
Signal app downloads spike as US protesters seek message encryption - pera
https://qz.com/1864846/signal-app-downloads-spike-as-us-protesters-seek-message-encryption/
======
jwr
What really hurts Signal are two things:

* sub-par user experience: WhatsApp is just nicer and smoother, and people tend to like that

* very few people understand that Signal DOES NOT get your full contact list, while Facebook (through WhatsApp) does

Especially the second point is very relevant with the current situation — you
do not necessarily want to expose your entire social graph to Facebook. But so
few people understand this, and even fewer grasp that Signal can still work
without doing the same thing.

~~~
sekai
Telegram is a great alternative also, offers encrypted chats also.

~~~
outadoc
Not encrypted by default afaik.

~~~
theshrike79
They're all encrypted, but only specifically created Secret Chats are
end-to-end encrypted.

~~~
CultOfSkaro
Encrypted in transit... But stored plain-text accessible in Telegram’s cloud.
They store all your metadata, full contact list, all conversations, all media
and attachments, etc. If you value your privacy, Telegram is the absolute
worst and one of the most dangerous messengers out there. Telegram should
never be recommended as a secure alternative. It’s insecure right to their
core. Heck, even their secret chat crypto is a joke. Telegram should be
avoided at all costs for private and/or sensitive communication. Even WhatsApp
is wayyy more secure.

------
AnonC
The biggest drawback with Signal for protesters is that it exposes the user's
phone number to everyone else in groups (just like WhatsApp does). There is no
way to even hide the fact that you have an account on Signal. I can add phone
numbers by enumeration into my contacts and Signal will show who among my
contacts is on it. If the authorities don't use tactics like they did in Hong
Kong, the protesters may be safe from being spied on (or worse).

~~~
hjek
Signal is not only used by protesters[0][1] so discovering that a phone number
is connected to a Signal account by no means implies that the phone is used by
a protester.

[0]: https://www.militarytimes.com/flashpoints/2020/01/23/deployed-82nd-airborne-unit-told-to-use-these-encrypted-messaging-apps-on-government-cellphones/

[1]: https://www.theguardian.com/politics/2019/dec/17/tories-switch-to-messaging-app-signal-to-curb-whatsapp-leaks

~~~
m12k
Yeah, if you're ever asked why you're on Signal, just say you wanted to stay
in touch with a programmer friend who's not on Facebook/WhatsApp, and they
suggested Signal (that is now literally true as well - I suggest you try
Signal, friend)

~~~
jrochkind1
If the law enforcement is talking to you in the U.S., the only right answer is
"I'd prefer to have a lawyer here."

Not a joke, for real.

They are experts at getting you to talk to them even if you know this. They
are experts at getting you to say things that incriminate you or your friends
-- that you or your friends have done nothing wrong (in your opinion/as far as
you know) will not protect you.

The only answers you should be rehearsing or thinking of in advance are "I
would like a lawyer" and "I would like to remain silent." They are rehearsing
how to get you to say incriminating things, a lot. Rehearsing or thinking up
any other answers only plays into their strengths. Even knowing this, I've
been tricked into talking to them, to my detriment. They are really good at
it.

~~~
vincentmarle
I’ve heard this before but here’s my practical problem: I don’t know any
lawyers. I have literally no idea who to call in such a situation. Do I have
to go find and retain a lawyer beforehand just in case I might need one later?

~~~
inetsee
There are services where you pay a monthly fee ($20 a month in my case), and
you get a card with phone numbers for a law firm (actually it's a service that
will connect you with a lawyer local to where you are). You get access to a
lawyer for a certain amount of time without extra charge, the amount of time
increasing the longer you pay for the service. If you get into serious legal
trouble you will end up paying for a lawyer anyway, but a service like this
will help in those circumstances where a cop wants to question you, and you
want to say "I want a lawyer present."

I agree with some of the other commenters that you really should say the word
"want", not "wish" or "would like". You need to be clear and emphatic about
having a lawyer present.

~~~
vincentmarle
That sounds like exactly what I need. What’s the service called that you use?

~~~
inetsee
It's called LegalShield. The website is here:
[https://www.legalshield.com](https://www.legalshield.com)

There are others. Do a search for "prepaid legal services". Most of them have
similar prices (~$20 a month) and provide similar services (wills, traffic
tickets, document review, etc). Like I said, if you get into serious trouble,
you will have to pay for a lawyer. This is like insurance. In my opinion, if
it helps you avoid saying something stupid to a cop, it's probably worth it.

------
matheusmoreira
I hope one day apps like Signal will be the default for _everyone_, not just
protesters in a time of crisis.

~~~
AnonC
I don't think that's a great idea until Signal stops exposing the phone number
of the user to everyone else (for all the bashing that Telegram gets on
cryptography, it has mechanisms to hide one's phone number and even the fact
that one has a Telegram account from others).

~~~
0xy
Absolutely agree. I really wish Telegram would get off the phone number
system, especially after the embarrassing hack in Brazil. It's not explicitly
Telegram's fault, but if your primary authentication method is insecure it's
at least a little bit your fault.

Phone numbers are NOT safe. I don't know why SMS MFA is even a thing, they're
worse than passwords.

When you use phone numbers or SMS for security, you are putting the fate of
your entire company's security on an underpaid customer service rep at
Verizon.

~~~
nickik
Telegram should maybe just use proper encryption first.

~~~
xerxesaa
Can someone explain to me why MtProto is not considered proper encryption?
Genuinely asking, not challenging.

At least since version 2.0 it seems it's using AES encryption:
[https://core.telegram.org/mtproto/description](https://core.telegram.org/mtproto/description)

~~~
nickik
By default it's not e2e encrypted and if you want to use e2e you lose lots of
capability. That is simply not acceptable in a modern messenger.

~~~
0xy
Speaking as someone who regularly uses private chats, what capability?

~~~
AnonC
Secret chats are tied to one single device, which may be ok for some people.
The bigger disadvantage is that you cannot have group chats that are end to
end encrypted. Only person to person chats are allowed as secret chats.

------
aerophilic
Honest question for those in the know: If I wanted to run my own personal
“analysis” to verify the security of Signal, where would I start? Is it even
possible? Just curious if there was a way to “know” rather than “trust”.

~~~
angott
The first step would probably involve getting a PhD in cryptography...

~~~
bawolff
There's a lot more than just crypto. It's much more common for systems to fail
in the supporting code than it is for the crypto to be wrong. So first step is
probably learn reverse engineering and verify the crypto is being used
correctly.

Then after that get a phd in cryptography.

~~~
colordrops
The source code is available.

~~~
sadfklsjlkjwt
Unless the build is reproducible it would be smart for a paranoid person to
use the published source code only as a comparison with the decompiled app.

~~~
sigmar
The build is reproducible:
https://github.com/signalapp/Signal-Android/blob/master/ReproducibleBuilds.md

------
lordnacho
I like signal, mainly because it's open source. One minor annoyance though,
perhaps someone knows how to fix it: when I use Signal on either my phone or
my laptop, going back to the other device makes it sync the messages. But it
does this really slowly, making a notification noise for each message,
sometimes for several minutes. How do you either coalesce them or just do it
fast? Doesn't seem like it's really a speed issue.

------
upofadown
>Signal and other encrypted messaging apps offer limited protections. If
> police have access to an unlocked phone, they can still read any messages on
> it that haven’t been deleted.

In general, forward secrecy can't work if you insist on keeping the messages.
If you truly want the messages to be gone for others you have to make
them gone for you as well.

------
salex89
I actually like Signal, and would use it a lot more, but don't because of one
feature - link previews. I understand the technical reasoning why they are so
slow to adopt it, but I (and a group of people I communicate on a daily basis)
would probably accept even a half-baked solution like the one on WhatsApp.

~~~
pacemkr
You want your encrypted chat application to emit DNS queries to your ISP. As
another Signal user, I do not want that. Nor do I want the bloat of this and
other features that will make the core functionality worse. Next we'll want
Memojis and animated drawings and fireworks.

My point is, there is already an app for that. Signal has a completely
different purpose.

~~~
salex89
You can generate a preview on the sender side. I think WhatsApp does it like
that. Since you're the one sending the link, you've already opened it/know
what's behind it. The receiver would basically get a thumbnail, with no egress
traffic.

As for the DNS, if you're concerned with the DNS of your ISP, you shouldn't be
using it anyway (I don't).

Don't extrapolate what I said. I like link previews and don't like Memojis and
bloatware. But more often than not I like to know what's behind the URL. Maybe
I don't want to open the site, or already seen the article, or the preview is
enough to get information (like weather?).

If we're on the road to proliferate privacy-conscious behaviour, we need to
give something to "the masses", so they can enjoy the experience. And I want
my mom and dad using products such as Signal, so I can use it with them. I
have no use of it if my friends are not using it, and I'm all alone on the
whole network. I don't support bloatware, but some sugar is needed.

------
LongHalloween
Has anyone here successfully convinced their non-techie friends to switch to
Signal? How have you done it? I've been trying on and off with my closest
friends, but no luck.

~~~
Vinnl
Yep (or at least, less techie friends). Strategy is to not have WhatsApp -
which leaves plenty of other alternatives (SMS, email, calling, Twitter DMs,
whatever) for people who do need to contact me, but Signal is just considered
easier by some. I just made sure that I've got group chats for all my social
circles that I add everyone who joins Signal to.

Additionally, taking the initiative for fun activities (or always being eager
to join), which -besides being fun- gives people without Signal FOMO, haha.

_Edit:_ Well, "switching" is a big word. They've got it installed, use it to
contact me, and some have started using it as the primary means of
communication with others who also have it. Most of them will still use
WhatsApp even for contacts who are also on Signal though.

------
grandinj
The thing about using these kinds of tools (IMO) is that it is effectively a
giant flag waving at the NSA saying "hey: over here, I'm doing something worth
keeping a close eye on!"

And once they get sufficiently interested, they can crack pretty much anything
the market can come up with.

So if you're trying to hide stuff - old school is probably best, innocuous
code-word language stuff, keep communication to a minimum, leave phone at
home, etc, etc.

~~~
ardy42
> The thing about using these kinds of tools (IMO) is that it is effectively a
> giant flag waving at the NSA saying "hey: over here, I'm doing something
> worth keeping a close eye on!"

That's why I use Signal to chat with my wife and parents, and pretty much no
one else. Secure apps need to become mundane so they don't draw attention, so
I prioritize using them for mundane things.

------
Andrex
Really hope E2EE on RCS isn't just Google blowing smoke.

https://9to5google.com/2020/05/26/google-messages-end-to-end-encryption-rcs/

Clearly not a solution to the current crisis but would be beneficial in future
situations.

------
gnome_chomsky
The more people that adopt Signal, the better. I've been using it for years
due to privacy concerns and usually ask everyone that I regularly communicate
with to adopt it. I don't think it indicates any subversive or illegal
behavior, but merely a desire to have private communications remain private.

------
travisporter
I use Signal, but am a little bit at unease because it's free. What's in it
for the developers? WhatsApp is e2e and all that but the reason it got bought
by Facebook for an obscene amount of money is what gave me pause.

~~~
vesche
The Signal Foundation is a 501(c)(3) nonprofit. They're funded by Brian Acton
(former co-founder of WhatsApp, net worth ~3 billion), donations, and the
Freedom of the Press Foundation. They are not owned by Facebook; not sure why
you said that.

~~~
travisporter
Was referring to WhatsApp owned by FB not Signal.

------
zaroth
Just an anecdote, I live close to the town I grew up in, which happens to have
a large high-end mall. Over the weekend there have been large peaceful
protests (“protest” perhaps isn’t even the right word, more like a show of
solidarity) in the town common, a 2-acre square at the center of town.

Police apparently got a tip on Monday night that a separate group was planning
on looting the mall. They intercepted a convoy of cars many with out of state
plates gathering in the empty parking lot and which fled when they saw the
police.

I guess that’s one thing that works in favor of suburban malls being only
reachable via car, versus the destruction inflicted upon urban malls in my
State.

Apparently there had been public social media posts calling for the looting
which got passed along to local police which deployed ahead of time to close
the mall and clear out the parking lots.

Op sec is particularly difficult I guess when these groups do not have
pre-formed networks and are just sending out public recruitment posts to commit
crimes.

Anecdote aside, I think that Signal isn’t going to support the many-to-many
broadcast messaging that large groups would need to organize effectively
(whether peaceably or otherwise) and a system which allowed mass coordination
is that much more likely to be infiltrated (see e.g. Project Veritas’ latest
work against Antifa).

~~~
ShamelessC
Can you please cite a source for these claims?

~~~
zaroth
Family members of mine were at the town center to show support for BLM. The
town police spokesperson was interviewed on the local news and there is video
of the police response at the mall.

https://boston.cbslocal.com/2020/06/01/police-respond-to-natick-mall-south-shore-plaza/

------
epistasis
To paraphrase Lenin, there are years where no one has Signal, then weeks where
everyone gets Signal.

https://twitter.com/benlorber8/status/1268596748198596608?s=21

------
ian-g
A couple friends of mine are professional organizers, and I know their orgs
use signal for pretty much anything sensitive. I dunno how much they like it,
but it's something they all use regularly

------
killswitched
One has to wonder about behind the scenes heuristics as it pertains to taking
a chance distributing a backdoored version sideloaded into the App Stores. One
also wonders about whether the encryption or app are possibly compromised
generally (even if the source is vetted and distributions are verified)

Perhaps most of interest though would be how many phones are owned otherwise,
to give access to the protester Signal comms anyway

And also metadata must still fly around anyway, no?

~~~
raspyberr
Signal does a pretty good job at minimizing the metadata it has access to. For
example, the app can tell you who of your contacts has Signal installed but
the Signal service itself never gets to see your contacts
(https://signal.org/blog/private-contact-discovery/).

~~~
canjobear
Signal absolutely could do better in minimizing metadata by simply not
requiring a phone number. Despite this obvious, huge, and dangerous
shortcoming, I have never seen a single explanation of why Signal needs a
phone number for signup.

~~~
kick
They give an explanation literally every single time this subject is brought
up, but of course on the Internet there's someone who against all possible
odds manages to completely ignore years and years of the reasoning being
linked to or _given_ by a person at Signal in every single possible thread on
Signal possible anywhere on the Internet, but what can you do?

~~~
canjobear
I've asked many times and searched many times and never found a convincing
answer. What's the reason?

~~~
Mediterraneo10
The typical answer is that a secure app is useless if no one actually uses it,
and the use of phone numbers is an unfortunate tradeoff that had to be made to
allow the general public to easily sign up for Signal and find their friends
automatically from their phone's contacts.

Often this answer is accompanied by pure sarcasm where if you are concerned
about this feature, you are told that Signal is not for you and "you can go
play at being a spy and sharing a secret decoder ring with your friends", as
these people regard PGP to be. I wish those Signal advocates could lay off the
sarcasm, it just makes the project look bad.

------
Markoff
even after spike lower than already extremely obscure (in US) Telegram

------
maverick74
Jami, anyone?

Jami.net

It does not have Signal's problems

------
_pmf_
Cell tower association should be enough. Maybe not recording videos of
yourself and others committing felonies would be a start.

------
kome
Signal exposes the user's phone number, better alternative is to use burner
phones or Telegram.

~~~
Evidlo
Or an open standard like Matrix

~~~
0x49d1
First time hearing about Matrix standard. But in case the clients are
maintained by some individuals - why should we trust them that there are no
backdoors in their compiled binaries? Seems like a nice project! But probably
it will take its small niche, probably for now it is not widespread,
haven't heard any noise about the standard.

~~~
INTPenis
The signal server has 10 maintainers out of which 5 are signal employees.

Matrix is 100% open source, has a larger community maintaining it and is
federated.

If you're worried about backdoors then you should have more eyes on the code.

------
0xADEADBEE
Long-time Signal user but I'm on the verge of moving I think. There are
several UX shortcomings but the new PIN nag is a bridge too far. What are my
options for alternatives? I imagine Telegram is the next best bet but very
open to suggestions.

~~~
drannex
Settings -> privacy -> Pin Reminders

You can disable them there.

~~~
0xADEADBEE
I tried that but that just makes you set a PIN which I don't want to do! I
appreciate the help though, thank you.

------
TaylorAlexander
While I assume Signal is very good at keeping your neighbors and the like out
of your business, I feel like the NSA must have some ways of getting in to
signal if they want. Like if they have backdoors to get in to iPhones I assume
they can replace the binary and get at your info.

Idk after learning about the Snowden revelations I assume every computer is
compromised. I mean didn’t x86 have unpatched vulnerabilities for like two
decades? It’s really hard for me to imagine that apps like Signal running on
iphone or android can offer enough security to keep out the NSA. But I’d be
very curious what folks think about that. I’ve told my drug dealer friends
“signal is fine for selling weed but if you commit a murder they will probably
find a way to get your messages.”

~~~
RMPR
> While I assume Signal is very good at keeping your neighbors and the like
> out of your business, I feel like the NSA must have some ways of getting in
> to signal if they want.

'You have to go back in history, at least to the time when the devs dropped
sms encryption and even earlier.

The main developer, in a matter of weeks, had turned from someone harassed by
the TSA into a recipient of a major government grant ($13 mln). Then he
received lucrative contracts with the “greatest” bastion of privacy, Facebook
and affiliates. You don’t get that by accident. You get that by providing your
own significant part of the bargain.'

https://forum.f-droid.org/t/we-can-include-signal-in-f-droid/7373

Just saying it's not the most unfounded theory out there.

------
monksy
I'm not seeing it. I've only had 1 of my friends convert to signal in the last
week. The rest of them: they've always been on signal.

~~~
CGamesPlay
So 100% of the people you know who were not on signal are now on signal?

~~~
monksy
Not sure I said that right. I have some friends on signal. Of the other
platforms out there, I've only seen 1 sign up.

I'm saying anecdotally, I'm not seeing a massive wave of people sign on to
signal.

