this post was submitted on 11 May 2025
118 points (85.1% liked)

Privacy

37745 readers
1012 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz
118
Why does Signal want a phone number to register if it's supposedly privacy first? (programming.dev)
submitted 20 hours ago by 0101100101@programming.dev to c/privacy@lemmy.ml
205 comments fedilink hide all child comments
 

I remember a time when visiting a website that opens a javacript dialog box asking for your name so the message "hi " could be displayed was baulked at.

Why does signal want a phone number to register? Is there a better alternative?

you are viewing a single comment's thread
view the rest of the comments
[–] rottingleaf@lemmy.world 26 points 12 hours ago (3 children)

  1. Yes, and in that time you would visit a website with your own IP address likely, likely over HTTP without SSL/TLS, likely with your vulnerable browser fingerprint. Point?

  2. Privacy, not anonymity. Two completely different things.

  3. Because the way Signal is built hosting it requires a lot of resources (storage especially), so they want spam prevention and fewer accounts per person.

[–] autonomoususer@lemmy.world 1 points 2 hours ago* (last edited 1 hour ago)

Our phone numbers are not private from them.

Despite this, escaping WhatsApp and Discord, anti-libre software, is more important.

[–] solrize@lemmy.world 5 points 9 hours ago* (last edited 9 hours ago) (2 children)

  1. I haven't seen a non-TLS website in years.

  2. Your asserting "two completely different things" doesn't make it true. Privacy and anonymity are not synonyms but they are overlapping areas. Also ISTM you are redefining terms to suit your purposes. Anonymity to me means the message recipient can't tell who you are. If a THIRD PARTY (the server operator) can ALSO tell who you are, that's a privacy failure, not just an anonymity one.

  3. Why does it take so much storage per user? Does it have video uploads or anything like that? A user account should basically just be a row in a database.

From https://en.wikipedia.org/wiki/Signal_(software) :

In August 2022, Signal notified 1900 users that their data had been affected by the Twilio breach including user phone numbers and SMS verification codes.[105] At least one journalist had his account re-registered to a device he did not control as a result of the attack.[106] ...

This mandatory connection to a telephone number (a feature Signal shares with WhatsApp, KakaoTalk, and others) has been criticized as a "major issue" for privacy-conscious users who are not comfortable with giving out their private number.[142] A workaround is to use a secondary phone number.[142] The ability to choose a public, changeable username instead of sharing one's phone number was a widely-requested feature.[142][144][145] This feature was added to the beta version of Signal in February 2024.[146]

Using phone numbers as identifiers may also create security risks that arise from the possibility of an attacker taking over a phone number.[142] A similar vulnerability was used to attack at least one user in August 2022, though the attack was performed via the provider of Signal's SMS services, not any user's provider.[105] The threat of this attack can be mitigated by enabling Signal's Registration Lock feature, a form of two-factor authentication that requires the user to enter a PIN to register the phone number on a new device.[147]

[–] 3abas@lemm.ee 5 points 7 hours ago* (last edited 7 hours ago) (1 children)

They are overlapping areas, but they are "two completely different things". They overlap by sharing common goals, not by being interchangeable.

Anonymity to me means the message recipient can't tell who you are.

Right. And Signal doesn't provide that at all, it ties your private messages to your identity (phone number), it explicitly does not provide anonymity. In fact, it proudly advertises you as a signal user to other signal users that have your number saved. It allows you to post public status updates, it encourages you to save your first and last name on your account.

If a THIRD PARTY (the server operator) can ALSO tell who you are, that's a privacy failure, not just an anonymity one.

Okay? And? In this hypothetical world where Signal offered anonymity but still tied you to your number for other practical reasons, then you're be correct that it would be a privacy concern.

But they don't offer anonymity, they offer private conversations.

[–] solrize@lemmy.world 4 points 7 hours ago* (last edited 6 hours ago)

They are overlapping areas, but they are “two completely different things”. They overlap by sharing common goals, not by being interchangeable.

They aren't interchangeable but they intersect. Completely different means they are disjoint.

it proudly advertises you as a signal user to other signal users

That sounds terrible, a private message service shouldn't advertise anything to anyone. If I subscribe to a subversive magazine, it shouldn't advertise me to other subscribers. It's a terrible invasion if they do. Signal and PGP are both comparable to subversive magazines in that regard, even if the PGP manual tried to say the opposite.

I think most of us these days recognize that the whole concept of public key directories and signature chains on PGP keys was a conceptual error in how people thought about privacy back then (they only cared about encrypting message content). We like to think we know better now, but maybe we don't.

Okay? And? In this hypothetical world where Signal offered anonymity but still tied you to your number for other practical reasons, then you’re be correct that it would be a privacy concern.

According to Wikipedia, they do record some of that info and report it to the government when required. In fact there is further disclosure to them (they might not retain or use the info, but they do receive it) every time you connect to the Signal server.

Anyway the Wikipedia article indicates they have introduced usernames as an alternative to phone numbers, so they have finally acknowledged the problem and done something about it.

[–] rottingleaf@lemmy.world 1 points 6 hours ago
  1. When people would complain about JS on webpages, they were not.
  2. Completely different things overlap all the time.
  3. Because your status updates and messages are encrypted and stored (until retrieved, of course) once for every recipient, and that includes your other devices and their other devices.