Sure. Aside from the Google phones upload contacts to cloud issue, and the encouraging contacts to be added thing, there are two clear problems: both metadata.
(1) It's the network of phone numbers - who knows who, when they added, that starts to draw a picture.
(2) If they have any infrastructure at all - update checks, contact additions, whatever, that is going to phone home or be polled or contacted whatsoever, particularly that which can facilitate a network response (generate network traffic when an ID is added) then the app effectively acts as an element that can be used for identity verification even if all traffic is encrypted. This is not a small issue.
These issues are not unique to Signal, but they should not be swept under the rug. FWIW I do not claim to have read or audited their code, I just feel the use of PSTN IDs (== highly available link to personal identification) is a total farce which introduces huge risk for nearly no benefit to users and is fundamentally incompatible with their nominal public stated goals (again haven't read the official text) of end user security if that security is supposed to be best-effort.
> Sure. Aside from the Google phones upload contacts to cloud issue
You can add contacts through Signal that aren't synced with Google. I've just understood this process as a way to initiate the social graph. You can just not give Signal access and start from scratch, but I don't think that accomplishes much.
Also, as far as I'm aware, Signal doesn't actually know your phone number.
The thing is, some percentage of your contacts will accidentally or knowingly grant permission for their contacts to go to Google. So by linking to that infrastructure Signal is making this problem worse, whether or not they actually facilitate the spying themselves.
(1) It's the network of phone numbers - who knows who, when they added, that starts to draw a picture.
(2) If they have any infrastructure at all - update checks, contact additions, whatever, that is going to phone home or be polled or contacted whatsoever, particularly that which can facilitate a network response (generate network traffic when an ID is added) then the app effectively acts as an element that can be used for identity verification even if all traffic is encrypted. This is not a small issue.
These issues are not unique to Signal, but they should not be swept under the rug. FWIW I do not claim to have read or audited their code, I just feel the use of PSTN IDs (== highly available link to personal identification) is a total farce which introduces huge risk for nearly no benefit to users and is fundamentally incompatible with their nominal public stated goals (again haven't read the official text) of end user security if that security is supposed to be best-effort.