this post was submitted on 11 May 2025
141 points (86.2% liked)

Privacy

37745 readers
1152 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz
141
Why does Signal want a phone number to register if it's supposedly privacy first? (programming.dev)
submitted 1 day ago by 0101100101@programming.dev to c/privacy@lemmy.ml
227 comments fedilink hide all child comments
 

I remember a time when visiting a website that opens a javacript dialog box asking for your name so the message "hi " could be displayed was baulked at.

Why does signal want a phone number to register? Is there a better alternative?

(page 4) 50 comments
sorted by: hot top controversial new old
[–] FreeWilliam@lemmy.ml 3 points 17 hours ago* (last edited 17 hours ago) (9 children)

Jami.net

Ignore the comment saying signal is "end to end encrypted" "private" etc They are simply stuck in a delusional state where they try to convince themselves that signal is the best option so they can continue using it. Nothing is private if it isn't fully libre because you never know what the proprietary code is doing. The signal protocol itself has its source code released, and the encryption and security code is publicly available, but the signal Foundation has stated that it uses both free code and proprietary code. Their reason is UI, but it's hard to make sure whatever proprietary code is being used for because you simply can't see it. As GNU puts it: "You're walking in a pitch black cave". Jami is fully libre and is a GNU project. You don't even need any phone number!

[–] rottingleaf@lemmy.world 1 points 16 hours ago (6 children)

You should have visited Signal's github page first, I dunno. Before talking. Made up a lot of stuff.

They do have proprietary code for that crypto wallet they have there, well hidden, and for, eh, phone number registration, but other than that module it's all released, I think.

The server and the client applications are FOSS. You can host it for yourself, patching out the domain names and registration parts the way you like it more.

[–] phx@lemmy.ca 2 points 16 hours ago (2 children)

I didn't actually know the server code was published. It'd be cool if the client allowed multiple servers so you could talk to people on the "normal" master while also thing a private instance

[–] rottingleaf@lemmy.world 2 points 16 hours ago (2 children)

I think choosing a server, like in some ICQ clients, is not a complex modification.

load more comments (2 replies)
load more comments (1 replies)
load more comments (5 replies)
load more comments (8 replies)
[–] SpicyAnt@mander.xyz 7 points 21 hours ago

Maybe I am being too simplistic here. But I have never received a spam message to my XMPP account and I don't know how a spammer would find it.

In a phone-based system a spammer can spam a list of numbers, or use contact lists that are easily shared via phone permissions. There are several low-effort discovery processes.

For e-mail, you get spam when you you input your personal e-mail into forms, websites, or post it publicly.

But for something like XMPP... It seems rather difficult to discover accounts effectively to spam them. And, if it is an actual problem, why not implement some kind of 'identity swap' that automatically transmits a new identity to approved contacts? A chat username does not need to be as static as an e-mail or a phone number for most people.

I just don't see 'spam' as such a difficult challenge in this context, and not enough in my view to balance out requesting a phone number. Perhaps a spammer can chip-in?

[–] solrize@lemmy.world 5 points 22 hours ago (2 children)

Is there a quick explanation of what signal actually does? I don't understand the need for a phone number either. Jami doesn't ask for a phone number. It has other deficiencies that make me not want to use it, but those are technical rather than policy, more or less. Similarly, irc (I'm luddite enough to still be using it) doesn't ask for a phone number either. So this is all suspicious. There are a bunch of other things like this too (Element, Matrix, etc.) that I haven't looked into and tbh I don't understand why they exist.

[–] devfuuu@lemmy.world 3 points 18 hours ago (1 children)

It's not suspicious. It's been talked about for years. People know exactly what the phone number is used for. Easy discoverability, quick and seamless onboarding of new users by providing a way to bootstrap their social graph, and it being very similar to the process of the other biggest player that people just understand. And spam prevention. The phones are not leaked or used for anything else. The other alternatives exist and you are welcome to onboard the people you want onto them if you think it's simpler.

The code is open, if you don't trust other people and can't read the code to understand then hire someone you trust to validate the claims and assure you. But spreading FUD and saying it's suspicious is not productive to anyone.

[–] solrize@lemmy.world 1 points 15 hours ago* (last edited 15 hours ago) (5 children)

  1. I don't understand what you mean about discoverability: is my presence on the network advertised to strangers and spammers? That doesn't sound good. What does the onboarding process look like?

  2. You still haven't said what Signal's advantages are supposed to be over alternatives, though I can guess some (e.g. better/more crypto than irc has). Jami seems conceptually ok, but buggy in implementation. Nextcloud Talk works but is kind of clunky. Matrix is popular though I've never used it: is it the main alternative to Signal these days? I thought it was what all the hipsters had migrated to while luddites like me were still on irc. Jitsi Meet looks nice though again I haven't explored it much. I've been puzzled for a long time that there is so much work in this area yet everything has deficiencies. Are there difficult problems to solve?

  3. If Signal's code is open then of course I'd want to self-host the server. Can I do that? Does that get in the way of the onboarding process you mention? Where does the phone number come in, in that case? If I to use Signal's server, that doesn't sound so open, and normally there's no way for me to verify that it's running the same code that they claim.

I don't see where I'm spreading FUD. Ignoring a question and calling it FUD doesn't invalidate the question.

load more comments (5 replies)
[–] CosmicTurtle0@lemmy.dbzer0.com 4 points 21 hours ago (7 children)

Signal is a messenger service. You can expire messages after a certain amount of time.

They ask for a phone number to limit bots. I used my Google voice number and it worked fine. I like Telegram which banned me after a day of use for using Google Voice.

load more comments (7 replies)
[–] quickenparalysespunk@lemmy.dbzer0.com 5 points 23 hours ago (3 children)

thousands of threads on this topic since decades ago.

it's an eternal debate (since signal has no plans to change)

just read the history and join the rest of us waiting for them to change. using signal before that change is completely optional. go ahead and don't use it. no problem.

opening the discussion again is just tiring.

load more comments (3 replies)
[–] nucleative@lemmy.world 4 points 22 hours ago (1 children)

Is it possible to use a voip based SMS for registration?

Those are a little easier to get anonymously then physical sim cards.

load more comments (1 replies)
[–] Maverick604@lemmy.ca 4 points 22 hours ago (5 children)

Session is an alternative that does not require, or request, your phone number (or any other identifying information). Honestly, I have no idea why Signal got popular and Sessions did not. As soon as Signal asked for my phone number that set off alarm bells for me and I’ve never really trusted it since.

[–] guy@piefed.social 2 points 21 hours ago (2 children)

Isn't Session the one with insane username strings?

[–] Maverick604@lemmy.ca 1 points 14 hours ago (2 children)

Yes. That was how they avoided using identifying information from their users.

load more comments (2 replies)
[–] devfuuu@lemmy.world 2 points 18 hours ago (1 children)

Session is the one with broken security.

[–] Maverick604@lemmy.ca 0 points 13 hours ago

I don’t know that their security is “broken”. It may be, I don’t know. But also without anything that connects you to any particular message, it seems that – in itself – is a pretty good form of security.

I just don’t get why people accept Signal’s justification for requiring a phone number. They absolutely don’t need to (session proves that). It is certainly possible for them to say, “If you register without a phone number and access to your phone book then you will lose automatic discoverability by other users of Signal — meaning that you need to find another (physical) way to exchange your Signal username with your contacts”. They CAN do this. I think many users, like myself, would be fine with this tradeoff for greater anonymity. For some reason, they have steadfastly refused. The reasoning behind this refusal is what bothers me.

load more comments (4 replies)
[–] j4k3@lemmy.world 6 points 1 day ago* (last edited 22 hours ago) (1 children)

They implemented an alt method IIRC but you must go out of your way to search and find it. I just recall seeing a bunch of post headlines about using email or something like that a year or so back.

They send an initial SMS message that is a main expense and funded by some rich person and donations. I think that has some significance to encryption or something but I'm not sure of the details. I could be wrong on that one, it has been years since I read the details.

load more comments (1 replies)
[–] 0xtero@beehaw.org 5 points 1 day ago (1 children)

https://signal.org/blog/phone-number-privacy-usernames/

load more comments (1 replies)
[–] RockLobstore@lemmy.ml 1 points 17 hours ago (2 children)

Tried session? Anyone have comments on it? Nice to be able to skip the phone and easily use vpn, though I haven’t spent enough time on that.

load more comments (2 replies)
[–] Geodad@lemm.ee 4 points 1 day ago (3 children)

I believe you can delete your phone number once you're up and running, but yeah that seems like an anti-feature.

[–] Maeve@kbin.earth 4 points 1 day ago (1 children)

I see an option to change it, not delete. It's still attached to a SIM card which requires identity verification in many states.

[–] Geodad@lemm.ee 4 points 1 day ago

You're right. That is odd.

[–] autonomoususer@lemmy.world 3 points 22 hours ago* (last edited 22 hours ago)

When anyone get a copy of your data, nothing will bring it back.

load more comments (1 replies)
load more comments
view more: ‹ prev next ›