
What happens to Signal when the EARN It Act passes? I assume that eventually the Apple App Store and Google Play Store will just stop allowing it to be downloaded if they do not add the backdoor in? Is there a workaround that will allow people to use it still? I've heard people mention locating the servers in other countries, but wouldn't the various App stores be bound by US law and still not allow them?



Signal’s official statement on the EARN It Act is here: https://signal.org/blog/earn-it/


Thanks for the link. There's a subtle threat in there, that they'll move out of the country if they have issues which I think a lot of tech companies would.

This bill is so stupid in that tech companies can relatively easily move.


The legal entities can move to other jurisdictions, sure, but it doesn't matter because app distribution still occurs primarily through USA-based Google Play and USA-based Apple App Store—both of which can easily geofence apps as they please (or as they're required).

This is one of the reasons I've started to appreciate Matrix a lot more lately.

https://matrix.org/blog/2020/01/02/on-privacy-versus-freedom


Putting aside Signal officially declining to add the option to discover or manually add a server via the client, there's nothing stopping anyone from going to GitHub, downloading the code for the server and client, editing the code however they see fit as long as it follows the legal guidelines.


> long as it follows the legal guidelines.

So like, as long as they add in the backdoor?


Nope. But following the GPL open source license guidelines and releasing your changed code. And not using the Signal name and their copyrighted materials.


The real solution is switching to open source mobile operating systems.


Android is open source. Alternative app stores exist. Play Services can be replaced.


Signal should at least make itself available on F-Droid.


You can get the APK if you want: https://signal.org/android/apk/


I don't think that the earn it act will affect Signal - they aren't a publisher by any reasonable standard so they don't need the 230 exemption in the first place.


As I don't know much of the details of the legislation, or more importantly its references or modifications, can you elaborate more on what "they don't need the 230 exemption" means in the context that this act would likely not apply to them? Are you implying that the EARN IT act focuses on publishers of content and thus it is less likely to apply to Signal?


Disclaimer: IANAL, and not really well informed on these subjects.

I think with sufficient funding for a legal department, Signal could work without the section 230 exemption. In practice, they don't have that money and would be forced out of business long before they were able to prove their case.


> the Apple App Store and Google Play Store will just stop allowing it to be downloaded

Time for a privacy focused app store!


There is one already for Android, the F-Droid store. Totally open source and lots of good apps there https://f-droid.org/


At least on Android you can sideload it.


I recall reading something recently about how in a coming release, Android will disable sideloading. The sole permitted way to sideload will be to enable ADB and then install the app with adb install. Some techies will continue to do that, just like some people unlock the bootloader and install LineageOS on their device, but removing Signal from the Play Store would make it as good as dead for the general public. (Even Signal’s website discourages people from downloading the APK from them, and prefers that people use an app store instead!)


There is a concern with getting ordinary non technical users accustomed to the concept of sideloading apps... It might be totally safe to download the official Signal APK and sideload it. But people will then think that's a suitable and acceptable way to install other things, and will then be more likely to be easily social engineered or phished into loading other malicious APKs.

The ordinary non technical user has no idea of how to manually verify the sha256 checksum of an APK they've downloaded from the "official" software developer of an app.


As if the Play store is such a safe vector. I avoid it as the plague precisely because you'll pull in all kinds of spyware that way.


> I recall reading something recently about how in a coming release, Android will disable sideloading.

I guess this is what you're referring to:

https://9to5google.com/2019/12/06/google-advanced-protection...

"Given that these features are already functional once enabled, it may not be long before the sideload protections arrive for those who enrolled in the Advanced Protection Program."

Perhaps developers will one day be required to provide proof of ID to Apple or Google before being allowed to carry out the "dangerous" activity of installing unapproved software.


Some googling leads to this [1]. From what I read it seems to be an opt-in program (for now). Was initially very concerned when I read your post, especially because Google recently broke Magisk (likely forever).

[1]: https://www.xda-developers.com/google-advanced-protection-pl...


> Google recently broke Magisk (likely forever)

Can you give more details on this? I wasn't able to find anything with google-fu except this post, which is surprising.


Basically Google has actually implemented remote attestation properly (using hardware) so Magisk can't hide unlocked bootloaders anymore unless someone finds a crypto flaw. It's slowly being rolled out to Play Services but I believe cts still passes for now.

https://www.xda-developers.com/magisk-no-longer-hide-bootloa...


No workaround needed on Android. It allows installation of apps outside the Google Play Store.


Signal started open-source, it was TextSecure, I'm sure there'll be an open-source alternative if the commercial entity fails, though I hope they do not.


Signal is still open source and is not a commercial entity.


> Signal Messenger, LLC, is a software organization that was founded by Moxie Marlinspike and Brian Acton in 2018

Did you google it? You're simply wrong.

It is open-source as it was, I didn't dispute that, but they are liable for their users if this bill passes, and they will easily go bankrupt. If there's no commercial entity, then liability falls to the developers most likely--whose identity can be obscured since they're developing Signal hopefully.

https://www.corporationwiki.com/p/31jiai/signal-messenger-ll...

They have a standard corporate structure--based in Delaware, registered as a Foreign entity in California.


No; I didn't have to Google it because I've been paying attention to Signal for the better part of the last decade. I'm afraid it is you who are mistaken.

If you've googled it, surely you're aware of the Signal Foundation[1], the 501(c)(3) parent organization of the LLC.

And while OWS/Signal Messenger did not have formal non-profit status prior to the Signal Foundation, it was never acting as a for-profit entity[2]:

> in general, Open Whisper Systems is a project rather than a company, and the project's objective is not financial profit.

[1]: https://projects.propublica.org/nonprofits/organizations/824...

[2]: https://news.ycombinator.com/item?id=7701666 (2014)


I've been paying attention as well, I've been using it since the early days, I also have an M&A lawyer by my side.

The Signal Foundation is responsible for all costs associated with the project--without it the project wouldn't function.

OWS was also largely a corporation, but it wasn't required for TextSecure to operate--a key difference.

> And while OWS/Signal Messenger did not have formal non-profit status prior to the Signal Foundation, it was never acting as a for-profit entity[2]:

A corporation, non-profit or not, is still a corporation. Based on my knowledge of full-cycle accounting for non-profits, they tend to make more profit, they just pay less taxes.

Having a non-commercial parent doesn't mean your business is non-commercial, Signal Messenger LLC is the corp which is associated with Signal Messenger. Signal Messenger could offer private equity, since Signal Foundation is not the exclusive shareholder.

I have an M&A lawyer right here if you want me to ask him.

In any case, I doubt they have enough funding to do this in a standard donation-based non-profit, it seems like there's a non-profit which is used to funnel money to the commercial entity, Signal Messenger LLC.

It's a standard structure, I'm sure, but it's definitely not your standard non-profit.

I'm more concerned about the colloquial use of commercial in any case--does the corp make profits or not, not whether they pay tax or not. I'd say they're looking to transition into a fully non-commercial entity, but for the purposes of this thread they are still a corporation and can still be held liable for their users' actions--in this case the app can still operate without a formal legal entity, but it would be removed from app stores, I'm sure.


As far as I know, while the DevOps code is not open source, the server and app code are on GitHub; that is, you're able to roll your own version however it's defined by the licensing; a recent attack on Signal by a security researcher used a self-compiled app as a proof of concept; Signal patched the issue.


Just to clarify, the bug you're talking about was in WebRTC. We submitted a patch upstream:

https://webrtc-review.googlesource.com/c/src/+/175960


Right, here’s another comment on the topic by Signal staff too: https://news.ycombinator.com/user?id=pthatcherg


I didn't mean to imply Signal wasn't open-source, just that it was based on TextSecure and can be forked.

If the commercial entity fails or is held liable, we just need a distributed profile system, should be easy enough.


When? Or if?



