“Telegram is not a private messenger. There’s nothing private about it. It’s the opposite. It’s a cloud messenger where every message you’ve ever sent or received is in plain text in a database that Telegram the organization controls and has access to it”
“It’s like a Russian oligarch starting an unencrypted version of WhatsApp, a pixel for pixel clone of WhatsApp. That should be kind of a difficult brand to operate. Somehow, they’ve done a really amazing job of convincing the whole world that this is an encrypted messaging app and that the founder is some kind of Russian dissident, even though he goes there once a month, the whole team lives in Russia, and their families are there.”
" What happened in France is they just chose not to respond to the subpoena. So that’s in violation of the law. And, he gets arrested in France, right? And everyone’s like, oh, France. But I think the key point is they have the data, like they can respond to the subpoenas where as Signal, for instance, doesn’t have access to the data and couldn’t respond to that same request. To me it’s very obvious that Russia would’ve had a much less polite version of that conversation with Pavel Durov and the telegram team before this moment"
It’s also important to continue educating people about the fact that Signal is incredibly problematic as well, but not in the way most people think.
The issue with Signal is that your phone number is metadata. And people who think metadata is “just” data or that cross-referencing is some kind of sci-fi nonsense, are fundamentally misunderstanding how modern surveillance works.
By requiring phone numbers, Signal, despite its good encryption, inherently builds a social graph. The server operators, or anyone who gets that data, can see a map of who is talking to whom. The content is secure, but the connections are not.
Being able to map out who talks to whom is incredibly valuable. A three-letter agency can take the map of connections and overlay it with all the other data they vacuum up from other sources, such as location data, purchase histories, social media activity. If you become a “person of interest” for any reason, they instantly have your entire social circle mapped out.
Worse, the act of seeking out encrypted communication is itself a red flag. It’s a perfect filter: “Show me everyone paranoid enough to use crypto.” You’re basically raising your hand.
So, in a twisted way, Signal being a tool for private conversations, makes it a perfect machine for mapping associations and identifying targets. The fact that Signal is operated centrally with the server located in the US, and it’s being developed by people with connections to US intelligence while being constantly pushed as the best solution for private communication should give everyone a pause.
The kicker is that thanks to gag orders, companies are legally forbidden from telling you if the feds come knocking for this data. So even if Signal’s intentions are pure, we’d never know how the data it collects is being used. The potential for abuse is baked right into the phone-number requirement.
Apparently they don’t store contact info.
https://signal.org/blog/looking-back-as-the-world-moves-forward/
The problem is that you just have to trust them because only people who actually operate the server know what they do or do not store. Trust me bro, is not a viable security model. As a rule, you have to assume that any info an app collects, such as your phone number, can now be used in adversarial fashion against you.
Yeah there’s a reason they don’t allow you to use your own self hosted server.
People just accepting what companies say is how we ended up in the current mess. But here we are again. Companies work around how people perceive things to be secure and private all the time. It’s just one small cog in the big machine.
It’s how some NGOs are part of a intelligence and surveillance network but people only focus on the social work and it becomes immoral to criticize the good things they do as a cover.
There’s also reluctance to release it in f-droid. They say they want to becontrol the distribution, but they have no problem with Apple and Google being the main distribution platforms. They haven’t even looked at unified push. And that just adds to the “there’s something else going on” factors.
Signal protocol might be bullet proof but the app supplier, centralized server, and phone number requirement and the most mainstream OS aren’t. When you combine with how mainstream OS companies like Microsoft, Apple and Google work together with the feds, there’s ways that the bulletproof protocol may not be sufficient and is only a part of the bigger picture. There’s also US government spying on notification.
They may work without them but the inconvenience will deter 99% of people. Being dependent these external factors, It just doesn’t feel as bullet proof as a whole.
Whatsapp also uses the signal protocol, but you wouldn’t trust them because they’re under facebook, would you?
