Signal serves a "bridging" purpose: users who are currently in the privacy/digital rights space will expect it to run or have to use two phones (making long-term commitment to Purism very unlikely). This is especially true for our early adopters.
We can't tackle network effects overnight and force people into our choice of E2EE client.
OpenWhisperSystems / the devs behind Signal made the choice to centralize the service and build identity around the phone number system, instead of doing the federated / decentralized approach.
They did this consciously to encourage widespread adoption without the traditional difficulties associated with a decentralized, multiple-client approach.
That makes it different from approaches by Matrix.org, XMPP, and so on. 1/2
From the OWS perspective, it's important to keep the UI/UX consistent; alternative clients degrade the user experience for everyone on the network, and use expensive resources. Security and QC are impossible to verify for apps out of OWS control
The FOSS-y arguments are familiar, and include the fact that centralization is dangerous for freedom. 2/2
As for the OWS perspective, we're going to have to file that under #utterbollocks.
For the record, I have nothing against closed source per se. It's specious arguments, outright lies and #antisocial behaviour that gets in my tits. And that's the things that #signal truly are experts on.
Just for the record.
* First things first, the #wikipedia advertised “Open Whisper Systems” does not actually exist. Prove me wrong with an official incorporation document.
* The also #wikihyped “Signal Foundation”, AFAICT does not exist either, according to people who should know, namely https://www.irs.gov/charities-non-profits/tax-exempt-organization-search
See next message for what *does* exist…
* What does exist is SIGNAL MESSENGER, LLC, a #Delaware company incorporated in January 2018 (yep, date is correct) https://icis.corp.delaware.gov/Ecorp/EntitySearch/NameSearch.aspx
* It is also registered (at a mail drop address) in #California since March 2018 (https://businesssearch.sos.ca.gov/CBS/SearchResults?SearchType=LPLLC&SearchCriteria=Signal+Messenger&SearchSubType=Keyword)
* Previously, when this guy came up with his previous product iteration, he had set up another #Delaware entity, WHISPER SYSTEMS TECHNOLOGIES, INC. This was in 2011.
* In 2012, a #California #LLC (https://businesssearch.sos.ca.gov/CBS/SearchResults?SearchType=LPLLC&SearchCriteria=Riddle+Quiet&SearchSubType=Keyword) was selling his software on the #apple store (https://news.ycombinator.com/item?id=8105849)
@diggity @philippemargery @Purism
For the Delaware entities, if someone wants to shell out $20 you can get the tax returns which should give an idea to what extent the claims made in #wackypedia and the press are true or not, and where any money has been coming from and going to.
For the “foundations”, please someone publish their articles. And obviously, as for any other private non-profit, their finances.
Not even getting into the technical aspects of it. #Security? Your own phone number as your ID, what could possibly go wrong?
But the obvious disparity between the public claims and the hard data that can be found with just a casual search, are no journalists wanting to dig a bit into that? @maxeddy?
Conversations will offer to set you up with Daniel's own server (conversations.im) by default, or you can use your own.
This is no different than setting up a new email address though and people manage to do that every time.
Obviously, it's also as good an excuse as any for supporting the great job the #FSF do.
Yes, what about it? That is known as the data at rest problem and is precisely one of the things that makes electronic messaging (and data processing in general) a poor choice from a security standpoint. In practice, your security management policy will determine acceptable risks, implement risk minimisation strategies and put in place appropriate contingencies.
From a consumer point of view, the considerations are different: first, what level of security do you need? The best you can expect is to avoid casual disclosure of information, and for that most solutions currently on the market (xmpp, email, and proprietary implementations such as WhatsApp, signal and telegram) are probably ok if not necessarily at par with their hype
@Gorio @philippemargery @diggity @Purism @maxeddy
Now, if we start to talk about upping the stakes, you as a consumer will find yourself in a hopeless situation with the huge amount of information a) leaked by modern communication systems and b) captured by anyone who may possibly have an interest.
In this respect, you may find something like a semester course in digital forensics quite enlightening.
One last observation, as it occurred to me that some vendors may seek to exploit consumers very legitimate concerns about mass surveillance: if you are dealing with a loss of trust between people and government
an appropriate response cannot be primarily technological. It must necessarily be social and political.
@Gorio Sorry I went off in a tangent and didn't see the bit where you say you were actually using Daniel's server.
There is no real technological impediment to admins intentionally or negligently accessing your data. In your case however, you do have the protection of #Germany's strong #privacy laws and efficient enforcement.
While I do host my own #xmpp servers, I wouldn't mind using conversations.im
I realy like the concept behind #XMPP, federation is the best way, but i can't recomend it to friends yet becouse this things about an admin or an adversary. I can use it but can't recomend it for every one. I don' t belive the capitalist privacy laws too mutch, I belive more in code. Signal apear to be more efecient at this moment but I would love if xmpp evolve in this questions.
@philippemargery @diggity @Purism
There is a fundamental trust problem with #signal, in that there is what they say they do and what they actually do. The difference here is that the main figure behind signal has been dishonest in the past (use Google) and operates in a regulatory environment that does not currently offer an adequate level of protection. Though this may change if California go through with their new privacy law.
@stevenroose @Gorio @61 @philippemargery @Purism XMPP is great but we're putting our focus on Matrix as the default and are supporting development of apps for that purpose. We want to see others develop chat clients for XMPP etc for Librem 5.
My interest in Signal is to meet user expectations, as a "bridging" technology... we want the people who buy our phone to use it and not have two phones. Signal may be contentious, but I'd like to see the option (just like a "Conversations.im clone" etc).
@stevenroose @Gorio @61 @philippemargery @Purism chat "swiss army knives" are always problematic in one way or another, and even Pidgin userbase is mostly XMPP from what I see (OTR still because no decent OMEMO?)
Tor Messenger was killed partially because libpurple is a beast of a codebase... Purism won't be heading in that direction.
Nothing stopping a libpurple app (even Pidgin w/ a tweaked UI) from Librem 5... our base is Debian; we focus on Gtk and GNOME. Qt is of course an option as well.
@Gorio Interesting read. Generally, however, it's not surprising that people who administer whichever kind of infrastructure also will have access to (meta)data collected all along the way, and be that just for being able to provide a given service. We either need *true* (serverless) peer-to-peer solutions or a way to provide *trustworthy* operations of critical infrastructure. Just to have FLOSS code available to "run your own" doesn't help here.
IMO I don't think the arguments are dumb, they are valid and worth reminding of.
So I looked up #wire, a messenger that supports video/voice calls.
That said, the developers seem very frank when talking about their software and open to cooperation and constructive criticism. They deserve credit for that.
@61 @philippemargery @Purism @maxeddy I'm very much aware of the tracking issues with Wire and have engaged with them directly about it. Basically, if you don't check two boxes about user metrics and stats reports upon first startup, the settings are disabled.
Still, it means you're putting trust that the UI is doing what it says it does.
Yes they are very open to working with the community but have a small team... there hasn't been enough support for making a libre version without that code.
So the tracking is opt-in? If so, that deserves recognition.
To clarify, I have no issue with tracking per se, provided there is clear and transparent information on what is being sent, a reasonable excuse for doing so, and an easy way to disable it.
I agree, but this is also why it's been adopted so widely, so quickly. The app just bootstrapped onto address books already in phones. Sure, Kontalk would be better, but it doesn't have the critical mass of users to keep people in the network, which is something Signal picked up very quickly via hype, as you said.
@61 @philippemargery @Purism @maxeddy As for the 501(c)(3), it's probably taking time to set up (I've been involved in one org that made the transition and it is not fast). We'll see what happens with that; it sure is premature to announce with a website if there's no foundation yet.
But I don't think it's a scam.
There is this filing from 2016, which may or may not be the same people: https://frama.link/UhcVjfPR
XMPP is great, Matrix is great, we're investing heavily in the latter at Purism.
What I find unbelievable is that some bloke says "I have 50 mill and a foundation!" and everyone goes to print with that. Is it really that difficult to ask a pertinent question or two, do a little research?
I do not think it is an outright scam either, but we've seen in the past that you can only trust this guy as far as you can throw him.
There is no problem with using phone numbers as user IDs or making the onboarding as simple as possible so that you can get more customers.
The problem is doing that while hyping (but carefully avoiding making any explicit claims, let the journos do that) your app as the last word on secure communications.
Hi there. I'm not clear on what you're claiming about Signal. Its initial release as RedPhone and TextSecure, as well as it being briefly pulled from the appstore in 2011 when Marlinspike took a job at Twitter, may be throwing off your research. The Signal Foundation was announcement wasn't made until earlier this year. (https://signal.org/blog/signal-foundation/)
What I am pointing out is that the public statements do not square with the facts. Why are they being obtuse as to who is behind it? Open Whisper Systems doesn't exist, as we have seen. It's not even declared as a DBA name for the company that they started earlier this year. Back when you could still see owner information in whois, the domain records for signal.org led to a block of flats in the canary islands, etc.
Too much trust too little verification going on.
@61 I've been in contact with the devs over the years, and they've given interviews to other publications as well. The code appears on Github (granted, that's not my expertise) https://github.com/signalapp. The TOS lists the company as Privacy Signal Messenger, LLC and an address in CA. I've seen a few researchers find issues with Signal, which have been addressed. To me, it's been nothing but on the up and up.
Do you have an entity number for "privacy signal messenger, llc"?
And what exactly is the legal personality of "Open Whisper Systems", which appears on the github repo as the copyright holder for 2013-2017 and to whom (since January 2016) contributors assign copyright according to https://signal.org/cla/?