What does having Signal installed has to do with tracking down and installing a Trojan?

I don’t think that they will track only track you down for using Signal, and if they are they still will install a Trojan even without Signal installed on your phone.

You are missing the point. If you have a big list of suspect phone-numbers you can put them into Signal and it will show all that have their phone numbers registered with Signal.

Yes. That’s exactly what you get. A list of Signal users.

That is a metadata leak and quite a significant one.

Why is a user list in itself “a significant metadata leak”. You would need other information for that, like groups, contacts, online times or anything else. But you don’t get that, so I can only repeat my question: what is the problem with it?

This YouTuber is actually notorious for not posting sources to his claims. Which is just goofy since he considers himself to be a source of non-mainstream information on privacy.

From my (very limited) point of view, he is just talking a lot of bullshit.

Its even counterproductive, because he is putting quite good (even tho maybe not perfect) applications on the same level as Facebook’s application, which are so different that I can’t discribe it.

He gives the example of a fed wanting to find a suspects for a hacking case. He has a potential list of names, and subpoenas the phone company’s for their phone numbers. He then installs signal, whatsapp, telegram ( all of those services that use real person identifiers ) and adds those phone numbers to his contact list. Boom, now he can narrow down suspects because all of those services, including signal, will tell you if that person uses signal.

The only thing the fed is doing here is checking if number x has signal installed. How is ‘having signal installed’ connected to ‘being a hacker/criminal’?

Sure you can easily get further data by for example asking the phone companies for cell-tower log-in location and times. This you can then narrow down against your list of Signal using suspects and either remotely infect their phones with a trojan or simply snatch up the hardware at a “random” police check and access the already decrypted messages with identifiable phone-numbers of all the group-members.

What the fuck? Sure, you could also just being tortured till you tell them everything you know, but fking tracing over cell companies is not a security flaw in an app.

They could also just as well decrypt your self hosted emails that are cached on your device.

Note that while this is about Telegram, this problem of reverse phone-number lookup also exists AFAIK with Signal.

Where is the source for Signal? Because ASAIK there is no metadata accessible for Signal besides creation data of the account and the last time the account was online. No groups, no contacts, no anything. Source

I don’t know…

• He is saying that encryption makes you a target: Well, WhatsApp is encrypted. So with approximately 2 billion people that all are getting targeted, being targeted isn’t bad anymore, because there are so many targets.

• Signal can track metadata: Where is the proof, where is the reference, where is anything of that? Moxie Marlinspike showed all his metadate in a talk of his. The only metadata there is to read is “lastSeen” and “accountCreated” which says basically nothing. No groups, no contacts, no everything. Bold assertion to say otherwise without any kind of proof.

Second this. Also I am not sure, which Telegram features are missing in Signal? You have private voicechat, background server connectivity (so you don’t rely on google cloud messaging), you have voice/video calls, group chats. Sure you don’t have public group chats, and no video message, but who really cares?