Privacy

37745 readers

1083 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

143

Why does Signal want a phone number to register if it's supposedly privacy first? (programming.dev)

submitted 1 day ago by 0101100101@programming.dev to c/privacy@lemmy.ml

234 comments fedilink hide all child comments

I remember a time when visiting a website that opens a javacript dialog box asking for your name so the message "hi " could be displayed was baulked at.

Why does signal want a phone number to register? Is there a better alternative?

you are viewing a single comment's thread
view the rest of the comments

[–] plz1@lemmy.world 11 points 18 hours ago (2 children)

They can "request" it all day long. Signal doesn't store them beyond the time needed to deliver to the end user device, and while (temporarily) stored, it's encrypted in a way Signal's service cannot read.

[–] 0101100101@programming.dev -5 points 16 hours ago* (last edited 16 hours ago) (3 children)

huh? so the phone number is encrypted in a way that can't be read, but an sms is sent to the phone? ... a separate company sends the text on behalf of signal? so that separate company logs the phone number, the timestamp and who knows what else.

[–] xthexder@l.sw0.com 5 points 13 hours ago

Signal doesn't use SMS anymore, and all messages are sent over encrypted Internet protocol. Any servers in between won't see the phone number, it's not needed to deliver the message, it's using an IP address at that point and the entire message metadata is encrypted. Signal is the only one that can see the phone numbers, which they use to identify multiple clients as a single user and route messages accordingly.

[–] plz1@lemmy.world 1 points 10 hours ago

Signal doesn't use SMS at all, once you have enrolled. The phone number is used to validate people and exclude bots, during registration. As others have noted, you can hide your number from other users, as well.

[–] JackbyDev@programming.dev 0 points 14 hours ago

What are you on about right now? I don't mean that sarcastically, I really am wondering what your concern is. Are you concerned that because your phone number is associated with Signal that police will know you use Signal?

[–] solrize@lemmy.world -4 points 17 hours ago (1 children)

The phone carrier at least here in the US is required to store the call data for 18 months, according to the one that I use.

[–] dubyakay@lemmy.ca 11 points 17 hours ago (1 children)

What does that have to do with Signal?

[–] solrize@lemmy.world -3 points 16 hours ago* (last edited 16 hours ago) (2 children)

The claim is that Signal's phone verification step doesn't cause privacy problems because Signal (purportedly) doesn't retain the phone numbers after verification. That claim is falsified because the phone carrier stores the call record even if Signal doesn't. They store it because of the same law that makes them turn it over to Big Brother on demand. The phone verification step is, therefore, a privacy problem. Obviously there are similar issues with IP routing, but at least I can use a VPN with an endpoint in another country.

[–] dubyakay@lemmy.ca 5 points 16 hours ago (1 children)

No, that wasn't the claim. Phone numbers are used for sign up, but the post's OP was talking about messaging meta data. Messaging meta data doesn't go through your carrier and is encrypted.

If you check the publication of signal's cases where they had to hand out data, and in reverse the FBI leak that listed analysis of all messenger apps by what data they were able to acquire in most cases, Signal came out as one of the top options.

[–] solrize@lemmy.world 1 points 16 hours ago

Oh I see what you mean. But a big enough data dump from the phone carriers identifies all of Signal's users, not good.

[–] plz1@lemmy.world 0 points 10 hours ago (1 children)

The "record" is a SMS verification code. All that will tell the government is that you registered for Signal, nothing else.

[–] solrize@lemmy.world 2 points 2 hours ago

Telling the govt that you registered for Signal sounds like a bad failure as far as I'm concerned, e.g. if you are a user in a repressive regime. Do you think Trump would like to get his hands on a list of all the Signal users in the US? Probably yes. What would he do with the list? IDK but it has to be bad. So it should be an objective of Signal to make it impossible for anyone to create such a list.

Anyway, it sounds like Signal has wised up and is getting rid of the phone number requirement. I don't understand why people here keep defending the misfeature. I've heard such things explained as "system justification" but I still don't understand it. All of us make poor decisions all the time, but we should at least make some effort to recognize them, and fix them when possible.

https://en.wikipedia.org/wiki/System_justification