• poVoq@lemmy.ml
    link
    fedilink
    arrow-up
    1
    arrow-down
    1
    ·
    3 years ago

    You are missing the point. If you have a big list of suspect phone-numbers you can put them into Signal and it will show all that have their phone numbers registered with Signal. That is a metadata leak and quite a significant one.

    • Ferk@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      3 years ago

      You wouldn’t be able to know which of the Signal accounts actually belong to a particular group, or any other info other than them having an account. The example from the Hong-Kong protests is misdirected.

      With a big enough democrafic of the population using Signal, you wouldn’t even be able benefit much from knowing a number is in Signal… if every phone had a Signal account that metadata would be virtually useless.

      Sure, it’s a leak, but it’s one leak that also exists in Whatsapp and Telegram, along with many others leaks that those other messengers have and Signal doesn’t.

      I don’t use Signal, but I would definitely much rather recomend people use it rather than having billions of them continue with Whatsapp or Telegram. The whole point being made is that there’s a big difference between using Signal and using those, this is not about saying any particular form of communication is perfect. None are.

      • poVoq@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        3 years ago

        Sure, but other messengers that do not use phone-numbers do not leak this info. And as long as Signal is used by a certain minority it is a risky metadata leak.

        And you can turn this in any way you want, but using phone-numbers as the public identifier is a really bad idea and disqualifies Signal for most privacy sensitive communication. Even if everyone was using Signal it would be still a bad idea to hand out your phone number and have it visible in group-chats.

        • Ferk@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          3 years ago

          And yet Telegram and Whatsapp do that and more.

          We are not comparing Signal with “messengers that do not use phone-numbers” (which often leak other info instead). We are comparing it to messengers in the level of Telegram and Whatsapp, because the point was that placing it all on the same level isn’t accurate or fair. Reality isn’t Black&White.

          Signal has flaws, but I’d much rather have people asking me to communicate via Signal than through Telegram/Whatsapp as they usually do. I do wish Signal was able to catter to that demografic.

          • poVoq@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            3 years ago

            Why? That is like saying lets only compare really bad options with slightly less bad options.

            Threema for example does not require phone numbers and there are also good XMPP based messengers.

            • Ferk@lemmy.ml
              link
              fedilink
              arrow-up
              0
              ·
              edit-2
              3 years ago

              Because “slightly less” is a subjective measure that’s relative to how pedantic we want to get.

              Even XMPP is a “slightly less” bad option, in the sense that you are still targetable when using a sufficiently advanced method, and you are still not free of risk. Even hosting your own instance you give away the IP, if you don’t hsot it then you do have to trust the host, since it does store metadata (maybe more so than Signal).

              • poVoq@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                3 years ago

                So? We are talking about the risk of using your phone number as the public identifier. So any service that doesn’t use phone numbers at all is by definition in a completely different league then one that does.

                I am not talking about some hypothetical extreme privacy considerations, but the very real problem of using phone numbers and the huge number of issues associated with that.

                • Ferk@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  edit-2
                  3 years ago

                  I thought we were talking about security and privacy in general, applied to messaging platforms. Specifically, comparing Telegram/Whatsapp with Signal.

                  If you want to talk exclusively about phone numbers then it’s obvious that if a messaging system doesn’t use phone numbers there’s no risk that metadata related to phone number is the one that’ll get leaked.

                  Whether you want to make them be “a completelly different league” based on that distinction alone is an arbitrary separation. By that logic XMPP would be in the same “league” as unencrypted email.

    • Palaress@lemmy.161.social
      link
      fedilink
      arrow-up
      1
      ·
      3 years ago

      You are missing the point. If you have a big list of suspect phone-numbers you can put them into Signal and it will show all that have their phone numbers registered with Signal.

      Yes. That’s exactly what you get. A list of Signal users.

      That is a metadata leak and quite a significant one.

      Why is a user list in itself “a significant metadata leak”. You would need other information for that, like groups, contacts, online times or anything else. But you don’t get that, so I can only repeat my question: what is the problem with it?

      • poVoq@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        3 years ago

        I explained that already in much detail elsewhere in this thread.

        tl;dr as a Signal user you are a minority that is automatically suspect to law-enforcement and when this meta-data is overlapped with other meta-data is is easy to narrow down a list of suspects and get legal permission to deploy more intrusive surveillance methods. In addition once that more intrusive surveillance method is deployed on a device, it can read other linked phone-numbers from Signal group-chats and thus those people are also compromised because phone-numbers are always linked to government issued identities (either explicitly or due to payments).