for creating an account (everything still the same, just that the account can't be reset).

:(

[-] herseycokguzelolacak@lemmy.ml 2 points 1 month ago

try to get a Signal account without a phone number. let me know if it works (hint: it won't work).

this post was submitted on 08 Sep 2025
121 points (100.0% liked)
