this post was submitted on 08 Mar 2024
247 points (97.0% liked)

Privacy

32159 readers
670 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
all 34 comments
sorted by: hot top controversial new old
[–] electricprism@lemmy.ml 33 points 8 months ago (4 children)

It would be better if it was randomly generated, I'm looking at you CoralApples216

[–] ryannathans@aussie.zone 6 points 8 months ago (1 children)

Doesn't really matter with them being non unique. Multiple people can have the same username, there's a randomly generated number that goes with it

[–] Wogi@lemmy.world 7 points 8 months ago (1 children)

Let's make a compact to all use "guillotinetherich"

[–] ryannathans@aussie.zone 3 points 8 months ago (1 children)
[–] LemmyKnowsBest@lemmy.world 1 points 8 months ago

maybe Wogi wants to check his makeup in the mirror while he's out at guillotine-the-rich rallies.

[–] akilou@sh.itjust.works 3 points 8 months ago (2 children)
[–] rdyoung@lemmy.world 11 points 8 months ago* (last edited 8 months ago) (1 children)

Probably because some people tend to pick user names that identify them in some way. Take me for example, I have a few names I go by but this username is definitely helpful in identifying me. I use it on the other place, a couple of emails, discord, telegram, etc. I don't feel the need to be as anon as possible (no shade on those who do) so I main this one. I have a few others that I have been known to use and those are mainly for things that I don't want easily connected back to me.

[–] akilou@sh.itjust.works 3 points 8 months ago (2 children)

You shouldn't be forced to be anonymous. If you want to pick the same username, you should be able to. But even so, there's still a required number at the end. So unless your username elsewhere ends in 2 digits and isn't already taken, then you can't pick it anyway

[–] otter@lemmy.ca 5 points 8 months ago

The best compromise might be similar to how it works currently

Right now you enter your username, and then a number is randomly generated but you can change it manually.

Randomly generate both, and allow the user to change both

[–] rdyoung@lemmy.world 1 points 8 months ago* (last edited 8 months ago)

It's not about forcing anyone to be anonymous. I'm not OP here but I kind of agree. Maybe signal should default to a randomized one with a blurb about safety, anonymity, etc but let you create your own if you want.

Again. My personal view isn't to force random usernames on people but to maybe educate them on this stuff. Also, there are legit reasons why you should have non identifying usernames even if it's not how the world should work. There are enough nutters out there who may recognize something in someones name that links them to someone they know offline and people are nucking futz. I can tell you stories I've heard from my clients that you would believe but don't want to.

Oh and for the numbers, that can be even more identifying because people tend to use numbers that mean something to them. I have a variation on this name that includes my birth year in 2 digits. If I was posting things online that close family might have a problem with, it wouldn't be hard to do to the math and identify me that way.

[–] olicvb@lemmy.ca 9 points 8 months ago (1 children)

guessing it would mean that people wont be using the same username as they do on every other account. So if doodlebop69 can't be traced from signal they could go to google and find the same doodlebop69 to grab their information from

[–] akilou@sh.itjust.works 2 points 8 months ago (1 children)

But doodlebug69 needs to accept a message from you before you can see their profile info.

[–] Baguette@lemmy.ml 4 points 8 months ago

They have the username already, they don't need to see their profile info to search for a username

[–] pedroapero@lemmy.ml 1 points 8 months ago (1 children)

It generated a suffix of two digits when I tried (you can set it explicitely but it is mandatory).

[–] LemmyKnowsBest@lemmy.world 1 points 8 months ago

I kept having to randomly scramble it until it gave me a number I liked.

[–] rar@discuss.online 1 points 8 months ago

I can be your Guest1234 anytime you want ;)

[–] autotldr@lemmings.world 14 points 8 months ago

This is the best summary I could come up with:


Based on a phone number, the federal prosecutors were asking for the user’s name, address, correspondence, contacts, groups, and call records to assist with an FBI investigation.

Whenever Signal receives a properly served subpoena, they work closely with the American Civil Liberties Union to challenge and respond to it, handing over as little user data as possible.

Whittaker stressed that this is “a pretty narrow pipeline that is guarded viciously by ACLU lawyers,” just to obtain a phone number based on a username.

Signal’s leadership is aware that its critics’ most persistent complaint is the phone number requirement, and they’ll readily admit that optional usernames are only a partial fix.

She gave an example of a person who faces severe threats and normally maintains vigilance but whose mother is only on WhatsApp because she can’t figure out the numberless Signal.

Signal engineers have discussed possible alternatives to phone numbers that would maintain that friction, including paid options, but nothing is currently on their road map.


The original article contains 1,894 words, the summary contains 165 words. Saved 91%. I'm a bot and I'm open source!

[–] ShortN0te@lemmy.ml 10 points 8 months ago (4 children)

just two pieces of data: the date the target Signal account was created, and the date that it last connected to the service.

And how does Usernames help here? Should be the same 2 data Points and not more?

[–] BakedCatboy@lemmy.ml 17 points 8 months ago (1 children)

The idea is that you change or remove your username after someone else starts a conversation with you, so the username can no longer be used to subpoena your account details.

Put another way, signal is able to provide those 2 pieces of information to law enforcement based on a phone number. This helps you to prevent law enforcement having a phone number to ask signal to look up in the first place, assuming you change your username every time you hand it out.

They also hash the usernames that they store on your account which means law enforcement can't ask what usernames are being used, only being able to ask for specific usernames which are currently in use.

[–] LWD@lemm.ee 3 points 8 months ago (1 children)

I understand that right now LEA can serve up a subpoena and give Signal a username and get a phone number, but they can't give them a phone number and get a username.

Is it also possible for Signal to keep track of past usernames/associated hashes for a particular phone number?

(For comparison, Signal could record IP addresses, but we trust they don't due to unsealed cases. Could they keep a username history?)

[–] BakedCatboy@lemmy.ml 5 points 8 months ago

Yes it entirely depends on whether they store previously used usernames along with the date range it was in use (to tell apart multiple people who used the same username at different times)

We'll have to see if any unsealed cases in the future support that they don't keep those records like how they don't keep IP logs, but personally their track record is enough for me to have confidence in the feature, especially since my "threat model" is primarily opportunistic hackers or spearphishers at most, not police or state / nation state level actors.

[–] zaph@sh.itjust.works 12 points 8 months ago

My phone number is registered to my phone carrier under my real name. My username is not. Unless I've misunderstood the question.

[–] Natanael@slrpnk.net 5 points 8 months ago

They don't track username history and don't have a server side list of plaintext usernames, and others can't find your phone number from the username alone. That makes it harder to confirm which account is yours.

[–] rdyoung@lemmy.world 1 points 8 months ago

Iirc from the last time this article or similar was posted, it's about how warrants are issued. It's the username versus phone number not username versus or and/or other data points. Anything more than that I am still unclear about.

[–] xor@infosec.pub 2 points 8 months ago* (last edited 8 months ago) (1 children)

still waiting for this to roll out on ios...
edit: nevermind, it updated

[–] James_Ryan@feddit.de 2 points 8 months ago (1 children)

I have this for some time now on iOS

[–] xor@infosec.pub 1 points 8 months ago (1 children)

you have the beta?
the beta is closed now...

[–] James_Ryan@feddit.de 2 points 8 months ago* (last edited 8 months ago) (1 children)

I dont. I got it via normal update. The 7.1 has been installed recently on my iPhone

[–] xor@infosec.pub 2 points 8 months ago

hmm... well shit, i swear i tried to update it before...
but i did just update it to 7 just now... thanks

[–] Rivalarrival 1 points 8 months ago

Not-a-paywall paywall.