I've recommended Signal (then TextSecure) to a number of non-technically savvy friends as a trustworthy app that takes security seriously. Moxie is somewhat unique in this respect, among the sea of proprietary apps put out by larger shops. Upon seeing these "X is on Signal" messages, I had a number of people contacting me with concerns. At least the outward appearance is that Signal is somehow leaking contact data to their servers. Presumably it is also alerting people to the fact that "Joe" is a Signal user, despite no communication with that user having taken place.
I realize that phone numbers are probably hashed before being sent, with only local contact data being displayed, but it has people concerned nonetheless. It starts to err more towards convenience, ease of use, and network building above security.
I think we should push for Axolotl (the cryptosystem used by Signal, which is an improvement on OTR) support in Ricochet and get a Ricochet phone app.
Ricochet uses Tor hidden services to anonymise your social graph, which is something you don't do with Signal (not to mention that Signal does identity key lookups with phone numbers). I'm not sure there's a low-latency way to do VOIP anonymously. The best method I know of is to literally record and send audio files, which have a few seconds of latency.
you can easily enumerate this data anyway, though. Just go through your contact list and try to add people. You could come up with an elaborate system where the other person has to confirm you, but everyone knows that's rubbish and users hate it. Sorry for the late response, I forgot I made this comment.
Yes I'm well aware at the ease in which someone could build a client that would provide such a feature had it not been included. Moxie takes great care not to provide mere illusions of security (or in this case obscurity) such as self-destructing messages or other features of that ilk. I appreciate it, and it's a big part of why I use and recommend projects affiliated with Open Whisper. Still don't believe it was the right decision to blast users with a notification from every Signal user in your contacts. Let Telegram or Whatsapp or some other crap play that game.
I realize that phone numbers are probably hashed before being sent, with only local contact data being displayed, but it has people concerned nonetheless. It starts to err more towards convenience, ease of use, and network building above security.