They may be sponsored by the US Government, or by cryptographers with ties to the government.

https://thebaffler.com/salvos/the-crypto-keepers-levine

It’s a long read, but it’s quite good. Here’s a snippet to whet your palate where he describes some of the prominent people behind these projects:

At least that’s how they saw themselves. My reporting revealed a different reality. As I found out by digging through financial records and FOIA requests, many of these self-styled online radicals were actually military contractors, drawing salaries with benefits from the very same U.S. national security state they claimed to be fighting. Their spunky crypto-tech also turned out, on closer inspection, to be a jury-rigged and porous Potemkin Village version of secure digital communications. What’s more, the relevant software here was itself financed by the U.S. government: millions of dollars a year flowing to crypto radicals from the Pentagon, the State Department, and organizations spun off from the CIA.

For context: I have become very interested in the debate amongst users of apps such as Telegram, Signal, Threema, etc… and I know that many people claim that Signal is the very best amongst all of them but there’s something really sketchy about its location (US based) and the fact that the government can force anyone to comply with their orders and forbid them from telling anyone about it via gag orders (see Durov’s comments on this: https://t.me/durov/59).

Both are fascinating reads, and certainly help me appreciate platforms like Telegram and Threema even more. Regarding Threema, today they posted a comparison between their app and the competition, and found this interesting tidbit regarding Signal:

https://threema.ch/en/blog/posts/messenger-comparison-2021

Signal enjoys an outstanding reputation among experts, and it’s certainly a good alternative to WhatsApp. However, just like WhatsApp, it requires users to disclose personally identifiable information: Providing a phone number is mandatory. As a US company, Signal is also subject to the CLOUD Act, which entitles US authorities to access data from IT service providers that are based in the US.

Also: I just learned that FB spends millions of dollars every year on marketing and trying to influence people to not use platforms such as Telegram.

  • riccardo (12 points, edited, 3 years ago)

    I appreciate that we are discussing this. Although Signal is like what every cryptographer is suggesting to use, the fact that it is a company based in the US has always overly bugged me. Also considering that as a non-profit, in its early days, the government funded a considerable part of its development.

    From a privacy point of view, though, I wouldn’t suggest using Telegram over it. I strongly believe Durov is driven by the right principles and that he would rather shut everything down and throw the servers into a volcano instead of sharing his users’ data with governments or mining them for advertisers, but Telegram is still vulnerable to hacks and data breaches and I wouldn’t like my data to appear in some torrent zip if shit happens.

    I’m trying to move friends and family to Signal, but just because Threema and Element are not free (as in “free beer” of course) or as user-friendly as Signal is. The chats I’m unable to move will stay on Telegram. The chats I do not really care about that much will stay on WhatsApp. As of today (and after an effort that has been lasting for almost a year), I’ve been able to move a three-people group chat to Signal (plus some friends have it installed on their phone so I can write them there). I like to take part in discussions about messengers too (because it’s effectively the app that most people can’t really live without - messaging apps are the heart of our social life), but these discussions are only theoretical to me because once I have to log off and try to actually move my circles somewhere, I have to face the harsh reality and clash with a number of social and educational obstacles that are really hard to overcome. So I end up resorting to the same cheap arguments such as “Telegram has a ton of cool stuff, let’s move our chat there” and “Signal has the same functions as WhatsApp but at least it’s not Facebook, we should try it out” and the ethical aspect completely fades out. And (with Signal in particular) the chat will move back to WhatsApp as soon as we have to add a new member I haven’t been able to “brainwash” with my propaganda /rant

    So after writing these paragraphs, I’ve only now noticed that the article you’ve linked is something that Durov used to share often a few years ago on twitter and on Telegram. Yes the story is actually quite creepy, it almost sounds like a novel. I actually believe he might have romanticized it a little bit to be honest, but at least it explains why he’s so opposed to anything that comes from the US. He recently said he doesn’t actually care about how much Telegram is gaining in popularity in the US after the recent (current) surge in global downloads lol

    • @kitsunekun@lemmy.ml (OP) (3 points, 3 years ago)

      Yeah, I think it’s important to point out that I’m not saying that Signal is a bad app or that it doesn’t do what it claims it does. But when it comes to who’s funding these projects, it matters a lot. In contrast, look at Telegram, whose main backer is a libertarian semi-anarchist billionaire. He’s been backing the entire operation for a long time now although they will move into using ads and offering plus services to make it self-sustainable in the future. On that front, I trust Durov more than I would trust Signal coders and people affiliated to the project who, in turn, have ties to the feds in the USA. So all in all, at least in my case, I will be sticking to Threema and Telegram for the foreseeable future.

      • poVoq (1 point, 3 years ago)

        The Signal Foundation is also funded by Silicon Valley billionaires these days (for example the WhatsApp founders who cashed out to Facebook).

        • @kitsunekun@lemmy.ml (OP) (1 point, 3 years ago)

          Yes, the same applies for example to Proton VPN/Mail. It makes me sometimes wonder, but Proton VPN being in Switzerland does help them quell some skepticism for sure.

  • ☆ Yσɠƚԋσʂ ☆ (12 points, 3 years ago)

    The thing to remember is that cryptography is very tricky business, and even when an algorithm is sound on paper that does not guarantee that it’s implemented in a secure way. A famous example is when NSA “helped” develop the Diffie-Hellman cryptographic key exchange standard and introduced a vulnerability that nobody noticed for a very long time.

    Any standard that’s been developed in conjunction with US agencies should be considered compromised in my opinion.

    • poVoq (6 points, 3 years ago)

      I think the NSA got smarter (as did cryptographers) and the actual algorithms are probably ok these days. The problem is the surrounding app and infrastructure that is easy to compromise, especially if it is hidden in convenience features like cloud backups or “web” clients.

      • ☆ Yσɠƚԋσʂ ☆ (9 points, 3 years ago)

        Yeah exactly, if you know a specific exploit then it’s not that hard to design the system in a way that looks innocuous, while being compromised. Without knowing the nature of the exploit it can be incredibly difficult for a third party to find it.

  • @TheAnonymouseJoker@lemmy.ml (M) (8 points, edited, 3 years ago)

    Hello again!

    I think everyone here knows my position on 14 Eyes from my smartphone hardening guide, for which I have also earned some racist flak for my rigid stand on the same. This is a large reason why I recommend staying away from Google Pixels with the proprietary Titan M chip, or Qualcomm smartphones or even South Korean Samsung’s Exynos phones. Apple iPhones are equivalent to the Ebola virus for me.

    I myself use a debloated Huawei phone since the baseband modem and hardware are non-14 Eyes, and might only pick either a Huawei and/or an ARM-based Linux phone in the future. I refuse to trust 5/9/14 Eyes proprietary technology for any sensitive work, and the only reason I am seeing Signal as decent for the masses is its audited cryptography with ease of use. (I am also more outspoken on Lemmy compared to Big Tech Reddit.)

    Still using XMPP and Matrix, and have special email provider for covert operations.

  • poVoq (6 points, 3 years ago)

    Well Durov is hardly a neutral source.

    Anyways, I think it is important to keep in mind that most of the people involved in intelligence agencies and the people that (sometimes without realizing it) support their activities, believe that they are doing the right and good thing. They are not some sort of evil villain organization.

    Nevertheless they end up doing a lot of bad things (“road to hell, paved with good intentions” and all that). So when looking at motives and possible bad outcomes, it is good to keep this in mind.

  • poVoq (5 points, 3 years ago)

    The US (and related Five Eyes countries) definitely have the best-funded intelligence agencies, and hence are the most likely to compromise private communication, but being from the US isn’t actually the main problem.

    If I were living in the US, then Signal would probably be an OK choice, as US citizens are much better protected from US intelligence agencies than foreigners, and most people working in these agencies do actually think they are protecting US citizens from foreign powers.

    I know, one of the big revelations of Snowden is that the NSA was also spying on US citizens, but if they were only doing the same on foreigners then Snowden would probably still be working for the NSA, showing just how little these agencies care about non-citizens.

  • @fidibus@lemmy.161.social (3 points, 3 years ago)

    Why is everyone hating on Signal and not on Tor for example, which has many of the same problems, but obv also still is the best solution we have.

    • @kitsunekun@lemmy.ml (OP) (2 points, 3 years ago)

      I’m not sure that Signal is the best solution as you say, but it is a solution with hopefully more to come.

  • @oriond@lemmy.ml (3 points, edited, 3 years ago)

    It has always been a conflict for me that Signal is open source and yet there are no forks out there. You would think someone would come up with a fork outside the US or something.

    Sometimes I have even thought that Signal may be a social engineering effort from the NSA, or some three-letter agency, to bring in and spy on all the “people that have something to hide”. I mean, wouldn’t it be brilliant?

    Besides, on any centralized service, you never know that they are actually running the published “open source” code and not a modified one.

    For security, I would go to Matrix in a self hosted server.

    *Edit: minor typos

    • Dreeg Ocedam (4 points, edited, 3 years ago)

      There are a few niche third-party clients:

      The reason there are no big third-party clients is that the devs don’t want to have to deal with bugs in third-party clients/maintaining API stability etc… Also, a bad implementation could potentially lead to compromising the security of the people using it.

      Besides, on any centralized service, you never know that they are actually running the published “open source” code and not a modified one.

      You don’t know that either on a decentralised service, unless you self host. And even if you self-host, you likely interact with hosts that you don’t trust, and you still need to give them a lot of metadata.

      The whole point of Signal is that everything is E2EE, so you don’t even have to trust the server.

      • @nutomic@lemmy.ml (9 points, 3 years ago)

        The reason there are no big third-party clients is that the devs don’t want to have to deal with bugs in third-party clients/maintaining API stability etc… Also, a bad implementation could potentially lead to compromising the security of the people using it.

        That is no reason to prohibit f-droid.org from compiling Signal from source and distributing it. That point alone is very suspicious for me.

        The whole point of Signal is that everything is E2EE, so you don’t even have to trust the server.

        You have to trust the Google Play server that the Signal apk it sends is actually built from the published source code.
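The trust question in the comment above (does the APK the store served match the published source?) is exactly what a reproducible-build check answers. The script below is an added example, not Signal’s own build-verification tooling: it compares two APKs entry by entry, skips only the signer-written files under META-INF/ (those always differ, because only the publisher holds the release key), and reports anything else that does not match. The APK bytes it works on are constructed in memory for the demonstration; in practice you would pass it the APK pulled from a device and the one you built yourself from the tagged source.

```python
"""Compare a store-served APK against a locally built one, ignoring signatures.

Added example for a reproducible-build check; not the project's own tooling.
The sample APKs at the bottom are constructed in memory and are not real apps.
"""
import hashlib
import io
import zipfile

# Files written by the APK signer (v1/JAR signing scheme). A store build and a
# local build are signed with different keys, so these are expected to differ
# and are excluded from the comparison. Everything else must match exactly.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature zip entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def apk_diff(store_apk: bytes, local_apk: bytes) -> dict:
    """Return entries missing on either side and entries whose content differs."""
    a, b = entry_digests(store_apk), entry_digests(local_apk)
    return {
        "only_in_store": sorted(set(a) - set(b)),
        "only_in_local": sorted(set(b) - set(a)),
        "differing": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def apks_match(store_apk: bytes, local_apk: bytes) -> bool:
    """True when the two APKs are identical apart from the signing files."""
    return not any(apk_diff(store_apk, local_apk).values())


def make_apk(entries: dict) -> bytes:
    """Build a minimal APK-shaped zip in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the same payload signed by two different parties, and a
# third build whose classes.dex differs by a single byte.
PAYLOAD = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    "res/values/strings.xml": b"<resources/>",
}
STORE_APK = make_apk({
    **PAYLOAD,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"store-signature",
    "META-INF/CERT.RSA": b"\x30\x82store-key",
})
LOCAL_APK = make_apk({
    **PAYLOAD,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"local-signature",
    "META-INF/CERT.RSA": b"\x30\x82local-key",
})
TAMPERED_APK = make_apk({
    **PAYLOAD,
    "classes.dex": PAYLOAD["classes.dex"][:-1] + b"\x01",
    "META-INF/CERT.RSA": b"\x30\x82store-key",
})

if __name__ == "__main__":
    print("store vs local   :", apk_diff(STORE_APK, LOCAL_APK))
    print("store vs tampered:", apk_diff(STORE_APK, TAMPERED_APK))
```

Two caveats for a real check: the content hashes here ignore zip metadata (timestamps, entry order, compression level), which is what you want when the question is "is the code the same?", but a build that is not deterministic will still show spurious differences in generated resources; and newer APKs carry a v2/v3 signature block outside the zip entries, which this entry-level comparison never sees and which is also expected to differ between the two builds.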

    • poVoq (4 points, 3 years ago)

      There is no point in forking Signal, as XMPP with OMEMO is more or less the same thing, but better.

  • Signal has not been able to provide the US gov with personal data as they only store the date of account creation and a Signal ID number. Look at how Signal handles these information requests right now.