1/ In defense of #Signal. Yes, I'm a guy that just posted a roundup of distributed/mesh messengers https://changelog.complete.org/archives/10205-roundup-of-secure-messengers-with-off-the-grid-capabilities-distributed-mesh-messengers of which #Signal was obviously not part. I am really excited about the potential of those.
But to the general public, I still recommend Signal. Here's why.
2/ #Signal brings #encryption and #privacy to meet people where they're at, not the other way around. People don't have to choose a server, it can automatically recognize contacts that use Signal, it has emojis, attachments, secure voice and video calling, and they all just work (Musk aside). It feels, and is, a polished, modern experience with the bells and whistles they are used to.
3/ I am a huge fan of #Matrix/#Element and even run my own instance. It has huge promise. But it is Not. There. Yet. Some reasons:
#Synapse, the only currently viable Matrix server, is not ready. My Matrix instance hosts ONE person, me. Synapse uses many GB of RAM and 10+GB of disk space, with little tuning for either. It's caused OOMs more than once. And this is AFTER extensive tuning. It cannot be hosted on a Raspberry Pi or even one of the cheaper VPSs.
4/ Choosing a #Matrix instance. Well you could just tell a person to use matrix.org. But then it spent a good portion of last year unable to federate with other popular nodes due to Synapse limitations. Or you could pick a random node, but will it be up when someone needs to say "my car broke down?" Some are run from a dorm computer, some by a team in a datacenter, some by one person with EC2, and you can't really know. Will it be stable and long-lived? Hard to say.
5/ Voice and video calling is not there yet. Matrix has two incompatible video calling methods (Jitsi and built-in), neither works consistently well, both are hard to manage, and both have NAT challenges.
6/ #Matrix is so hard to set up on a server that there is matrix-docker-ansible-deploy https://matrix.org/docs/projects/other/matrix-docker-ansible-deploy/. This makes it much better but it is STILL terribly hard to deploy, and very simple things like "how do I delete a user" or "let me shrink down this 30GB database" are barely there yet, if at all.
7/ Encryption is not mandatory in #Matrix. E2EE has been getting DRAMATICALLY better in the last few releases, but it is still optional, especially for what people would call "group chats" (rooms). Signal is ALWAYS encrypted. Always. (Unless, I guess, you set it as your SMS provider on Android). You've got to take the responsibility off the user to verify encryption status and make it the one and only way to use the ecosystem.
8/ Again, I LOVE #Matrix. I use it every day to interact with Matrix, IRC, Slack, and Discord channels. It has a TON of promise. But would I count on it to carry a "my car's broken down and I'm stranded" message? No.
9/ What about some of the other options out there? #Briar is fantastic and its offline options are novel and promising. But in common usage, it can't deliver a message unless both devices are online simultaneously, and doesn't run on iOS (though both are being worked on). It also can't send photos or do voice or video calling.
10/ Some of those same limitations apply to most of the alternatives also. Either that, or they are encryption-optional, or terribly hard to set up and use. Just today, I boosted a post about #Status, which shows a ton of promise also. But it's got no voice or video calling capabilities. How about #Scuttlebutt? Fantastic protocol, extremely difficult onboarding (lengthy process, error-prone finding a pub, multi-GB initial download, etc.).
11/ So #Signal gives people: dead-simple setup, store-and-forward delivery, encrypted everything, encrypted voice/video calls, ability to send photos/video encrypted. If you are going to tell someone "it's so EASY to get your texts away from Facebook and AT&T", THIS IS THE THING you've got to point them to. It may not be in 2 years, but for now, it is. Do not let the perfect be the enemy of the good. It advances the status quo without harming usability, which nothing else does yet.
12/ I am aware of all of the very legitimate criticisms of #Signal. They are real and they are why I am excited that there are so many alternatives with promise, some of which I use actively. Let us technical people use, debug, contribute, and evangelize the alternatives.
And while we're doing that, tell Grandma to contact us on Signal.
/END
@jgoerzen great exposition, most comprehensive address to my objections. still: i don't want to give my phone number to people i don't trust (that is moxie and openwhisper and all who can grab it from the discovery process, like the police, the state, fascists, etc). i don't want them to have my kid's phone number either, nor my friends and comrades. 1/
@zeh
It may be worth reiterating at this point that although Signal uses your phone number as a user identifier, I'm not actually sure if they store it or just a hash of it, and they definitely don't transmit other numbers from your contacts for discovery:
https://support.signal.org/hc/en-us/articles/360007061452-Does-Signal-send-my-number-to-my-contacts-
They also announced they're trying to move away from using phone numbers at all (the recent introduction of PINs is in preparation of that) -- but it may take some time
@jgoerzen
@Mr_Teatime @jgoerzen @zeh #OWS keeps a copy of your phone number on record for account recovery purposes. Of course, this also opens you up to various attacks and compromises.
Hm... yeah, makes sense. Would it be possible to do those things without storing the user ID?
@Mr_Teatime @zeh @jgoerzen It occurs to me that they could theoretically store a hash, and then ask for the ph# again at acct recovery time, then compare the hashes. But I don't give OWS the benefit of the doubt considering how they push users into Google Playstore & claim it's safer than the APK download which they hide. It's hard to trust OWS anytime trust is needed.
As far as I can tell, they are pretty good at minimizing the amount of stored data, including profile, contact data, metadata etc:
https://signal.org/bigbrother/
As far as I can tell, they don't have more than the phone number (hashed or not, not sure, haven't found the info yet)
Also, the code is open source, so it is testable whether it does what OWS says it does -- no need to speculate.
@Mr_Teatime @resist1984 @jgoerzen oh, look at that. not only is #signal hostile to federation and freedom, centralized and closed source (no new code published for a year), they've also gone full cryptoscam now. who could have possibly imagined something like this.
@Mr_Teatime @jgoerzen @zeh zeh is likely referring to this: https://www.schneier.com/blog/archives/2021/04/wtf-signal-adds-cryptocurrency-support.html
@Mr_Teatime @zeh @jgoerzen I've always considered #Signal trash (see https://github.com/privacytoolsIO/privacytools.io/issues/779). For #Schneier to endorse it for "grandma" neglects the fact that Signal is exclusive. It completely disservices grandmas who just want to reach everyone. Signal excludes those without mobile phones & those unwilling to share their number with OWS, which makes grandma exclusive.
@jgoerzen @zeh @Mr_Teatime Wire is more suitable for grandma, because it works on all major desktop systems and mobile devices, and registration does not require a mobile phone number.
@resist1984
Wire has taken venture capital, though, so it's effectively inevitable that they'll try to sell their users at some point.
With that funding model, the incentive to sell out grows proportionally with the size of their userbase...
I'm kinda hoping that Jami becomes sufficiently mature soon. Or maybe some miracle happens to XMPP, but that's not probable. Maybe someone picks up the Signal code if/when they continue like this?
@jgoerzen @zeh
@resist1984
»Without mobile phones«
So ... that grandma in your example has a PC/laptop but no smartphone, or has a smartphone but is unwilling to tell others her phone number?
I'd say there are a few orders of magnitude fewer people who fall into that category than the people who have nothing but a smartphone and don't know how to use it for anything but facebook and whatsapp.
*both* groups are important but for the second one, Signal is the best thing out there.
@Mr_Teatime @jgoerzen @zeh grandma may have 50+ people in the family. Do all 50+ family members have both a mobile phone & the willingness to share their number with OWS? Both of my grandmas would be excluding me if they were to use Signal.
@zeh @jgoerzen @Mr_Teatime a lot of people are willing to use exclusive technologies, but grandmas, not so much. They tend to want to include everyone in their families.
@Mr_Teatime @jgoerzen @zeh So #Signal is /exclusive/, while #Wire is inclusive. Wire is therefore more suitable for the grandma use case.
@resist1984
Your grandma has funny priorities.
My grandma never had anything but a landline telephone.
My father progressed 2y ago from being able to play solitaire on an old Windows XP laptop to being able to watch youtube videos on an old Windows7 laptop, still has no e-mail, and his dumbphone mostly stays in the drawer.
He's not excluding anyone, he just finds that stuff annoying to deal with. You wanna call him, you use the landline. Same number as the last 41 years.
@jgoerzen @zeh
@Mr_Teatime @zeh @jgoerzen it would be bizarre priorities for a grandma /not/ to be inclusive. What grandma is going to not talk to a family member for not having a mobile phone? Of course grandma wants to talk to everyone, whether they have a mobile phone or not-- a requirement that #Signal can't meet. Wire can. Wire is inclusive, so it makes more sense for a family to use.
@jgoerzen @zeh @Mr_Teatime If Wire were to sell out to GAFAM and start requiring a mobile phone like Signal does, I'm sure Jami will have sufficiently improved by then.
@Mr_Teatime @zeh @jgoerzen The only thing unusual about my grandma is she uses linux. Which is not to say she's technologically advanced, but she never used Windows or Mac, so she never had the disadvantage of developing bad habits & proprietary knowledge in the days before linux became user friendly.
@jgoerzen @zeh @Mr_Teatime regarding your grandma never having anything but a landline telephone-- that excludes her from using Signal. Wire would work with just a landphone, dial-up access, and an old desktop, if necessary.
@resist1984
...and the ability to use that desktop... game over.
The only communication channel that works for everyone is telephone. SMS as well, mostly. If I asked my family to install Wire ... no chance. I'm glad that most of them have been persuaded by myself and my brother to install Threema. Took long enough. No way am I going to bring up yet another one.
Curious to hear how your miraculous grandma managed to get 50+ people on Wire ...
@Mr_Teatime @zeh @jgoerzen She didn't get everyone on Wire because she still reaches most people from her landline. She can't reach everyone with her landline though because overseas calls are still very pricey. If she had to use Wire for everyone, she could because unlike Signal, Wire excludes no one except those with neither a mobile phone or a desktop.
@jgoerzen @zeh @Mr_Teatime She probably has a couple friends her age who have only a landphone & no desktop, only reachable by landphone. But landphone alone doesn't reach everyone. Landphones are pricey for overseas calls & calling me would be a hassle (she would have to leave a msg for me to call her since my # is v/m only, then I would have to call her back over a VOIP phone & hope she hears the ringer).
So ... how inclusive does that make you, not even being prepared to receive a phone call from your dear granny?
We do have a landline number (using VoIP, as most are these days) for the express purpose of calling our families who live in different countries, and receiving calls from them. Costs 15€/month, for free EU-wide calls, which is less than a lot of people pay for mobile data.
@Mr_Teatime @zeh @jgoerzen Inclusivity came up in the context of the grandma use case. I am not a grandma & with my wildly different situation with security parameters, I am very far from inclusive. I have a vm-fax-only # & a non-DID VOIP acct. Intl outbound is cheap w/the VOIP acct but only vm-fax is reachable from POTS/VOIP/GSM. Even if I had a DID it would only give cheap calls to initiators in 1 region.
@jgoerzen @zeh @Mr_Teatime There are people who would like to reach me on #Facebook, but I exclude them deliberately. Giving people a way to reach me through FB is to facilitate FB. I will not do that. If they want to reach me, they must use a secure & free-world-respecting option. Signal is a non-starter; it brings in several forms of surveillance. My ethics & security needs are very different than grandmas.
»Signal is a non-starter; it brings in several forms of surveillance.«
Please elaborate.
Last time I checked, all they have is your identifier (i.e. phone number) and the date of the last time you used the service:
https://signal.org/bigbrother/eastern-virginia-grand-jury/
Compared to that, Wire holds tons more user data:
https://wire.com/en/security/
https://wire-docs.wire.com/download/Wire+Privacy+Whitepaper.pdf
(profile picture, group memberships; start/end time and members of group chats ...) Not sure if they require e-mail addresses
Which is not to say that they were horrible surveillance monsters or anything, but their protocol is inherently less privacy-preserving than Signal's. Most of the data Wire stores, Signal does not ever get their hands on, or only in user-side encrypted form (i.e. undecipherable to them).
Granted that Wire has functional advantages, but there's no way your statement about surveillance is appropriate.
@Mr_Teatime @zeh @jgoerzen Signal collects and retains everyone's mobile phone number, which is far more sensitive than Wire's collection of pseudonym & email address.
@resist1984
... and communication partners, chat times, durations, profile pictures ... to you.
That's a *very* subjective judgement. If you find it more important to tightly control access to your phone number than to allow the (VP-funded) company running your messenger to log part of what you do with it and who you talk to ... I guess there are scenarios where that makes sense. But you must be aware that one doesn't have to be stupid, naïve (or eViL!!!) to choose differently.
@zeh @jgoerzen
@Mr_Teatime @zeh @jgoerzen See https://github.com/privacytoolsIO/privacytools.io/issues/779. #Signal drags users into several surveillance systems needlessly. Mobile phones are tracked in the US & that data is openly sold. Most Europeans must register their SIM cards & show state-issued ID. Signal subjects people to Google's privacy abusing system by pushing users into Playstore & the code uses reCAPTCHA.
@jgoerzen @zeh @Mr_Teatime Compare that to Wire, which does not impose whole systems of surveillance like that inherent with mobile phones. The metadata is not ideal, but usernames can be whatever you choose & IP address is not collected. The email address can trivially be a throwaway & normies are more inclined to use a throwaway email than go through the hoops getting a burner phone for Signal.
My SIM card is linked to a throwaway e-mail address, my phone runs Lineage OS without Google apps.
I downloaded the Signal APK directly from their site, not through the playstore, because I have no Google account.
Almost all private desktop computers run Windows 10 now, which tries hard to apply similar levels of surveillance as mobile phones.
So, while "I don't use smartphones because they spy on me" is a valid argument, the gap to desktops is closing fast.
The obvious reply to that would be "just use Linux" -- but using Linux is still sadly not for everyone, and while installing LineageOS is a bit harder than Linux, using it is just as easy as regular Android.
I say this as someone whose main computer has run on Linux for over 10 years.
@Mr_Teatime @jgoerzen @zeh Yes, it is possible to travel to a country that has burner phones, use cash to buy a burner chip if you can find an unsurveilled shop that sells them, find an unsurveilled alleyway to register to Signal, and throw the chip away. And after all that effort to go through hoops you shouldn't, you've still only given yourself privacy not the normies you will talk to who won't do that.
So, if you're okay with not being inclusive, then why do you get so worked up about Signal for the same thing?
It's fine that you have a favourite messenger, and of course it has some advantages, but that doesn't mean that there weren't some aspects where it wasn't the other way round. I'm sure there are people for whom one of those differences is more important than another but this is just getting plain silly.
@Mr_Teatime @jgoerzen @zeh You've lost track of the thesis, which is that Signal is unsuitable for grandmas due to exclusivity. A lot of normies naively chose to use Signal without that consideration. I exclude options that unreasonably reduce security. The use of Signal excludes those unwilling to compromise security. So it's not exclusivity alone that's a problem; it's when it imposes /less/ security.
So ... your hypothetical grandma considers it a security risk to give her phone number to the people she talks to, but finds centralized accumulation of metadata to be acceptable in exchange for desktop clients? This stopped making sense some time ago.
I hope *no* single-operator service becomes the universally-accepted "best", because then people won't want to switch away once we have a free, secure, decentralized and completely intuitive messaging system.
@Mr_Teatime @zeh @jgoerzen You're mixing up different people. Grandma doesn't care about sigsec. To be good for grandma the tech must be: 1) easy to use 2) inclusive. Signal fails the grandma test b/c it's exclusive. #Signal also fails basic security concepts by needlessly dragging in whole systems of surveillance (so it excludes the poor + those who will not compromise security by using mobile phones nets)
Soo, after a lot to and fro, what you are saying is that the people who make Signal are bad humans because they have no desktop client?
Couldn't you just say that a desktop client is important to you, and that that's why you prefer Wire? Did you have to accompany it with an ad hominem?
There's no current messenger without some kind of drawback. As long as the predominant messenger is still Whatsapp, I'm fine with either Judean Front or the Front of Judea.
Also:
Signal does have a Desktop client. As long as you have some means of receiving text messages, you can activate an account and use the desktop client.
And they stated last year that they're working on separating the user ID from the mobile phone number.
In other words: It's a drawback which was no issue at all when they started (competing with SMS). They recognize it but it can't be solved with a hammer.
@Mr_Teatime @jgoerzen @zeh well then why in your previous msg did you imply lack of desktop client? I had not said to that point that there was a problem with Signal not having a desktop client. The problem is the /exclusivity/ of it for the grandma use case. Wire works on a desktop & doesn't require a mobile phone (but doesn't exclude those with only a mobile phone).
@Mr_Teatime @jgoerzen @zeh I didn't even know that Signal lacked a desktop option. That would make it even more exclusive than requiring a mobile phone subscription, which further excludes those who might register with a burner phone and use the desktop post-registration. The exclusivity of Signal is the problem with saying "it's for grandmas". Signal fails the grandma test b/c grandma does not exclude ppl.
@resist1984
...do all 50+ people have wire?
I find it generally impossible to agree on a single communication medium with 50 people, unless it's telephone. Not everyone has and reads e-mail, and if I suggest a messenger, it's either Whatsapp or "don't be so paranoid, they already know everything about you anyway, and your data isn't that interesting, either. Encrypting everything sounds pretty sketchy, too, probly illegal..."
@resist1984 @zeh @jgoerzen
Those people (who know little beyond FB and WA) mostly believe that secure communications is kinda unnecessary (possibly illegal!) and makes everything complicated. They will only change this view if there is a secure method that they instantly understand how to use, requires not a single tap more than WA and just works, all the time.
In some cases Threema is better, but there *should* absolutely be something better in all regards, but no alternative is there yet.
@resist1984 @zeh @jgoerzen
...and I know we've been through this a few times, but neither XMPP nor Matrix are (at the moment) something you can recommend to a non-technical person with limited time to spare and have high confidence that they won't hit any issues or need support.
Understanding why so many people find Whatsapp so easy to use is extremely important if you want to replace Signal or Threema with something that has even better privacy/security in all aspects.
@Mr_Teatime @jgoerzen @zeh indeed. XMPP & Matrix fail the grandma test because of difficulty. #Signal fails the grandma test because of exclusivity. Wire is really the best thing when security, ease of use, and inclusivity are all factors.
@resist1984
oh wow... thanks for the hint!
I think I agree with Schneier on all points: Signal is currently (still ... so far) the best messenger "for the masses", and attaching a cryptocurrency to it is dangerous and smelly. Very smelly.
And it does reduce my esteem for Moxie Marlinspike, who has in the past walked away from large piles of money in favour of the common good.
Wonder if the recent success went to his head.
@jgoerzen @zeh