by jwr 1986 days ago
I think this discussion should also mention that Signal is a non-profit organization, dedicated to enabling secure and private communications.

Yes, it's not strong proof, but it should be taken into account when comparing the goals and motivations of organizations developing various other communicators.

The organization behind your communicator app could be in the business of gathering data about you and selling it in various forms (Facebook, Google), in the business of selling hardware and add-on software services (Apple), or in the non-business of trying to provide you with private communications.

2 comments

I prefer to look at the history of who founded and continues to run the Signal Foundation... Moxie Marlinspike. Moxie has a long history of improving security in all kinds of tech and fighting for privacy.

The Signal app itself is open source, as well as various pieces of the tech stack. You can audit yourself what is being sent and how their protocols work. The protocol itself has won awards due to its security and elegance.

There are a lot of good things to say about Signal and you can easily find it all. They have made some annoying or less than ideal features that are opt-out instead of opt-in but they're not sacrificing privacy for them.

Curious. Is there an easy way to validate the code running on my phone is exactly the same code available on GitHub (here: https://github.com/signalapp)?
"Easy" is a moveable feast.

Your phone is running an APK, which is a bunch of signed code. You don't have the keys to sign such an APK yourself, but you can get tools that will tell you exactly what's inside the one you have.

I believe the Java source in GitHub is designed to be capable of a reproducible build, where you get the exact same Java binaries out as Signal's own builders did and thus you can compare that to confirm the Java code in your APK matches a specific Git checkout.

The media files (e.g. images, labels) are just straight binary copies so that's easy enough.

However there is native code to make stuff like video calls work, and when I last paid attention there was no reproducible build for that component. So you could imagine that somehow the native video call code is actually a secret backdoor or something.
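The entry-by-entry comparison described in the comment above, as an added example that is not part of the thread and not Signal's own script: it hashes every file in two APKs and skips the v1 signing files under META-INF, which necessarily differ between a store build and a local one. The sample archives and file names are constructed for illustration.

```python
import hashlib
import io
import zipfile

SIGNING_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signing_file(name):
    """True for v1 (JAR) signing metadata, which only the key holder can reproduce."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper.endswith(SIGNING_SUFFIXES) or upper == "META-INF/MANIFEST.MF"

def entry_digests(apk):
    """Map each non-signing entry name to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(apk) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not is_signing_file(info.filename)}

def diff_apks(mine, theirs):
    """Report entries that are missing on either side or whose content differs."""
    a, b = entry_digests(mine), entry_digests(theirs)
    return {
        "only_in_mine": sorted(a.keys() - b.keys()),
        "only_in_theirs": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def make_apk(entries):
    """Build an in-memory zip standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

if __name__ == "__main__":
    # Constructed contents: Java code, a resource, and a native library.
    base = {"classes.dex": b"dex", "res/icon.png": b"png",
            "lib/arm64-v8a/libcall.so": b"native-v1"}
    signed = dict(base, **{"META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf"})
    print(diff_apks(make_apk(base), make_apk(signed)))      # all lists empty
    changed = dict(signed, **{"lib/arm64-v8a/libcall.so": b"native-v2"})
    print(diff_apks(make_apk(base), make_apk(changed)))     # native lib flagged
```

A non-reproducible component, such as the native code mentioned above, shows up under `content_differs` even when everything else matches. The APK Signing Block used by the v2 and later signature schemes is not a zip entry, so this comparison does not see it.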

The source has a script that builds in a docker from a bunch of other previously built binaries, allegedly to be built with keys that are secret, and then just outputs "the apks are the same" and you have to believe that ¯\_(ツ)_/¯

Still, years ahead of anything else that actually has users. The server is mostly 100% closed source. There's one open source that you can host, but it's widely believed to not be even close to the one they use.

I think only Matrix is fully open and p2p.

For anyone looking for the script: https://signal.org/blog/reproducible-android/
I don't believe so directly, but you can build it yourself and put it on your phone. You'll still be able to use your account and their service.
Someone should file a PR with a git hash (and some form of proof) of the currently running app?
What could possibly comprise suitable proof? Anyone tampering with the app can edit it to show the same information.
> a non-profit organization

> should be taken into account when comparing the goals and motivations of organizations developing various other communicators.

Business or funding models can change for both for- and non-profit organizations. Especially as people move to options that are believed to have better user-privacy, the idea that they do not sell/monetize collected user data today does not indicate what they will do tomorrow.

Unless users have strong evidence that companies are not collecting and/or monetizing this information (which as the OP pointed out, there is for Signal as found in a subpoena), the "billboard" approach towards promising user privacy via marketing and PR is a shallow one at best for non-profits as well as for-profit companies.

Whenever I see an ad flaunting privacy guarantees, I ask myself "How would a honey pot for gathering users' information be advertised?" Exactly the same way.

That said, at the end of the day you have to trust SOMEONE if you want to use digital communications. And there's certainly a difference between Facebook and GPG email encryption.

It's just a matter of balancing convenience and privacy for your personal use case.