To everyone who is concerned about government harvesting Signal metadata: All NATO members and some other countries do have 100% passive monitoring coverage of network flows for intelligence agencies. Once participating IPs are determined, your traffic will be correlated.
The only way to prevent that is to use a trusted mixer that would have too many inflows and outflows. Any distributed system is actually more vulnerable. Well at least until the storm the offices.
@eff Self proclaimed experts in the comments pointing out at well known facts that has been discussed bazillion of times, stating that "I can build better", while completely ignoring the socio economic reality of the day and practical feasibility of their solution, whilst using condescending language towards less tech savvy users ... in your comments in 3, 2, 1, ...
@eff @evacide @CNN I've quit advocating #Signal, once I learned about how most of the platforms which Signal runs on, collects (AI-driven) "Intelligence" - which can only provisionally be opted-out of, one informed user at a time.
For example: https://mas.to/@alexskunz/113982258324599047
They don't have your message contents, but that's about all they don't have. They have a whole lot of metadata, including who the messages are going to.
On the other hand, I can run my own XMPP server, with end-to-end encryption enabled, route it through Tor, and nobody's got anything on me.
@danjones000 @eff @CNN This simply not true and I'm not going to bother digging up the chart from the FBI showing that they get almost no data from Signal or the links to stories about Signal's responses to warrants, which does not include any data about who you are messaging or when you are doing so, because it is dinnertime and I am tired.
@isilzha314 @evacide @danjones000 @eff @CNN That's not the point that Dan is making. Dan is saying that Signal's present infrastructure and architecture provide significant opportunities for a sufficiently funded and motivated adversary -- i.e., the NSA, or some other branch of the US government -- to monitor metadata about who is talking to whom. Signal may not explicitly collect that data and store it in a discoverable database, but that won't stop an adversary from gathering the metadata anyway. And the phone number requirement --which Signal *does* store and which *is* available to discovery-- is itself a very risky gambit when that adversary decides that anyone using Signal is a fair target.
And since [we kill people based on metadata](https://abcnews.go.com/blogs/headlines/2014/05/ex-nsa-chief-we-kill-people-based-on-metadata) and a fascist coup is currently in progress in the United States, Signal's users (as well as the Signal Foundation itself) should be laser focused on eliminating those opportunities. Unfortunately, Signal has
* Recently indicated that it does not consider network-layer anonymity as within its scope: https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
* Has shown no interest in working with others (including myself) in the Free Software ecosystem to integrate such anonymity technology into its stack and make it a default for its users: https://community.signalusers.org/t/use-an-anonymizing-overlay-network/62670
* Has remained mum on the fediverse when the organization and its current president have been invited to previous conversations on this matter: https://tenforward.social/@aspensmonster/113946901827746517
Signal has an ethical responsibility to bring anonymity into scope.
@aspensmonster @isilzha314 @evacide @danjones000 @eff @CNN
And selfhosting actually makes that problem worse, because especially if you self-host for yourself, you have just assigned a unique identifier (the IP address), in Google terms that would be called advertisement ID, to yourself and all communication that you run over that one server, especially for an adversary like the NSA that can be considered having global monitoring access to the internet. You just made tracking easier for them.
@eff Because you trust them with your phone number, your social network, who you talk to and when...? So it's super secure. All based in the US, of course.
(P.S. Nobody cares about the content of your chats. They'll kidnap you and throw you in a dungeon to be tortured based on who you happen to be connected to.)
End-to-end encryption by default means “if you show up with a warrant or a subpoena (to Signal), they have almost nothing about you that they can hand over,” EFF’s @evacide told @CNN. https://www.cnn.com/2025/02/09/tech/secure-chat-apps-signal-tor-browser/index.html