- Joined
- Oct 14, 2023
I browsed community happenings and came across this thread in A&N. In it, I saw users talking about installing Signal and using it to communicate privately over telecommunication networks. Looking through existing threads to see if somebody else has made a thread about Signal, I found this thread that uncritically praises a largely performative response to Californian government subpoena. This is a mistake and this thread will explain why.
If you want a clean and comprehensive explanation of why Signal cannot be trusted, I recommend reading "Why not Signal?" (a). It's written by a USA-hating Marx lover, but the explanations of Signal are sound. It does contain some stuff about how Signal likely has its origins in CIA operations, which I am not going to vouch for. For the most part, it's irrelevant. However, this thread is not going to be specifically about Signal but more generally about how inclusion of free (as in freedom) software does not necessitate uncompromised software. A lot of people on this subforum probably already will know most of what I will talk about, so this is mainly to serve as a reference for the uninitiated in how free software can and cannot secure freedom for you.
You are much better off hosting actually free implementations of widely known protocols, such as Matrix or XMPP, which can connect to a wider network of users. They also have a wider range of clients available than Signal, so anybody can connect to those networks however they want, on any device.
If you want a clean and comprehensive explanation of why Signal cannot be trusted, I recommend reading "Why not Signal?" (a). It's written by a USA-hating Marx lover, but the explanations of Signal are sound. It does contain some stuff about how Signal likely has its origins in CIA operations, which I am not going to vouch for. For the most part, it's irrelevant. However, this thread is not going to be specifically about Signal but more generally about how inclusion of free (as in freedom) software does not necessitate uncompromised software. A lot of people on this subforum probably already will know most of what I will talk about, so this is mainly to serve as a reference for the uninitiated in how free software can and cannot secure freedom for you.
#1 Issue: Signal is centralised
Signal is not compromised, because it never was trustworthy in the first place. Signal's infrastructure can sort of be self-hosted, meaning you can host your own Signal servers. There is some information about the server-side workings like in this GitHub repository. However, this does not really help anything, but I will get to that in a moment.Black boxes and you
The age-old problem that is the Achilles' heel of free software is that you can never know two things, even if the source code is free:- That the binary executable you are running was produced from a given source code. There is some progress made in this domain, but it remains a largely unsolved problem. The only solution is to compile your software from source, which can be annoying.
- More pertinent to the topic: that the online service you are using is running a given source code. This is likely never going to be solved. The best we got are legal mechanisms such as licensing service software under AGPLv3, which Signal actually licenses their server software under.
"But it's end-to-end encrypted?"
It is true that the client seems to work as advertised, wherein it generates keys and encrypts your messages until they are received by its intended recipient. Let's assume that end-to-end encryption in Signal is completely uncompromised and flawless. There are still two critical things that Signal, the company, can collect to fuck you over:- Message dates and times
- Message senders and recipients
#2 Issue: Signal is openly hostile to freedom
I did mention that Signal can be self-hosted, but only sort of. There are major obstacles that make Signal incredibly painful to self-host to the point where it is practically impossible:- The whole infrastructure is designed from the ground-up to only run the company server, nothing else. Programming it to do otherwise is resource-intensive, from what people on the Internet are saying. I can readily believe this, considering I have not found any big project that allows an easy "run this script" self-hosting solution. In this respect, Signal is free software in name only. They do not give a single fuck about you being able to run your own instance of Signal, and it shows.
- The Matrix project has already once approached Signal with a proposition to federate with the Matrix protocol, and Signal refused (a), citing a non-concern as reason. Considering that Signal refused to federate with the biggest federated communication networking protocol currently out there, we can only conclude that Signal would prefer to keep absolute authority over all Signal communication. They say as much (a). The head of company, Moxie Marlinspike, is also an unstable character in general.
- Signal cannot federate even with itself, and any attempts to do so are aggressively put down by the company (a).
You are much better off hosting actually free implementations of widely known protocols, such as Matrix or XMPP, which can connect to a wider network of users. They also have a wider range of clients available than Signal, so anybody can connect to those networks however they want, on any device.
Conclusion
While free software is the way to go, people seem to underestimate or not pay attention to what it cannot do for you to secure your freedom and privacy. Signal aggressively shills itself as the "end-to-end encrypted platform, it has end-to-end encrypted this, it has end-to-end encrypted end-to-end encryption, everything is end-to-end encrypted," but it is just a marketing gimmick. The platform is fundamentally nothing different from other proprietary platforms such as Discord or Telegram. You are still trusting a black box. As an occasionally wise drama whore, Drew DeVault, said, "Truly secure systems do not require trust" (a).
Last edited:
