For sure, I do understand the concerns. Government subpoenas and metadata leaking are real problems, and it’s hard to design algorithms well in order to minimize the leakage. But Signal is designed in such a way that the only information that they can possibly collect on any user is (1) phone number, (2) account creation time, and (3) time of last connection with their server. This is true even if they are compelled to release information about their users, even under duress. This has played out in court many times, and Signal is unable to comply with government demands for any information other than exactly these three things: https://signal.org/bigbrother/

I’ve done 5 years of research into designing private messaging systems specifically, and the more I learn about Signal the more I believe that they’re really the gold standard of privacy, to the degree that it’s shocking that they’re a non-profit and provide their service for free. Knowing how hard it is to design a secure messenger, and how few eyes are actually on most open source projects, people should always be cautious about smaller projects promising stronger privacy guarantees.

The other concerns you brought up (anonymity, targeted government investigations, device compromise, etc.) are super valid and important. But I think Signal also does the best of any private messenger in their UI/UX design, to be as clear as possible about what they keep private. At some point, it’s not clear to me how Signal would protect users who (for example) use their full name and think they’re anonymous, or users who don’t put a password on their phone. They’ve really nailed the “private messenger” part, and I’m just trying to emphasize that the concerns in this comment thread and linked github essay are mostly unfounded, thankfully.

When you register with Signal, they do know your phone number. This gives them the information that “the person who owns this phone number is registered with our service.” That is not linked in any way to what leaves the client when you send a message because, I cannot stress this enough, you don’t send your phone number or identify yourself in any way to Signal’s servers when you send a message. Please take a look at the client source code yourself.

I won’t be replying anymore, have a great one! There are better things to use my PhD in cryptography for.

I’ll just say one last time: none of this information ever leaves your client device, so even if signal wanted to know the phone number of a message sender, or which group chats you’re in, they have no access to this because it all never leaves your phone. As long as you’re running the correct client code, the server can be arbitrarily malicious, and it doesnt matter.

Have a great day

These are super cool parts of signal’s architecture, that are not obvious to understand, but you can truly verify client side that (1) signal only sees an IP address, no phone number, associated with each outgoing message, and (2) signal has no idea who is in which group chat and which permissions you have in those chats.

The first one is pretty simple: you don’t prove to signal who you are, signal just routes packets and lets the receiver verify that the sender is who they say they are by verifying a short lived certificate attesting your identity.

The second one is more interesting: group chats are implemented as a complete graph of direct messages between all participants. In order to update the group state, you send Signal a zero-knowledge proof that you are a member of the group, which convinces Signal that you can add or remove people, without ever revealing your identity. This same mechanism is used to prevent griefing, spam, and DDOS attacks for sealed sender.

Again, both of these can be verified by only looking at the client source code, and nothing else.

More info: https://signal.org/blog/sealed-sender/ https://signal.org/blog/signal-private-group-system/

Can you explain how signal will build a social network graph when it doesn’t know who sent any message, which group chats you’re in, or who is on your contact list? Again, none of this ever leaves your device without being encrypted, which you can check by looking at the client source code.

I don’t really understand why you think this, can you explain? Signal stores, and has access to, no message metadata. They don’t know who your contacts are, which group chats you’re in, when you’re sending messages, or who you’re talking to.

To be convinced of this, take a look at the client source code, and compile the app yourself. None of this information ever leaves your phone without being encrypted or otherwise masked. No analysis of their server code is required to be convinced of this.