this post was submitted on 11 May 2025
195 points (86.0% liked)

Privacy


I remember a time when visiting a website that opens a JavaScript dialog box asking for your name so the message "hi " could be displayed was baulked at.

Why does Signal want a phone number to register? Is there a better alternative?

[–] rottingleaf@lemmy.world 27 points 1 month ago (13 children)
  1. Yes, and in that time you would visit a website with your own IP address likely, likely over HTTP without SSL/TLS, likely with your vulnerable browser fingerprint. Point?

  2. Privacy, not anonymity. Two completely different things.

  3. Because the way Signal is built hosting it requires a lot of resources (storage especially), so they want spam prevention and fewer accounts per person.

[–] solrize@lemmy.world 6 points 1 month ago* (last edited 1 month ago) (7 children)
  1. I haven't seen a non-TLS website in years.

  2. Your asserting "two completely different things" doesn't make it true. Privacy and anonymity are not synonyms but they are overlapping areas. Also ISTM you are redefining terms to suit your purposes. Anonymity to me means the message recipient can't tell who you are. If a THIRD PARTY (the server operator) can ALSO tell who you are, that's a privacy failure, not just an anonymity one.

  3. Why does it take so much storage per user? Does it have video uploads or anything like that? A user account should basically just be a row in a database.

From https://en.wikipedia.org/wiki/Signal_(software) :

> In August 2022, Signal notified 1900 users that their data had been affected by the Twilio breach including user phone numbers and SMS verification codes.[105] At least one journalist had his account re-registered to a device he did not control as a result of the attack.[106] ...
>
> This mandatory connection to a telephone number (a feature Signal shares with WhatsApp, KakaoTalk, and others) has been criticized as a "major issue" for privacy-conscious users who are not comfortable with giving out their private number.[142] A workaround is to use a secondary phone number.[142] The ability to choose a public, changeable username instead of sharing one's phone number was a widely-requested feature.[142][144][145] This feature was added to the beta version of Signal in February 2024.[146]
>
> Using phone numbers as identifiers may also create security risks that arise from the possibility of an attacker taking over a phone number.[142] A similar vulnerability was used to attack at least one user in August 2022, though the attack was performed via the provider of Signal's SMS services, not any user's provider.[105] The threat of this attack can be mitigated by enabling Signal's Registration Lock feature, a form of two-factor authentication that requires the user to enter a PIN to register the phone number on a new device.[147]

[–] rottingleaf@lemmy.world 1 points 1 month ago (3 children)
  1. When people would complain about JS on webpages, they were not.
  2. Completely different things overlap all the time.
  3. Because your status updates and messages are encrypted and stored (until retrieved, of course) once for every recipient, and that includes your other devices and their other devices.
[–] solrize@lemmy.world 1 points 1 month ago (1 children)

> Because your status updates and messages are encrypted and stored (until retrieved, of course) once for every recipient, and that includes your other devices and their other devices.

I'd like to see a numerical estimate of how much data this is. But, it sounds to me like more reason to want to self-host.

I don't see any point to rehashing the other stuff. Non-TLS websites mostly went away once DNS spoofing at wifi hotspots became widespread.

[–] rottingleaf@lemmy.world 1 points 1 month ago (1 children)

> But, it sounds to me like more reason to want to self-host.

So do that. You can do that with Signal.

> I don’t see any point to rehashing the other stuff. Non-TLS websites mostly went away once DNS spoofing at wifi hotspots became widespread.

Maybe I wasn't clear, someone said that back in the day registration on a website was a new and bad thing, connecting it with privacy and comparing to Signal asking for phone number. I answered with the idea that not much commonly thought from that time about privacy has aged well. You wouldn't register on websites, but you would communicate with them over plaintext. I hope that makes it clearer.

[–] solrize@lemmy.world 1 points 1 month ago* (last edited 1 month ago)

> So do that. You can do that with Signal.

Do you know of anyone doing it? Other people have said there are difficulties.

> You wouldn’t register on websites, but you would communicate with them over plaintext. I hope that makes it clearer.

It is ok, in that era (dialup or wired internet) unencrypted http was basically as secure as unencrypted landline phone calls. People still have unencrypted phone calls all the time. Typically sites would show public content (like product pages on an e-commerce site) by http, then switch to https for checkout to protect stuff like credit card numbers. Encrypting everything became important when wifi became widespread. Wifi hotspots would hijack DNS and spoof entire web sites to steal credentials. Also, LetsEncrypt made it possible to bypass the CA scam industry, making https-everywhere more popular. Public awareness also increased due to Snowden's disclosures.

The RSA encryption patent also expired in 2000. Before that, US website operators were potentially exposed to hassle if they didn't use a commercial server with an RSA license ($$$). But, it didn't apply outside the US and FOSS SSL servers existed for those wanting them.
