Yes, and I'm tired of hearing "burner sim" thrown around as a solution whenever some company stupidly demands a phone number. Getting a burner sim is WAY more effort than I'm prepared to expend to sign up to some service.
Stop asking for phone numbers!
My mother has my phone number. A few of my closest friends and family have it. That's it. I have like 10 actual people on my phonebook. My phone provides immediate 24/7 access to me, and there are very few people who are close enough to me that I want to be able to reach me at any time.
Some Silicon Valley company with an inflated sense of importance is never on that list...
Furthermore, "burner sim" implies an accompanying burner phone and all of the opsec that entails (eg only turn it on away from home), lest that "burner" number be trivially linked to your identity through databases that the telephone companies are happy to sell.
Moxie should know better, but this blog post repeatedly boasts about privacy while not addressing this at all. Getting basic encryption into the hands of the masses is a laudable goal. But when the popular threat model changes (eg pocket computer compromise incident to arrest at a protest - an "evil raid" attack), you either need to adapt or you've become an attractive nuisance.
Specifically I'm envisioning an attack where say ten protestors are arrested and found to have a shared contact, and then the police turn that phone number into a real world identity and go after that person for organizing.
Signal has an option to prevent this by locking the number with your PIN. This capability introduces plausible deniability that a phone number assigned to a SIM is actually associated with the number of a Signal account. Don't know if that matters legally or not.
Also the people doing shady things are generally hopping accounts regularly anyway.
PIN only stops registration for a fixed amount of time, believe 7-days, then the entity controlling the number would be able to reclaim the account. If the “attacker” maintained control, new devices that add the number from their contact list would get no alert; that is, the users would have to figure out the number is controlled by someone else.
That’s 7 days since last use. So if you continue to use the app at least once every 7 days, it will remain registration locked.
Also, anyone who had communicated with you before the switch would see a “safety number changed” notification if the number became affiliated with a new device.
Curious, where’s the “last use” in the documentation or code? Ask because I have seen other issues with the PIN vs docs and haven’t gotten to testing the recovery mode.
EDIT: Found the related docs, appears they had been edited since I lasted looked at them; for example, you can now disable PIN reminders:
And yes, “anyone who had communicated with you before the switch would see a ‘safety number changed’ notification if the number became affiliated with a new device” is correct, though so is my statement about new numbers adding the number. To be honest, I have caused the alerts to happen before, the other user had no idea what they meant, didn’t say anything, just clicked okay.
