by faitswulff 1975 days ago
Signal’s claim to fame here is that they were subpoenaed in 2016 and could only supply account creation and last connection times:

> The American Civil Liberties Union announced Tuesday that Open Whisper Systems (OWS), the company behind popular encrypted messaging app Signal, was subpoenaed earlier this year by a federal grand jury in the Eastern District of Virginia to hand over a slew of information—"subscriber name, addresses, telephone numbers, email addresses, method of payment"—on two of its users.

> ... “The only information responsive to the subpoena held by OWS is the time of account creation and the date of the last connection to Signal servers,” Kaufman continued, also pointing out that the company did in fact hand over this data.

https://arstechnica.com/tech-policy/2016/10/fbi-demands-sign...

5 comments

I think this discussion should also mention that Signal is a non-profit organization, dedicated to enabling secure and private communications.

Yes, it's not strong proof, but it should be taken into account when comparing the goals and motivations of organizations developing various other communicators.

The organization behind your communicator app could be in the business of gathering data about you and selling it in various forms (Facebook, Google), in the business of selling hardware and add-on software services (Apple), or in the non-business of trying to provide you with private communications.

I prefer to look at the history of who founded and continues to run the Signal Foundation... Moxie Marlinspike. Moxie has a long history of improving security in all kinds of tech and fighting for privacy.

The Signal app itself is open source, as well as various pieces of the tech stack. You can audit yourself what is being sent and how their protocols work. The protocol itself has won awards due to its security and elegance.

There are a lot of good things to say about Signal and you can easily find it all. They have made some annoying or less than ideal features that are opt-out instead of opt-in but they're not sacrificing privacy for them.

Curious. Is there an easy way to validate the code running on my phone is exactly the same code available on GitHub (here: https://github.com/signalapp)?

"Easy" is a moveable feast.

Your phone is running an APK, which is a bunch of signed code. You don't have the keys to sign such an APK yourself, but you can get tools that will tell you exactly what's inside the one you have.

I believe the Java source in GitHub is designed to be capable of a reproducible build, where you get the exact same Java binaries out as Signal's own builders did and thus you can compare that to confirm the Java code in your APK matches a specific Git checkout.

The media files (e.g. images, labels) are just straight binary copies so that's easy enough.

However there is native code to make stuff like video calls work, and when I last paid attention there was no reproducible build for that component. So you could imagine that somehow the native video call code is actually a secret backdoor or something.

The source has a script that builds in a docker from a bunch of other previously built binaries, allegedly to be built with keys that are secret, and then just output "the apks are the same" and you have to believe that ¯\_(ツ)_/¯

Still, years ahead of anything else that actually has users. The server is mostly 100% closed source. There's one open source that you can host, but it's widely believed to not be even close to the one they use.

I think only Matrix is fully open and p2p.

For anyone looking for the script: https://signal.org/blog/reproducible-android/

I don't believe so directly, but you can build it yourself and put it on your phone. You'll still be able to use your account and their service.

Someone should file a PR with a git hash (and some form of proof) of the currently running app?

What could possibly comprise suitable proof? Anyone tampering with the app can edit it to show the same information.

> a non-profit organization

> should be taken into account when comparing the goals and motivations of organizations developing various other communicators.

Business or funding models can change for both for- and non-profit organizations. Especially as people move to options that are believed to have better user-privacy, the idea that they do not sell/monetize collected user data today does not indicate what they will do tomorrow.

Unless users have strong evidence that companies are not collecting and/or monetizing this information (which as the OP pointed out, there is for Signal as found in a subpoena), the "billboard" approach towards promising user privacy via marketing and PR is a shallow one at best for non-profits as well as for-profit companies.

Whenever I see an ad flaunting privacy guarantees, I ask myself "How would a honey pot for gathering users' information be advertised?" Exactly the same way.

That said, at the end of the day you have to trust SOMEONE if you want to use digital communications. And there's certainly a difference between Facebook and GPG email encryption.

It's just a matter of balancing convenience and privacy for your personal use case.

Is it possible that they could in fact produce this data but were prevented from publicly saying so due to a gag order?

I'm asking specifically because I remember Private Internet Access, a VPN provider, also being tested in court in the past [1], and because of this I've chosen to trust them despite them falling under Five Eyes jurisdiction.

[1] https://torrentfreak.com/private-internet-access-no-logging-...

Signal has blogged all the answers to these questions.

https://signal.org/bigbrother/eastern-virginia-grand-jury/

In short, the ACLU helped them to lift the gag order, and the blog itself shows the legal documents. The documents show exactly the data returned (Account creation and last access in Unix millis). Only the phone numbers are still redacted.

PIA used to be my go-to, but I immediately ceased using PIA after the 2019 acquisition by Kape Technologies, which has a rather foul track record.

Thanks for the heads up. Really excited to see a lot of folks here agree on Mullvad as a good alternative.

What did you switch to?

I’ve been using Mullvad for the past few years and I’ve no complaints. The fact that the recent Mozilla VPN is based on Mullvad makes me more confident in my decision.

I switched from PIA to Mullvad too for that reason and have absolutely no complaints. Wish I had done them first!

Mullvad has contributed to WireGuard, which gives me confidence in their service. Also the experience of creating an account without my name and email address is the best. The only thing left is that the billing message (I use a credit card) has the prefix: VPN*

Do you get decent speeds from Mullvad? Friends were reporting that they moved back to PIA due to worse speeds on Mullvad. That and the lack of a Chrome extension (which is occasionally useful) has prevented me from switching away from PIA even if I'm unhappy about being in business with Karpeles and Kape.

I just fired it up and connected to an endpoint in my city, I have a 600mbps download pipe and hit 150mbps with default settings and about 275mbps with WireGuard selected in the Mullvad app. Switching to TCP in the Mullvad app didn't change my result enough to notice.

I didn't try other servers/cities to get more information.

I am getting great speed out of Mullvad, usable for everything, except frame critical gaming. Even video streaming usually works fine. I would say I get approximately 3/4 of my normal speed when using VPN.

Did you consider NordVPN? I like the fact that I get to login from anywhere in the world.

My default choice is Sweden since they have the most lax copyright laws in the world, so subpoenaing any Swedish server is gonna be tough.

They also offered me an unavoidable discount.

> I like the fact that I get to login from anywhere in the world.

This is a fairly common practice and my understanding is that every major and most minor VPN services offer this.

NordVPN may have good intentions but they were hacked.

https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-ha...

Any thoughts on airvpn.org?

I can recommend ProtonVPN.

Like many others here, Mullvad. I've also been experimenting with ProtonVPN because it was offered as part of a bundle with ProtonMail.

AlgoVPN is really so easy that it's hard for me to justify using anything else.

Not the GP, but I switched from PIA to Mullvad.

> Is it possible that they could in fact produce this data but were prevented from publicly saying so due to a gag order?

Unlikely. Signal and the ACLU were the ones who filed suit to allow them to disclose the terms of the warrant in the first place.

It would be an incredibly expensive and risky move for them to do so if they knew that the judge could force them to reveal that they've been turning over more detailed user data in secret.

Not to mention that it would have amounted to perjury.

They were bought by an adware tech company last year AFTER the events of the article you linked. I would suggest Mullvad as a good alternative. I've had better speed and as good ease of use.

That’s one point in favor of PIA.

I chose NordVPN coz we can access from any server in the world and they have offered me a good discount

Are you aware of the controversies around NordVPN?

https://en.wikipedia.org/wiki/NordVPN#Security_issues_and_co...

Thanks for highlighting this.

I also read somewhere their CEO did something compromising to churn in more profits.

Maybe I will think about buying a Mullvad subscription.

> I chose NordVPN coz we can access from any server in the world and they have offered me a good discount

That describes literally most of the VPN service offerings out there.

"And Mr. Musk's endorsement of Signal last week sent publicly traded shares of Signal Advance Inc., a small medical device maker, soaring from a roughly $50 million market value to more than $3 billion. (The company has no relation to the messaging app.)"

https://www.nytimes.com/2021/01/13/technology/telegram-signa...

lol

Can they keep the money?

That's not how the share market works ...

It is if they can sell (their shares) quick enough!

Signal may have only supplied that metadata at the time. But what I am concerned about is that if Signal is US-based, couldn’t the state demand Signal’s app signing key via a NSL, and couldn’t that signing key then be used for targeted attacks by which someone of interest gets a Signal app upgrade that is malicious (while everyone else gets the non-malicious app)? I admit to being somewhat unfamiliar with Android distribution through the Play Store, so if this is unfeasible, help me understand why.

Yes. But if you specifically are targeted by organisations capable of issuing NSLs, you're completely hosed already. (And they're just as likely, if not more so, to have done that to your OS instead of just the Signal app.)

Technically they could get the signature key, but they can't force Signal to publish it via the store. Users would have to download an .apk file and install it directly. At that point there is no reason to have the signing key at all as the phone will recognize a sideload as a third party install. As far as I know, the government cannot compel a company to do something like update an app.

> but they can't force Signal to publish it via the store

Is there not a suspicion that Google, another US-based corporation, may have some agreement with American national security to supply malicious APKs to individual targets via the Play Store? Having Signal’s signing key would allow the state to present that custom-targeted APK as an ordinary Signal version update.

While I'm not saying Google hasn't done something like this (I have no proof either way) there's a strong legal argument to be made that forcing a company to produce binaries is compelled speech which goes against the first amendment.

It's more about preventing companies like Facebook getting their hands on everyone's data and abusing it as well as preventing organizations like Signal themselves using / abusing this data. We won't ever truly know if Signal's data makes its way into the hands of government security agencies but I would say it more than likely does or it will if they want it to in the future.

If some government wants to get you they will get you, probably via your operating system... Signal won't help you. If that's your concern then you gotta stay off the internet to be honest!

This, more than anything, is why I trust them and recommend them to others.