The phone numbers being hashed doesn't matter because of how small the input space is. A standard phone number is a country code plus 9 digits. If we assume that anybody looking at this information already knows what country the people they're targeting is from, that means there is 1000 000 000 possible phone numbers to check for any hash. Even if the hash is extremely slow, and takes 1 second to compute on a strong CPU, that still only takes 1000 000 000 / (60 * 60 * 24) = 11574 days, or 31 years to compute on a single core. For any large organization (like, say, any government or any large tech company), getting 1000 cores to run the hashes in parallel would be quite simple, reducing the time it takes to have a complete hash list down to 11 days to get a complete database of all possible hashes. Hashing phone numbers is literally just a mild inconvenience.

Edit: Actually looking it up phone number formats vary quite a lot by country, but the point still stands.

Signal doesn't run in a vacuum. It's main distribution platforms are app stores from Google and Apple. And most people are going to use stock smartphones from these two companies to sign up to Signal. But with them being under the same US jurisdiction, matching the two identities isn't that far-fetched.

The parent companies of both OS platforms are well known to funnel data and notifications to the US government. It too had no evidence to support it, until they admitted it. There's a setting for it now, but the person you're talking to might not be doing the same, so it's still out for profiling.

Other thing, they vehemently oppose F-Droid because "f-droid security flaws" bs, even though they can literally host their own repo for it without anyone else building their app. They would control every aspect of supply chain, but they didn't.

Besides that, they make it very inconvenient to get it from elsewhere, even though they did the bare minimum to provide a standalone installer, after an outcry. And with those stripped down installers, you have to deal with inconsistent notifications, because no apple/google. And they never ever gave unified push a look. I wonder why? Are they a small indie company with just a couple of devs?

Signal protocol may be "secure", but it's only a part of a bigger picture.

It's forced reliance on phone numbers, privacy averted platforms and unwillingness to work with opensource platforms and standards that lets it become decentralized and out of the hands of authoritarian government, leaves a lot to be desired.

Facebook's whatsapp also uses the signal protocol, but would you call it private or secure after all that zuck has shown to do? Signal creator literally helped them implement it too. I wouldn't touch a Facebook product with a 10 feet pole.

And now he's helping them again encrypt Meta AI, whatever that means. Why is he working with one of the worst offenders of privacy?

If that doesn't tell you these things are concerning, you do you.

https://lemmy.ml/post/48427945

All speculation. You gave them your phone number (which also means your real identity), so you should assume they have it. And because its a US-based company, it must adhere to US laws including key disclosure laws, which make it illegal for any signal employee to tell you that any US government agency has asked for this information.

https://en.wikipedia.org/wiki/National_security_letter

So the data that would be captured here is a network of hashed phone numbers and literally undecryptable messages

With this data you can build social networking graphs: who is talking to who, and when.

Also this is all the more suspect when you consider that US military / government agencies like OTF fund signal, and constantly try to push signal in privacy spaces.

The point is that they could. We are discussing honeypots here. They don't advertise the fact if they are.

Be the phone numbers hashed/encrypted or not they will still get your ip. They are not routing anybody's messages otherwise. Phone number is just more directly tied to a personal details, unless it's a burner, but with burners you lose the account if you need to log in. Also you can set your phone number public, so it probably can be seen by the signal servers at some point. And what about discovery through phone number and like the actual sending of the signal confirmation code? How is any that suppose to work if the servers don't know your actual phone number? And your anonymity trick only works if everybody you talk to does it, which they don't. If they want to profile you they can profile you directly or through the people you talk with. If the people you are trying to hide from don't care about getting message logs and just association with some group is punishable or can lead to punishment or death then tough luck.

And you miss the main point. practically speaking you cant self host a signal server, therefore you can't trust it fully (in a way 'fully' matters anyway). if you do it's unsupported and not recommended and you probably need a custom client to access it. That added with it being under American jurisdictions, and Signal starting as a spook project should really set off alarm bells.