[mintplant]

> the homeserver has (!) plaintext access to all traffic on it, besides all the delicious metadata the spooks love and that (e.g.) Signal hands over to them with effusive eagerness

What do you mean? Signal is known for providing minimal information when requested by authorities, e.g., [0].

[0] https://signal.org/bigbrother/central-california-grand-jury/

[ncmncm]

Last I checked, it tied every single communication to a pair of phone numbers.

[2Gkashmiri]

oh, in my place, the police routinely stop you on the road, check your phone and if they see "whatsapp/signal" or "videos", they mercilessly beat you up, arrest you and charge you with sedition.

i know "whatsapp admins" who have been made to report to police stations because they operate "whatsapp news channels". there they are made to submit their phone and wait outside. then the phone is returned. i have suspected, for like past 3 years that pegasus style malware would have been installed during that time.

now, a lot of these issues and problems can be reduced/prevented if you were not required to mandatory link your mobile number. if they know me by a handle, rather than a phone, it would be a little bit harder to do mass surveillance and bullying.

[cormacrelf]

That's awful. Are there other "security by obscurity" measures you would like to see? For example, making these apps blend in with icon changes, fake splash screens/façades that look like games? Would people have done this already if it were common to build and use alternative clients to the major messaging services?

[2Gkashmiri]

https://thewire.in/tech/kashmir-police-vpn-smartphone-checki...

this was last yearand it continues. i have taught people to use launchers on android like evie that lets you hide apps. that saves you a lot of roadside quick grief. same for using password protected "gallery" like simple gallery to keep stuff behind a password. a thorough check will defeat all this but saves you in the field as you can be randomly picked.

whatsapp/signal/telegram as i said is more difficult, even clubhouse because since your phone is already public, the police do join groups, public or private using any means, lets say by surveillance, by getting access from company side or "borrowing" a phone from a member. then they just get a list of names and go knocking on doors. if the number was not there, it would have been much more difficult.

[IYasha]

And his is not the only example out there, unfortunately. ( Depending on country, measures can vary a lot.

[kelnos]

No, all they can provide to law enforcement is the time that you created your account, and the last time you connected to Signal's servers. That's it.

[lucgommans]

That's what they claim to store (and I believe it), but that's not all they can be forced to collect.

As a simple example, they could easily log whenever account xyz connects to do a token exchange for using sealed sender. Asking that of Signal won't be something I'd expect a judge would consider excessive if there is a legitimate reason.

[cormacrelf]

Yes, at the limit (not sure if US laws have caught up to Australian ones in this regard) they could potentially be forced to push an app update to carbon-copy all messages from specific people at the client side, unencrypted, to the government. This is generally why people care about having the app available on F-Droid, because you can more easily analyse DIY "supply chain security" on your own copy of the app. The other solution is what Matrix does, which is to encourage people to develop many different client implementations.

[kelnos]

Good point. It's unclear to me how much a government could require Signal does for future use of the service. Regulated telecoms are required to provide lawful intercept capabilities for phone calls. I'm actually surprised that the government hasn't argued against E2E encryption on those grounds.

[KennyBlanken]

Homeserver refers to matrix, and they're still wrong. If rooms and conversations are E2EE, they're E2EE.

Edit: grandparent comment can't seem to keep Matrix vs Signal straight.

[ncmncm]

I wonder why you would guess that.

Signal is the one that only works with Google Play, thus a Google account, and a phone number. It is easy for the spooks to connect that and its IP address to every subsequent communication, after the fact.

[einpoklum]

If it's known for providing some information upon request, then at the very least it is likely it provides lots of information upon demand - including secret demands like National Security Letters.