this post was submitted on 09 Aug 2021
23 points (81.1% liked)
Privacy
33192 readers
562 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Source?
https://www.zdnet.com/article/hong-kong-protesters-warn-of-telegram-feature-that-can-disclose-their-identities/
Note that while this is about Telegram, this problem of reverse phone-number lookup also exists AFAIK with Signal.
Where is the source for Signal? Because ASAIK there is no metadata accessible for Signal besides creation data of the account and the last time the account was online. No groups, no contacts, no anything. Source
You are missing the point. If you have a big list of suspect phone-numbers you can put them into Signal and it will show all that have their phone numbers registered with Signal. That is a metadata leak and quite a significant one.
You wouldn't be able to know which of the Signal accounts actually belongs to a particular demografic other than "it uses Signal". It's definitely much less significant than all the datamining you can do in Facebook/Whatsapp and Telegram.
With a big enough "it uses Signal" democrafic , you wouldn't even be able benefit much from knowing a number is in Signal.. if every phone had a Signal account that metadata would be virtually useless.
Sure, it's a leak, but it's one leak that also exists in Whatsapp and Telegram, along with many others leaks that those other messengers have and Signal doesn't.
I'm definitely not a fan of Signal (or Moxie's views) myself, but I would definitely much rather people use it instead of having billions of them continue in Whatsapp or Telegram. The whole point being made is that there's a big difference between using Signal and using those, we aren't implying that any particular form of communication is perfect. None are. It's just some are better than others. Saying that Signal is in the same level is not exactly fair.
Sure, but other messengers that do not use phone-numbers do not leak this info. And as long as Signal is used by a certain minority it is a risky metadata leak.
And you can turn this in any way you want, but using phone-numbers as the public identifier is a really bad idea and disqualifies Signal for most privacy sensitive communication. Even if everyone was using Signal it would be still a bad idea to hand out your phone number and have it visible in group-chats.
And yet Telegram and Whatsapp do that and more.
We are not comparing Signal with "messengers that do not use phone-numbers". We are comparing it to messengers in the level of Telegram and Whatsapp, because the point was that placing it all on the same level isn't accurate or fair. Reality isn't Black&White.
Signal is definitely flawed, but I'd much rather have people asking me to communicate via Signal than through Telegram/Whatsapp as they usually do. I do wish Signal was able to catter to that demografic.
Why? That is like saying lets only compare really bad options with slightly less bad options.
Threema for example does not require phone numbers and there are also good XMPP based messengers.
Because "slightly less" is a subjective measure that's relative to how pedantic we want to get.
Even XMPP is a "slightly less" bad option, in the sense that you are still targetable when using a sufficiently advanced method, and you are still not free of risk.
Even hosting your own instance you give away the IP, if you don't host it then you do have to trust the host, since it does store metadata (maybe more so than Signal).
Yes. That's exactly what you get. A list of Signal users.
Why is a user list in itself "a significant metadata leak". You would need other information for that, like groups, contacts, online times or anything else. But you don't get that, so I can only repeat my question: what is the problem with it?
I explained that already in much detail elsewhere in this thread.
tl;dr as a Signal user you are a minority that is automatically suspect to law-enforcement and when this meta-data is overlapped with other meta-data is is easy to narrow down a list of suspects and get legal permission to deploy more intrusive surveillance methods. In addition once that more intrusive surveillance method is deployed on a device, it can read other linked phone-numbers from Signal group-chats and thus those people are also compromised because phone-numbers are always linked to government issued identities (either explicitly or due to payments).