privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

❌ Software Removal | Signal #779

Closed ghost closed 5 years ago

ghost commented 5 years ago

Problem with Signal

Signal has copious privacy issues making it unfit for privacytools.io endorsement.

  1. Users are forced to supply a phone number to Signal (https://github.com/privacytoolsIO/privacytools.io/issues/432) (diagram of mass surveillance)
    1. Phone numbers are forcibly tied to legal identities in some countries (e.g. many European nations force carriers to copy ID cards)
    2. Phone numbers are usually not gratis -- the payments of which are traceable. Even cash payments trace to a shop.
    3. Privacytools.io target audience is unlikely to go through the hoops of getting an anonymous phone number. They will give in to convenience and supply a sensitive phone number.
    4. Signal's claims to the contrary do not obviate the above points. It's a broken registration process from the standpoint of privacy, all to serve a centralized master. Note that Jami (decentralized) does not require phone number registration, and Wire (centralized) does not require phone reg. if the desktop app is used and it's optional for their mobile app.
    5. Some people in the US will buy burner phones and thus financially support one of the four privacy-abusing mobile phone carriers. Signal compels people to feed companies working to the detriment of everyone's privacy, when those four carriers should be boycotted.
    6. Signal retains a record of users' phone numbers for account recovery purposes. This means:
      1. Users who choose to supply a number they do not keep control over (e.g. a hotel phone) are vulnerable to an attacker exploiting that to initiate account recovery.
      2. Metadata is linked to identified individuals (and it has been subpoenaed)
      3. If those records are ever breached everyone is needlessly exposed.
    7. The privacy abuse is viral. When a user opts to sacrifice their own privacy by registering a phone number, they become bait by which their friends are pressured to make the same compromise in order to stay in touch. This is in effect a consequence of both phone reg. and part 7 (network protectionism).
    8. Entities with no connection to OWS are able to deanonymize Signal users using phone number cross-referencing.
  2. Users are forced to feed Google.
    1. APK download requires users to connect to Google's server and execute non-free javascript
    2. Playstore pushed
      1. Directing users to Google Playstore is contrary to the mission of privacytools.io. From the PTIO front page: "You are being watched. Private and state-sponsored organizations are monitoring and recording your online activities. privacytools.io provides knowledge and tools to protect your privacy against global mass surveillance." By knowingly sending users to signal.org who are then sent to Google Playstore, privacytools.io is failing their mission and betraying the users. At a minimum the link on privacytools.io should be to the APK page that is anchored to the bottom of the page. At least the risk of subjecting novice users to advanced tools is less serious than subjecting them to Google's walled-garden of surveillance.
      2. Google accounts are required to access Playstore even when using a third-party app.
      3. Registering for a Google account is in itself a privacy abuse, the process of which requires having a phone number (one abuse) and then disclosing that number to Google (another abuse).
      4. Use of the account to access the Playstore abuses user privacy through Google tracking (Google keeps track of apps you download and your IMEI number). From this Google also knows all the vulnerabilities a user has. Google also records users’ IP addresses and browser prints when logged in, which is later used to link to logged-out traffic and behavior.
      5. Users who bought an Android without a PlayStore^(tm) license are excluded if they are not advanced enough to use third-party hacker tools, and those who are advanced are outside the scope of privacytools.io target audience and still must use a Google account (thus still subject to the abuses of using the Google account at the Playstore).
      6. Playstore is scientifically proven to be relatively insecure compared to F-Droid in the "Understanding the Security Management of Global Third-Party Android Marketplaces" article. (see also F-Droid: The privacy-friendly alternative to Google Play Store)
    3. Google's reCAPTCHA used
      1. Google's reCAPTCHAs compromise security:
        • anonymity is compromised.
        • (speculative) could Google push malicious j/s that intercepts user registration information?
      2. Users are forced to execute non-free javascript (recaptcha/api.js).
      3. The reCAPTCHA requires a GUI, thus denying service to users of text-based clients. If someone were to develop a third-party non-graphical plugin or app, OWS is now dictating that all Signal apps must support a GUI and it must also be javascript capable.
      4. CAPTCHAs put humans to work for machines when it is machines who should be working for humans. PRISM corp Google Inc. benefits financially from the puzzle solving work, giving Google an opportunity to collect data, abuse it, and profit from it. E.g. Google can track which of their logged-in users are visiting the page presenting the CAPTCHA.
      5. The reCAPTCHAs are often broken.
        • E.g.1: the CAPTCHA server itself refuses to give the puzzle saying there is too much activity.
        • E.g.2: captcha
      6. The CAPTCHAs are often unsolvable.
        • E.g.1: the CAPTCHA puzzle is broken by ambiguity (is one pixel in a grid cell of a pole holding a street sign considered a street sign?)
        • E.g.2: the puzzle is expressed in a language the viewer doesn't understand.
  3. APK download is implemented in a privacy-hostile manner:
    1. ^ That link is hidden. From the landing page users are directed to Google Playstore exclusively. There is also no way to navigate to the APK download from the home page. The only way to get the APK page URL is word-of-mouth or searches on 3rd-party websites.
    2. The small minority of users who will actually take initiative to proactively search for the APK may or may not discover this buried page, which the Signal project calls the "Danger Zone". And these users are not the ones that Signal puts at risk with Google surveillance; it's everyone else.
    3. Those who find the page will only see Signal pimping Google Playstore again. Many won't realize they must scroll down to see the Danger Zone. Fooled me a couple times. Even after I knew about the APK download I thought the download option got removed but I actually neglected to scroll down.
    4. The page says "The safest and easiest way to install Signal for Android is through the Google Play Store" (emphasis mine).
    5. Visitors of that page who use the noscript or uMatrix plugin do not get an APK download link. They see a blob of text below "Danger Zone" which doesn't include a link so they won't even bother reading it. If they do read it then it just appears like a broken page. They actually have to realize that they must enable javascript from Google in order to render the download button. So making a connection to Google is still inescapable even for the APK download.
    6. The Signal project says that link is for "Advanced users with special needs". So not only are they undermining their more secure distribution by calling it dangerous (when really it's the Playstore link that should be in a "Danger Zone"), they also say it's only for a subset of advanced users - this is not the audience privacytools.io is targeting. The privacytools.io audience should be able to find the app on f-droid.org.
  4. Platform limitations (due to refusal to cooperate)
    1. Open Whisper Systems takes a hostile posture toward developers of third-party apps like LibreSignal for using OWS-owned networks and having "Signal" in the name (likely it's the "Libre" they really don't like, but use of "Signal" invokes legal power).
    2. No official Debian distribution. Debian is the most common linux distribution and it's known for high quality standards and high standards of software freedom. The fact that Open Whisper Systems distributes an Ubuntu package directly from their own repository calls into question why they've not achieved the quality standards of having an official Debian release. One side-effect is that #debian on freenode will not support unofficial packages and in fact they advise against them. And in this case support is lacking (see the next section).
  5. Users seeking support are forced into CloudFlare.
    1. CloudFlare mushrooms into many privacy abuses, listed here
  6. Signal is centralized on Amazon AWS.
    1. When users connect to AWS, privacy abuser Amazon gets their IP address and likely knows they are using Signal. That IP address can then be cross-referenced to other activity recorded by Amazon (both their shop and other AWS-based services like Wire). (This is speculation - investigation needed).
    2. There are several privacy-related ethical problems with AWS.
  7. Network protectionism: the Signal network is a closed walled-garden in itself. "Open" Whisper Systems does not allow tools developed by others to use their network. OWS also will not federate their network with another network. So they've capitalized on the marketing benefit of free software licensing but implement a policy that prevents the freedoms of free software from actually having a practical usable effect. They do this while telling users: "As an Open Source project supported by grants and donations, Signal can put users first."
  8. Detrimental partnerships that aid privacy abusers:
    1. (Facebook) OWS contributed to the development effort of Facebook Messenger and WhatsApp
    2. (Google) OWS contributed to the development effort of Allo

Playstore history

The Signal-Playstore discussion (quite rightly) never dies. Threads keep popping up over the years and moving, but one thing that never changes is the project's unwillingness to deviate (in short, they want their stats). The most recent discussion lives here if anyone wants to follow it.

Perhaps it's worth mentioning that Google can possibly exceptionally be avoided entirely if a user downloads the source code and compiles it from scratch. I've not verified that, but it's somewhat moot anyway since privacytools.io target users would not be doing that.

bad players involved with OWS Signal

| entity | walled-garden? | direct privacy abuse w.r.t. Signal | indirect privacy abuse |
| --- | --- | --- | --- |
| Amazon | no | Amazon sees all connections, IP addresses, can associate to their webshop data | OWS feeds this notorious privacy abuser |
| Apple | yes | iTunes tracking | funds anti-privacy lobbyists |
| CloudFlare | yes | sees all web traffic to OWS support site and blocks Tor users | OWS feeds this notorious abuser of privacy and net neutrality |
| Facebook | yes | none | OWS contributed to the development effort on Facebook Messenger and WhatsApp projects |
| Google | yes | user tracking in many different ways via playstore and captcha | OWS feeds this notorious privacy abuser and PRISM corp |
| OWS | yes (OWS's own system is a walled-garden) | forced participation in telephone systems and forced disclosure of sensitive phone numbers | subjects users to privacy abusers in this table |
| phone vendors | no | some (e.g. Motorola) caught putting spyware on phones; factory configs hinder security | most phone makers fund anti-privacy lobbyists |
| phone service | no | CDMA/GSM tracking; reduces the security of phones | all US carriers are privacy abusers and also fund anti-privacy lobbyists |

Prostitution ring diagram showing privacy abuses:

(PDF) ows_signal_design

smaragdus commented 5 years ago

Seeing major privacy offenders like Brave and Signal in the list of recommendations means that Privacy Tools website has nothing to do with privacy- better no privacy than false privacy.

blacklight447 commented 5 years ago

What are you hoping to accomplish by commenting that you are not agreeing with the community consensus on a closed issue?

smaragdus commented 5 years ago

> What are you hoping to accomplish by commenting that you are not agreeing with the community consensus on a closed issue?

I am expressing my opinion; I don't care for community consensus, I care for privacy.

blacklight447 commented 5 years ago

@smaragdus which is exactly what the community agreed on: that signal provides privacy.

smaragdus commented 5 years ago

@blacklight447-ptio

The only chat protocol I consider secure is Tox. Tox desktop clients (qTox, Isotoxin, Toxygen, the latter two seem to be abandoned) are fine but the mobile ones (Antox, TRIfA) suck so much that they are barely usable on mobile phones.

If I have to make a compromise with privacy I would rather use an XMPP client or Telegram than Signal. I don't need to repeat all the reasons why Signal is hostile to privacy, I would just mention that Google Play Store is a huge privacy calamity and Signal's main developer, Moxie Marlinspike (the most hostile to forking person in the open source world that I have ever seen), refuses to offer Signal via free and open source stores like F-Droid (issue). Also, in contrast with Telegram Desktop (C++), Signal Desktop is pure junk (JavaScript + Electron). A further reading why Signal cannot be trusted. Also, locking issues is common practice for Signal developers.

Privacy Tools recommends Brave, which is another privacy disaster (the same applies to Firefox), while there is no mention of the very few really privacy-friendly browsers: Pale Moon, Basilisk and Iridium (the latter being the only de-Googled Chromium clone, with Bromite being its Android counterpart).

These two examples, Signal and Brave, show that Privacy Tools cannot be taken seriously as a privacy and security adviser. I do not know who stays behind Privacy Tools but I can imagine only two reasons why the website recommends privacy disasters like Brave, Firefox and Signal: either the people behind the Privacy Tools website are totally incompetent about privacy or they are being paid by Brave, Firefox and Signal.

dawidpotocki commented 5 years ago

> The only chat protocol I consider secure is Tox. Tox desktop clients (qTox, Isotoxin, Toxygen, the latter two seem to be abandoned) are fine but the mobile ones (Antox, TRIfA) suck so much that they are barely usable on mobile phones.
>
> If I have to make a compromise with privacy I would rather use a XMPP client or Telegram than Signal.

Telegram does not even have good E2EE and you are saying that it is better than Signal? Also, the source code of the Android app is always released after some time, which makes it a pain for Telegram-FOSS builds in F-Droid. Telegram's server is nonfree, while Signal's is on GitHub.

> while there is no mention of the very few really privacy-friendly browsers- Pale Moon

Oh, is this that browser that was serving infected execs for like half a year? https://forum.palemoon.org/viewtopic.php?f=17&t=22526

Or that which fscked with OpenBSD developers? https://github.com/jasperla/openbsd-wip/issues/86

blacklight447 commented 5 years ago

First of all, privacytools.io is a community project; the only reason there are a few people with commit access is to prevent vandalism. All content is on the site by community consensus.

Second of all, we are actually in the process of removing brave. (Not though, because it would be privacy unfriendly)

Third of all, we have decided not to list palemoon and basilisk because they have severe security problems, which you can read in #375 #856 and #375.

If you disagree with the listings, you are free to open up an issue for each item with a concrete set of proper arguments. And if you don't like that, you can always fork ptio and make your own website. However, privacytools.io is and always will be a project which listens to community consensus to decide what the best possible listing would be, I hope you have respect for our choice to follow this model.

dijit commented 3 years ago

> @smaragdus which is exactly what the community agreed on: that signal provides privacy.

The author of this thread has good points to the contrary that are worth considering.

Lunarequest commented 3 years ago

As of the time of writing, the GitHub repo for the server component of Signal has remained untouched for almost a year. The version in the repo can be veritably proven to not be the version running on the server; this is due to the fact that the source code in the repo has data leaks that are not present in the current version of Signal's server. Along with this, Signal recently released a TLS proxy for those in countries like Iran. Shortly after its release an issue was found showing that a government or any malicious entity could bypass the proxy and track the users. When this was reported to the Signal team via GitHub, their reaction was to remove the issues section completely (as of writing still missing) and proceed to ban the users that found this issue from the Signal forums. We cannot endorse Signal due to their practices that quite frankly endanger lives. For more information on the TLS proxy issue you can read this [issue](https://github.com/net4people/bbs/issues/60) on the Net4People BBS repo.

t1011 commented 3 years ago

It seems that PrivacyTools' disregard for the arguments of contributors over the years regarding the unsafe use of Signal has reached an apogee. Remove it at last.

Herohtar commented 3 years ago

> their reaction was to remove the issues section completely(as of writing still missing) and proceeded to ban the users that found this issue from the signal forums.

This is false. They removed the issue section because they had no intention of using it and politely requested that discussion of the proxy be continued on the Signal Community forum. One user was auto-silenced (not banned) on the forum due to Discourse's spam prevention settings, which was promptly reversed by the mods as soon as they realized what happened.

smaragdus commented 3 years ago

Signal is a government op

This was obvious from the very beginning for those who have eyes to see and brains to think.

PrivacyTools? No, thanks.

smaragdus commented 3 years ago

@LongJohn-Silver

All about Signal has always been murky and suspicious to me, from the leading developer (whose name I don't even want to mention) to the distribution model. Proving such stuff like the one mentioned above is from hard to impossible for obvious reasons. The problem with metadata is very grave (Michael Hayden Gleefully Admits: We Kill People Based On Metadata), as is the problem with the currently available chat programs: almost all are either insecure or underdeveloped, or perform miserably, or all of that together. As far as I know setting up your own Matrix server is only theoretically possible and the Matrix desktop clients are very poor. About Session: Session Desktop is forked from Signal Desktop, which is JavaScript/Electron, which means a firm no to me.

About Signal- I got even more suspicious when Snowden started recommending it enthusiastically, but when creatures like Musk recommend it it becomes more than obvious that it shouldn't be used.

Lunarequest commented 3 years ago

I would not recommend Session due to some heavy alt-right ties the current developers of Session have. You can see more about this here https://twitter.com/WPalant/status/1281540005190672384

smaragdus commented 3 years ago

> I would not recommend session due to some heavy al-right ties the current developers of session have. You can see more about this here https://twitter.com/WPalant/status/1281540005190672384

Your argument is absolutely ridiculous. Unfortunately dumb SJWs and useful idiots have heavily infiltrated GitHub.

Lunarequest commented 3 years ago

Unfortunately it appears a large amount of racist Alt-right groups have infiltrated GitHub

dijit commented 3 years ago

It's not useful to flame each other.

I don't know anything about Session, but if it's a FOSS technology then nothing prevents you or me from adopting it independent of undesirables.

In fact, that would be the only way to save its reputation from extremists.

Regardless. It is a tangent and not related to the removal of signal. Which I support for the reasons mentioned above.

ph00lt0 commented 3 years ago

Although I agree that the trend of Signal forcing up more and more Google spyware is worrying, I find it fun to read that people recommend Matrix instead. The sign up process of matrix also requires Google's reCAPTCHA. Session is indeed a great alternative, but yet no support for calls. I guess that for calls, there is a need for good servers... ...from the big boys. I also wonder why it would be problematic that Signal has enabled other companies to adopt E2EE, I believe this has greatly improved privacy and security of the masses. Luckily Signal will remove the phone number dependency, so we can take that from the list. All in all, Signal is for most people (which is the targeted audience of PTIO) a huge improvement over other chat apps. I see no reason to delist it.

freddy-m commented 3 years ago

At the moment, we will not be delisting Signal. However, if you want some legitimate criticism of Signal, see this video: Signal's Terrible MobileCoin Betrayal

lrq3000 commented 3 years ago

> I find it fun to read that people recommend Matrix instead. The sign up process of matrix also requires Google's reCAPTCHA.

Ah indeed, in the past there wasn't a reCAPTCHA but now there is one. However, I think that using the desktop app there is no reCAPTCHA as far as I know. And in-browser it's possible to use Tor Browser which nullifies risks with reCAPTCHA, which is not possible with the Signal app.

lrq3000 commented 3 years ago

Some updates on the issue of requiring a phone number for registration in Signal:

> Currently only devices with a PSTN number are supported. Embedded devices like door stations, webcams, etc. should be able to communicate with Signal users, too. I suggest to implement UID support for devices without a PSTN number.
>
> maybe with an email or just a user name.
>
> As replied by Open Whisper Systems many times, it's on the TODO list.

Source: https://community.signalusers.org/t/registration-without-a-phone-number/2222/2

Another interesting discussion at the pros and cons of using email addresses for registration: https://community.signalusers.org/t/registering-with-an-email-address/919/103

From what I gather, it seems Signal is not going to support other forms of registration anytime soon; as they want to bar spammers and bots from joining the network from the get-go, they chose a strategy of gatekeeping.

lrq3000 commented 3 years ago

> At the moment, we will not be delisting Signal. However, if you want some legitimate criticism of Signal, see this video: Signal's Terrible MobileCoin Betrayal

I wasn't aware of MobileCoin. This is very concerning. MobileCoin is a fork of Monero, but with the decentralized consensus algorithm being stripped out in favor of a centralized one. This cryptocurrency has all the marks of a scam: centralized (only nodes approved by the parent company can become validators), fully pre-mined, unknown circulating supply and shady allocation (15% already allocated to private investors, public investors can't get more than 5K euros annually, and for the rest we don't know). MobileCoin has been integrated into signal. Signal's co-founder Moxie is also trying to blur lines about his involvement in MobileCoin.

Beyond the very unadvisable MobileCoin, Signal failed to update the server's source code during the last year, and they never explained why despite inquiries.

All these issues seriously raise the question of whether Signal can still be trusted.

I would suggest to re-open this issue to discuss the opportunity of a removal.

ph00lt0 commented 3 years ago

> Ah indeed, in the past there wasn't a reCAPTCHA but now there is one. However, I think that using the desktop app there is no reCAPTCHA as far as I know. And in-browser it's possible to use Tor Browser which nullifies risks with reCAPTCHA, which is not possible with the Signal app.

@lrq3000 also on desktop (web) there is. I am not sure if I agree with the statement about Tor. We don't really know what patterns Google tracks with reCAPTCHA. Personally I wouldn't be surprised if the behavior leads to unique fingerprints (or at least puts you in some cohort). In addition we have seen FingerprintJS's findings a few weeks back. Let's agree that using reCAPTCHA generally is a very bad decision from both Matrix and Signal. Both do however provide a lot more privacy than other providers. Signal still is a great improvement for most people. Privacy should be approachable for the masses. If we didn't have Signal we would still be needing WhatsApp or texting to contact our relatives.

lrq3000 commented 3 years ago

Yes I agree, it would be better without Google services at all. I don't think the pattern of clicks on the reCAPTCHA is sufficient to track a user across different Tor circuits when the user reconnects later, but it still is a data leak. Unfortunately it's understandable there is gatekeeping against bots, and unfortunately reCAPTCHA is the most reliable of all captcha systems. I have worked myself on an alternative; it's no easy task, always a cat and mouse game, so unless Element/Matrix decides to verify the user's "humanity" by another means, which likely would involve more intrusive methods such as providing a phone number or an ID, I guess this is the least of evils.

Also worth noting is that if the matrix server is self hosted, then the captcha can be disabled. This is impractical for Signal since it's a centralized system, self-hosting means that you would be gated from interacting with the main network.