KLISHDFSDF

joined 5 years ago
[–] KLISHDFSDF@lemmy.ml 8 points 2 years ago

Those clients exist despite Signal Foundation, not because they encourage community development. They are doing everything they can to discourage third party app development.

That was your original claim. None of the sources you provided back up your original claim. We can talk about Google libraries or the delay in server side code if you want to go down that path, but that's a completely different discussion. Why are you pivoting to other topics? Will you concede your original point or do you have evidence to back it up?

[–] KLISHDFSDF@lemmy.ml 0 points 2 years ago (7 children)

No, you don’t have to trust anyone. That’s literally the point of having secure protocols that don’t leak your personal data. 🤦

Unless you're reading all the code, understanding the protocols, and compiling it yourself, you are placing your trust in someone else to do it for you. There's no way around this fact.

You suggest SimpleX, Matrix, and Briar (which I believe are great projects btw, I've used them all and continue to use SimpleX and Matrix) but have you read the code, understood the underlying protocols, and compiled the clients yourself or are you placing your trust in a third party to do it for you? Be honest.

I will agree though, if you absolutely do not trust Signal, you should use Briar or SimpleX, but neither are ready for "every day" users. Briar doesn't support iPhones so it's basically dead in the water unless you can convince family/friends to switch their entire platform. SimpleX is almost there but it still continues to fail to notify me of messages, continues to crash, and the UX needs significant improvement before people are willing to put up with it.

The discussion in this thread is specifically about Signal harvesting phone numbers. Something Signal has no technical reason to do.

Let me give you a history lesson, since you seem to have no clue about where Signal started and why they use phone numbers. Signal started as an encryption layer over standard text/SMS named TextSecure. They required phone numbers because that's how encrypted messages were being sent. In 2014, TextSecure migrated to using the internet as a data channel to allow them to obscure additional metadata from cell phone providers, as well as provide additional features like encrypted group chats. Signal continued to use phone numbers because it was a text message replacement which allowed people to install the app and see all their contacts and immediately start talking to them without having to take additional action - this helps with onboarding of less technical users. Fast forward to today and Signal is only using phone numbers as a spam mitigation filter and to create your initial profile that is no longer being shared with anyone unless you opt into it.

Now, you can say they're collecting phone numbers for other nefarious purposes but they publish evidence that they don't. Will they ever get rid of phone numbers? Unlikely unless they figure out a good alternative to block spam accounts.

Privacy and security are not based on trust

You're 100% right. If you read the code, understand the protocols, and build the clients from source, you don't have to trust anyone 😊

[–] KLISHDFSDF@lemmy.ml 1 points 2 years ago (2 children)

They could be waiting until it becomes a big issue

I guess I don't see that as a problem if it's causing a big issue.

Let me throw it back to you: If you were providing a service and a third party client was using your resources and causing a "big issue" like you stated, would you not want to remediate the problem? Let's say you introduced a new feature, but it doesn't work for 15% of your user base because they're using an outdated third party client that may not get fixed for another year or two - if ever. What would you do?

Here's another example, let's say someone develops a client that lets you upload significantly bigger files and has an aggressive retry rate that as more people start using your client, it starts increasing the hardware requirements for your infrastructure. Do you just say "oh well", suck it up and deal with having to stand up more infrastructure due to the third party client doing things you didn't expect? Is that reasonable?

[–] KLISHDFSDF@lemmy.ml 8 points 2 years ago (2 children)

That link, and I could be missing it, has nothing to do with what I claimed. Mind editing your post and quoting a red flag linked at the source you provided?

[–] KLISHDFSDF@lemmy.ml 4 points 2 years ago (4 children)

I'll reiterate my statement as you didn't address it.

If Signal wanted to block third party clients, they would have blocked them already.

[–] KLISHDFSDF@lemmy.ml 1 points 2 years ago* (last edited 2 years ago) (9 children)

Once again, even if this is the way things worked back in 2016 there is no guarantee they still work like that today.

You have to trust someone. You're not building all your software and reading every line yourself are you?

While there's no guarantees, Signal continues to produce evidence that they don't collect data. Latest publication August 8th, 2024: https://signal.org/bigbrother/santa-clara-county/

The code is open and has had a few audits: https://community.signalusers.org/t/overview-of-third-party-security-audits/13243

This is the whole problem with a trust based system

Can you point me to a working trustless system? I'm not sure one exists. You might say peer-to-peer systems are trustless because there's no third party, but did you compile the code yourself? Did you read every last line of code before you compiled and understood exactly what it was doing?

It's absolutely shocking to me that people have such a hard time accepting this basic fact.

What's shocking to me is the lack of understanding that unless you're developing the entire platform yourself, you have to trust someone at some point and Signal continues to post subpoenas to prove they collect no data, has an open source client/server, provides reproducible builds and continues to be the golden standard recommended by cryptographers.

I would recommend to anyone reading this to rely on the experts and people who are being open and honest vs those who try to push you to less secure platforms.

[–] KLISHDFSDF@lemmy.ml 5 points 2 years ago (8 children)

He was specifically talking to that developer. The "You" and "You're" in that quote was specifically targeted at the LibreSignal developer.

I recall the gurk-rs developer specifically mentioned that his client reports to Signal's servers as a non-official app. The Signal admins can see the client name and version - just like websites can tell what browser you're using - and could easily block third party clients if they wanted to but they don't.

If Signal wanted to block third party clients, they would have blocked them already.

[–] KLISHDFSDF@lemmy.ml 11 points 2 years ago (10 children)

They have a demonstrated history of asking third party clients to not use the signal name, and not use the signal network.

The lead developer, nearly 10 years ago now, specifically asked LibreSignal to stop. A single event does not make a demonstrated history.

The clients that currently exist that do this do it against the wishes of the signal foundation

If you have evidence to back this claim, I would like to see it so I can stop spreading misinformation.

[–] KLISHDFSDF@lemmy.ml 11 points 2 years ago (4 children)

They are doing everything they can to discourage third party app development.

I'd say you're moving the goalpost. Other than the hostility the founder showed towards LibreSignal nearly 10 years ago now, can you source any evidence to support your claim?

[–] KLISHDFSDF@lemmy.ml 1 points 2 years ago (14 children)

Signal has been forced by court to provide all the information they have for specific phone numbers [0][1]. The only data they can provide is the date/time a profile was created and the last date (not time) a client pinged their server. That's it, because that's all the data they collect.

Feel free to browse the evidence below, they worked with the ACLU to ensure they could publish the documents as they were served a gag order to not talk about the request publicly [2].

[0] https://signal.org/bigbrother/

[1] https://www.aclu.org/news/national-security/new-documents-reveal-government-effort-impose-secrecy-encryption

[2] https://www.aclu.org/sites/default/files/field_document/open_whisper_documents_0.pdf#page=8

[–] KLISHDFSDF@lemmy.ml 5 points 2 years ago

Signal doesn't disallow third party clients, you should always understand the risk when messaging anyone on any platform. See my post here: https://lemmy.ml/post/19672991/13312234

[–] KLISHDFSDF@lemmy.ml 49 points 2 years ago (9 children)

That's outdated information:

Go forth and contribute, fork, or create your own.

They also refuse to distance themselves from Google’s app store.

This link has existed forever at this point if we count in internet years: https://signal.org/android/apk/ - getting an app directly from the developer with no middleman is about as distant as you can get from Google's app store.
