this post was submitted on 05 May 2024
331 points (97.4% liked)
Privacy
32120 readers
308 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Signal & WhatsApp are not secure enough. Meta/Facebook regularly give data & metatadata to the cops & Signal is centralized & not self-hosted by your crew so while messages are encrypted, the metadata still isn’t. If you must use Signal, I would pick Molly as an Android client since you can a) encrypt the messages under a separate password for storage on seizure & b) you can use the UnifiedPush version to make sure your notification metadata isn’t going thru Google’s Firebase servers. Protests are the ideal place for Briar as it is works via mesh net so internet & SIM cards are not required (but years ago wden I tried it, the app was a major battery drainer).
Also worth noting that OpenStreetMaps works offline too.
That doesn't quite work in the case of Signal
The only data that they have, based on transparency reports and dissections of their source code, is the time you created your account and last connected to the servers.
Messages themselves are essentially only relayed, with sealed sender, and anything that would be actually useful to identify who was at a protest and who wasn't encrypted.
Things like, e.g when messages arrive at the server would have to be monitored live on compromised servers, which reasonably unless you assume* it is wiretapped already prior to a protest, isn't realistic.
*: of course, I am saying this because making an assumption and portraying it as truth (e.g assuming something is already wiretapped based on no evidence at all) is not the smartest of moves when it comes to threat modeling...especially if you wanna stay sane whilst having a threat model
With the right intel you could piece back some of the pieces, especially with some pieces from other sources, with just that metadata. With metadata, it’s about putting together lots of sources to see the picture clearly which is why Facebook bought WhatsApp for just the metadata (& address book). The thing is that you, can skip Signal & you will still have several free software messaging alternativ where nothing is on a US-based server where they can subpoena.
But that'd already entail control over the whole Signal AWS in- and egress as well as any VPN you may be using and/or your local ISP. And then you still have to prove the actual link to the natural person. At that point we're speaking of a threat level assuming the US DoD as adversary. While not impossible, I think if you're willing to pick that kind of fight, you're clever enough not to rely on Signal (or most digital communication).
Signal is not WhatsApp, there aren't a lot of data points linking your communications to end points in the same way Meta does link them.
Not saying you are wrong, but I think the argument a) should mention WhatsApp in the same breath as Signal & b) stopping at Signal instead of linking to where to find more info
You are absolutely right about metadata, but as far as protests, just having encryption is enough to prevent anyone from accessing the data. Extracting metadata from 3rd party companies or extracting a phone requires a lot more resources than cops can spare.
In the corpo cases, I’m sure all they have to do is ask. There are better alternatives & this guide feels radically incomplete stopping at such pedestrian option instead of labeling them in a bottom tier of like suffiecent-if-you-literally-can’t-use-anything-else.
If your problem with signal is that it isn’t self-hosted, just self-host it? It’s all open source.
Those components are not really meant for self-hosting, its open to be looked at. You would need to patch out the SIM requirement, point the hardcoded server/clients elsewhere, find some way to sideload modified clients to those using iOS lol, & it’s not federated so you would need a separate app for just this task. At this rate you are 100% better off using a choosing systems where server & clients are actually built with this in mind… Signal’s chat features are not novel
The developers are very hostile about alternative clients and networks. Also, the app does not support this in any form, so you would have to distribute modified APKs that want to use your hosted server.