Personally I'd rather avoid the feature bloat. I also think it just waters down the "secure" image they are clearly going for. I mean, broadcasting images to your contact list isn't exactly what I think of when I think "private messaging".
Everything about Signal will make more sense if you forget every opinion you've had or read on a message board, and accept that the project's mission is simply to transition as many people off insecure systems as they can. For example: message board nerds are apoplectic about Signal's phone number requirement, but the systems ordinary people were already using overwhelmingly used phone numbers already. As communications trend towards ephemeral video messages (I have trouble understanding why, too, but then I'm old), that's where they're going to head.
The cool stuff about Signal is what happens under the hood. They don't want a special identity as a "private messenger"; they believe all messaging should be secure.
It supports backing up to a file that you can't specify. This is unhelpful in many use cases.
Example: I am running out of space on my phone. I look, and see Signal is taking 4GB of space. But I would like to preserve a lot of that media. So I buy a mini-SD card and install it in my phone. Yay! Now to turn on Signal chat backups!
Oh, but the backups are hardcoded to a location on your primary storage that you can't change. So even though I have 126GB of free space on the SD card I installed, I can't back Signal up to it and I am still running out of space.
My only option is to try removing every other app I have installed, and hope there is enough space reclaimed to perform a backup, which I can then copy off my system so I can reinstall my apps...WTF.
Meanwhile there is no way to back up a single chat. You can archive it, but that just removes it from your Signal home screen, it doesn't actually create an archive of any kind. And there is no way to back anything up on desktop.
Even a cynic like me wouldn't go so far as to assume bad intent here. Signal is open source so the file format should be readable and likely this is just an oversight, I guess it's not a highly requested feature. Have you filed an issue?
Repeatedly refusing to fix this widely reported issue with nonsensical explanations does imply bad intent.
In the beginning, it might have been an oversight. Now moxie is just making seriously misleading arguments on behalf of people he doesn't know to make their service worse.
Please explain how I configure Signal for people in my family so they won't lose any message, photo or group membership if their phone falls out of the pocket.
This means:
* Backup must be automatic.
* Backup must be done off device.
* Backup must be common enough that messages aren't lost.
* Restore must be available to a person of average technical ability.
* Restore must not require a person to remember typing in a 20+ character pregenerated number they probably lost in the last 2 years of having set up Signal.
It absolutely does not do that by itself. As proven by other secure implementations with more user friendly approaches to entering encryption keys.
It's also funny how demanding use of phone numbers, shoving in cryptocurrency and demanding everyone use an out-of-date Electron app is somehow fine, but making backups user friendly is suddenly a massive "security" issue.
This is the BS security theater I despise at Signal. It's the software equivalent of having every single airplane passenger take off shoes.
I never said anything about intent. If it's an oversight then maybe they should be thinking a little harder and listening to feedback from beta testers, of which I am one.
Backing up to the same device on which you are running out of space is an extremely obvious problem, to which the solution is to just ask the user where they want the backup stored instead of deciding for them.
It's a very First World take on it, though. Mid-to-high-end phones are usually the ones that pack a considerable amount of integrated storage but ditch the SD card slot. Budget ones are the other way around, though.
Then do it insecurely and warn the user. 'We can't figure out how to do this securely' is their BS excuse for every bad design decision or unimplemented feature.
You might say 'but they don't want to make people less secure, people will get the wrong idea!' But they do this already, in ways that are much worse than allowing the user to make a security decision for themselves.
You can change a setting to prevent screenshots inside the Signal phone app, so you can't take screenshots. Your conversations are now secure, right? Nobody can take pictures of your disappearing messages! WRONG. You can turn on that feature and I can still take screenshots all day, including disappearing messages that you send to me.
Likewise, Signal can't tell if you're downloading pictures or copying text I send to you. You could be backing up everything - my only 'assurance' is that you probably aren't doing it because it's inconvenient.
You can change the disappearing messages timer to anything you want! Great! But the change of timer is itself a message. So if we are arrested and police get into one person's Signal, they can see when disappearing messages were turned on and when the timer was lengthened or shortened. Sure, the messages disappeared, but what were you doing on August 23rd at 7:39pm that made you change the timer to 10 minutes for 3 hours? We know where you were because of your phone's IMEI, I guess we will tell the court that you were trying to cover something up during those 3 hours and charge you with obstruction of justice.
I have asked them to change the latter behavior repeatedly, explaining why it could be a problem for users, and all I ever hear is 'good point, we'll look into it' even though there's no reason that information should be stored.
Your former examples are things that quite simply can’t be mitigated in any case. If you want to send a message to someone there is no way to prevent them from storing it in a way you control.
Your latter example is also a security concern they can’t address. A jurisdiction that allows a message about a settings change being used as a basis for obstruction of justice can rule the use of Signal as the same (though I do agree that former is problematic on its face).
I don’t know the ins and outs of the problems with backups, but it doesn’t take a PhD in cryptography to envision a case where your settings about backups open all your contacts to automated dragnet surveillance. In that case it doesn’t make sense for a single user to downgrade everyone else’s security settings.
I'm not saying they can be mitigated, I'm saying that casual users have the illusion of security through settings that seem to mitigate security concerns, but don't.
The disappearing message timer history could absolutely be mitigated by simply not retaining that information or timestamping it.
If you could export/back up single conversations, you would have much more granularity than exporting or backing up your entire message database. Other people could also get a message that the conversation had been exported. There are lots of cases where you might want to do this by mutual agreement, but it isn't possible.
What I don't understand here (though admittedly I haven't been following the iOS discussions closely) is why backups are possible on Android but not on iOS?
The backups on Android are near useless as well - they expect users to remember and save a massively long string of numbers (that are pre-generated, so they can't even choose a password they remember) and then they only do backup manually and onto device storage where it'll be gone together with everything else on the device if it breaks or dies.
Getting that backup off the device is yet another manual process for most users they need to think about.
Compare this to Telegram: user doesn't have to do anything.
Compare this to iMessage: user doesn't have to do anything.
Compare this to WhatsApp: user just needs to click agree.
The last two even save backups in an E2E encrypted fashion unreadable by servers.
As I understand it, iOS backups normally go to iCloud -- where they're stored encrypted but the keys are held by Apple (i.e. not end-to-end encrypted, and not a zero-knowledge system by any stretch). This makes iCloud-stored iOS backups susceptible to subpoena, malicious employees, and/or good-enough hackers.
I'm sorry, but that's just not true. Stickers are widely used in the group chats I am in. I myself have created multiple sticker packs since the sticker feature launched. Before that, several people mentioned they thought Signal looked like a shitty app because it "didn't even have stickers."
Ultimately there was no shortage of boring, cryptographically-secure apps. Signal is filling demand for an app that is both secure and fun to use.
Taking it up after it became available is not the same thing as asking for it. Sorry but this is a frivolous cosmetic thing compared to security issues like Signal's ongoing linkage to phone numbers.
That is correct, but "nobody was asking for stickers" isn't, and that sort of thing does dramatically affect adoption. Also, in the cases I am talking about, not using an app because it doesn't have a feature technically does mean they didn't request the feature, but I'm not sure that is a useful distinction if our goal is to get people to use more secure methods of communication.
I really can't buy the proposition that demand for stickers outweighed the years-long pain points about things like your Signal identity being tied to your phone number or a ping going out to everyone in a person's address book who already used Signal, both of which are at odds with the core mission of secure and private communications.
Why is that? Not disagreeing but genuinely curious. One of the issues I face sometimes is wanting to stay in touch with someone I met. I'd like to do that over Signal (I don't use any of the popular social media platforms) but I don't feel comfortable sharing my phone number with them. It would be nice if I could use a unique user handle instead.
It allows Signal to work similarly to the messaging services it replaces without having to keep serverside contact lists. Those contact lists, which practically every other "secure messenger" keeps, are the most valuable metadata the service keeps, in many cases more than the content itself: they're a record of who talks to who. Signal's phone number system means they can keep those contact lists clientside by piggybacking on the device contact list, which is keyed by phone number.
My curmudgeonly self would prefer if the stories were off by default. It's not a feature I'm even remotely interested in, and feature creep really isn't a positive thing.
I've tried Snapchat and Instagram stories, and I hate that the messages disappear with time. It seems counter-intuitive for an asynchronous communication method, and that doesn't even count how it always feels like another FOMO marketing gag to keep you engaged with the app.
Just let people delete posts (and really delete them to boot).
I think you don’t quite have the right mindset for the purpose of stories. The point is “this is not important enough to interrupt my friends; but here’s what I’m up to if you’re interested”. It doesn’t matter that it expires, because it’s only relevant to what is happening now.
Of course it still has all the usual social media failings where it is used to make the sender’s life seem more exciting and fun than it really is but I see the point of having the option.
I especially like Signal’s groups implementation. I have a couple of large group chats where I am happy to share my day with people but it’s not important enough to notify everyone’s phone and it doesn’t matter if they miss it.
See - that's the part I don't get. Photos, to me, are not ephemeral. They are valuable, even if you don't think they are at the time. I've lost too many photos because I considered them to be ephemeral, and I regret that loss because I now only have vague memories of the events they captured. My only remaining memories of some of my oldest friends who are no longer with me are captured in those "irrelevant" photos.
Future you will thank you for keeping photos of your friends.
I mean the person who took the photo still has it and you can still ask for it if you like it? If anything stories make you likely to see more photos of your friends, not less.
> broadcasting images to your contact list isn't exactly what I think of when I think "private messaging".
Neither was Signal taking your contact list and uploading a copy along with your name and photo and storing that data forever in the cloud. Neither was refusing to update their privacy policy to reflect their new data collection practices. A company that promotes itself to whistleblowers and human rights activists and then lies to them about what data they collect and keep is highly unethical.
None of this inspires confidence in Signal as a private/secure messaging service. I've moved away from it. I wish them luck as a social media platform.
Yes, “though contacts are encrypted, users are not prevented from using a weak PIN” would have been a better way to word this criticism from the start, rather than implying that they are stored completely unencrypted.
“though contacts are encrypted, users are not prevented from using a weak PIN” ignores that Signal encouraged users to set a weak PIN (for many people the word "PIN" means a 4 digit number) and that the data is stored using SGX which has already proved to be vulnerable. In my view the fact that they have been lying in their privacy policy is a much bigger problem for a company we're supposed to trust.