Hacker News new | past | comments | ask | show | jobs | submit login
Privacy is priceless, but Signal is expensive (signal.org)
1114 points by mikece 9 months ago | hide | past | favorite | 907 comments



You have to appreciate the complete transparency, gently nudging towards giving without ever begging for it.

Refreshing compared to the alternative that Wikipedia is showing, with the tantrum-like emails we receive from their CEO like "LAST REMINDER" or "We've had enough" ; which they ironically send to people who gave.


Those are just non-profit fundraiser consulting tactics. Don't take them personally, just ignore them. The reason they exist is that Wikipedia has too much money, so they spend some on consultants who say they can raise more. It's weird, but that's how the world works.

I would much prefer the Wikipedia endowment model of non-profit orgs. They have a standard operating procedure with a predictable budget, and endowment that let's them run indefinitely, and we just have to suffer through pledge drives. I just block them with ublock filters. I gave them 6 dollars back in 2012, and according to their marketing that is enough for life.


> Don't take them personally

No. They are meant to manipulate me personally, as well as other persons I care about. I will take them personally.

More broadly, I don't have to excuse bad behavior just because somebody's making money off it or because it makes some too-narrow metric go up. Yes, it's a complex and imperfect world. But to me that's a reason to work harder to make things better, not a reason for people to say, "fuck it" and make the world worse.


> They are meant to manipulate me personally, as well as other persons I care about. I will take them personally.

This, absolutely! they play on people's psyche and mental cabling by trying to guilt you in the same way your parent would ; it's manipulative, and I have an absolute hatred for these tactics.


I'm good at detecting manipulation now, and the more someone tries to manipulate me the less I will give in.

I just put my money toward people who don't do that crap, and I want the manipulators to see that I'm giving money to their non-manipulating competitors.


I agree with everything before the semicolon. But as an NPR listener, I find it hard to be offended by it.


I bet NPR spends far more of their incoming money on their main product.


They're not your parent, and if you treat them as such, that's a problem you need to work on addressing.

Parental manipulation works because it's completely reasonable given the relationship for it to be effective. It's a betrayal of trust.

If a company tries that tactic and it "works" too well, that's an opportunity to evaluate your psyche, not get mad at them.


Companies do it because it works. You're blaming bad behavior on the people that are being manipulated because, according to you, they have psychological problems. As if the people being manipulated being disabled somehow excuses the company taking advantage of them.


Exactly. Taking advantage of vulnerable people is not a legitimate defense, the fact that they are easily exploitable makes the behavior even less moral.


I'm not saying they are not wrong - it's unfortunate that there is a second hand market for fundraising consulting. It doesn't accomplish anything productive, yet here we are. The key point is to understand that this is caused by Wikipedia having too much funding, not too little. As internet denizens, we can be proud that an open source store of knowledge has money to blow on wasteful consulting, and then proceed to create our ublock filters worry free.

This is different than what is currently going on with venture backed services like reddit and youtube. I would argue that we should block ads there too, but there it is an arms race where we have to consider ways to protect ourselves from encroaching privacy violations. It's much ruder, and that is something we should actually be mad at.


With respect you are misinterpreting personally here.

They don't know you; they don't know me. I'm a nobody, just like you.


I fail to see how being strangers excuses the behavior. You don't have to know each other to cause offense.


I'm not excusing it. I'm saying "do not take it personally" is excellent advice.


Ah, misunderstood, my apologies and agreed.


> Those are just non-profit fundraiser consulting tactics. Don't take them personally, just ignore them.

I don't take them personally, of course, but they do encourage me to avoid forking over any money.


any excuse to not donate!


Not really. They send those emails only to people who donated before.


I donated regularly until I learned the darker side of their behavior. If they’d be more transparent, I might start donating again. Is it so awful to ask for organizations to act better to receive voluntary support?


It's a good idea to be careful where to donate your money to. Most of us have limited resources, and while we should donate to worthy causes certainly, we have the responsibility of at least trying to put those resources to good use that reflect our own values.


Wait till you find out the truth about matching donations.


So...is Wikipedia at the level where they can invest to ensure they're sustained indefinitely?


Wikipedia? Yes easily.

Wikimedia? No, they're a money black hole and will eat whatever you give them.


You ever checked out Uncyclopedia? Nothing on that site is not like, hysterically funny and random. I'm glad Wikipedia has been such as inspiration to us all XD

Edit: check out https://en.uncyclopedia.co/wiki/Krispy_Kreme XD


What about Signal? The article they put out is like 30 minutes in my audio reader lol


> Those are just non-profit fundraiser consulting tactics. Don't take them personally, just ignore them. The reason they exist is that Wikipedia has too much money, so they spend some on consultants who say they can raise more. It's weird, but that's how the world works.

It's still shitty, even if it's a shitty "standard practice" and not a shitty thing being done to me particularly.

Honestly, it seems like Wikipedia's goodwill is seen as an exploitable resource, that people in Wikimedia are using to do other, unnecessary things (probably building little personal fiefdoms).

Sort of like Mozilla, actually. IIRC, they literally won't let you give them money to fund Firefox development, and any donations you give them go to fiefdoms almost certainty entirely unrelated to why you gave them money.


Yeah I agree. But that's consulting for you. There is a lot to not like about the evils of consulting, but wikipedia being free and doing pledge drives are on the more mild side of what's wrong.


It's basically a attempt at sql injection to the brain. Can't wait for AI glasses to filter that crap once and for all from reality.


I donated to the Southern Poverty Law Center a few years ago. A physical address was a required field on the donation form. I have never stopped regretting it, because GODDAMN! They started hammering me with physical mail asking for more money immediately and have not stopped.


I had this happen years ago, ironically I'm pretty sure they spent more hounding me for the next dollar than i gave them (like $25).


In case you're still giving money to them, perhaps consider not donating to an organization that marks people as bigots for speaking against religious extremism.

edit They do do a lot of good work in marking actual hate groups though, so I suppose it's a net positive still even if they miss a few strikes.


Just curious why you used an address that's associated with you. Choosing the address of a place like a park, which is a real address that has no mailbox or direct association with you, ought to be the default if you don't want to be spammed to hell and back.


I was young and naive! Also, I wanted to make the donation immediately, while I was thinking about it. I didn’t want to put it on a back shelf of my mind and forget about it for a few years, and I assumed “The Good Guys” wouldn’t use my information in a negative way.


You might want to receive a tax receipt.


I've usually been able to get that in email form.


Apologies in advance as I may be saying contrary to the sentiments here against Wikipedia fund raising. I also get the same emails and the banners. I diligently donate what I can. I don’t know where my funds will go. But what I do know is that I use that website practically twenty times a day and get something of value.


Wikipedia is particularly insulting because they make enough money to cover the actual costs of running Wikipedia (the site) in days if not hours, and could operate for years without any additional donations: https://news.ycombinator.com/item?id=32840097


Is it personally insulting to you that a completely free high quality services sometimes ask if you want to donate what ever small amount you'd like?

You'll be proper mad when you realize how much money that other company, whom you regularly pay for access to their services, has in the bank.


It's personally insulting that they lie and make it seem like they need the money to keep running, and that your donation will go towards helping Wikipedia itself, when they do not and it does not.

There's a difference between "donate if you appreciate this website" and "donate if you appreciate this website because we will have to shut down otherwise (not really though)"


Wikipedia is... nuanced. Keep in mind that the entity doing the fundraising is the Wikimedia Foundation. They pay the hosting costs, but return nothing to the actual Wikipedians (editors, admins.) Instead, what's left is used to pay the salaries for hundreds of administrative employees, fund third-party charities, and so on. You can love Wikipedia but have misgivings about the Foundation.


It’s openly a grift. The fundraising messages are disingenuous.


We are really the ones who provide that high quality. Wikipedia isn't edited by the Wikimedia foundation.


Is that including staff + trying to do new stuff or just the servers.


It includes staff, but not new stuff. The new stuff seems to be mostly things not directly related to Wikipedia, like funding third-party projects or causes. I'm trying to be politic here: many people don't like the projects they are funding with donation money, and others just don't like that they give money to any projects, and other people don't like that they keep the banner up after they've paid for salaries and keeping the lights on.


And others, like me, resent any hard-sell tactic and won't give money to anybody using them.


Why should Wikipedia do new stuff? Or rather, why is it okay for Wikipedia to lie to people to get funding for their new pet projects?


> Why should Wikipedia do new stuff?

Because it's not perfect yet?

The point of Wikipedia is not to have some servers ticking over. The project has a vision: "Imagine a world in which every single human being can freely share in the sum of all knowledge."

I agree it's not ok for them to lie, and am bothered enough by their dubious fundraising tactics that I stopped donating. But that's a totally separate concern than whether Wikipedia's mission is complete.


What is the mission for Wikipedia beyond doing what they already do, which is just hosting the largest internet encyclopedia? Purely curious because I thought Wikipedia was pretty much at its end game for what it wants to accomplish that is the job of the organization rather than the job of all of its volunteers.


> The Wikimedia Foundation's mission is "to empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally."

Its mission is not just "hosting" - actually creating an encyclopedia is much more than paying for the server costs.

Wikimedia produced many very useful projects which often integrate into Wikipedia, but work well standalone as well, and work towards the stated mission - projects like Commons, WikiData, WikiSource. Some projects are more useful than others, but that's just normal.


Wikipedia is the marketing face of Wikimedia. People donate to the first, but the money gets used by the second, and Wikimedia grows to use all of the money it receives. Wikimedia has no solvable mission, its just a mechanism to turn donations for a project people like into donations for arbitrary causes.


> The project has a vision: "Imagine a world in which every single human being can freely share in the sum of all knowledge."

That's not their vision. Not only do they require entries to be notable, they'll remove information from articles that are, in their editorial judgment, too long. Neither action is compatible with the goal of sharing the sum of all knowledge.


It is, because removing this barrier to entry and editorial power would lead to spam and SEO bullshit, which arguably already exists. Knowledge does not equal amount of content.


Stop conflating wikipedia and wikimedia.

Little of the new stuff is for wikipedia and what's there is of questionable value.


Why not? Wikimedia intentionally conflates the two in their own funding drives, which is exactly the issue we are discussing in this thread.


I see mentioned something like making a new editor UI. This is quite important for the longevity of Wikipedia.


Some of those new projects are directly applicable to potentially improving Wikipedia. Some.


https://wikimediafoundation.org/about/annualreport/2022-annu...

Seems almost mundane, as if they’re running a very effective foundation that’s actively achieving their goals. See the recent Cambridge study that explored how their governance has been effective at promoting moderate discourse while suppressing misinformation and hateful content: https://www.cambridge.org/core/journals/american-political-s...


Uh, the opening paragraph of that second leads reads to me like wikipedia effectively got ideologically captured and got rid of all editors who didn't agree.


Seems off. They have 250 million in net asset and hosting costs 2 million a year while they spend 88 million on salaries and still beg for money each year?


> which they ironically send to people who gave

I'm a lifetime member of my university's alumni association. This means I routinely get physical mail with headlines like, "YOUR OFFER INSIDE," and then the "offer" is to give them more money.

Sigh.


There was a comic I've never been able to find about wikipedia asking for money, it basically had them being that one crazy dude yelling at you to donate, and getting worse as time passed and you tried to ignore them. Then it showed a raw screenshot of wikipedias nag screen. Unsure who drew it or where it went, but I regret not archiving it, because it conveys what it feels like every time. I just don't want to donate if I have 0 control of where my money goes. If it's straight to paying the bill for the infrastructure, then sure.



No but that's kinda good lol


2022 Salaries for those interested: https://projects.propublica.org/nonprofits/organizations/824...

Compensation Key Employees and Officers Base Related Other

Jim O'leary (Vp, Engineering) $666,909 $0 $33,343

Ehren Kret (Chief Technology Officer) $665,909 $0 $8,557

Aruna Harder (Chief Operating Officer) $444,606 $0 $20,500

Graeme Connell (Software Developer) $444,606 $0 $35,208

Greyson Parrelli (Software Developer) $422,972 $0 $35,668

Jonathan Chambers (Software Developer) $420,595 $0 $28,346

Meredith Whittaker (Director / Pres Of Signal Messenger) $191,229 $0 $6,032

Moxie Marlinspike (Dir / Ceo Of Sig Msgr Through 2/2022) $80,567 $0 $1,104

Brian Acton (Pres/Sec/Tr/Ceo Sig Msgr As Of 2/2022) $0 $0 $0


Aside from the salaries, which I agree are a problem, I think there are a lot of architectural issues that are both costly and not so secure.

> We use third-party services to send a registration code via SMS or voice call in order to verify that the person in possession of a given phone number actually intended to sign up for a Signal account. Simple solution, go distributed.

6M $ for that. Stop doing that. What do dictators control? Mobile phone networks and other infrastructure. And, yes, they really do go after people any way they can.

This "cost" puts people into danger. Coupling identity and operator infrastructure is a critical privacy flaw. And a costly one too apparently. If your #1 goal is to be the most private solution, this cannot be tolerated to continue to be the case. Get rid of it. Your identity should be your cryptographic key.


> which I agree are a problem

Are they? These salaries are much lower than most tech competitors. I know we like to call out "high" salaries when a useful service is struggling - but they'll struggle even more if they can't retain good talent because their pay is too low. There's a reason tech skill in government is generally lower than that in industry, for instance.


> Are they? These salaries are much lower than most tech competitors.

That really depends on the location these people are working from. In most of the world, those are insanely high salaries.

A company like this doesn't need to be based in SV.


I tended to agree with your sentiment. But the reality is that for some unknown reason to me, it's companies from SV the ones that get famous and used globally.

Why didn't this start from say Mexico? Or Singapore or Vietnam? Or at least Germany which has a good record of freedom conscious tech scene .

My bet is in something related to the "maslow pyramid": people in SV have so much money that have everything solved in their lives, so they have the luxury of spending their time in this sort of problems.


Many messengers companies started outside of SV,

• Telegram - Founded: Russia, Headquartered: Dubai, Users: 500M+

• WeChat - Founded: China, Headquartered: Shenzhen, Users: 1.2B+

• LINE - Founded: Japan, Headquartered: Tokyo, Users: 84M (Japan)

• Viber - Founded: Israel, Headquartered: Luxembourg, Users: 1B+

• KakaoTalk - Founded: South Korea, Headquartered: Jeju City, Users: 52M+

• Zalo - Founded: Vietnam, Headquartered: Ho Chi Minh City, Users: 100M+

• ICQ - Founded: Israel, Headquartered: Cyprus, used to have big market share

• Skype - Founded: Estonia, Headquartered: Luxembourg/USA, Users: 40M daily


1. It's a network effect. If you're raised around doctors, go to school with prospective doctors, and your school gets many university recruits from a good doctor college, you will strive to be a doctor more likely than not. SV had a bunch of tech companies and falls into the same kind of environment.

2. It's probably a matter of Venture capitalists. Even if you aren't from SV, you may strive to go there to get funding for a pitch or find talent. Similar to your prospective actor that moves to Hollywood. Go where the crowds are.

Now, we can ponder why SV became a tech hub, but current market forces makes it ripe for tech startups.


Salaries for executives in most tech competitors are inflated and should go down, starting with Signal.


Is 700k for a CEO really that inflated? You can probably find a few people here in HN as an IC making even more money at some top tech company.


I agree, if you lower the salaries now they will probably leave.


Nonsense. Asking for donations as a millionaire (which is what these people are) is a bit awkward.

This only makes sense if you ignore the world outside the Bay area and assume it's a talentless wasteland. Bay area salaries are vastly inflated in terms of value for money.

There is lots of talent elsewhere of course. I live in Europe. Lots of smart people here. I think I personally know quite a few people that could do at least as good a job as Signal has at building a messenger app + platform. No offense, but this isn't exactly rocket science.

And of course the elephant in the room here is that money is running out because this organization has a cost problem. Inflated salaries, insane cost for things that they should arguably get rid off (like the SMS bills), etc. That's a leadership problem. They aren't even getting value for money despite those salaries.


>I think I personally know quite a few people that could do at least as good a job as Signal has at building a messenger app + platform. No offense, but this isn't exactly rocket science.

They are building a secure communicator that a normal person can reasonably use - and succeeding. Something nobody else before them managed to pull off. If this isn't rocket science I don't know what is. Not to mention that they pioneer cryptographic protocols in this area, which other messengers later use.

>This only makes sense if you ignore the world outside the Bay area and assume it's a talentless wasteland.

I'm also from Europe (and love it, despite its flaws) but this comes off like whining. If it's really so easy, maybe the smart people here should create their own Signal and reap that overinflated salaries, what do you think?

Or maybe smart people are not enough and you also need VCs, reasonable taxes, laws... Oh btw, did you hear about those plans of EU to get rid of E2E encryption?


Maybe EU is underpaid instead of Bay area overpaid?

But it's hard to compare EU and US salaries directly. You got taxed way more and your health care isn't bound to your job.


Their #1 goal is not to be the most private solution. Their goal is to make day-to-day communications of most people difficult to surveil.

Day-to-day/People is why they keep the registration process familiar to other platforms like WhatsApp/Telegram. "Most" is why they try to compete with Telegram/WhatsApp on features to drive adoption (see Stories and Announcement Groups).


Have you tried verifying your contacts? It's clunky, but I believe this is how signal handles the problem:

https://support.signal.org/hc/en-us/articles/360007060632-Wh...

Using signal without verifying contacts is like bit like using HTTPS without verifying certificates. It prevents passive monitoring.


Outsourcing identity to operators just moves the problem. And it adds a lot of privacy and security concerns. Besides, other platforms manage just fine without phone number based authentication (which is what this is).


> This "cost" puts people into danger.

They know this, but it's likely a precondition of not getting Joe Nacchio'ed. It's a feature, not a bug. Signal's partners* in FVEY IC/LE have given them a lot of latitude in developing a very solid e2e cryptographic protocol and application as long as the users themselves are identifiable.

The pigs don't need to backdoor the protocol or the keys as long as there is more than one party to a conversation and each party is identifiable. The prisoner's dilemma, in real life, almost always gives the pigs a defection.

My pet conspiracy theory is not that Signal is evil, but that Signal is being allowed to operate by the pigs as long as account identifiers are very difficult to anonymize. They are likely very good people with good intentions, but when the FBI or NSA makes you an offer you can't refuse, you do the best you can.

*: I'm not suggesting Signal is in bed with IC. Just that if you operate a communications service of any scale, IC/LE will be your partners whether you want them or not.


The reason I don’t use signal much is this link to a phone number.

Both because sometimes I don’t have a phone number. And I don’t want participants to know my phone number.

I don’t get why they have this requirement as it’s not like having a phone number means anything significant. For me, I think privacy includes my ability to not reveal my identity to the network.


> And I don’t want participants to know my phone number.

They're currently in the testing phase of allowing phone numbers not be known by your conversation partners: https://community.signalusers.org/t/public-username-testing-...


You still need to register with a phone number though. Until that's no longer a requirement, I'm personally not using Signal.


Interesting take. What is your current secure messenger of choice?


I'll ask the question you're implying out loud.

Why does an organization with about 50 employees need 4 C-level executives, totalling about 2M compensation per year? Or perhaps it's 7 C-level executives (3 hiding under the "Software developer" title) totalling about 3,7M compensation per year?

I'm absolutely not donating money to such a thing without an answer to this question. As a counterpoint, I am a member of a local (Finnish) non-profit organization, one of whose many services is Matrix. This costs me 40 euros per year and none of that money goes to C-level executives.


I find this hypocritical. C executives of tech orgs with world class products often have eight figures compensation -- if not from salary then from stock options. I do not see any excess here. You need to pay to compete.


> I do not see any excess here. You need to pay to compete.

What you mean with pay to compete? The goal of Signal to exist is to offer a privacy oriented chat app. Non-profit companies serve a propose, and people not aligned with that, shouldn't be working there in the first place. If you join a non-profit to make money, you are doing it wrong.


So all the programmers who work there should live on thin air? I agree that ideally the management should not be there for profit, but come on, the salaries are not even that crazy. I suspect FAANG key employees in that area easily earn multiples of that.


> Signal is competing with for profit companies for talented engineers and their

> talented leaders.

In Bay Area? I'm quite sure you get great people all around the World, or in USA, by much less.


That line of thought is exactly why FAAMG companies tried to lower salaries for CoL when they opened up to more remote roles. I don't know if thst was fair, but it wasn't something appreciated by many engineers during the pandemic.

It's also how and why long ago they tried to outsource a lot of engineering. They still do try. But that's not an easy transition either.


> So all the programmers who work there should live on thin air?

We are talking about C*, Engineer Manager, getting almost 700k/year. Not developers.


Yes, so what's the problem?


> Yes, so what's the problem?

What is the problem of managers of a non-profit company earning around 700k/year and the company is writing blog posts complaining that the the company operation is too expensive? I think if you read it aloud, you will understand it.


When the numbers total $50m in operations and the CEO is making about as much as a principal Google engineer: no, I don't see the issue. Even if he made $0 the issue remains given that every part of the server operation costs more than him.

But sure. What do you think is a fair salary or totalccomp for a founder and CEO of a popular, privacy focused app?


> CEO is making about as much as a principal Google engineer

From a company living from donations... It is illusion (probably a California thing), to think that you are going to compete salary wise with FAANG. The time will tell (well their complaining about money, is already hinting it)...


But they aren't. A principal engineer is not a CEO but probably makes more at top companies.

I don't even work at a FAANG and I was making almost as much as the director there who lists 200k or so total comp. Probably with 20 years less experience to boot. I don't live in SF either; High CoL area but not SF.

That's why I asked you what's a "reasonable" salary. I'm wondering what your POV here is in terms of compensation.


Top European salary would be a third of that.


Signal is competing with for profit companies for talented engineers and their talented leaders. You can't just cobble together something "good enough", this thing must be airtight given some of the dangerous situations it is used in.


And you get a world-class service that a lot of people can use for free and keeps their communication private in return. I'll happily keep donating for that.

I'm sure there are some costs that they could theoretically cut without consequence. Because the same holds for any other product I buy.


Indeed, I’m blown away these numbers are so low. I know multiple senior software engineers at FAANG companies who make more than the software engineers on that list, and they contribute roughly nothing to society. I have zero qualms with Signal executives and employees being paid at that level.


> We estimate that by 2025, Signal will require approximately $50 million dollars a year to operate

And from the link: https://projects.propublica.org/nonprofits/organizations/824...

- Other Salaries and Wages $9,665,761 - Executive Compensation $744,037

So about $10,400,000 a year in compensation and wages, or about 21% of their running costs.


So if I give 5 euros, 1 of this will go to salaries. I'd say not terrible. I wouldn't be surprised if most charities are worse.

One just have to get over the feeling that I'm donating to a charity of people who make 50x more money than I do with a comparable skill set.


2M in comp distributed between 4 people is not a lot at this scale in my opinion.


It is for a non-profit asking for donations. If they want half a mill salaries, they should become for-profit instead.


The beauty of non profits is everyone thinks they're staffed with saints, when the truth is far less beatific.


Absolutely. A former student of mine worked for a non profit in Afghanistan (his home country) for a few years. Said non profit was flying in McKinsey consultants for very short gigs at six figures (USD).

Same can be said about many LGBT non profits that have shifted their goals in the developed world on the "T" part of the acronym. On countries where marriage equality is a given, no one is going to fund an NGO focused on gay marriage... so they need a new cause to fight for.


to me this smells transphobic but it's possible the trans genocide several US states are working on made me oversensitive


How is it transphobic to say organizations focused on LGBTQ shifted their alignment for the one part that isn't widely accepted in developed because others for the most part are?


Its a transphobic conspiracy theory to say, as moravak1984 explicitly did upthread, that they did it for money not because its an actual real issue where they perceive an injustice, whereas the issues where they've already won, and thus are shifting some attention from, are not, or less so, specifically because they have succeeded in shifting the situation on the ground.


Why is it transphobic? Is it not possible for an organization to do something for money? I am not accusing any particular organization of doing so, but it absolutely should be a legitimate concern/question.

In fact, I would consider it transphobic to not call out organizations with ulterior motives.


The reply to my suspicion from the same person was so transphobic it got removed. I can smell these people from a mile away. Fragments of it survive in https://news.ycombinator.com/item?id=38301956


The reply to my suspicion was so transphobic it got removed. I can smell these people from a mile away. Fragments of it survive in https://news.ycombinator.com/item?id=38301956


My reply was calling out your ridiculous and hyperbolic claims of "genocide", and examining the reality behind the euphemism.


[flagged]


> safeguarding of children against mutilation and sterilisation,

I am so, so tired.

None of that happens.

GnRH analogues are commonly used in gender affirming care, these are reversible.

Surgery is not done on minors.

> the protection of women's single-sex spaces,

Predatory men have absolutely no problems finding opportunities to predate on women. This made up crap need not happen.

You are parroting sound bites on issues you have no understanding of. For the sake of humanity, literally, please stop and start reading. You are on a very dark path.


> Surgery is not done on minors.

Sadly, this is not true. See for example this paper on 'gender-affirming' mastectomies, where the cohort included girls as young as 12 years old: https://journals.lww.com/annalsplasticsurgery/Abstract/2022/...

Also this article from Reuters on rates of 'gender-affirming treatment' in children, from health insurance data, which shows that girls as young as 13 are receiving 'top surgery': https://www.reuters.com/investigates/special-report/usa-tran...

There have been cases of minors getting genital surgery too. For example Susie Green, who used to run the Mermaids charity, is infamous for taking her child to Thailand on his 16th birthday for penis inversion surgery.

> Predatory men have absolutely no problems finding opportunities to predate on women.

Exactly, any male who disregards women's boundaries and imposes himself on a female-only space is exhibiting predatory behaviour by ignoring the lack of consent. Those males who call themselves women are no exception to this.


Trans women are not males who call themselves women, though.

If you insist they are , that's denial of trans existence and that's the road to genocide.

Trans women are not males who call themselves women, though.

If you insist they are , that's denial of trans existence and that's the road to genocide.

Apparently I was wrong on top surgeries. I will be more careful with phrasing then. However, sterilization (aka genital surgery) still is not a thing.


> Trans women are not males who call themselves women, though.

They are male, by definition. If they were female then they would actually be women, rather than men trying to mimic women - which is the reality of 'trans existence' for these males.

They really have no business imposing themselves in female-only spaces. Rejecting this form of male entitlement and keeping them excluded from these spaces that are not for them isn't 'genocide' by any means. That is sheer hyperbole.

> However, sterilization (aka genital surgery) still is not a thing.

Genital surgery for minors is rarer but it actually a thing that happens. For example, reality television victim Jazz Jennings was sterilised at 17 years old.

Here's another male who had his surgery at 16: https://metro.co.uk/2019/12/29/transgender-teen-who-began-tr...

And another: https://www.dailymail.co.uk/femail/fb-6329525/WHO-JACKIE-GRE...


Idk man, I think this shit should be between the trans person and their doctor. We already pierce the ears and rip the foreskin off babies, and minors can get boob jobs and nose jobs already. Minors get all manner of drugs prescribed. If a doctor thinks some treatment is appropriate for a kid, okay. If it turns out to be medical malpractice we have the court system for that.

Also, I disagree that men in women’s bathrooms is inherently predatory. Frankly, this discriminates against fathers of young children because often one has to bring a daughter into the bathroom or change their infants diaper. Also, the bathroom thing is super weird, like how are you gonna enforce this in a non imposing, non disregarding of boundary way? Already butch women experience harassment for not performing femininity, and there’s news articles where nosy weirdos harass them in bathrooms…


> Also, I disagree that men in women's bathrooms is inherently predatory. Frankly, this discriminates against fathers of young children because often one has to bring a daughter into the bathroom or change their infants diaper.

I don't agree with you on this, in almost all circumstances they should be using the bathroom appropriate for the sex of the adult, which in this case is the male one. If there genuinely is no baby changing facility available that isn't in the ladies' bathroom then for the welfare of the child an exception can be made, but the father needs to check with the women using this space first.

This scenario is very different to the males who feel entitled to use women's spaces whenever they please and for their own satisfaction, rather than to provide for their child as in your example.

> Also, the bathroom thing is super weird, like how are you gonna enforce this in a non imposing, non disregarding of boundary way?

All that's really being asked for is for males to understand that female spaces are not theirs, to voluntarily refrain from entering, and to acknowledge that women have the right to have violators expelled.

The problem is that far too many males truly cannot conceive of the idea of simply respecting the space and boundaries of women. It literally doesn't cross their minds, so they immediately jump to whether or not women can forcibly stop them. The belief seems to be that if a woman cannot enforce this, they may take anything they like from her with impunity.

Perhaps that's not the connotation you intended, at least not consciously, when you wrote 'how are you gonna enforce this'. But I believe this form of male entitlement is what this implies, even with the best of intentions.


“How are you gonna enforce this when it primarily harasses the women you claim to protect” isn’t a male claim. Way more women who never experienced male puberty and don’t have/never had a cock and balls are sexually harassed about this shit than trans ever are, just because there’s probably 100x more short-haired small-titty chicks than trans women.

Also, frankly banning fathers from protecting their daughters in bathrooms and changing their diapers is discriminatory. There’s nothing predatory about a dad changing his infants diaper and it’s utterly disgusting to portray it as such. This is precisely the gender discrimination we should be fighting against as a civilized society. Women aren’t fragile creatures who cannot see context and understand what is and isn’t a threat to them, and men aren’t inherently dangerous for not even interacting with women just being attentive fathers! This is so insulting to both sexes, I can’t even.


Like I said in my last comment, if you're thinking about female-only spaces only in terms of how women can forcibly stop men from entering, then you're looking at this from the perspective of male entitlement instead of focusing on women's needs. How about instead, the males just respect women's spaces, and stop trying to convert every female-only space into a mixed-sex space? Every time a so-called "trans woman" disrespects the space and boundaries of women for his own selfish pleasures, he's adding to this problem. It really shows how little these men actually understand and empathise with women, when they're exhibiting this dominance behaviour.

Also, some female-only spaces can be and are enforced by authorities with the resources to do so, for example prisons. It is well understood by most people that prisons need to be separated by sex for the safety and dignity of female inmates. The problem is that in some places, women's prisons have been incarcerating men who say they have a "female gender identity" in there too. There have been numerous cases of these men raping, sexually assaulting and even impregnating the women they have been imprisoned with. It is appalling and shows exactly why women need single-sex spaces away from these predators.

> Also, frankly banning fathers from protecting their daughters in bathrooms and changing their diapers is discriminatory. There's nothing predatory about a dad changing his infants diaper and it's utterly disgusting to portray it as such. This is precisely the gender discrimination we should be fighting against as a civilized society.

No, what is needed in this case are baby changing facilities in male and gender-neutral spaces. Not carte blanche access to female-only spaces by men.

Also please actually read my comments before responding. In no way did I say or even imply that a father changing his child's nappy is predatory. I believe it's a good thing when fathers are more involved in child care than is traditionally the case. You are railing against an argument you invented inside your own mind.


Nah you said Carte Blanche anyone male in such a space is predatory, including dad changing diapers and trans women peeing not talking to anyone. You’re also still not addressing the fundamental fact that women who have never experienced male puberty experience far, far more abuse by other nosey weirdos trying to get into their genitalia just because they don’t perform the sort of femininity demanded to enforce who gets to take a piss in the McDonald’s.


No, this is what I said:

> Exactly, any male who disregards women's boundaries and imposes himself on a female-only space is exhibiting predatory behaviour by ignoring the lack of consent. Those males who call themselves women are no exception to this.

Then it was you who brought up this unlikely scenario:

> I disagree that men in women's bathrooms is inherently predatory. Frankly, this discriminates against fathers of young children because often one has to bring a daughter into the bathroom or change their infants diaper.

To which I replied with the following, consistent with my earlier comment in that the father needs to ensure that if such a rare and urgent scenario should arise, he receives consent from the women present and to ensure he isn't disregarding boundaries and imposing himself:

> I don't agree with you on this, in almost all circumstances they should be using the bathroom appropriate for the sex of the adult, which in this case is the male one. If there genuinely is no baby changing facility available that isn't in the ladies' bathroom then for the welfare of the child an exception can be made, but the father needs to check with the women using this space first.

> This scenario is very different to the males who feel entitled to use women's spaces whenever they please and for their own satisfaction, rather than to provide for their child as in your example.

Of course the best option is that baby changing facilities are provided in unisex or male-only spaces too, which is often the case these days.

As for this part of your comment:

> You're also still not addressing the fundamental fact that women who have never experienced male puberty experience far, far more abuse by other nosey weirdos trying to get into their genitalia just because they don't perform the sort of femininity demanded to enforce who gets to take a piss in the McDonald's.

Firstly, there are no women who have experienced male puberty. The people who experience male puberty are boys and then men.

Secondly, this isn't a "fundamental fact", it's something you're claiming because you want to try to justify the invasion of women's spaces by men who pretend to be women.

Thirdly, I see you're still narrowly focusing on bathrooms and are ignoring the growing problem of these men demanding and gaining access to other spaces that were female-only up until their incursion. Any comment on, as I discussed above, that in some jurisdictions these men are being incarcerated in the female prison estate, and how harmful this has been for women prisoners?


Profit or non-profit is not about paying market rates. Even non-profits have to pay reasonably competitive salaries to attract and retain good employees.


Yeah but half of these should be competitive enough. Come on.


Competitive is just fine and even expected, but competitive vs FAANG? Seriously?


we ought to be well past this, if they want to be donation based they need efficiency.

it's possible to run this from, let's say, Andalusia, and hire competent folks for a fraction of this.


For a nonprofit?


A nonprofit doesn't mean it's a charity.


> 501(c)(3) tax-exemptions apply to entities that are organized and operated exclusively for religious, charitable, scientific, literary or educational purposes, for testing for public safety, to foster national or international amateur sports competition, or for the prevention of cruelty to children or animals.

Signal foundation is a non-profit 501(c)(3). It is literally and legally a charity.


Charities aren't charities in the colloquial sense of the word. It's not a truly altruistic collaboration of volunteers giving their time to help a cause.

Non-profit simply means that every bit of revenue made goes back into the company instead of given out to shareholders. Which includes paying your labor.

It being a non-profit is exactly why we can view the operating expenses and salaries of the public facing executives. For accountability.


A nonprofit asking for donations because of <good cause>? What is the definition of a charity then?


Does anyone have an idea why they did not list the combined salaries of all employees? They did seem to list all the other things...


They don't break out salaries specifically, but personnel costs are in this paragraph:

> To sustain our ongoing development efforts, about half of Signal’s overall operating budget goes towards recruiting, compensating, and retaining the people who build and care for Signal. When benefits, HR services, taxes, recruiting, and salaries are included, this translates to around $19 million dollars per year.


I'm kind of happy to don't see Moxie with such rockstar salary as for instance the CTO one..


From the same link, it seems like his compensation was much higher in all the preceding years. Not sure what changed this year, but I agree it's a bit refreshing to see. Especially since he's probably made good money throughout his career


I think the lower 2022 numbers reported for Moxie Marlinspike reflect that he was only involved as CEO until February 2022, so $80k would make sense as ~2 months of salary before Meredith Whittaker stepped up to the role.


Salaries: Pretty abusive salaries for a non profit but that seems to be pretty much the standard nowadays, right?

Bandwidth: I took at quick look and see that chat.signal.org resolves to AWS. If they are paying AWS for a lot of bandwidth, that is very expensive. Let's take a quick look:

   They say they use 20PB per year of bandwidth for voice calls alone, this costs them $1.7M a year.  
   
   According to AWS pricing for great customers (suckers) of over 150TB per month, the cost per GB goes waaaay down to $0.05, yay.  1.6PB per month is 1600000GBs, that's $80K a month and therefore $960K a year.

   Very roughly, a 10Gbp/s link to the Internet, from a Tier-1 provider will be around $800 (eight hundred dollars, you're reading this right) a month in a low-bandwidth-cost country like the US, possibly double that in say Asia.

   A 10Gbps link fully utilized (minus some overheads), translates roughly to 3 Petabytes per month, that's 36 petabytes per year, almost double their advertized amount of bandwidth needed for calls per year.

   So we have ~$10K a year (negotiable) for 36PB which is double their bandwidth needs but let's not forget that AWS graciously (geniously) charges for egess only, this means that their actual bandwidth needs are 40PB per year for whatever they are reporting.  So we have $10K for 36PB a year vs $960K a year for 20PB (actually 40PB) of bandwidth from dear Amazon.

   1. Not sure why they are saying the cost is $1.7M per year.
   2. Even at 960K it's daylight robbery.
   3. AWS makes an absolute killing on bandwidth costs.  Best. Business. Model. Ever.
   4. Don't these guys have a Devops pro at $300K+ a year? weird :)

Servers: I won't get into the numbers here as that's a lot more involved, and impossible without more data, but buying and maintaining your own infra, or possibly easier, renting it, would still be quite a lot cheaper than using AWS.

Takeaways: - Storage is something you should buy and maintain (Thanks B!), you swap out old/dying storage devices. See Backblaze.

   - Bandwidth, compute and storage costs at your favorite CSP are absolutely f'ing *outrageous*

   - If you care about your money, your bottom line, do things differently than the *insane* mainstream way of clickity-click on some UIs to provision services without understanding what's really happening under the hood (not saying Signal doesn't understand that part, I'm sure they do), or caring about the added costs of whatever gets so easily "added" to your "infrastructure". 

   - By having your stuff on a CSP you don't even have "infrastructure", but that's juts me.
Anyway, I do love Signal, what they do and what they represent. Keep up the good work.

Signal, mail me at m aaaat zynk.it if you'd like to talk.


> A 10Gbps link fully utilized (minus some overheads), translates roughly to 3 Petabytes per month, that's 36 petabytes per year, almost double their advertized amount of bandwidth needed for calls per year.

I understand this is napkin math, but shouldn't we consider that the load isn't evenly distributed? - in which case 50% average utilization seems extremely high


Sure, so multiply it by whatever you want. 10? You still get less than 100k a year and not $1.7M :)

100k a year for 100GBps, leaving it up to you to calculate how many petabytes per year you can pass with that.


>Salaries: Pretty abusive salaries for a non profit

Non profit employees aren’t monks, they don’t need to be talking vows of poverty.


I just donated $10 to Signal. Here's how to do so on iPhone in less than a minute:

1. Open Signal and click on your user icon in the upper left.

2. Go to "Settings" --> "Donate to Signal".

3. Click "Donate", select your donation options, and pay with Apple Pay.


Thanks, I just setup a $5 a month donation.

Love what signal's doing for the world.


I’ve got a recurring donation of $5/mo I set up ages ago


Me too! Set it up once and forget. I love their work and Unlike any other charity/nonprofit that I've donated to, they never bother me any further.


> I’ve got a recurring donation of $5/mo I set up ages ago

Thanks for that, I did a one off 300 euro donation back in '21 during the bubble market; Meredith has been doing the rounds [0] and she hits on lots of good points, and even went to the UK over their now failed bill during the Summer.

0: https://www.youtube.com/watch?v=ykfABSBeAVo


Me too


Does this entail a 30% cut to Apple/Google?



[flagged]


It’s the missing URL fragment.



Does it matter. 70% of something is better than 100% of nothing.


Because this isn't the only one way to donate, and if it were subject to the 30% cut, most people would want to know they could spend a couple extra hours steps for 30% additional impact on their donation.

Very few people are going "No apple pay? No donation."


> if it were subject to the 30% cut, most people would want to know they could spend a couple extra hours steps for 30% additional impact on their donation.

43% additional impact.


Of course it does, if there would be both 70% and 100% options to donate.


I had an old Apple Store & iTunes gift card laying around so I redeemed it and attempted to use it to donate via Apple Pay, but get "Apple Account - Not enabled for in app payments". Google isn't very helpful about exactly why. Am I missing some KYC somewhere or are payments of this type prohibited from "Apple Account" balances?


Also a reminder, your work might have a donation matching system. All the major tech companies do, so you can really boost your effect.


I guess maybe I'm missing the purported point of signal, attaching your phone number to use it notwithstanding, but attaching payment identity to it as well? Like, what's the point of going through the pain required to use it?


It is not meant as a anonymous messager, but an encrypted one, you can trust to not sell you out.


What is the basis of that trust?


Open source client AND open source server. And a quite transparent non profit running it.

But personally I actually would prefer a federated alternative like matrix.


Most people using Signal - and particularly most people likely to donate - are not using it to hide their identities, but to decrease the chance of unknown parties reading their conversations. My Signal account has my full name on it, and checking my top contacts, most of them do too (some only have their first name).


> I guess maybe I'm missing the purported point of signal, attaching your phone number to use it notwithstanding, but attaching payment identity to it as well? Like, what's the point of going through the pain required to use it?

Your payment info is not connected to your account.

https://support.signal.org/hc/en-us/articles/360031949872-Do...


The suggestion here is to use your iPhone to pay through Apple Pay.

Does Apple have any records connecting your recurring Apple Pay payment to your iPhone's phone number?


If you want to avoid that you can also donate through https://signal.org/donate/.


Signal is not for anonymity.

It's for security.


For some anonymity is security. Better to say it’s for message confidentiality.


There doesn't seem to be a way to pay annually, which I'd prefer to a monthly payment. £5/month is just a little high, but I'd merrily pay half that or £30/year.


There are two forms at https://signal.org/donate/, the second one lets you set a yearly donation at a custom amount (and both forms a monthly donation at a custom amount).


If you really need a lower tier, you can switch currencies to JPY, there's a monthly option for 500JPY which is about 2.67GBP.


Thanks for the suggestion; I just signed up for the $5/month plan. I have been using Signal for years, but never considered donating anything before.


:thumbs_up


So you donated to Apple too in the process?


Seriously consider setting up a recurring donation if you prefer Signal. They have delivered consistently over the years. I set the $20/month back when they introduced the option.

I'm curious what the breakdown of donations is. I only have 1 contact with a $10/month and 1 with a $5/month badge. Of course there could be others not displaying the badge. Signal really needs 500,000 people giving $20/month and plus the rich guys giving some millions on top of that to be in a safe financial position.

Maybe something that could be done to encourage donations is have the client estimate how much raw infra costs your usage created and display in the donation screen.


20/month for every chat service I use is very steep. I'd be spending more on chat services than on mobile data + unlimited calling + landline + DSL + streaming services combined!

They actual costs are apparently about 1 USD per year per user. I usually at least double (usually more) my incurred cost when the donation is optional, to cover for those who can't or won't pay, but paying 240× the cost price seems wasteful as well when there are other nonprofits that can do more good with every dollar you give them (be it solving poverty, climate change, whatever you find valuable) rather than one which has mostly fixed fees


I'm not suggesting every chat service get donations. I'm only giving to Signal, the rest of the chat services I have to use get 0.

I'm donating more than my costs deliberately because I fully understand that most users are not going to contribute money, full stop. I need those users though, because they are the people I want to privately communicate with. So the obvious thing to do is pay for as many other users as I can. If there's 50M monthly active users, and if 1% of them are like me and highly value Signal, then each of us 1% users can pay $20/month and cover the entire operation. Then the contributions of the super rich donors can be saved to rebuild the war chest.

$20/month is nothing to me considering the value I get. I understand that most won't feel that way, which is why I'm only appealing to those who do feel as I do to just get that recurring donation going now.


how many chat services do you use? and how many are making money off of you in other ways?


not who you replied to, but:

- signal for family and some techy friends

- whatsapp cuz some friends dont really get signal

- imessage cuz some friends dont get whatsapp nor signal

- viber cuz family across seas and that's whats popular there

- slack with some friends cuz it's nice to have focused discussions in channels

- discord cuz its better for gaming

- ig messaging cuz i stay in touch with less close acquaintances and some friends that way, comment on their stories and chat about whats going on in the moment


There's also Wire, IRC, Telegram, and Threema. SMS I also have a subscription on, but that feels different so I didn't include that in my count, and Keybase I haven't used in a while now but that might also be part of the list for some people


I fail to understand the point of supporting an organization that is completely against self-sovereignty like Signal is. Why would I want to pay someone to develop something that traps me into their platform and does not offer a way out?


Great, you go ahead and get all your friends in family using Matrix. I'll join you there when all that is sorted out and it's practical to get my lawyers and doctors and accountants and friends and family onboard. Until then, we'll keep using Signal.


First, you talk like Signal never had any issue with usability or functionality, which is far from the truth. Signal amount of bugs and security issues with their client is notorious, and the insistence of requiring phone numbers is just a silly "let them have cake approach" that is conveniently ignored for too long.

Second, are you hedging your bets and supporting Matrix or XMPP as well, or will you only encourage people to "donate" to the platform that you happen to have picked already?


Yes, I am encouraging people to donate to Signal because I prefer it. Why would I be soliciting donations for something I don't favor? If you want to contribute to something else go right ahead, but this is a thread about Signal's financial needs so it shouldn't surprise you that Signal supporters encourage other supporters to donate.

I also use Matrix. Element has been pretty good for a few years now, but it's still not smooth enough for mainstream use. (Encryption state in chats gets messed up sometimes, for example. It feels like Signal 10 years ago, and it's had security issues in its client also)

The Matrix protocol is also inferior to Signal in that all metadata is stored in cleartext on the server. You get to choose or run a server, but the protocol still leaks the user info to whoever runs the home server and to any foreign server that has a user in the same channel if you are using it in a federated context. Signal manages all of this by peer to peer messages where cleartext is only available to clients, which is really slick.

XMPP is just dead. Forget about XMPP. Matrix is the clear leader in the federated messaging system category. I'd like to see Matrix displace things like Telegram, Discord, and Slack. I may donate to Matrix affiliated projects in the future, as I also donate to other open source projects from time to time, but I'm not going to promote any of those things in this thread.


> Why would I be soliciting donations for something I don't favor?

Because you are (consciously or not) creating a self-fulfilling prophecy for one champion over the others. Worse still, you are asking everyone else to devote resources to your preferred champion when we have no reason to believe that this is long-term sustainable.

> The Matrix protocol is also inferior to Signal in that all metadata is stored in cleartext on the server.

As I said in another thread: I honestly care less about the security guarantees from one protocol over the other than I care about the fact that pushing for Signal would mean that everyone's communication would be tied to one single provider. This is a systemic risk that no amount of "you don't need to trust us, you just need to trust math" can ever mitigate.


I don't care about your preferences. I'm consciously using and giving money to Signal, and I'm encouraging others to do so. Go ahead and work on or use or donate to whatever you like.


You sidestepped the whole point about systemic risk and tried to argue based on my "preferences". My friend, that's as cheap a copout as it gets.

Sorry to break it to you, but if it was only a matter of preference, I would've been fine with Signal or even WhatsApp.


Just don't use it, don't generate cost for them, don't be trapped by them. Everyone wins.


The 50 million using them all lose because they are locked into a monopolistic platform.


they can communicate to anyone with WhatsApp, SMS, iMessage.... This is a closed system, not a monopoly.


Nobody is locked into Signal. It's free to use, and free to leave.


That’s not how platform lock-in works.


You can export to markdown apparently. Who's locked in? It might be a pain to import that into any other app but I don't think any messaging app is going to make that easy. You still have all your data if you want to bail


> pain

That's how lock ins manifest themselves


Sure. But honestly, what are you hoping for, and does any app provide it? Honest question.

I'd prefer a JSON dump but something's better than nothing.


Given how many activists have used it in overthrowing dictatorial governments, self-sovereignty seems an odd choice of words to claim it doesn’t support.


Perhaps it was a bad choice of words. What I mean is that they say "you don't need to trust us", yet they require you to run through them. They refuse to build their system in a decentralized way, and the more that time goes by the more the decentralized alternatives are showing they are as secure as Signal without forcing us to accept their restrictions like mandatory use of phone numbers for authentication.


> "you don't need to trust us"

you literally don't. It's a fully encrypted service. The literal purpose of encryption is to move data securely through insecure or even adversarial channels. Which you can verify, it's audited and open source.

They refuse to build the app in a decentralized way because decentralization is an ideological obsession that is useless in this context, and because centralized organizations can actually ship polished software that works for normal people and move quickly.


Centralized supply chain, and metadata protection is anchored on SGX.

They can use their pick of SGX exploits to undermine the weak metadata protections and they (or apple/google) could, if pressured, ship tweaked versions of their centrally compiled apps to select targets that use "42" as the random number generator. No one would be the wiser.

Signal is a money pit with a pile of single points of failure for no reason.

Matrix is already proving federated end to end encryption can scale, particularly when users are free to pay for hosting their own servers as they like, which can also generate income.


> They can use their pick of SGX exploits to undermine the weak metadata protections and they (or apple/google) could, if pressured, ship tweaked versions of their centrally compiled apps to select targets that use "42" as the random number generator. No one would be the wiser.

Signal builds on Android have been reproducible for over seven years now. That's not to mention the myriad of other ways that people could detect this particular attack even without build reproducibility.


Who is reproducing these and publishing results?

Moxie made it very clear he never wants third parties like f-droid -actually- reproducing and signing packages for distribution to de-googled signature-enforcing android distros etc. Providing side-loadable apks as an alternative a joke.

Third party builds and distribution would serve as public canary and be better for privacy forbidden. He argued the tracking advantages of centralized development and distribution outweighed any wins of allowing third party clients.

In reality a build published with a breaking change and a subtle crypto backdoor omitted from public sources may not be discovered for days or longer. Long enough to decrypt most every convo on the planet.


What’s your solution to this?


Something built like any other internet protocol with staying power.

A federated network with multiple strong client and server implementations that are able to be built, reproduced, and distributed by multiple independent parties. Like Matrix.

Matrix is far from perfect yet but it is miles beyond Signal in being a sustainable solution that can survive any single point of failure.


You can trust Signal all you want for data security. It doesn’t help you when they run out of money and shut down and all your messaging is gone.


> can actually ship polished software that works for normal people and move quickly

They can ship it, because they got a fuckton of money. But apparently they can not maintain it, because now they are crying about how expensive it is to run it.

Signal is acting like a sprint runner who signed up for a Marathon and wants to be carried out to the finish line after showing how much faster he was in the first mile. That's what I think is dishonest here.


> Given how many activists have used it in overthrowing dictatorial governments

How many? There's some news about it being recommended for use by BLM protesters, and about it being blocked in China, Iran, etc. Where is this info about it being used in "overthrowing dictatorial governments"?


Yeah this is the one thing I have against signal and why I always advise against it. Their stance against third party clients and federation.


Not completely ? Their server seems to be open source too now (with the exception of the spam filter) ?


Can I operate my own Signal server and talk with people on the "main" one?


You're moving the goal post from "self-sovereignty" to supports federation with an infinite number of servers. Nothing is stopping you from compiling your own Signal server and modifying a Signal client to use your server.

Given that Signal is free as a service, supporting federation only increases their expenses.


Without federation, Signal is still working with the advantage of network effects. So an open source server is not enough of a way out.

Element can do it for their Matrix servers. Process.one can do it for ejabberd. Prosody as well. Why can't Signal?


Back to your original point: please don't support an organization that doesn't share important values of yours! That is absolutely your choice!

You've named several products that share your values. Perhaps those would be a better fit if you were to donate.


Because centralisation provides ecosystem agility, which they absolutely value as an upside. Find a way of doing post-quantum secure key exchange? Just roll it out to the server and all the clients essentially overnight.

They've talked about this, a lot.


I'm well aware of their justifications. I'm also aware that centralization brings systemic risks, which they don't talk about.

The internet would be a lot more efficient and able to evolve if we just had it controlled by one single entity like Google or Microsoft. Do you think is a good idea to do that?

The economy would be a lot more efficient and allocation of resources could be a lot more fair if we could put it all in the hands of one single corporation or government. Do you think it's a good idea to do that?

Agricultural output would improve significantly if all crops used the exact same genetic strain and if all soil was artificially managed. Do you think it's a good idea to do that?

In case you are wondering, "ability to quickly roll out post-quantum key exchange" is waaaaay down the list of my worries compared to "facing a catastrophic Black Swan affecting all of the world's communications".


Signal is so far from being a monopoly that runs "all the world's communications" that these comparisons are essentially meaningless.

There's plenty of diversity in the messaging space. Decide your values, choose your compromises, pick your platform. Simple.


Some people avoid platforms out of principle. Look up «protocols, not platforms» if you have never heard of it.


Federation can only make security worse and I do not want it. You can have something else.


Security is extremely important, but it is not the only concern one should have when considering the design of a global communications infrastructure.

I worry a lot more about not having one single actor responsible in dealing for the communication of millions of people than about "quantum-resistant encryption".


> I worry a lot more about not having one single actor responsible in dealing for the communication of millions of people than about "quantum-resistant encryption

I'm glad you worry about this. Me and other people have other priorities.

You're putting an awful lot of effort into projecting your values onto other people, which is a bit weird.


> Me and other people have other priorities.

Did you watch "The Big Short"? You are sounding like one of those jocks-turned-real-estate agents that are bragging about how easy it is to make money and thinking the analysts were idiots.

> You're putting an awful lot of effort into projecting your values onto other people.

We live in a world where people are bullied for not using iPhones and showing up with different bubble colors on the chat apps and family members will refuse to call you on the phone and only accept you if you use WhatsApp.

All I am saying is "please let's not collectively put ourselves in the hands of any single entity". Are you sure I'm the one projecting values, here?


> Did you watch "The Big Short"? You are sounding like one of those jocks-turned-real-estate agents that are bragging about how easy it is to make money and thinking the analysts were idiots.

I've literally no idea what this means. Who thinks who's an idiot in this analogy?

> All I am saying is "please let's not collectively put ourselves in the hands of any single entity". Are you sure I'm the one projecting values, here?

I don't care what messaging platform you use. You appear to deeply care what other people use, and therefore what should be important to them. Yes, I'm pretty sure.


Genuine question: Does Tor fall under the definition of federation? Either way, a Tor-like model would have security benefits over a centralized system like Signal, right?


Tor is distributed, not federated. And it has drawbacks, like high latency and a lack of a centralized system for human-friendly names (because that would mean a system like DNS, which is centralized). As far as security goes, there's probably little benefit. E2EE doesn't get more secure because there's more encryption.

The most comparable system to Tor that has practical properties I can think of is maybe ipfs, but nobody will store your encrypted chat blobs for you out of the goodness of their hearts. Ipfs also tends to have high latency. A slow system of uncooperative nodes isn't what you want your messaging app built on.

A federated messaging system looks a lot more like Matrix. The obvious problems are that splitting users up over multiple nodes mean encrypted data doesn't live on your instance, it lives everywhere the people are you chat with. Another problem is what you see with bsky, where identifiers come with a domain name (like an email).

IRC is also federated (sort of), and there's a long list of tired, age-old problems. The most common one is simple: different servers have different features, so you can't reliably "just use it" like you can with Signal.


Because code is law, centralized systems that grow bigger than the polity they started in are inherently problematic. See Facebook in Burma/Myanmar as one recent infamous example.


Some centralized systems. But I don't think there's any evidence to suggest that's universally true. Nor is the implication that non-centralized systems don't suffer from similar problems, or other problems which result in substantially bigger drawbacks.


I'm willing to entertain the idea, what would be a counter-example ?

Old enough that the «honemyoon» period is over, say... a decade ?


bro, you're working for one of chat programs, yes? never heard of communick before. won't ever use it. if people ask me about it, i will show them how a person related to communick behaves in public.


You are creating an ad-hominem by thinking that I can not criticize Signal because I have a competing offer. And to add insult to injury, you seem to have a misconception of what Communick is.

Communick is not "a chat program". Communick is a service provider, which promotes and works only with truly open protocols. There is no custom client or lock-in based feature that I have. This means that if you are my customer and you want to move out you are absolutely free to get your things and move to a different place instantly.


yes, it's an ad hominem. people need to know who are you and what incentives behind them. if you're from a competing provider, other will need to take that into account.

also, if you want to peddle your stuff, make your own announcements or something.


I'm somewhat flattered that you think Communick is a "competing provider" to Signal. Or anything, really. Maybe I will add that to the "testimonials" section of the website along with other nice things I get to hear from my 8 customers.

Whether Communick exists or not, even if I close it down next week (because if we are being honest it is nothing but a money pit which I keep running out of spite and stubbornness, and unlike Signal I'm not panhandling for donations) my criticism of centralized messaging platforms would still stand: whether it's Signal, or WhatsApp, or FaceTime or Telegram... we should not be supporting any platform that centralizes all communications in one single place, no matter how "well intentioned" or even how "provably secure" it is.


Same. I have been doing the recurring payment since they offered it. Even though I'm effectively only using it with my partner. But that is every day

It feels good supporting something worthwhile.


I almost skipped reading into this article because I love Signal and it's mission (and their rare commitment to stick to it) and would have known it's good. Yet, the details on expenses and infrastructure was a good read. $1.3M/yr for temporary storage! $6M for verification codes during sign-up!? Toll fraud!? GOOG & FB data center spend, data breaches from GOOG, MSFT, et. al 50 full-time employees vs 3K or 4K for similar apps! All interesting.


The link about the Google "data breach" appears to be about some tax companies being sued for using Google Analytics tracking pixels. Calling this a data breach may be a bit of a stretch.


Thanks. I hadn't dug into that link, but I did based on your comment. It is a Congressional investigation that is rooted on a report from The Markup [1] that, as you note isn't about an accidental breach by Google, but one where multiple companies send extensive PII to Google about site visitors. While not necessarily a "breach", I think this lead of personal data plays to Signal article's point though. The Markup article's git repo with HAR files of what was sent to Google was convincing.[2]

[1]: https://themarkup.org/pixel-hunt/2022/11/22/tax-filing-websi... [2]: https://github.com/the-markup/meta-pixel-taxes


Didn't they do some sort of cryptocurrency thing. How is that going?

edit: it was called MobileCoin right

edit2: they do

https://support.signal.org/hc/en-us/articles/360057625692-In...

is that generating any revenue?


I have held off donating to signal so far exactly because there is no clarity around this token, why it was even added to signal and who profited from that.


And they stopped updating the server code repo for a year, apparently to hide the launch of this token: https://news.ycombinator.com/item?id=26725915

I don't think they ever confirmed that this was why they stopped updating, or did a postmortem on how poorly that launch went. I vaguely recall there was also an unexplained spike in MobileCoin trading shortly before the public launch that looked quite a bit like insider trading, though right now the stories I can turn up about it here are about similarly disconcerting and unexplained issues in its provenance: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

It's hard to take this fundraising plea seriously when this financial disaster is never even mentioned. I hope I've just missed whatever Signal has done to try to repair trust after the, but the fact that they haven't even removed it from the app is not promising. Can anyone share updates?


I for one will never donate to signal, and consider my $1000 (or $20k of never realized "fake" money, explained later) lost to mobilecoins to be my lifetime "donation" to them.

Short timeline of events from my side:

- Signal announces/endorses mobilecoin support, as their new and only cryptocurrency option

- I figure I'll get on it early this time after missing out on Bitcoin, despite Signal only supporting this in the UK (for now)

- Mobilecoin and Signal websites both mention FTX as being the only exchange where you can currently buy mobilecoin, never used it before but I go ahead, transfer $1000 worth (at the time) of bitcoin to buy mobilecoin

- There are currently no other wallets for mobilecoin (except maybe some difficult to use or obscure ones that looked sketchy? don't like leaving money on the exchange but didn't really have other options)

- Mobilecoin spiked on ftx, sold and bought back a few times, at the right time with some good luck, now have $20,000 of mobilecoin

- Signal finally adds support for mobilecoin in my country, proceed to try and withdraw it

- However, my country just announced legislation to require ID in order to buy/sell cryptocurrency, but it's not planned to go into effect for at least another 6 months or so, but FTX decided to start requiring it immediately and wouldn't let me withdraw without it (I could see they were still willing to take more deposits from me without it though!)

- FTX had trouble verifying ID, I already suspected what was about to happen, tried my best to get my crypto out but they kept having excuses, the ftx fall out and everything became known some months later


> I figure I'll get on it early this time after missing out on Bitcoin

So you only aped in because you were hoping to get rich without doing any work, and then you fraudulently opened up an account on a shady ass centralized exchange when you knew you couldn't KYC, and got your pretend money stuck, and then when FTX fell over it turns out it was never really there.

Cryptocurrencies are awesome. Greedy people who can't do research and complain loudly when their "get rich quick" schemes blow up in their face make everyone look bad :-/


> So you only aped in because you were hoping to get rich without doing any work, and then you fraudulently opened up an account on a shady ass centralized exchange when you knew you couldn't KYC, and got your pretend money stuck, and then when FTX fell over it turns out it was never really there.

> Cryptocurrencies are awesome. Greedy people who can't do research and complain loudly when their "get rich quick" schemes blow up in their face make everyone look bad :-/

Normally I wouldn't acknowledge this, but I find your assumptions and accusations about me quite rude, for someone who has been on HN for at least 12 years you should know the rules. I simply stated the timeline of events as is, because there is no denying the connection between Signal and FTX through mobilecoin, and I only spent what I could afford to lose, I was well aware of the risks.


> when you knew you couldn't KYC

What? Did you actually read what you replied to?


Yeah how can I trust the security of an app which is engaging in potential financial fraud. Like ffs, if your whole thing is trust and principles, don't start fucking around with things for personal financial gain.


Probably not much at all. Thankfully they didn't shove it down user's throats - its kinda hidden behind a setting. I guess if they did push it harder to users it may have generated more revenue, at the cost of users who won't put up with cryptocurrency rubbish.


Signal had 40 million active users in 2021 [1]. With 14 million in infra cost, that comes to .35 per user/year. Total expenses are about 33 million, so about .825 per user/year. All in all that seems very reasonable.

[1] https://www.businessofapps.com/data/signal-statistics/


Mastodon org + Mastodon.social also have costs of 0.6 EUR/year, though they have two orders of magnitude less users [1]. This is really what most social media costs. These rates are even payable by many in poorer countries.

[1] https://news.ycombinator.com/item?id=38117385


IIRC WhatsApp used to charge $1 per year

https://venturebeat.com/mobile/whatsapp-subscription/


With how much Mastodon.social tends to fall over when Twitter does something stupid (again), their rates are probably a bit too low for a more robust service like Signal.

Signal also intentionally doesn't store too much data, long term data costs will slowly grow over the years. I imagine for a bigger platform, costs can grow to multiples of the rates for Signal and smaller Mastodon servers.

€10 per year should be more than enough for most users, though, and it should be quite affordable for most countries.


Signal also fell over flat when the whatsapp outage happened a couple years ago. It's just difficult to handle spikes in demand.


Yeah, the issue is more that there is substantial friction in paying any amount of money, especially in poorer countries with no access to e.g. banking or payment cards. I'm sure no one here, and few people even in comparatively poorer countries, would object if Signal/their messenger of choice cost 0.60$ per year to use. The problem is that making the service have a ~1$/yr price tag (as WhatsApp once had) is itself a barrier to a huge portion of the target audience.


In Pakistan at least, sometimes you can donate to charity etc by texting a special number [1]. That subtracts some fixed amount from your prepaid mobile balance (which the vast majority of people use) or adds to your postpaid bill. I imagine its possible for some business to charge customers this way as well.

Then again, instant C2C and C2B digital payments using mobile phones is growing extremely fast in most of the global south.

[1] https://www.app.com.pk/national/pta-introduces-9999-sms-code...


Very legal and very cool? Sounds awesome :)


It’s beginning to sound like the 1 EUR/year that at some point WhatsApp wanted to charge and it seemed reasonable to me at the time. Signal is even better and even more so justified.


They used to "require" a subscription of 1$/year but it was not enforced. If you missed the deadline, nothing happened. It was basically the WinRAR model but for an online service.


That may have been an A/B testing of sorts then, because I was booted right away.


> whether you’ve been required to pay WhatsApp’s annual fee depends very much on when you joined the service, and even on what country you live in.

Source: https://venturebeat.com/mobile/whatsapp-subscription/


This is kind of the number I was looking for -- "Cover your own costs: $1/year. Cover yourself and five other people: $5/year." I feel like something pointing out that the costs are around $1/year on signing up, maybe with a reminder once a year, would get most people self-funding pretty quickly.


Reminds me of ... WhatsApp :D

(Originally WhatsApp charged $1/year.)


And I was SOOO happy when I heard WhatsApp's business model: Finally, I'M THE CUSTOMER! I gladly signed up for the "free year" and started getting other people to sign up for it... only to have it bought by FB, and never charged my $1 yearly fee. :-(

Then I tried to get people to use Telegram, but hey never implemented encryption by default, instead implementing things like chatrooms with millions of people... then I signed up for Signal, but waited to see what would happen -- and they started doing some weird crypto thing. Thankfully that all seems to have not been an issue, so I might actually start recommending Signal.


Yup. Same, re: WhatsApp and the $1 annual fee. It made so much sense "lightweight service, charge $1/year, have 1 billion customers."

These days I use Signal mainly. But also WhatsApp. And Messenger. And SMS for folks who don't have any of the others.

And my iPhone friends complain about how terrible it is to text Android-users, because iMessage.

Oh I should add that it seems that college students these days have standardized on messaging through ... instagram.


I'd be happy to pay $1/year for signal, and I'd pay $2/year if it were decoupled from my phone number.


If you pay Signal $1/year, they'll realistically see about 60-70 cents of that – and that's only considering payment processor fees.

Now add the cost of providing support (it's a paid product now!), payment handling on their end (in a privacy-preserving way, which excludes most common payment methods), and top it off with the immense damage to the network effect by excluding all the users that can't or simply don't want to pay $1/year...

Donations seem like the much better option here.


You can also charge for a 10 year minimum and get to a higher retained %

You don't need to provide support, even much more expensive consumer services live without a proper one, so being explicit about the fact that you only pay for infrastructure could suffice

Not sure why payment privacy has to be so strict for everyone

The network effect damage is real, but maybe it could be limited with donations :)


Selling a service automatically opts you in to all kinds of consumer protections, either legally or de facto through the dispute mechanism of the payment methods your customers use.

Just ignoring customer complaints and selling the service "as-is" is usually not an option.


Why is it not an option when it already exists in many places (all these protections fail all the time)? Your first sentence doesn't imply high/expensive level of customer service

Besides, even now they're not ignoring all the complaints, the do fix bugs?

Maybe to be more specific, how much did it cost WhatsApp when they had $1 price and a tiny team? How does it compare to the cost of SMS?


In a December 2013 blog post, WhatsApp claimed that 400 million active users used the service each month. The year 2013 ended with $148 million in expenses, of which $138 million in losses.[1]

FB acquired them next year and if my memory is correct there were 19 in the team then.

[1]: https://en.wikipedia.org/wiki/WhatsApp


That $ figure tells us nothing as it includes those same huge SMS costs that Signal is on an unsustainable path to rack up

With just a bit more effort you can see that most of those $148 are not related to the extra customer support we're discussing, but rather to the things that Signal is already doing

Costs and expenses in 2013:

Cost of revenue 53 (payment processing fees, infrastructure costs, SMS verification fees and employee compensation for part of operations team)

R&D 77 (engineering and technical teams who are responsible for the design, development, and testing of the features)

G&A 19


So for $10M revenue, they had $53M cost of revenue. I think asking for $1 is never going to be sustainable, even if leave all other costs. My guess is that "employee compensation for part of operations team" is the primary one taking all the cost, as payment processing fees couldn't be more than the revenue itself and one message is pretty cheap.


Why not? Someone calculated above that total costs are below $1 for Signal even with all the SMS waste (also, it doesn't have to be a literal $1)

Besides, the original point was about huge$ from running a paid vs free app, which isn't the case


Thanks for over-analyzing my comment. $1/year, $2/year, $5/year, is all insignificant in the wide array of things I pay for. Sure, I'd pay $10/year for Signal as it is today if they really needed me to. And I never said to make payment mandatory. You're just way over analyzing a simple comment.


I'd pay substantially more for Signal if I could bot accounts.

I'd like a signal daemon on all my servers for alerting which could message me via Signal. This is worth a monthly fee to me.

I know people running small businesses who would really like to have a business Signal account: an ability to send Signal messages as a business identity without tying it to some specific phone number. This would be worth a subscription even if they had to get their customers to install Signal.

Signal need to figure out what product they sell that's going to fund the privacy objective: because there's plenty and they're worth having.


If you want one for just personal use; this works well: https://github.com/AsamK/signal-cli

Just sign up with a Twilio number (using voice call) and you can make your own bot.


I know I could do these things, but the problem is (1) it's a cat and mouse game of trying to keep up with functionality they don't want to support and (2) means I'm not paying them for a service, which is the point of doing it.

IMO Signal need to figure out what they sell to people with the money to say "yes, this service helps me make money" so they fulfill the big mission statement. That's true viability.

Within that bucket there's some real obvious ones: server monitoring and alerting (I have Signal, let my severs have Signal so they can talk to me, maybe at an agreed reduced throughput rate so someone doesn't just try to run TCP/IP over it), and letting businesses have a secure multimedia messaging channel to their clients for notifications.


I find signald better. It also supports acting like a desktop client... so you can just add it to your account easily. signal-cli might do that also, but I stopped using it in favor of signald when I found that one.

But yeah, I hear you. It would be nice if it had a official bot interface where maybe all the bot's receipients have to be whitelisted so that it's easy to use for stuff like server monitoring but not easy to use for spamming.


I'd pay much more than $2 if they offered account identifiers other than phone numbers. Trying to get a burner SIM or DID while still staying anonymous is getting increasingly difficult.

But I think it's pretty clear by now that this is a feature for FVEY IC, not a bug. FFS, they burned development resources on stickers, but abjectly refuse to offer alternative account identifiers. The standard apologist response is, "but phone numbers make adoption easier". Sure, but nobody is asking to replace the identifiers, or even to make them nondefault. We're just asking for the option. It could be hidden behind a developer mode for all I care, but it should be there.

The fact that they abjectly refuse to do it is enough to tell you about what their true motivations likely are.


Agreed, at this point I don't believe the "privacy" aspect of Signal's sales sheet means anything. Most that I know use it primarily because they can have clients on all platforms, including desktop.


> We're just asking for the option

Indeed, the Wire messenger is done like this - it offers phone number, but has an option to not use them and only rely on the usernames (although I think you need to register in the web browser for that)


Based on App Store downloads on both platforms, they are well over 200M at this point.


A lot of people, myself included, have it installed but never use it after they dropped SMS support.

Only a tiny fraction of my contacts use Signal, and most of those are also on Whatsapp, Telegram, Discord, and others.

Signal offers essentially nothing to me.


The sms decision made signal go from THE messaging app on my phone to an app I only use with a very small subset of my contacts. It is infuriating that they didn't allow users to retain that functionality when it costs them nothing, and they could have disabled it by default.


I still use Signal a lot, since most people I frequently talk to use it. However, this was extremely frustrating. Having 1 messaging app for so long was incredibly nice.


You paid them nothing and are infuriated. Interesting.


Many people care about Signal, and it is okay to dislike their decision. OP didn't demand from Signal to support SMS, but they expressed their emotions about the change.

Signal is an awesome project but some of their decisions annoy many users. E.g. Signal does not allow to automatically save all pictures in the gallery. It's a privacy feature, but it's inconvenient since it forces me remember to download each image seperately.


Except real privacy?


Not even that, because it is linked to phone numbers.


Username registration is currently being tested: https://community.signalusers.org/t/public-username-testing-...


> and register for a new account with a phone number (you can use the same one you’re using in Production).

I hope that they make it so you can register WITHOUT a phone number. Perfectly fine if it's not the default. This is post is currently implying that is not currently the case.


So this puts signal on par with telegram, not above? Am I missing something?


Telegram's encryption is opt-in which means most people don't use the encrypted chats at all.



Signal is private, but not anonymous. Related, but two different things.


Afaik you can crrate an account without a number.


No. You can just hide it from other users in group chats now (and perhaps 1:1, didn't yet check but you still need one to sign up)


Where is the option for group chats please?


Does that require the sealed-sender thingy?


Not yet, but they are working on that.


Why is it more private than WhatsApp?


Pay attention to WhatsApp's wording (all privacy/security claims start with "your messages"), and their privacy policy, and you'll see that while message involving with individuals (non-Business users) are secured, your contact list is not, neither are chats with businesses or the metadata about you chatting (destinations, frequency, time)


I encourage you to read the article, but Signal minimizes the metadata it stores about you, doesn't hold on to you contact list, doesn't keep information about your IP address, etc.

WhatsApp instead makes tons of money from this kind of metadata.


Using WhatsApp means Facebook/Meta knows the timestamp, sender and recipient of every message sent.


My lawyer stopped using signal due to the sms support being dropped. It became too much of a hassle and wasn't worth it.

Many of my family also dropped Signal.

It is now really only used by the hyper-privacy conscious.


I really don't get why people are still using SMS. Is data really that expensive?


WhatsApp in 2013 spent 148 M$/y with 400 MAU, or about 0.375 $/user-year. That's remarkably similar!

https://en.wikipedia.org/w/index.php?title=WhatsApp&oldid=11...

(Small difference is that WhatsApp had a profitability of –93 %.)


Whatsapp got pretty big at 1 eur/year (iOS) and 1 eur for lifetime (Android) here in the netherlands.

I do fear they'll loose most tech un-savvy users because they don't know how to pay (safely).


That doesn't mean they were actually profitable at those rates though. They could have been in growth hacking mode with venture backing.


They were well-known for not doing that, though.


Hmm but then how did they manage before asking for that 1 euro? There were a whole lot of years where it was completely free (yes before the Facebook takeover). Here in Europe we've only needed to pay once or so until it got taken over.

There must have been some kind of venture backing because there was no money coming in at all from users for a long time.


I looked further and you were pretty spot on! It ran a loss of 138 million in 2013 alone according to their SEC disclosures for that year.


I wonder how many people paid the $5 for WhatsApp back in the day. It gave you nothing but you were able to do it. I think I did.



I've been using WhatsApp when the nominal $1/year fee was still around, but somehow never ended up being actually charged, and I don't know anyone that did.

It's possible that they were only enforcing it in some regions, though.


Indeed. I just ignored the dialog box the first time it popped up. But next year I paid. It was quite a big deal because back then it was equal to my entire monthly cellphone bill in Pakistan.

But I remember other people started to en masse switch to other messengers like Viber(?). And Whatsapp had to stop enforcing the fee.


I was billed 0,99€ (Germany) exactly once, but was able to use WhatsApp without payment for most of the time just by ignoring the notification. I remember that they repeatedly gave grace periods and just set another payment date a few weeks later.


The price changed a few times but they definitely had a lifetime thing once.

All pricing was entirely optional

Here's one reference to a different price (can't find lifetime except for people complaining that Facebook didn't honor it on original ToS)

https://www.wired.com/2011/11/whatsapp-messenger-app/


I have an old receipt in my Google Pay for whatsapp at a whopping 99 cents :)


I'm paying what works out to about 15 cents per "booking" in my app due to API fees. Maybe more,.. and I'm just now realizing we'll probably be losing money if people used their accounts to their limits. Like 500 bookings would cost me at least $75 but we charge about 50. Anyway $1/year is great


Definitely reasonable but the ultra privacy-conscious/paranoid can't easily donate or pay privately.


Sure, but privacy isn't black or white. A donation to signal does not compromise the content of your messaging.

So what you've leaked is the information that you have an interest in private conversations. This might be a problem in some countries, but I think it's fair to ask folks in affluent countries with working (sorta) democracies to shoulder that burden. I.e. you don't donate if there's elevated threat to your safety, there are enough people who aren't under elevated threat.

There's also the possibility of using a donation mixer like Silent Donor, though I'd evaluate that very carefully. (There's a record of the transfer in, and the mixer needs to keep temporary records for transferring out. There's also the question how you verify the mixer doesn't skim.)

Some donation mixers accept crypto currency, so for maximum paranoia, I suppose crypto->crypto mixer->donation mixer->charity might be workable. Or hand cash to a friend who donates in your stead.

As always, the best path is to set aside paranoia and build a threat model instead to see what the actual risks are.


There's never enough talk like this and I'm not sure why. It's always about the threat model. In this respect I always like to think of it in terms of probability. Probabilities and likelihoods aren't just about capturing randomness like quantum fluctuations or rolling dice, they are fundamentally about capturing uncertainty. Your threat model is your conditions and you can only calculate likelihoods as you don't know everything. There are no guarantees of privacy or security. This is why I always hated the conversations around when Signal was discussing deleting messages and people were saying that it's useless because someone could have saved the message before you deleted them. But this is also standard practice in industry because they understand the probabilistic framework and that there's a good chance that you delete before they save. Framing privacy and security as binary/deterministic options doesn't just do a poor but "good enough approximation" of these but actually leads you to make decisions that would decrease your privacy and security!

It's like brute forcing, we just want something where we'd be surprised if someone could accomplish it within the lifetime of the universe though technically it is possible for them to get it on the very first try if they are very very lucky. Which is an extreme understatement. It's far more likely that you could walk up to a random door, put the wrong key in, have the door's lock fall out of place, and open it to find a bear, a methhead, and a Rabbi sitting around a table drinking tea, playing cards, and the Rabbi has a full house. I'll take my odds on 256 bit encryption.


They take checks by mail. You definitely can do a cashier's check and I'm sure they'd take the "cash in an envelope" method that places like Mullvad do too. Looks like they also support crypto, and that includes Zcash. So I don't think this is a great excuse. The only "can't easily donate" aspect is going to also be tied with the "can't easily get a cashier's check or find an anonymous person to sell me bitcoin for cash" kinda issues, and when you're operating at that level I'm not sure anything is "easy." (but that's not that hard usually)

https://support.signal.org/hc/en-us/articles/360031949872-Do...


How is a check in any way private? Your name is on it.


A cashier's check doesn't.


Ah ok I didn't know those still existed. In fact even the named checks are long gone here in Europe lol.


Oh yeah, I have an old checkbook that I've had since like 2010 because the only ones I've ever used are for random landlords. Otherwise it's literally easier to get a cashier's check, which you can (in America) do at any bank or grocery store. Note that some are free and some aren't, so check beforehand. I don't think these will ever really go away tbh


I think they will, America is just very traditional. Things tend to stick around for longer. The magstripe also lingers there even though we've got rid of it for years (though unfortunately our cards still have them in case we need to visit the US - I don't like having them because they are skimmable).

Nobody would accept a check here anyway as they're not guaranteed. These days I pay with my watch or phone everywhere (Samsung Pay). I don't even use the chip on my card anymore. And payments between people happen digitally too (a system called Bizum here in Spain).


Maybe, but these some big utility to cashier's checks. They're essentially cash that can only be deposited by a specific party. I also don't think cash is going away anytime soon. And while it isn't common for me to issue a check, it isn't uncommon to receive a check. They're just always form businesses. Even ones that have my direct deposit information.

Fwiw, in America I use my phone to pay for everything too. But there are edge cases and tools like these often have utilities in domains that might not be common to the average person but are to specific groups. For example, these are often used in situations where cash is preferable but you wouldn't want to cary that around, like real estate down payments and buying a car. Some settings are sensitive to the exchange times (though that money looks like it is in your account instantly, it isn't).

I just wouldn't be so quick to make such a conclusion because it's pretty likely that your experience is not general. Despite America treating corporations like people, I'm pretty confident you aren't a corporation.

> Nobody would accept a check here anyway as they're not guaranteed.

Btw, a cashier's check is. Like I said, it is as good as cash.


Have you considered intentionally corrupting the magstripe data by running a strong magnet over it?


Hi, privacy and anonymity are different things. Named transactions can still be private.


There are clever ways around that. I use posteo as my mailprovider. They have a system where you can pay anonymously: https://posteo.de/en/site/payment


Signal requires a real phone number to open an account, you are not anonymous to Signal.


I can pop into almost any phone shop around here and walk out with a free SIM card, which I can top up for cash.


Phone numbers can be obtained anonymously in many countries. I have several anonymous Signal accounts, each with their own anonymous phone number.


It's possible in the US, but it's getting very difficult. I don't know anywhere you can buy or or borrow a DID with Monero anymore. Looks like they got to Telnum recently.

You can still buy a SIM, a prepaid PIN, and a phone with cash, but you'd need to pay a non-correlated person to be seen on CCTV to do it, at a non-correlated time, and hope they don't just take your money and leave you nothing at the dead drop.

Then there's the hassle of setting up the account in a way that's not correlated with your location, normal waking hours, etc.

All of this could just be avoided if Signal did the right thing.

But they won't. Ask yourself why.


Why would you not need to be seen on CCTV? This has nothing to do with the privacy of Signal.

I buy all of my anonymous prepaid SIMs with cash at retail myself, and they are still anonymous.

The only time you’d need to stay off CCTV is if you were using them to commit crimes and expected a significant investigation to be undertaken.

Your casual assertion of malice on the part of Signal is not supported by any facts.


Why are you typing my comments?

Exactly. They won't because .... reasons.


Very reasonable with only 40 million users?! It's shockingly expensive.


> Storage: $1.3 million dollars per year.

> Servers: $2.9 million dollars per year.

> Registration Fees: $6 million dollars per year.

> Total Bandwidth: $2.8 million dollars per year.

> Additional Services: $700,000 dollars per year.

Signal pays more for delivering verification SMS during sign-up, than for all other infrastructure (except traffic) combined. Wow, that sounds excessive.


Twitter said that's why they got rid of the SMS 2FA. They said it was costing millions to have that enabled for them.

https://www.cnn.com/2023/02/18/business/twitter-blue-two-fac...


> Twitter said that's why they got rid of the SMS 2FA. They said it was costing millions to have that enabled for them.

Previous Twitter employees have said that this is incorrect. Because Twitter began as an SMS-only (and then SMS-first) application (remember 40404?), they very early on established direct-connection infrastructure for sending SMS, meaning that they have a marginal cost of literally $0.00/message in most markets. Twitter still has to maintain that infrastructure, because they didn't get rid of SMS 2FA - they just restricted it to Twitter Blue users, so the overhead is still the same.

Almost nobody else who delivers SMS today has that infrastructure, because it doesn't make sense for most services to build.

The only place where Twitter was paying significant amounts for SMS was due to SMS pump schemes, which is a consequence of Twitter gutting its anti-spam detection, resulting in them paying for SMS pumping which was previously blocked.


> they very early on established direct-connection infrastructure for sending SMS, meaning that they have a marginal cost of literally $0.00/message in most markets.

I am very, very interested to understand how that works, because without more detail or sources I'm calling bullshit. I definitely understand how Twitter could have greatly reduced their per-message fee with telecom providers, but at the end of the day Twitter is not a telecom and is still at the mercy of whoever is that "last mile" for actually delivering the SMS to your phone, so I don't understand how they have no marginal cost here. Happy to be proven wrong.


Carriers that run their own messaging infrastructure can allow for direct connections from 3rd parties, and set the price per message to whatever they want, including zero.

For something like Twitter where you could post by SMS, the balance of traffic might have been such that giving Twitter free outbound SMS was balanced by the charges incurred by customers sending to Twitter's shortcode. Or it might just be balanced by increased customer happiness when they can use the product more effectively.

If the carrier doesn't run their own messaging infra, they might be paying their IT provider on a per message basis, and might not be able or willing to set the messaging rate to zero.

For a use case where SMS is used to show control of a phone number, getting a zero cost direct route is a harder sell, but it can happen if the routing through aggregators is poor and the carrier is concerned about that, or if there's some other larger agreement in play.


If you require global connectivity, managing hundreds of carrier APIs, contracts, etc seems like major overhead. Also, there are companies whose only purpose for existing is providing messaging, like Twilio, are they just...not doing this or do the carriers just not play ball? In that case, why would the carriers agree to sell to you at a discount?


Aggregators do some of this, and they can negotiate pricing to some degree, but a carrier is unlikely to intentionally give them zero cost traffic, and even if they do, they're not going to pass that through at zero cost.

I ran the engineering side of carrier integrations at WhatsApp. Carriers wanted to sell data plans with special pricing for data with WA and use WA branding in advertising, because it attracted customers that might later convert to a bigger general purpose data plan. As part of that, we would ask for zero rated SMS to their customers for verification. When it was available, it was generally faster and higher success vs sending messages through an aggregator.

We also had some, usually small, carriers approach us asking us to set up direct routes to them for verification, because their customers would not always receive our messages when we sent through an aggregator. Early in my career at WA, we would just send these carriers to our aggregator contacts, and often things would get linked up and then we'd still pay $/message but it would work better. As we got a little bigger and built support for direct routes anyway, it was usually not too hard to set up a direct connection and then there'd be no cost for that carrier. Messing around with IPSEC VPNs and SMPP isn't fun and the GSMA SOAP messaging APIs are way worse, but once you get the first couple implementations done, it becomes cookie cutter (and FB had built way better tools for this, and a 24/7 support team, so I never had to be up, on the phone with telco peeps at 3 am kicking racoon or whatever ipsec daemon we were running until it finally connected)


Can you say what ordinary (non-discounted) pricing was like, per message? At least in the US, most carriers did I and, believe, still do operate free SMTP -> SMS gateways. They worked okay, although they resulted in oddly formatted messages.


Twilio has a public price sheet[1], I think they haven't actually updated this one lately, but it's a good representation of what ordinary pricing is like. This is not an endorsement (or non-endorsement) of Twilio, but having a public price sheet makes it easy to link to them.

In general, pricing varies widely by destination (country and sometimes carrier), US and some other places are < $0.01, up to $0.10/message isn't uncommon, and some places are $0.20-$0.30/message. Voice calling was usually mor expensive (Twilio should have a price list somewhere for that too; if you can get 6 or 1 second billing, assume a voice verification call is about 30 seconds, but you might have to pay for a whole minute even if you don't use a whole minute).

Those SMTP -> SMS gateways sometimes work in the US, but they don't work much in other countries, and they're not good enough to rely on if your product requires an SMS during the new user flow. SMS costs are real and it's frustrating, but if it costs too much, you need to use something other than phone numbers for ids; I don't think skirting by with email gateways is going to work. But, if you build dynamic routing, I guess you could try.

Also, you've got the use the right email gateway for the user's carrier, and a carrier lookup is on the order of $0.01, unless you have tons of volume, so for the US, you might as well pay for the SMS.

[1] https://assets.cdn.prod.twilio.com/pricing-csv/SMSPricing.cs...


I don’t mean what Twilio charges — I mean what the carriers charge to senders who are directly integrated.


Oh I see... yeah, WA never went direct unless it was zero cost to us, so I don't know what carriers tend to charge. Managing payment to a foreign telecom would be challenging, managing it to enough carriers so the difference in cost is meaningful would be a major endeavor. SMS aggregation is a business with many providers and a low barrier to entry, so while there are margins, I don't think they're very high. There are some telecom groups that run networks in many countries, and some of those offer SMS aggregation services, and the prices were in the same ballpark as pure aggregators, as I recall, but it's been many years since I saw the price sheets.


Thanks very much for sharing your experience and detail! This kind of info is what I was looking for and is super helpful.


Not who you are responding to, but my guess is that it was all fixed costs. They spend $20mm (or whatever) to maintain access, and maintain infrastructure and they get to send as many SMS messages as they want.

So sending 1 costs the same as sending a 10 million. It isn't that they are free to send, its that they are charged for access to the system, but aren't charged per message.


> spend $20mm (or whatever) to maintain access, and maintain infrastructure and they get to send as many SMS messages as they want.

This is not how SMS pricing works in many, if not, most countries.


Is that true at scale? If I tell the telecoms that I want to send a billion messages per year it seems like they might be willing to take a lump sum instead of setting up the systems to bill based on usage.

I have no experience directly with foreign telecoms, so I was simply explaining how something with no marginal cost could still be a very expensive system.


> Is that true at scale? If I tell the telecoms that I want to send a billion messages per year it seems like they might be willing to take a lump sum instead of setting up the systems to bill based on usage.

In most of the world, SMS is billed per-message, so it's basically no extra effort on the Telecoms side at all. In fact, Telecoms' online charging systems are fast enough to calculate users' data usage by seconds in real time, so they don't even blink at counting SMS.


I don't know of countries that mandate a minimum price. If you are doing high volume you are free to work directly with carriers. If you are drawing as much billable traffic as you are sending, then that could even be a wash.


It’s not countries mandating a minimum price (although regulators often impose a maximum), but the carriers themselves.

> If you are drawing as much billable traffic as you are sending

SMS verification traffic is usually unidirectional, so that’s very unlikely to be the case.


Yes but in this case we are describing old-school Twitter, in which people made their tweets via SMS. That's why it was easier for them to make these deals.


Signal agrees: (from the article:)

... legacy telecom operators have realized that SMS messages are now used primarily for app registration and two-factor authentication in many places, as people switch to calling and texting services that rely on network data. In response to increased verification traffic from apps like Signal, and decreased SMS revenue from their own customers, these service providers have significantly raised their SMS rates in many locations, assuming (correctly) that tech companies will have to pay anyway.

...

These costs vary dramatically from month to month, and the rates that we pay are sometimes inflated due to “toll fraud”—a practice where some network operators split revenue with fraudulent actors to drive increased volumes of SMS and calling traffic on their network. The telephony providers that apps like Signal rely on to send verification codes during the registration process still charge their own customers for this make-believe traffic, which can increase registration costs in ways that are often unpredictable.


SMS has become a kind of real-world PoW (proof of work) mechanism. A phone number typically has a recurring fee to keep it working. So a live number indicates that someone is spending money (a proxy for effort) to maintain it.*

It still seems like a lot of money to spend on simple, old technology, but from the PoW perspective, making it cheaper would defeat its purpose.

*Which is why many sites reject Google Voice numbers, for example, for SMS verification.


> In response to increased verification traffic from apps like Signal, and decreased SMS revenue from their own customers, these service providers have significantly raised their SMS rates in many locations, assuming (correctly) that tech companies will have to pay anyway.

There's nothing that requires tech companies to use SMS for registration or for 2FA. The normal way to do it is by email, which continues to be free. For Signal, there is no need to do 2FA registration at all.

Signal is ideologically committed to publicizing your phone number, and apparently they'd rather pay $6 million to hold to their commitment than just... not do that.


SMS rates are absolutely bonkers considering the technical way they're transmitted. The US is an outlier in SMS rates actually being reasonable (usually unlimited or close to) for consumers - but for the rest of the world the insane mark up on that communication method has mostly obsoleted it...

That'd be all well and good... the technology would die naturally, but all my American relatives continue to stubbornly use iMessage.


> for the rest of the world the insane mark up on that communication method has mostly obsoleted it...

For P2P communication. SMS is alive and well for B2C messaging, most importantly for 2FA OTP delivery, but also as a first line of defense against spam/bot account creation.

It's not a good solution to either problem, but it's slightly better than nothing (which apparently makes it good enough for many), so I suspect we're stuck with it for now.

> That'd be all well and good... the technology would die naturally, but all my American relatives continue to stubbornly use iMessage.

iMessage is not SMS, though. It just uses phone numbers as identifiers, but so do many other popular over-the-top messengers, including the most popular one globally.


To clarify - iMessage does not use SMS if you're going from Apple to Apple device and both devices have data/wifi available. iMessage refuses to support messaging to Android clients and defaults to SMS for these messages.

I've got an Android phone so all iMessage transmissions come across as SMS (or MMS).


Ah, I see what you mean. That's not what I'd call iMessage though, that's just SMS:

The iOS application is called "Messages"; iMessage is the over-the-top Apple-exclusive messaging service.


Messages inflexible reliance on SMS for communication to non-Apple devices is definitely an Apple issue, in my opinion. Apple has made it clear that they continue to default to SMS for non-iPhone communication solely because it's unpleasant for everyone involved.


There's apparently even "green bubble bullying"[1] of kids who have Android devices and thus have their messages appear different. In this particular way Apple is happy compromising the mental health of young people to secure a larger market share - it's awful and they deserve a lot more negative PR for it.

1. https://www.wsj.com/articles/why-apples-imessage-is-winning-...


Agreed.

It reminds me of the "Blue eyes/Brown eyes" exercise (https://en.wikipedia.org/wiki/Jane_Elliott) so let's say this was a real psychology experiment. Middle-schoolers and high-schoolers are encouraged to communicate via a chat application with rich multimedia functionality. But any conversation that includes even a single individual who belongs to an arbitrarily-defined "out-group" has its functionality degraded and the application highlights who the out-group member(s) are. After a year you compare the mental, social, physical, and academic well-being of both groups. Would your university's IRB approve such an experiment?

I initially gave Apple the benefit of the doubt that this was simply a technical limitation. And of course kids will always bully each other about something. But at this point it does indeed seem like a billion-dollar company is intentionally amplifying and leveraging this sort of bullying to drive marketshare. If you don't find this immoral then I'm not sure what to say.


> apparently even "green bubble bullying"[1] of kids who have Android devices and thus have their messages appear different

Bullies will bully. Targeting the articles of bullying versus the source is fruitless; the former is unlimited.


On the other hand, I have saved many a dollar by instantly knowing that I just sent a legacy text to somebody I normally iMessage with.

My carrier charges an arm and a leg for international texting, and if distinguishing between texts and iMessages wasn't as easy as it is, I would probably have to pay hundreds in carrier bills at least once.


> Apple is happy compromising the mental health of young people

Dramatic exaggeration and attribution of evil intent is counterproductive and disingenuous.


> In this particular way Apple is happy compromising the mental health of young people to secure a larger market share

Should we also force luxury brands to offer stipends so that teenagers whose parents can't afford them (or simply don't want to participate in that nonsense) don't feel stigmatized?

It would be a completely different story if Apple were to ban third-party messaging apps on their platform, but as restrictive as they are in other areas, they aren't doing that.

It literally only takes a free app download to get a cross-platform messaging experience at least on par with iMessage (and in my personal view superior in many regards).



RCS is Google's idea of a solution – a company not exactly widely known for their excellence in all things instant messaging.


Do you have a source that it was started by Google? From looking around, they support its development but it was an industry initiative, and Samsung was one of the first OEMs to support it.


It was embraced and extended by Google.


I was asking for a source so I could look further into this, do you have any?


Neither me nor GP said that it was started by Google. Just that it was adopted by them as a solution.


Adopted by Google yes, but since when would Google adopting a technology give them full control over the future of that technology? Surely the other industry members who started RCS also have a say?

And I would argue that the language used implies Google created RCS themselves (it was their idea): "RCS is Google's idea of a solution"


> since when would Google adopting a technology give them full control over the future of that technology

It's the Microsoft 90's playbook https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...


What does the default Android messaging app do?


Google Messages, which is fast becoming the default Android messaging app across Android OEMs uses RCS when both participants support it and falls back to SMS when that is not the case.

RCS is an open standard that any carrier/OS/messaging app can support, unlike iMessage, which is exclusive to iPhones.


That's exactly RCSs biggest problem: It requires active carrier support. (As far as I understand, Google runs the infrastructure for many international carriers at this point, but they still need to opt into that.)

Using my phone number as an identifier and authentication factor for so many things these days is bad enough; I really don't want the messaging layer itself to touch my phone provider at all.


RCS-the-open-standard is not end to end encrypted.


Android's messaging app does much the same thing.

My preference would be that Apple drop SMS support from Messages all-together and market it as an iOS only communication method. People with iPhones would then have to pick some alternative, perhaps they would use Signal or perhaps something else.

I already have to install a handful of applications to talk to all of my friends and co-workers, at least I wouldn't have to continue to use SMS.


As an iPhone user, I am happy with messages and do not want it to drop SMS support. Note Apple created iMessage way before RCS even existed. iMessage works well and I am happy with it.


It's interesting that you mention that you like it having SMS support; do you only use this function to message Android phones? In my experience, the iPhone people I know are consistently annoyed by me and my SMS messages.

IMHO, RCS isn't a solution to anything since it still requires phone carriers to adopt it. A quick check of the internet indicates that many of these phone carriers are actually charging more to send RCS messages than SMS, making it a non-starter all around.

Maybe Google could create an iMessage-like (internet only) alternative for Android... Although it still wouldn't work with the actual Apple iMessage protocol unless Apple adopted it. IMHO they'd have better luck getting companies like Apple to interoperate if it was pre-installed and worked on all Android phones.


My phone runs Android, I'm pretty much forced to use SMS in order to communicate with anyone who uses an iPhone and that's most of my family. While it can be argued that iMessage provides a good enough experience on an iPhone for most people, I have wondered if they are the one thing keeping SMS alive.


> I have wondered if they are the one thing keeping SMS alive.

Absolutely they are. Most of my friends and family are Pixel users and we all communicate using RCS. If Apple would just support the modern replacement for SMS (which includes end to end encryption), iPhone users would be much safer and would have a better experience.


I really dislike iMessage, but somehow Google has managed to deliver an even worse alternative with RCS:

It apparently just doesn't work with dual-SIM phones, requires a phone number and an active plan with a supported operator (at least iMessage lets me use an email address!), the multi-device story is non-existent, to just name a few.


> For P2P communication. SMS is alive and well for B2C messaging, most importantly for 2FA OTP delivery, but also as a first line of defense against spam/bot account creation.

In Brazil, businesses use Whatsapp to communicate with consumers. You order pizza and book doctor appointments over whatsapp


> stubbornly use iMessange.

Personally, I prefer it over downloading yet another client, dealing with additional credentials, wondering about who can access my messages, and so on and so forth…

And all that just to message the handful of people that I know who use <popular in other country third party app>.


If only someone would release a universal protocol that the app's native messaging apps could utilize to eliminate the need for these 3rd party messaging apps. Oh, right, it's called RCS and Apple refuses to support it.


RCS is anything but universal. It requires the explicit cooperation of mobile phone providers, which makes it a non-solution in many scenarios – including usage on any device that happens to not be a phone.

RCS is exactly what it says on the box: A modern successor to SMS. That does not make it a good modern instant messenger.


Apple announced today they are going to support RCS https://9to5mac.com/2023/11/16/apple-rcs-coming-to-iphone/

RCS is better than SMS no doubt but lets not pretend it is on the same level as iMessage. Lack of end to end encryption alone makes RCS a dated standard


Good news, Apple just announced they'll start supporting RCS next year.

https://www.techradar.com/phones/iphone/breaking-apple-will-...


I see that you feel strongly about RCS, but as far as I know even some of the bigger US carriers dont support the universal profile on all the Android devices they offer. So maybe you’ll get your wish some point after carriers align on RCS.


RCS the “universal protocol” is not end to end encrypted.

Google has made some proprietary extensions to RCS to support end to end encryption but this is not the same thing.


> Oh, right, it's called RCS and Apple refuses to support it.

No one wants to support it. Even telecoms don't want to support it.


Telecoms don't even want to roll out all of the infrastructure they get paid by the government to, I don't know that their willingness to do anything is a point I'd try to stand firmly on.


Exactly, so how on earth does Google think that it is a good idea to put them in charge of running the infrastructure powering the future of instant messaging?

Any chance at all it has something to do with the fact that they've acquired an RCS infrastructure provider that they can sell to telcos?

https://jibe.google.com/


Someone has to run it. Logically, the obvious party to do so the carrier providing network access to the device, which also has a recurring billing relationship with the user from which to recoup its costs, and that the user knows to contact when they have issues. As a standard ostensibly replacing SMS, and coming out of the GSMA, it's also pretty obvious it'd be biased toward a carrier-centric solution.

There are a couple other options of course, but I am not sure they are better:

* Fully federate this, a la Matrix or XMPP. I really wish this was a practical option, but without legislation I doubt any company wants to go willingly in this direction. Even if they did, it'd be difficult to contain spam at scale. It also creates 'first contact' issues; love it or hate it, the general public seem attached to the idea of phone numbers and it seems to work relatively well and unambiguously. It is also the most technically complicated and most brittle and unpredictable for users.

* Phone / OS maker operates it for their devices. You don't seem to want Google running things, so this seems markedly worse than what they have actually done which is give you options (most people can at least choose a carrier, and carriers can choose implementations). It's unclear how operating costs are recouped here, especially for low-end devices. Does this lead to feature stratification? I hope not, but probably. It's a global single point of failure, both from a technical point of view as well as a policy/jurisdiction one (can $country LE subpoena my records because the company operating the service is ${country}an - or perhaps merely operates in $country, for example?). Also unclear how users are 'found', but maybe it's a bit easier than in a fully federated system.

* Phone / OS maker partners operate the service, giving users a few choices. Not really sure why anyone would go in for this, but it's basically the same as if the phone maker operates it.

None of these are great options, but I think the carrier is probably the least-bad one. You have an agreement with them. You have the legal protections offered in your home jurisdiction, with clear jurisdiction over the whole thing. They already have a ton of data on you and access to your traffic. You have a neck to wring if the service doesn't work properly.

They really should have standardized E2EE though, not including it is ridiculous.


Literally nobody wants RCS except Google and a handful of HN commenters. It’s so unwanted that Google had to scrap their original plan of making the carriers host the infrastructure and do it themselves, because the carriers didn’t give a shit.

(And even Google doesn’t really have any love for RCS, they crawled back to it as a fallback plan with their tail between their legs when their own proprietary lock-in messaging apps didn’t work out. Which makes their attempts to shame Apple into adopting it pretty hilariously disingenuous.)


> It’s so unwanted that Google had to scrap their original plan of making the carriers host the infrastructure and do it themselves, because the carriers didn’t give a shit.

To be fair, that wasn't Google's plan, that was the GSMA's plan. GSMA created the RCS spec, failed to get more than a handful of their members to use it, and kind of abandoned it to the wolves. For reasons I don't quite understand, Google decided it'd be a good idea to take it up, and then push it harder than any of their previous messaging services; but it's not like they came up with it.


> with their tail between their legs when their own proprietary lock-in messaging apps didn’t work out

For what it's worth, they've worked tirelessly to ensure their failure.


> only someone would release a universal protocol

Nobody wants this. Universal access means universal access for spammers. iMessage won over SMS because of cost and spam filtering.


> Nobody wants this.

Not nobody.

> iMessage won over SMS because of cost and spam filtering.

Really? I've never used imessage.


> Not nobody

Within the scope of messaging network effects, nobody.

> Really?

Yes. iMessage spam is rare and stamped out fast. Open protocols tend to have spam problems the moment they begin scaling.


I think I understand your comment, since iMessage isn't SMS, but defaults to SMS for those not using it.

There are opensource self hosted solutions like BlueBubble that allow reasonably secure communication through iMessage to the other chat platforms on desktop/Android etc. I have zero affiliation, but I know others who happily use it. There are also less secure and paid solutions I can't speak to.

https://bluebubbles.app/faq/


For the purpose of 2FA and account registration let’s view it as a tax for fraud prevention, where the real value in SMS is in verifying someone’s identity rather than transmitting messages


If SMS actually worked for this purpose, it would be acceptable. However, SMS provides no guarantees about: 1) If it actually gets delivered 2) If it is delivered to the intended recipient 3) 1 and 2 without anyone reading or tampering the message while in transit

Now, even if stars align, your SMS ends up on a route where nobody is mitm-ing or hijacking it, the telco systems work and it gets delivered, it is STILL not a guarantee of identity. It simply verifies that you have somehow got access to a particular phone number.


Just because consumers get unlimited SMS doesn’t mean businesses get that. The telcos are ruthless about extracting their pound of flesh at business rates.


Phone numbers have become the de facto version of "Internet stamps" for identity verification.

They are near-ubiquitous on a per-user level, but hard to accumulate without significant cost. (Unlike email addresses.)

But the down side is that phone verification tends to be on a per-service level. So, for instance, Signal incurs these costs when they verify their users, and every other service incurs these same costs when they verify _their_ users.

There are a number of businesses out there that are trying to act as clearinghouses, where they verify the users once, then allow the users' verified profiles to be confirmed by multiple services.

I wonder if any of those could be used to reduce these "registration" costs.


> but hard to accumulate without significant cost

Varies heavily by region. The shop opposite my house has ~50 SIM cards on the shelf, for £0.99/ea.


Phone number verification is used to verify the user's registration intent, so not really.


"Sign in with $Clearinghouse" could bring you to a page that prompts whether you want to share a user ID or the phone number, as required, with that service.

The clearing house verifies you only once, or once a year, instead of every time. If the clearing house were to be a nonprofit, perhaps even set up by Signal themselves to spread costs with similar services, that has to be cheaper.

It also gives users confidence that only a randomized user ID was shared, so it won't be used for cross-service correlation and tracking, if the service didn't actually need your phone number but only some identifier.


A Flow:

> Service A => User: Please Enter Your Phone Number and Email

> Service A => Clearinghouse: Please verify phone number XXX wants to sign up for an account with us

> Clearinghouse => User (SMS): Please respond with the Email you used at signup to confirm you want an account with Service A

Later...

> Service B => User: Please Enter Your phone number and Email

> Service B => Clearinghouse: Please verify phone number XXX wants to sign up for an account with us

> Clearinghouse => User (Email): Please verify you want an account with Service B

Not saying it's great (providing email twice is annoying), but it's something.


This does not reduce the overall cost, it just shifts it to the clearinghouse. Who pays the clearinghouse so that they can cover their own exorbitant SMS costs?


You miss the crux of it: the second time onward the clearing houses uses email to authenticate the previously-SMS-verified account.


The clearinghouse may not have the user’s most recent email address, which is common amongst non-tech people. My mom and aunts have lost many email addresses this way and forcing them to use an older email would cause many issues.


The app has to ask for email/phone to begin with (see step 1), if the email doesn't match then phone would be used as fallback, or potentially as a "Didn't Receive Code?" gesture.


A service that requires a telephone number simply shouldn't be called an Internet service. It can't be used purely over the Internet.

Telephone numbers are fundamentally incompatible with privacy. Signal's leadership knows this, but they don't appear to care.


I really wonder why it’s so expensive to run. I always hear things about scaling but I used to run a top 500 alexia website and it was just a php app running on a mutualized offer for $5/month. Lots of manual caching though but still.

My wild guess is that either the stack is not really optimal (last I heard it was java) or they do other costly things at scale (sgx?)


I guess, then the question is how real time was the website. Was it as real time as supporting, instant messaging, voice/video calls etc


Oh I forgot that signal is not just about forwarding messages. I’m wondering how much the VOIP costs.


FTA: "Signal spends around $2.8 million dollars per year on bandwidth to support sending messages and files (such as photos, videos, voice notes, documents, etc.) and to enable voice and video calls."


Don't forget media!


> the stack is not really optimal (last I heard it was java)

how's java relevant here?


Java in theory and in synthetic benchmarks: damn near as lean and mean as C.

Every actual Java project: “oh, did you want that memory and those cycles for something else? Yeah, sorry, I need them all. Why no, I’m not actually doing anything right now, why do you ask?”


In this case we don’t need to speculate at all. Signal is open source. Back when I was at Twilio we even did some at-scale experiments with running Signal. The intensive parts have absolutely nothing to do with Java because the server logic is relatively simple. The hard parts of Signal are the database storage/retrieval and the encryption.


100% true in my experience. Literally anything else is far better when it comes to bloat, including C#, RoR etc.

Increasing the Java heap size just makes it so that when garbage collection eventually hits, it causes an even more massive slowdown across the entire application.


You can't send an sms yourself like you can an email. Instead of setting up a server, you have to work with a telco provider (an aggregator specifically). Any SMS service eventually hands off to one of these. Many SaaS SMS providers are just frontends for legacy telco services. They charge insane fees because they can, that is all there is to it.

Sending mass email is still difficult. Its probably easier to pay a provider than set up and establish reputation for yourself. But they don't charge near the rates. Last time I compared rates it was something like 10x-100x to send an sms compared to an email, but it has been a while.


> Many SaaS SMS providers are just frontends for legacy telco services.

I worked on an automated SMS marketing system back in the day so I have seen this in action, at scale. This would be stuff like "text LAKERS to 12345 for Lakers updates"- we didn't handle the Lakers but we did handle many sports teams. Though I wasn't privvy to the financial side, I got the sense that the per-text cost ended up being manageable at scale, but this is because we were one organization who would apply the rules onto our own customers, and if we failed to do so properly we risked losing the interconnects to the various carriers. We typically used a single contracted "aggregator" service which provided a unified API for the carriers. When I left, we were using OpenMarket.

When you have a self-service SaaS offering such as Twilio, the per-text costs are going to go up because the barriers for sending unwanted texts (or fail to follow the rest of the rules mandated by the TCPA) is so much lower, and Twilio has to address that organizationally which adds cost.

Additionally, Twilio does not purchase short codes (ie 12345) which means its harder for the carriers to track bad behavior across their network. There is an initial cost (fairly high) to acquiring a short code, though you can also share short codes across customers in some cases. Acquiring a single short code and sending all messages from that short code would likely reduce costs.

I would love to see more detail from Signal about what sort of SMS interconnection they are using, because directly connecting with an aggregator instead of a SaaS offering (if they haven't already) could save a lot of money, and they are definitely at the scale that would allow for it. And given that they only use it for account verification and are a non-profit, it seems likely they could get a good deal since the risk of TCPA violations is effectively zero.


Yeah, aggregator is a very industry specific term, so I just merged into teclo provider. But yeah, all the issues with short codes, national laws, and reputation, makes it very complex. I worked at a company like Twillio that had contracts with different aggregators across the world, and sold a platform to manage SMS interactions. They added a layer to make ensure customers respected opt-out keywords, or opt-in for specific countries, so it would help manage TCPA (and other) violations. I imagine this helped keep costs down. We would definitely fire customers for trying to get around the safeguards.

I was on the support side, so I just saw when it went wrong, which was a lot.


> Additionally, Twilio does not purchase short codes (ie 12345) which means its harder for the carriers to track bad behavior across their network. There is an initial cost (fairly high) to acquiring a short code, though you can also share short codes across customers in some cases. Acquiring a single short code and sending all messages from that short code would likely reduce costs.

Twilio offers short codes, but short codes are country specific, and the costs for sending to the US are low anyway < ~ $0.01/message for most services, lower with volume; IIRC, short code messaging costs were half, but then you've got some overseas destinations where it's $0.10/message and that's real money.


Maybe they should flip it on its head - get a thousand? Ten thousand? numbers that can accept SMS and tell people to "text 473843 to this number" to verify.


It's usually even more expensive to support receiving messages than sending them, beyond keywords like Unsubscribe. If you want any sort of threading its going to be extra. Also its extra for dedicated shortcodes. When you get an SMS from a random shortcode, there might be multiple companies using that code, but they mix the pools enough that its unlikely you will receive two messages from two companies from the same code. Also shortcodes are usually country/region locked. So if you want to international support, you need to buy shortcodes in multiple regions, and different regions have different telco laws. On top of that, provisioning is very manual compared to the modern cloud.

I supported a marketing platform for a while, and it was so much easier to send an email than an sms.


SMS sender isn't generally something you can trust. If you get the SMS directly from the carrier that's responsible for the number, and you have reason to trust their SMS sending to verify the sender, then yes. But in countries with number portability, you still need to pay to lookup the carrier responsible for a number.

And you'll need to maintain ingress numbers in all the countries you support, and maybe numbers per carrier, depending, and you'll need to tell the user the right number to text to ... it's a lot, and it might not work well or might not save much money.


That's in fact how iMessage does phone number verification. It works really poorly internationally.


how is that in any way comparable? it's not about java vs php


Java is likely the most optimized part of the stack.

Many startups move up to the jam when there is little else that has optimized performance and efficiency like the jvm for 20-30 years.

Of courses this is a moot conversation if you’ve never used Java at scale. Apple and others are Java houses.


Java is entirely performant if you treat it right, and many of the problems with GC in J8 are fixed in later versions.

You can push Java very far.

Of course you can also write horribly ugly code in it.


You can write horribly ugly code in most languages.

But the secret of JVM existing as an option is eventually learned by most who scale.


I did my part to help reduce costs by switching to the decentralized alternative, Session.[0]

Bonus: Session does not demand users' phone number. Also no bundled cryptocurrency.[1]

[0] https://getsession.org/

[1] https://www.stephendiehl.com/blog/signal.html


> Also no bundled cryptocurrency.[1]

It seems like Session relies on Oxen's network, so while there is no inherent coin it is blockchain backed.

> Session’s onion routing system, known as onion requests, uses Oxen‘s network of Oxen Service Nodes, which also power the $OXEN cryptocurrency. Check out Oxen.io to find more information on the tech behind Session’s onion routing.

https://getsession.org/faq#onion-routing


Cool, glad to hear about this - However, it is still coupled to a cryptocurrency (https://oxen.io/) even if not bundled wechat-style


I think simpleX[0] is a better choice at this point with all the recent issues around oxen: not coupled to any crypto, no user ids, can host your own servers if need be, etc

[0] https://simplex.chat/


And as a bonus Session has the best line ever: "Send (encrypted) Messages, not metadata".

They've given Signal quite the fork.


Session depends on the Loki blockchain, so I dispute point 1.


I don't consider Session to "bundle" the Loki blockchain or the Oxen network in any sense.

Here is more information about what I meant when I used the term "bundled".

https://www.techopedia.com/definition/4240/bundled-software


> we can rent server infrastructure from a variety of providers like Amazon AWS, Google Compute Engine, Microsoft Azure

Moving off cloud services to lower-cost provider like Hetzner, Vultr and DigitalOcean might provide a lot of cost savings.

I also imagine they're using managed SMS services from one of these clouds, and moving off them to a combination of local SMS gateways in each country can also further reduce costs (and in one case I've personally observed, by upto two orders of magnitude). This obviously pushes a lot of complexity on Signal's side, but is usually worth it.


Any idea what prevents Signal from using cheaper alternatives?

Edit: I meant moving off cloud to Hetzner, Vultr, DigitalOcean.


In business, you get what you pay for. Cheaper hosting might raise more issues that need to by handled by your employees, who also are expensive, and also the organization's focus gets disrupted. The hosting company / cloud vendor has an enormous economic advantage, with access to the entire hardware and software stack, the engineers who built it, people whose full-time job is operating it. Often it's cheaper to pay more for better.

As I have to explain about open source, 'Free is only free if your time is worth nothing.' (And I use a lot of FOSS, it just not always the solution.)


>Free is only free if your time is worth nothing

This is the worst take in technology. The main value of FOSS is freedom, not time or money savings. For many people freedom is more valuable than either.

Also, FOSS and managed aren't mutually exclusive.


As I understand it, you have to often use multiple gateways based on which one is cheaper and can deliver your message to the recipient, and also take care of handling retries in case one gateway fails. This is not something you typically want to handle if you're not aware of it, and the process of having to talk to each vendor and figure out their limitations is tedious.


There's a lower bound on what these services can charge in the form of interconenction fees charged by the mobile service providers delivering the messages.

In the US, that's effectively zero due to the US phone infrastructure largely using a shared-cost model, but in most other countries which use "sender pays", these fees can be significant.


DO, at least, has bad peering agreements that will cause you noticeable, unfixable (if you stay on DO…) persistent problems at large enough scale.


I use Hetzner, but they have a bad rep for killing services that attract too much attention, e.g. DMCA requests


So ... hire staff to manage that complexity?


Might not be cheaper at scale and truly globally.

The loaded costs should have the numbers run.

It would be a fascination under the covers look with signal.


They probably already have that staff for GCP, Azure, AWS?


Out of interest, their top vendor costs on their 2021 form 990:

$7m Twilio

$4m Microsoft

$3m AWS

$1.3m Google

https://projects.propublica.org/nonprofits/organizations/824...


Just wondering, are they relying on these big name cloud providers (AWS/Azure/GCP), known for predative traffic and storage pricing? Have they considered cheaper providers such as Backblaze B2 for storage and Hetzner/OVH for servers? The fees for storage, server and bandwidth could be cut by 80% if they did that.


Sounds like a great case to get the fuck away from SMS and phone numbers.

But hey, they still want your whole address book, and announce you're on signal to everyone else on signal.

The whole "secure" thing is a joke. Its all linked to your identity via your phone#.



Signal actually jumps through quite a few hoops in order to let you and your contacts are on Signal without Signal actually having access to a copy of your whole address book. It's even mentioned in TFA.

I do agree about being linked to your phone number - doing it that way means not considering a lot of people's valid threat models. They are working on moving to usernames, though. It's in beta now.


> Signal actually jumps through quite a few hoops in order to let you and your contacts are on Signal without Signal actually having access to a copy of your whole address book. It's even mentioned in TFA.

It doesn't say how it works. If Alice's phone can tell whether her contact Bob uses Signal without Alice and Bob doing any sort of a priori cryptographic exchange, why couldn't Signal itself do whatever Alice's phone is doing?


They want the address book because if you don't have engagement promotion features like that, there is no way to ever become remotely popular in the chat app space.

Why is the security a joke? The data is e2e encrypted, and isn't related to a phone number in any way after registration. Do you know of a better way of combining privacy and anti-abuse measures? If you don't offload identity checks to telecom providers during registration some bad actor will immediately create a million accounts and send millions of spam messages and destroy the slim chance of this type of app to exist for free.


> They want the address book because if you don't have engagement promotion features like that, there is no way to ever become remotely popular in the chat app space.

Intentionally ignoring the fact that Signal splatters your phone number to everyone else is a humongous problem. And you can even put your phone number block in your address book, and it'll tell you everyone who has Signal. This happens all the time, with Signal servers leaking all of this metadata.

And doing "engagement promotion" is what companies do to sell more shit. So, exactly what are they "selling"?

>Why is the security a joke?

Metadata, pertaining to communication patters and to whom matters just as much as what's being said.

And that metadata, like "your phone number" and "contact's phone number", and "when data is being sent to/from" is that metadata.

> The data is e2e encrypted,

> and isn't related to a phone number in any way after registration.

Bullshit. I see new people hopping on signal fairly regularly. If that was true, it'd be a simple verify-once-and-delete. It aint.

> Do you know of a better way of combining privacy and anti-abuse measures?

I reject your claim of "privacy", with regards to metadata.

Secondly, Tox has an alternate way to handle this, by allowing any number of accounts not tied to anything. Sure, it's a SHA256 id, but who cares. There, its secure AND anonymous.

Basically, I look at Signal as "better than SMS, but not much". It's basically a way to keep the phone company from scanning messages.


I wish their justification for dropping SMS capability from their Android app to move away from phone numbers was a little more transparent about the obvious cost aspect rather than solely sticking to the patronizing "we're saving insecure messaging users from themselves" messaging they had. I found it pretty obnoxious. I think people generally get "valuable nonprofit + huge expense = not-sustainable = bad."


> their justification for dropping SMS capability from their Android app ... was a little more transparent about the obvious cost aspect

I'm not following. Signal gets stung for the registration SMS costs because they send the SMS to the user. They don't pay when one user sends an SMS to another user. If you send an SMS, you're the one who pays.

(I didn't realise they were moving away from phone numbers. Don't they they stay mandatory when PNP comes along?)


It's a lot more nuanced than that: https://news.ycombinator.com/item?id=33258684


It would be great if that was what was in their announcement.


Why is it that SMS is so damn expensive? (or more specifically, what is it about Twilio et al's businesses that makes them cost so much?)


When you control access to the customer you can charge people a lot. Just like Apple can take 30% primarily because they’re the gatekeeper to iPhone users, telecoms are gatekeepers to their users so they can charge you a lot to text them. You don’t really have a choice. L


In the US, shafting customers as hard and fast as you can is the current business model. What are they going to do? Move to 1 or 2 remaining competitors with the exact same business model?


Most of that cost is literally coming from sms outside the us though. The rates for us sms are much lower than almost anywhere else.


I'll have to do some research here. Prices in the US for bandwidth, phone services, etc. are insane.


Nothing just profit and existing system access costs set by the incumbents.


> Signal pays more for delivering verification SMS during sign-up, than for all other infrastructure (except traffic) combined. Wow, that sounds excessive.

Particularly when the phone requirement is the biggest weakness in Signal.

Getting rid of it will make it substantially cheaper to operate and much more private. Win-win.


I wonder if you could do something clever such that you can have people volunteer their SIM for sending 2FA?


Funny, because that's the reason I can't use Signal - I don't have a phone number.


In case one isn't aware, you can get a $1/month throwaway phone number from Twilio for that purpose.


That's a neat workaround for the people that can figure that out, but doesn't change the underlying problem for the majority of users at all.


Majority of users don't have phone numbers?


I'm referring to the majority of users not having (or wanting to use) phone numbers.

Some of these will be willing and able to pay $1/month to Twilio for a workaround, but most probably won't.


Aren't these VoIP? Almost every service blocks VoIP numbers for sign ups these days, but perhaps Signal is an exception.


They work with Signal, Facebook, etc. Sometimes you have to try another one to get it to work.


What's it cost to be an SS7 peer for a year? Could they spin up their own "phone company" for the purpose of delivering SMS verification and nothing else, cheaper than they're paying someone else's markup?


What's expensive isn't (just) the technical infrastructure, it's termination/interconnection fees charged by the destination mobile networks.


Huh, I knew those existed for voice calls, didn't realize they applied to SMS too. Makes sense, though.


is there any way they can reduce that cost?


Yeah, decouple Signal user identity from the phone number.


This will probably never happen. One of the reasons WhatsApp blew up is because using a phone number as your source of identification means there's much less friction in the signup flow. No username/password to create and your social graph is already there in your contact list.

My mom was able to get our entire extended family on Signal without my involvement, which is a testament to how easy that is.


They also blew up because it was also quite decent SMS app, so you just had to install Signal and use it instead of your default SMS app. All your messages are there, you can continue to communicate exactly like you did before, except that now, if the other person also has Signal, your messages are encrypted.

They stopped doing that (and I uninstalled Signal as a result), so they can also stop with the phone number thing, in fact, it would make more sense than with the current situation where Signal needs a phone number but doesn't use it (except for registration). I could even reinstall Signal if they do this.


They're already working on it: https://www.bleepingcomputer.com/news/software/signal-tests-...

Not whether that's a good idea is more debatable; you're not wrong about discoverability.


Those are in addition to the phone number, but it will still require a phone number under the hood.


In the short term it will, and quite possibly in a long-term also, but if you were going to fully make phone numbers optional, I'm pretty sure this is the first step you would take. At the very least it sure looks like they're starting to build the possibility.


Nobody is demanding them to stop supporting phone numbers as identifiers/verification methods.

I'm not mad at all if somebody prefers using their phone number and not having a password for a service – just give me the option to use my email address and/or a username.

There are too many "phone number only" services out there these days.


Usernames are currently available in beta, the post I was replying to wondered if SMS verification could be removed because it's expensive.


> Nobody is demanding them to stop supporting phone numbers as identifiers/verification methods.

Plenty of people are, and for good reasons.


Why not both?

If I want discoverability, let me provide my phone number.

If I want privacy, just assign a random identifier.


It has nothing to do with friction...


Phone numbers are the easiest login for people, especially in a world where not everyone has an email address.

I know this will invite comments about usernames. I would like usernames a lot too.


If only it was possible for a service to support both!


I know, too bad that possibility was only possible in the past and not with todays technology.

The knowledge of how to do this has forever been lost. Hopefully archaeologists can reconstruct it one day.


Which might be said to increase privacy. I suppose there's something to the point about combating spam. But surely there are other ways to do this, right?


Getting rid of phone numbers would make anonymity easier, but it wouldn't affect privacy. Signal is explicitly private but not anonymous.

In most countries, you can get an anonymous phone number anyway.


Send them via whatsapp. A lot of online services give an option to send OTP via whatsapp along with SMS/Email.


As far as I understand, this is even more expensive than SMS in many cases due to WhatsApp's B2C messaging fee structure.

It's also not a great idea to make sign-ups for an instant messaging service contingent on having an account with another, competing service.


All things considered. Pretty impressive how cheap it is to run given the adoption of the Signal.


Second time around benefits too, and the guest time was pretty efficient in WhatsApp too.


The cloud tax is crazy (especially bandwidth). Pretty sure Signal has reached the scale where they would be cheaper by building their infra, maybe starting with the most expensive (storage + bandwidth), and then doing others.

SMS is (unfortunately) core to the product, so I'm not certain how they could make it cheaper, while retaining the same properties (user+pass registration would be a nightmare for spam and change the UX).


Is it not that they’re buying something resistance as well by buying from large infra providers if big adversaries like state actors start pushing hard?

I also think SMS and phone numbers are core, but they must provide a way to communicate without use of phone numbers being kept completely separate from phone numbers even when registration is needed using phone numbers.


The usernames are coming (alpha was announced), but it won't reduce cost since the account is still phone number-based.


Anyone know much does it become worth it to build your own? They spend around $3-4m on storage and bandwidth


> millions upon millions of new people suddenly switched to Signal in January 2021 after WhatsApp updated their Terms of Service

From a footnote of the article. Maybe this is why they've stayed with "infinite scale, infinite costs" (commonly known as "cloud") so long? Surely at some point this is worth considering though, I would also be curious where that point lies

Virtually anyone, also when spending only 100 euros/month on server providers, can save a large percentage of costs by taking it in-house. There might be a gap where you need dedicated personnel and it's briefly cheaper to outsource before you grow and it inverts again, but generally if you've got a stable service then this is nearly always worth it

Maybe a hybrid, where new users onboard onto cloud and they buy hardware for expected loads (i.e. current users), would be the most cost effective. I wonder how hard that is to combine the two worlds, but anything that requires more than one server already has that sort of communication going on so there shouldn't be any real blockers. Maybe the two types of infra add costs/risks again and that's why one rarely sees this setup?


I know AWS - and I would guess the others too - discourage hybrid by setting the egress traffic costs to extreme levels


I found that with the bandwidth and storage that my company was using on the cloud, we could get ROI in under 2 months by building a server and running it in house. Now we've scaled up to a dozen servers but it's still just a handful of computers in a closet that saves us $50k/mo in cloud costs. It was dirt cheap to slap together and scale up incrementally.


Data centers cost billions. Signal, and pretty much everyone else who isn't already in the data center business, is far away from breakeven on that.


There are several steps between using AWS and building a datacentre.

- Using similar services from cheaper cloud providers

- Renting VMs

- Renting whole servers

- Renting rack space + power

- Renting larger spaces (many racks, or part or all of a whole floor)


The small ISP/phone/cable company I worked for in high school had a data center. Maybe 20 racks. It was pretty damn reliable (old-school phone infra techs knew how to make shit stay “online”). I guarantee it wasn’t above the single-digit millions to build, inflation adjusted.


That example of your small telecom company isn't really relevant here, is it? Signal needs to work well for people around the world.


You can serve tens to hundreds of millions of messaging clients with data centers (plural) that don’t cost billions, even collectively, to build.


You don't have to buy a data centre... You can lease space in an existing facility for almost nothing.


I'd prefer a federated solution, but XMPP doesn't yet have decent support for group chat that doesn't depend on being connected. https://xmpp.org/extensions/attic/xep-0369-0.1.html is still experimental.

Bravo to Signal for being easy enough for my family to use!


Fwiw, I've seen users suggest hybrid approaches. Interestingly it could reduce some of the costs they list here and looks like a route one could take to slowly build towards a fully or hybrid federated system instead of jumping straight there. But I am unsure how much the community likes the idea and judging by that last post it doesn't seem like the mods do. But this one takes note as two users were willing to place a bounty on the feature request

https://community.signalusers.org/t/signal-airdrop/37402


Matrix fixes that issue (and also the issue of the server your group chat is hosted on disappearing). It has plenty of other issues, of course.


What about Matrix?


I've tried a few times. It always felt... clunky?

I tried Element. UI felt slow, I was unable to find notifications in scrollback. Clicking the notification button would take me to random messages.


There are very many clients lighter than Element.


I just checked https://matrix.org/ecosystem/clients/

I'll try FluffyChat, thanks!


I tried it. It looks nice, but audio/video calls didn't work at all between two FluffyChat clients.


I remembered another issue with Matrix.

Signal and XMPP (via Quickly) have a simple phone number based signup workflow that my family have grown used to.

My family are not happy on having to remember/use passwords/keys. That's a shame, but is ultimately a constraint I have to deal with when persuading them to install/use an IM app.


Replying to myself... looks like some Matrix homeservers support OpenID-style login. That's probably fine for family.


>Privacy

That’s a very bold statement from an app that still requires a phone number using a broken protocol (gsm) to “verify” your identity and authenticate it, sim swap attacks can be carried out by kids these days. Also, don’t expect privacy when you are using a proprietary OS like iOS or one full of Google services that also have proprietary firmware drivers, they (the adversaries) don’t need to even decrypt these “privacy apps” when it’s easier to access the backdoor-ed OS or hardware, but enjoy the illusion in the meantime.


I'm always intrigued by people that have this POV. Security and privacy are not binary for fucks sake. Improvement on the status quo is great and Signal improves a hell of a lot.

Not to mention that half of your comment is non-issues.


there's a big social cost to trying to get others to use Signal, and it's not worth it if the advertised features don't work as advertised..

that said I stopped using Signal years ago because of basic deliverability being less reliable than SMS.. I switched back to SMS so I could communicate reliably with a loved one during an emergency when Signal randomly stopped letting me respond to messages, and I won't pay the social cost twice of trying to convince contacts to use it after having to abandon the service when I really needed it.

Actually between Element and Signal and the differences between their usability as advertised versus the reality of using them with non-technical users, I've used up all of my social capital for convincing people to use "better" networks and mostly just use SMS/RCS now.


I understand that. Signal has put in a lot of work since I started using it fulltime and is much more reliable now than it was just 2-4 years ago. The only time I've had issues now is when I'm backpacking in areas with spotty connection. SMS delivers quicker and is more reliable.


Right, so instead of 20 entities tracking you for example now you 18.. the false sense of privacy is far more dangerous than knowing your messages are not private (Like when Tucker Carlson used Signal thinking it was private to find later all his messages were not, regardless if it was a bugged app or an OS, the false sense of privacy is worse, he probably won’t texted those on iMessage for example). Same argument you can see with “vpn is private and we keep no logs because you can trust us!” plus it can be defeated with browser fingerprinting, or paying a hefty price for this “top private email” provider when the recipient doesn’t even use any privacy settings or anything let alone email as a protocol is not meant to be private, it’s all a business model, and the gullible buys it, you “have” to trust that Signal server is not backdoor-ed in real time, and as the old rule in security, if you can access the physical hardware you can in theory access anything in there, you don’t know the hardware is used there, is there any memory injection exploit that get activated after the so called audits? You can’t know, you have to trust that.


I'm honestly interested in what your solution for private communication is that will also get mass adoption among hundreds of millions of users. (And it's definitely not running your own XMPP server and getting everyone to switch to Linux phones).


It's Matrix.


People should be aware that Signal may be able to provide good e2ee and methods to make reading your messages or calls a challenge, they don't do to enough to obfuscate. Therefore censors can identify who is using signal and even block it. https://github.com/net4people/bbs/issues/63

Privacy tools can make you stand out. Unless methods are used to obfuscate your data.


Has anyone tried setting up their own Signal server? Be cool to do this, and then give all your friends the ip for truly private messaging.

https://github.com/signalapp

Seems like all their stuff is open source.


Which app would they all use and from where would they get it? Signal does not (intentionally) support the official app using other servers or the platform itself supporting federation. [1]

[1]: https://signal.org/blog/the-ecosystem-is-moving/


This can be a premium feature. Run your own server and for a little bit of money you can configure your client to use an alternative server. Client code is what make it private and secure, so you want to use their verified client even with your own server.


This makes sense and in the same time it doesn't. You're supposed to pay to use your infra, not theirs?


Offering self-hosted servers would probably just degrade the security guarantees of Signal if people misconfigure them. Doesn't seem to be worthwhile for the Signal foundation to run into this risk of undermining their own reputation for a niche user base who cares about self-hosting.


> Doesn't seem to be worthwhile for the Signal foundation to run into this risk of undermining their own reputation

It's a bit too late for that. They undermined their reputation when they started permanently keeping sensitive user data in the cloud (like a list of every person you contact), and then again when they refused to update their privacy policy which lies to users about their data collection practices, and then again when they killed off the ability to get both "secure" communications and unsecured SMS, and then again when they started adding weird cryptoshit nobody asked for. Signal seems to be telling people as loudly as they can not to use/trust them.


In my mind, the whole point of using Signal is that I don't have to trust the server. Why would it matter who hosts the server if we can trust that the clients' communications are E2E encrypted?


unlikely the people i want to talk will bother setting this up


And the people those friends want to talk to. And the friends of those friends.

To have self-hosted chat services, you either need a niche enough service that you'll never have two parties that would want to talk to each other while being on different servers, or federation. Signal chose the former, so here I am with eight communication apps on my phone.

Maybe the next best thing could be to support multiple servers, like how email clients let you fetch data from more than one email provider, if they're so worried about federation inhibiting their ability to control the ecosystem that they plainly won't go there and hold speeches about how harmful that situation would be. Then we could have self hosting and also Signal wouldn't have to care about federating with my self-hosted server.


Layer it on top of something like Matrix, then?


I mean the idea would be you download the app but use my server instead of of the default ones.


I would pay for a few signal features: 1. encrypted backups or backup integration of my chats, photos and videos. 2. business features (backup, directory integration, search)

I have not used: 1. voice and video

Incredible that SMS costs so much. I wonder if it's worth it because it _saves_ so much in spam and other sorts of fraud or bad behavior?


I have some good news: go into the settings and turn on encrypted backups. The clients also all come with a search function, even if it only matches against start-of-word (which includes URLs, so you can't search for domain names which regularly bothers me).

Directory integration, as in, importing a vcard with everyone's phone number into your device such that you can tap on anyone's name and message them on Signal if they've got Signal installed?


>: go into the settings and turn on encrypted backups.

Fair warning: It will...bloat. It usually keeps 3-4 copies of most recent backups in the folders you select and if you send a lot of photos, imagine it eating tens of gigabytes of storage just for backup.

(My current backups are 9.75 gigs each, approx 3 of them)


The backup option is Android-only.


O.o TIL. That's weird, apple users already have plenty of lock-in and own-data-inaccessibility, but so maybe they figured they clearly don't care? Weird as heck either way

Then what I can recommend is installing the desktop client on a server somewhere and reading its sqlite-like (but with some flaky encryption extension) messages database


Understood, $7 CAD per month are heading your way since I use Signal quite a bit.


I started paying for Signal when they rolled out the subscription feature at the $5/mo plan and after reading this post, I just moved to the $10/mo plan because of how much I value this service since I use it every day. I hope other users subscribe if they are able to do so.


Wish they provided some numbers of actual messages, type etc. per day. Seems like a good game plan would be.

1) Get off the major cloud providers that charge insane egress fees. 2) Remove SMS verification. A simple solution might be the app gives you a code and then you dial in to them and punch in the code to them. Like a reverse voice based authentication. 3) Remove voice and video calling for non donating users. 3) Remove media texting until both users allow a p2p connection. 4) Remove no contact list message hosting for non donating users.

Lot of unpleasant trade offs there. But I would rank having a text based private messaging app as the top feature. Everything else is a "very" nice to have. I applaud what they are doing and the sacrifices that have been made so far.


Removing essential features like voice/video calling for non-paying users would be a terrible choice IMHO. This is a communication app, which means it is only useful if others use it too.

And how are you going to convince others to pay for Signal when there are many free alternatives, including WhatsApp, which most people already have and while not as privacy focused as Signal, does have end-to-end encryption. If Signal makes people pay for voice calls, they will simply use WhatsApp, regular phone calls, or whatever is free and popular at the moment.

The success of Signal came from being very low friction, privacy is the "nice to have" feature, at least for most users. But add friction and they will look elsewhere, Signal is not WhatsApp, it doesn't have enough of a critical mass to keep users on its network.

All that will remain will be a small core of cypherpunks and people who really have something to hide. This is bad because one strength of Signal is that it is a mainstream app, making it hard to single out "interesting" people compared to those who just use it because their geek friend told them to and they like the shade of blue.


Valid but if there is no model that is sustainable then who cares if its successful? Some trade offs will have to be made. How can they keep going if the vast majority of people don't pay? They don't have the model of "ok we are going to flip and monetize after we get to X mass". Its like a growth startup but with no end game plan.


Call to donations, ads, pre-mined cryptocurrencies, selling cosmetics, premium features no free service offers, partnering with other organizations, etc...

They already do some of these, and some are less popular than others, but the key is to keep the essential features free and easy.

On Discord for instance, a free account is enough to cover all of most people needs, but you get a little extra by paying a subscription, and it is enough for Discord to be worth billions. Maybe not the perfect example since Discord has a critical mass, but no one wants to leave just because they don't have premium features (larger uploads, higher resolution streaming, flashy emoji) for free.

For Signal, it seems like just calling for donations is enough. They have a good image, so they can do that. It can actually be a solid business plan, look at Wikipedia, they get more than $100M a year doing that despite the controversy.


About the SMS verification, it depends on the goal. If the goal is to verify a phone number, you can't trust the _sender's_ address in the phone network.

So, you can't trust the address in the "From" on an SMS or the "From" of a phone call.

That means a voice call to Signal would not work to validate phone numbers.


Good point, I guess we are proving why the resorted to using numbers in the first place. Unless you have a verification point that includes a "charge". Indirect or direct, your platform gets flooded with spam/bots. Does anyone have ideas of how this problem can be solved while also preserving privacy?

Problem: A system that enforces a monetary penalty to prevent sign up abuse while also not tying a users identity to said system.

Without doing some pain in the a crypto stuff it seems like there are no easy solutions other than the #


You can charge for SMS. You send a message to signal, charged at an amount to cover the return message which contains a code.


does the dial-in suggestion work? Seems like spoofing phone numbers is trivial, while spoofing numbers for inbound SMS is harder.


> Get off the major cloud providers that charge insane egress fees

At on demand prices, yeah. But companies of sufficient demand can enter into volume discount programmes.


> Get off the major cloud providers that charge insane egress fees.

And run their own DCs? Cool, they'll just need a lot of upfront capital aaaaaand they're back in the "need money" boat. Except more so.


There's a ton of options between paying premium cloud prices on egress and running your own data centers.


Signal is centralized, expensive, and desperate.

It results in decisions like this:

1. MobileCoin premines 250m coins

2. Moxie is paid for being on their board

3. Moxie directs non-profit Signal to integrate MobileCoin

4. MobileCoin offers 50% of their premine for sale.

5. Signal/Mobilecoin news spikes price to $60

This is why we need decentralization.


"Registration Fees: $6 million dollars per year." "the registration fees that cover the delivery of verification codes during the sign-up process to help verify phone numbers and prevent spam accounts"

Can you please change Signal to not require a phone number? Requiring a phone number makes me question Signal's privacy. Looks like it can save $6 million dollars.


I am imagining a donate page in the app that incorporates this willingness to be public about the costs.

It offers a way to configure a recurring donation for whatever amount and whatever schedule you want. $100/year for instance, but as you slide the slider or enter a number, it shows you if that number leaves Signal in deficit, covered, or surplus, if all other users who are currently paying anything paid this much.

Instead of just trying to suggest an amount with no explaination of what it means, is $5 still leaving them starving? is $5 5x more generous than needed? You still get to use it for free. But if you are of a mind to be one of the ones chipping in to keep it alive, you see exactly what is the right amount.

When 10k people are paying for 10m other people, that "covered" amount may be pretty high, apparently 5x what the average donater is currently paying. (article says it's 20% of total)

But with that little bit of non-repulsive non-abusive game theory, just honest information but presented in an immediate way, a lot of those other 10m users would start to chip in, and the covered amount would come down. Some users will say, well, I can swallow 5x what I was paying, and others can just leave their donation level in the red. But I think a lot more people would go from 0 to a few bucks if they could see exactly what it means and know that it wasn't a waste.

Maybe the donate function could even have a setting track the current covered value automatically so that your bill automatically comes down as other people start adding to the pool.

Also have it display the 3% or more transaction fee overhead going to the debit card and other payment processors, to show right there graphically how much you're wasting by paying a small amount monthly vs a large amount yearly. Everyone always hides that but I say show it prominently.


Total salary bill: $20m. 50 staff so average salary: $400k. I'd be happy with $200k USD - that's more than I get paid in my country at current exchange rates.


I've actually posted Signal's tax return before, but a great thing about US nonprofits is the tax return is publicly available from the IRS website: https://apps.irs.gov/pub/epostcard/cor/824506840_202012_990_...

The last one available is from 2020, though. They tend to lag a few years behind. They're required to report key employees plus top-five compensated who aren't "key." Brian Acton and Meredith Whittaker both earn no salary at all. Their COO got $290 in 2020. Moxie Marlinspike and their top five developers/managers were all in the 400-600 range.

I'm sure they pay well (don't have much choice if you're going to be based in San Francisco), but I highly doubt 400 is an average salary. The expense being reported is total cost of employment, which includes FICA taxes paid by the employer, 401k matches, and probably most notably healthcare, but all benefits and in-kind compensation.


> The expense being reported is total cost of employment, which includes FICA taxes paid by the employer, 401k matches, and probably most notably healthcare, but all benefits and in-kind compensation.

This is incorrect, reportable compensation on a 990 is the amount in box 5 of the employee's W-2, which does not include health insurance, taxes, etc.

https://www.irs.gov/charities-non-profits/exempt-organizatio...


Probably includes taxes, social security, health insurance, etc


I lost interest in Signal when they started shilling a cryptocurrency that they had invested in. I really want a trustworthy replacement to Whatsapp but if I'm going to shill an app to people I know, it can't be something that has connections to investment fraud.


I would say that is the only mistake they have done during their existence.


Paying over 100 USD per 1 TB of data transfer is just stupidly expensive. That's insane pricing...


There they go, saying Whatsapp is using their tech without proof they haven't tampered with it. Doing propaganda for proprietary shovelware.


Every thread that Signal is mentioned, we relish this comment :)


Guess who created WhatsApp.


I've loved Signal. It's been the only consistent way I've been able to send and receive high-quality pictures and videos at all. It's been the only way I've been reliably able to send texts when I'm in an area with poor reception, which is frequent.

The privacy is nice and it's been simple and easy to use.

I hope they stick around. Everyone likes to bash more privacy oriented companies if they aren't absolutely 100% perfect in every single way, but IMO perfect is the enemy of good and Signal has been very good.

The hardest part has been convincing people to use it, and if I have to get people to jump to another one it'll all just fall apart.


> Everyone likes to bash more privacy oriented companies if they aren't absolutely 100% perfect in every single way, but IMO perfect is the enemy of good and Signal has been very good.

Signal has not been good. The absolute least we should expect from any "privacy oriented company" is that they're honest and fully transparent about the data they collect and store, and Signal is none of that. Since they started collecting and forever storing sensitive user data in the cloud they've refused to update their privacy policy to alert people to that data collection.

If you advertise your service to human rights activists, journalists, and whistleblowers whose freedom and/or lives are on the line you owe it to them to be extremely clear about what their risks are by using your service, but Signal outright lies to them in the very first line of their privacy policy.

This isn't "perfect being the enemy of good" this is either a massive dead canary warning people not to use/trust Signal, or it's completely immoral and irresponsible.


Every single time I've seen Signal asked for data in a court case, they've basically handed back a unix timestamp of when the account was created and said "that's all we have". Or it was last access time, I could have misremembered.

Either way, that seems quite good to me.


You're right, that's how it used to be. They still have pages on their website bragging about times when they didn't have anything to turn over because they didn't keep any of it. A while ago that all changed. They started collecting and forever storing in the cloud the exact data those requests were asking for. Lists of everyone you've been contacting, along with your profile data (name, phone number, photo).

https://community.signalusers.org/t/proper-secure-value-secu...

If you're a Signal user and this is the first time you're hearing about this, that should tell you everything you need to know about how trustworthy Signal is.


The technical info in that community form is a few notches too technical, I work in a different knowledge base.

If someone broke down what the timeline was, what new info is being stored that wasn't before, how that is known, and how Signal has responded, etc, then that would be useful.

I'll admit it doesn't seem great. Phone number I understand, but name and contacts are more concerning.


There's a good article on the topic here: https://www.vice.com/en/article/pkyzek/signal-new-pin-featur...

Note that the "solution" of disabling pins mentioned at the end of the article was later shown to not prevent the collection and storage of user data. It was just giving users a false sense of security. To this day there is no way to opt out of the data collection.

There's a lot more information about it in various places, but Signal went out of their way to be as confusing as possible in their communications so it caused a lot of people to get the wrong idea (see for example https://old.reddit.com/r/signal/comments/htmzrr/psa_disablin...)

The forums were in an uproar for months asking Signal to not start collecting data or at least give people a means to opt out. Here's a good thread with links to a bunch of the conversations people were having at the time: https://community.signalusers.org/t/mandatory-pin-is-signal-...


I know it's unpopular to say this on here but Signal will never be popular as long as they don't add basic features that all other messaging apps have.

- If you lose your phone or it no longer boots, all your messages are irretrievably lost. There's no way to create backups on iOS. Why the hell can't I enable iCloud backups? I know it breaks privacy in some ways but let me choose the trade off. Put a giant warning if you have to.

- The desktop app is awful and requires signing in again all the time. See the Telegram Desktop app for how to do it better. In my opinion it should be the gold standard for desktop messaging apps

- Desktop app keeps losing message history

As long as Signal treats all messages as if they're so important that even super spies should not be able to read them, and as a result, goofing usability in a way that standard features don't work, I 100% understand that the majority of people won't use it.


I admire Signal and everything they do. Basically Software-as-Charity, for the greater cause. Now knowing this charity is actually millions drives me nuts. I hope the less expensive solution can be achieved in decentralization of the whole thing. Im sure it is possible to sustain it ourselves as a public service forever if everyone involved will have to pay with his personal computing resource - just like we are able to sustain decentralized finance now. And of course - the idea of a phone number as identity is very much flawed and unsustainable on itself, hopefully Signal team will be able to break through this problem as well


When will they finally get their donation box working properly (including not showing "weird" symbols, when Google is not informed about my visit by loading fonts from them)? Tried multiple times to donate, but I am unwilling to sacrifice my privacy for donating to a messenger that is supposed to protect my privacy. Once they get that donation box fixed, they stand a good chance to get my donation. Just like the Internet Archive, that still has broken donation box when Google fonts is not loaded ...


2 ideas to limit costs: Make it a 2 tier plan: free tier is text and images only, paid tier adds audio/video calls Remove the need for phone number verification

I'd be happy to pay 10 bucks a year for Signal.


They do that and everyone moves to WhatsApp or Telegram. Your comment ignores the whole private chat app landscape.


I find this surprising:

> As a small nonprofit organization, we cannot afford to purchase all of the physical computers that are necessary to support everyone who relies on Signal while also placing them in independent data centers around the world. Only a select few of the very largest companies globally are still capable of doing this.

Signal may be “small,” but they’re spending plenty on this. Registration is expensive and hard to do without using one of the large expensive providers. But there’s $7M for servers, storage and bandwidth. These are comparatively easy: servers and storage (especially for a service like this where availability for the substantial majority of the data is not terribly important) come in nice pre-manufactured boxes that can easily saturate 10Gbps and can store quite a few TB at very very high IOPS. [0]. And the forwarding model isn’t very latency sensitive - several hundred ms for most users is fine, and sending media via Signal is quite slow regardless. So having many points of presence doesn’t seem terribly important. I bet that two small colocated facilities could cover all of North America quite nicely.

Bandwidth costs outside the cloud world, at least in North America, are comically cheap compared to the major clouds.

[0] A service like Signal ought to need relatively little processing compared to bandwidth and storage for the data plane. AWS and the like may not have a particular good match in their catalog for this use case.


I wish I could use signal without a phone and phone number. Otherwise it is useless to me.


Is it possible to self host signal? Can signal move towards a model like the fediverse where the software development is decoupled from the hosting costs?


They are actively working against self hosting, which is why I want matrix to succeed and signal to die


I donate to signal, and use it frequently. But I would much prefer for the app to simply charge users rather than beg for donations. Even better would be to charge users in a way that reflects the costs.

For instance, maybe verifying a new number over SMS should cost $0.10 if that's going to make up 14% of the operating costs.

Begging for donations to subsidize excessive use by other users just doesn't seem sustainable.


> I donate to signal, and use it frequently. But I would much prefer for the app to simply charge users rather than beg for donations.

Hard disagree. If you charge, the number of people who will use it shrinks by several magnitudes, and then you lose your network effect, you lose the ability to get your less technically inclined friends to install it.


I would certainly prefer the donation begging - chance of getting family and friends to use it with an upfront cost: 0.


How are you going to charge users $0.10? Micropayments is a huge unsolved problem.


Buy 50 invite codes for $5


Yes, let’s tie every user of this privacy-focused messaging platform to a credit card number.


P2P alternatives are less convenient (always on to deal with notifications, adding contacts typically requires extra steps, etcetera), but the difference in costs is abysmal. In any case, it's been years since I've tried to make my social circles move to any of those platforms (Briar, for example). It's a losing battle.


> Signal spends around $2.8 million dollars per year on bandwidth to support sending messages and files (such as photos, videos, voice notes, documents, etc.) [...] At current traffic levels, the amount of outbound bandwidth that is required to support Signal voice and video calls is around 20 petabytes per year (that’s 20 million gigabytes) which costs around $1.7 million dollars per year in bandwidth fees just for calling, and that figure doesn’t include the development costs associated with hiring experienced engineers to maintain our calling software, or the cost of the necessary server infrastructure to support those calls.

20 petabytes per year is around 5000 Mbps only for audio and video calling. So 5000 HD video calls all year round.

Signal is known for the large bandwidth needed for calling but that sounds too much and not really scalable in the future.


Paying 2.8m for 20pb of bandwidth is two orders of magnitude more expensive than it needs to be. You pay significantly more using cloud hosting providers rather than dedicated server resellers. I would recommend signal consider just renting dedicated servers from providers like OVH for their voice relays.


While I would be willing to pay a fee to use Signal, most people won’t and then Signal would turn into a deserted landscape full of privacy nerds who only talk with each other. On the other hand, being better at soliciting donations more often would be more helpful. I’m a regular Signal user and didn’t even know I could donate.


I thought this was an article explaining how they move out of the cloud and saved millions using bare metal servers.


> millions upon millions of new people suddenly switched to Signal in January 2021 after WhatsApp updated their Terms of Service.

https://archive.ph/wbF3T


Support for Signal development supports all privacy-oriented software and systems, because Signal is open source.

The Signal Protocol already is an industry standard. What other Signal development - either the components, the code, or the concepts - are used by others?


The only issue I'm aware of is that The Signal Protocol is only really defined in Signal's GPL'd code. So it's almost impossible to write a clean room implementation (e.g. Wire tried and ultimately failed. they ended up also GPL-ing their library).


It's used by many major services, such as WhatsApp. How could it be that hard to define and implement?


I feel like investing in p2p approaches and having people donate spare server capacity might be better. For example, relay calling was p2p in the original Skype and worked well. Apple private relay is a similar concept whereby there are two intermediaries to make things private. It gets trickier since in mobile land you can’t run servers really, but I feel like the Signal population has enough spare capacity to offload bandwidth and stuff and could be an easier sell than “please give us money”.

For the sms verification, I feel like forcing the requester to do some bitcoin mining for you could potentially pay for itself.


As a counterpoint imagine instead if the cost of messaging went from $50 million per year to the even more lean $0 per year.

Messaging operations are expensive because they need servers to route your traffic. They need to route your traffic to navigate around the restrictions of IPv4 NAT. In a world of IPv6 there is no NAT (but firewall restrictions still apply).

I have created a relationship model that solves for privacy without need for third party servers and then routes messages based upon that model, but it’s limited by IPv4.


Signal should be able to bring in some revenue other than donations. Premium features that don't compromise the privacy? Premium stickers? Extended emojis only if one paid $1 etc.?


If you really wanted to talk to somebody in a "non-decryptable" fashion, could you set up like a channel that encrypts itself with a ton of different encryption methods, keys, etc. (encrypted payloads inside each other)

Signal encryption is its main feature (I think) and how easy it makes it (abstracts handling key transfer and all that), I'm just trying to think through... if I wanted nobody to read what I was saying , would I use an app/target as popular as Signal or something homegrown?


You don't need multiple security protocols (and in fact that is almost always a bad idea). You just need one good protocol and a way to securely exchange the keys. What signal solved for the most part is the secure key exchange.

If you want to talk to one person, you can give them a USB key in person with a set of crypto keys and then use that to encrypt your messages over any transit method and it will be secure.

The hard part is the key exchange.


It's a bit off topic, but I've wondered the same.

We could stack a hundred layers of encryption algorithms, and if just one of them works, then the whole stack is secure.


You could, but you'd be adding complexity to solve a mostly non-existent problem. Security is rarely broken because the algorithm itself is broken. It's usually because one end has a key logger or other vulnerability. Or they are literally storing the unencrypted text in an unencrypted data store after reading it.

In the meantime, the added complexity adds new places for errors.


Yep, people who think about messaging security as a problem of sending data from one computer to another are missing a huge part of the attack surface. To fully understand the entire problem set, we need to consider the entire pathway from one human's brain to another.


I think the biggest risks for most people are going to be around key management, social engineering, and exploitation of terminal devices (i.e. if somebody has compromised your device running signal and can observe the message before encryption or after decryption).

More layers of encryption doesn't really solve those problems.


lots of drug traffickers went with something homegrown (Anom), which turned out to be an FBI front. they'd have been a lot safer sticking to Signal. and you can audit the Signal client's source code, which is enough to verify its secrecy.


They could use a free plus subscription model for really pro features, like “extra privacy”, “faster sending speed”, “create bigger group rooms”, these are bad features but you get it


As soon as there is “extra privacy” for a premium, I would ditch Signal immediately. It’s either provate and secure or it’s not. Certain things cannot be half measured.


Not having to rely on a phone number would be extra privacy.

They are stuck with SMS though because it's a costly... signal that prevents spam.

(Sounds like an opportunity ??)

But then this might solve the funding issue for them, but being tied to most payment systems would only somewhat improve the situation for the users.

I understand now why they dabbled with cryptocurrencies (Monero having proved that these can be anonymous short of having NSA levels of computing power ?). I haven't been keeping up, how did that work out ?


Or the extra privacy could be the current misfeature where you can't properly sync messages across devices. No reason to ditch over that?


I would pay a subscription fee if only to get back SMS capabilities.


Maybe I'm the only one here but this so-called "transparency" in the form of a single blog post doesn't instill much trust in me. I have been an avid Signal user since the TextSecure days and still recommend Signal over any other messenger. However:

- There were times (e.g. during the introduction of MobileCoin) when the Github repositories hadn't seen any update for months, while they were still releasing new app versions on a regular basis. Heck, last time I checked there were not even public changelogs for any of the apps. Calling Signal "open-source" is a stretch at best.

- The Signal team time and again has failed to react to criticism of the usage of Intel SGX, or of how they completely messed up the introduction of the Signal PIN. And let's not talk about MobileCoin. Yes, being "open-source" or "nonprofit" doesn't imply they need to ask their users for permission or respond to every complaint. However, a minimum amount of openness and debating critical features in public would go a long way here.

- I would like to see some transparency regarding the overall foundation and corporate structure, beyond just silently filing form 990 years with significant delay. For instance, it seems Brian Acton can elect and dissolve the entire board just by himself[0, 1]?

Long story short, before donating to Signal I'd like to see a proper and continuous commitment to transparency, not just a once-in-time blog post.

[0]: (German) https://www.spektrum.de/news/mythos-signal-licht-und-schatte...

[1]: https://projects.propublica.org/nonprofits/organizations/824...


appreciate their transparency, but boy do their devs make a lot of money. their 2 highest paid engineers make around $750k USD yearly. I guess if that's competitive good for them, I'm mostly jealous.

https://projects.propublica.org/nonprofits/organizations/824...


I just tried donating at https://signal.org/donate/

It seems that with uBlock origin enabled in Firefox, I was unable to fill out either of the 2 donation forms on the page. It wouldn't let me fill in my Name in the first form, nor would it let me enter a custom amount in the 2nd form.

Disabling uBlock origin seems to resolve.


"We estimate that by 2025, Signal will require approximately $50 million dollars a year to operate—and this is very lean compared to other popular messaging apps that don’t respect your privacy."

Kind of Exaggeration to say that the other popular messaging apps don't respect your privacy.. all of them do, some more, other less, just not all of them have it as their main feature.


I always wonder what is the level of safety of Signal fron state level actors. Signal uses telephone numbers as user IDs + sends those verification SMS. Also 50 employees? So how many are monitoring the infaratructure 24/7 (on a side note, a project with 50 employees is probably still better than those with thousands - what do those people even do).

If the data leaks somehow, telephone number as ID sounds very bad.


> As a small nonprofit organization, we cannot afford to purchase all of the physical computers that are necessary to support everyone who relies on Signal while also placing them in independent data centers around the world.

This is really the crux of the problem. ~$3M of servers per year is more than enough to start purchasing hardware, I wish there were easier ways for people like me to participate and help Signal on the cheap.

As someone who participated in the builds they complain about being expensive (and ignoring their , I don't think it's a function of centralization or "troubling" as much as it is practical. Meta, Google, etc all have many billions they could be saving if they could figure out how to make it cheaper too.



I know they have a Paypal account but I can't find a link via their site. I found https://www.paypal.com/US/fundraiser/charity/3675786 on Paypal, but I'm not sure it's legit.


Ok, have they decoupled my identity from my phone number yet?

I mean, to donate to them I'd have to use it. I don't need another WhatsApp.


almost, usernames and phone number privacy are in testing now


That’s only phone number privacy from other users. Registration would still require a phone number, which is what GP seems to be unhappy about.


I don't see the point of all that encryption when the ends of a conversation are tied to publicly available info like a phone number.

Do you think $SECRET_POLICE will care that they can't decrypt my messages when they know I have exchanged said messages with a known dissident's phone number?

$SECRET_POLICE doesn't do innocent until proven guilty.