back to article Signal boost: Secure chat app is wobbly at the moment. Not surprising after gaining 30m+ users in a week, though

Signal is experiencing a partial outage as tens of millions of netizens flood the free secure messaging service. Texts sent via its iOS and Android apps are delayed or not getting through at all; we've had very mixed results using the platform today. On the desktop side, our vultures have struggled to pair their phones with …

  1. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    Myeah, amateurish programming and all that...

    1. diodesign (Written by Reg staff) Silver badge

      Oh, hi Mark

      1. Claptrap314 Silver badge

        You owe me a new keyboard...

      2. Anonymous Coward
        Anonymous Coward

        Hi Chris!

        Not the same AC as above (as you know) but I wonder if the site biting the hand that feeds IT would care at one point to clear up the discrepancies between public statements by those involved with the Signal venture and the public record?

        I had a long post which I just sadly lost in a computer crash (I should have put the fans back in), but briefly, what I know:

        Signal is an application and service provided by Quiet Riddle Ventures LLC, founded in California by Michael Benham, which nowadays goes by the nautical name of Moxie Marlinspike (he actually made that his legal name four years ago). The guy jumped to internet "fame" by publicising a flaw in the SSL implementation used by Microsoft (and KDE). The flaw was known beforehand, he might have accidentally rediscovered it or just decided to take credit for it, I don't know.

        After that and a couple of other SSL implementation curiosities (note: nothing in the actual cryptography), he kept his attention grabbing habit with Googlesharing, a proxy that purported to anonymise your search queries so that Google couldn't get your data (but he could, though he forgot to mention that). The site got shut down by Gandi when they noticed that he had provided fake WHOIS and contractual details.

        Then he got an interest in instant messaging and created the first version of Signal, called Red Phone, which was sold to Twitter about ten years ago.

        With the money from the sale, he hired a couple of devs and started working on Signal (I don't know if the guy can code or how good he might be at it).

        Eventually, Brian Acton (the junior partner in the Whatsapp venture) got involved. He set up a foundation, of which he is the sole member, to which he issued a promissory note for US$105M. It pays for the development and operational costs of the Signal service. Its burn rate is around $8M to $10M per year (see the foundation's tax filings for exact figures), which mostly go towards paying Twilio (SMS service) and Amazon AWS (hosting service) bills, as well as the seven or so developers that Quiet Riddle Ventures had as of a couple of years back. I expect they're a few more now as a former associate of Acton, a recruiter, also set up shop literally a couple of doors away from Quiet Riddle.

        Crucially, the foundation pays for the bills but it does not own Signal. That is owned by Benham himself through his company. Bizarrely, at one point they were using the name Open Whisper Systems as the supposed entity behind the startup, but there never was a legal entity of that name neither in Delaware nor in California, as far as I'm aware.

        In summary, we have two guys who have helped develop and sold instant messaging applications to Big Tech players retracing their footsteps with another startup. Nothing wrong with that. But I find their sales pitch incredibly dishonest: their service is literally identical to Whatsapp and offers the same exact degree of privacy (or lack of it). Everything indicates that they are planning to make an exit in 5-10 years (judging by the foundation's capital and its burn rate) and that their product is their siloed, non-anonymous (that's why the need for a phone number) audience.

        Honestly, I think the Register could do a good job of digging a little bit more into this and presenting the real story, as it were, instead of just rehashing press releases and copying Twitter posts. Sooner or latter someone will.

        PS: I also do not understand why this is presented (such as in this article's headline) as a "secure chat app" when it is neither more nor less secure than say Whatsapp.

        1. This post has been deleted by its author

        2. FlamingDeath Silver badge

          Never underestimate...

          A Hipster

          The “Oooooohh shiney” feeling they get, is too much for them to just ignore, and when they see the flocks of humans moving in a single direction, FOMO sets in and they’re practically ejaculating over themselves at this point

          Seen it before many times, and will carry on seeing it well into the future

          1. Twanky

            Re: Never underestimate...

            '...they’re practically ejaculating over themselves at this point

            Seen it before many times, and will carry on seeing it well into the future.

            Ergh. Mind bleach please.

        3. Zakhar

          Exactly! Why do people take for granted statements of "privacy" when the first thing those "apps" do is ask for your mobile number.

          1. censored

            Because...

            That phone number isn't linked to a name, a location, a username or any other kind of indentification

            1. Valheru

              Re: Because...

              Reverse lookup of personal details by using a phone number is Hard?

              I estimate it is a hardlink for 99% of active numbers.

            2. Anonymous Coward
              Anonymous Coward

              Re: Because...

              > That phone number isn't linked to a name, a location, a username or any other kind of indentification

              Yes it is. Anyone (such as yourself, or Signal Messenger LLC) can buy that info, quite inexpensively, from any of a number of data brokers such as Venntel, Predicio, Sygic, Complementics, etc., etc.

              If you have ever installed Signal, the company (yes, company) behind it can, by getting a subscription from one of the above vendors, know exactly who and where you are, in almost real-time. Even if you have subsequently uninstalled the application.

              By the way, those companies sell their data to government and security agencies too: https://www.wsj.com/articles/house-investigating-company-selling-phone-location-data-to-government-agencies-11593026382

              1. Ken Moorhouse Silver badge

                Re: Yes it is.

                Arguably stolen phones would be in demand because they come ready supplied with an identity already configured on them.

              2. Anonymous Coward
                Anonymous Coward

                Re: Because...

                But how do those (ugh) "data brokers" know who a phone number belongs to?

                In civilised countries (ie, not the USA), the only company which ought to know who a mobile phone number belongs to should be the user's mobile network itself (and, in the case of PAYG SIMs, they might not even know that).

                Although, I guess with Android and iOS, at least, the phone number inevitably gets linked to your respective account id (which could still maybe be a pseudonym, or could it?). Hmm, but still, if it's somehow legal for Google/Apple in the USA to leak your phone number + registered identity to (other) data harvesters, that's sleazy as hell, and something that hopefully nations who do have strong privacy laws to protect their citizens' rights (and strong privacy organisations) should be taking an interest in...

                1. doublelayer Silver badge

                  Re: Because...

                  There are several mechanisms that can be used, each with dubious legality at best.

                  1. The mobile companies sell it to them. This is often not legal, but doesn't get investigated. Even the U.S. holds this to be illegal, but although it has been documented repeatedly, nobody with the authority did anything more than complain.

                  2. When a phone number and name are supplied to businesses, the businesses package up the data and sell it. "Brokers" purchase the databases, cross-reference for accuracy (or refrain from cross-referencing for size), and sell the result on. This is illegal under the GDPR, but may not be in other countries. It might get investigated in Europe if they ever decide to get moving on that, but the businesses which do it often don't advertise that and the people selling the databases are usually sketchy places which don't disclose their sources.

                  3. When a phone number and name are supplied to businesses, the businesses don't sell it to anyone but also don't secure it properly. Someone breaks into their system and leaks the data, and others find the leak, add the data into their database, and sell their database. As long as it's not them who did the hacking, they're on slightly better legal footing. Still, it's not exactly condoned, so they still stay low-profile.

                  Other methods of collection are available.

    2. mmm_yeah

      I mean, it’s been more than a year and their “Unregister From TextSecure” form is still broken.

  3. Anonymous Coward
    Anonymous Coward

    Err what's the business model here?

    1. Michael

      not to be a business

      From the signal website: "Signal is an independent nonprofit. We're not tied to any major tech companies, and we can never be acquired by one either. Development is supported by grants and donations from people like you."

      1. This post has been deleted by its author

        1. This post has been deleted by its author

          1. Doctor Syntax Silver badge

            Re: Also Frank Colon 780th Military Brigade, Fort Meade

            Well, we all know what emerges from the colon.

      2. Anonymous Coward
        Anonymous Coward

        Re: not to be a business

        Signal Messenger LLC, a Delaware entity with a presence in Mountain View, California.

        https://www.signal.org/legal/

        Now someone is going to come along to say they must have forgot to update the legal page.

    2. Anonymous Coward
      Meh

      Err what's the business model here?

      Firefox? Wikipedia?

  4. BrownishMonstr

    What's better? Signal or telegram?

    1. Anomalous Cowturd
      Thumb Up

      Signal.

      Never used Telegram, but Signal has improved massively in the last couple of years.

      In years of use, today is the first time it has failed me. No video of the grand-kids for me today.

    2. MiguelC Silver badge

      Telegram has over 500 million users and, although a bit slow sometimes, has been able to cope pretty well with the recent increase in users.

      Privacy wise, Signal offers a better basic solution, as Telegram only offers end-to-end encryption if you explicitly star a "secret chat" and chats are stored on Telegram's servers while Signal says it doesn't keep chat centrally, they're only kept on users phones.

      Feature wise, Telegram had a nicer interface (and more emojis, if that's your thing) and offers a larger file transfer capability than Signal does.

      In the end, it all depends on your own contact list. My own experience shows a 5 to 1 contacts ratio between WhatsApp and Telegram, and again 5 to 1 between Telegram and Signal.

    3. DuncanLarge Silver badge

      > What's better? Signal or telegram?

      Signal, Telegram rolled their own crypto, Signal uses standard, protocols that are actually being researched for vulnerabilities and further development by the crypto community. Also as Telegram is not open source, nobody can start doing that on telegrams use of crypto, we know HOW they do it, they described it openly and even then the old addage of "don't roll your own crypto" rang the warning bells.

      If you don't care about licensing and security and only about numbers then Telegram wins.

    4. Aussie Doc
      Windows

      Optional stuff here

      Yes.

    5. Chris G

      I have been using Telegram for two or three years now and find it useful. Where I live the signal is too crappy for VOIP but it sends messages and photos flawlessly.

    6. NonSSL-Login

      Depends on what you want. Short version, if you just want basic secure chats with friends or some groups, use signal. If you like all the bells,whistles and pretty stuff + more functionality and not so worried about security/nasty threat actors, use Telegram. There is nothing to stop you using both and getting the best of both worlds.

      Signal is encrypted with end to end and does some neat tricks to store any data it has to in a way that signal can't read it itself. Its great as a replacement SMS program but obviously only msg's send from other signal users will be encrypted so it relies on more people on it to be more useful as an encrypted SMS replacement.

      Signal only recently introduced groups and while the feature is pretty basic, it works just fin for group chats. Encrypted voice calls work ok too as long as you have a decent data connection.

      Telegram isn't as secure by default as Signal (doesnt encrypt one to one chats unless you manually set it as a private chat) but has more features. Lots more animated stickers/icons if you like that kind of thing in your chat but where it stands out is the extra things you can do with it, especially in group chats. Polls, bots that do things. An API so you can create your own bot/do your own thing which relates to whatever interest you have.

      Telegram has introduced some features Signal had like messages that delete after however long you set. Good for security in case someone got psychical access to your phone to read your messages but also as a way of keeping your phone and chat clean.

    7. Anonymous Coward
      Anonymous Coward

      > What's better? Signal or telegram?

      There may be other options, such as your own XMPP server with OMEMO-enabled clients followed by some other distributed XMPP server with OMEMO-enabled clients. Comms and use of the 'net doesn't have to be only via centralised guardians.

      Jabber (xmpp) is extensible too, and allows voice and video chat, fully end-to-end multi-user chat etc.

      1. Anonymous Coward
        Anonymous Coward

        The fact that the gentleman posting the only long-term viable solution got downvoted says much about the sophistication of the audience here. :(

        1. Martin an gof Silver badge

          Why is roll-your-own a more viable long-term solution than Signal?

          M.

          1. Anonymous Coward
            Anonymous Coward

            Roll your own? Care to explain? Apologies if I misunderstand but your question sounds like "why bother with email when there is GMail".

            XMPP is an open, extensible (hence the "X"), and battle-tested (literally!) protocol that is implemented in hundreds if not thousands of solutions (starting with Whatsapp itself).

            Whatsapp, Facebook, various game developers, and Apple (and Google and many ISPs back in the day) managed to successfully run XMPP based solutions for millions of users. This guy's "roll your own" messaging service doesn't seem to have been quite as resilient.

            I won't mention the advantages of there being an actual specification for the protocol and a process for getting extensions into and out of it, etc.

            1. Martin an gof Silver badge

              Bear in mind that I'm more of an interested user rather than a hard-core hacker here, but if XMPP is just a protocol, you need to find a messaging app which uses XMPP - or create your own - before it's of any use for anything much. All the names you have mentioned are no-go in this scenario for various reasons. Some years back I did look at Jabber, but I wasn't in a position to spend the time on it back then.

              I get that XMPP is in some ways a secure, extensible replacement for email, but unless the people you wish to communicate with also have a client which talks XMPP it's not much use. Simply saying "install Signal" is easy in the same way that "install Twitter" is easy, whereas "well, here's a list of XMPP clients, you might find one you like" may be one of the reasons fewer and fewer people are using email on a personal basis these days - compared with messaging apps, email isn't easy for Jo Public.

              Anecdotal, I know, but I am struggling to think of more than three or four of my friends who actually use traditional email, that is a "client" on their device for personal emails (as opposed to work), rather than simply relying on webmail.

              That said, I'm going to set aside some time in the next week or three to audition some XMPP clients and look into adding an XMPP server to the Pi that runs my email server. Any suggestions for Linux and Android clients?

              M.

              1. Captain Hogwash

                Android: Conversations (or forks Conver6ations, Pix-Art)

              2. Anonymous Coward
                Anonymous Coward

                I also recommend Conversations for the Android client. On the server side, a couple of years ago, i tried out Ejabber, Openfire and Prosody and choose Prosody for the lightweight resource requirements (no Java) for my Raspberry Pi 3B+, then serving 6 users alongside a Nextcloud install serving 2 users.

                Downside - file sharing within group chats are quite limited - pictures, emojis and stuff work just fine but video transfers only work within person-to-person chats and only if they aren't too large.

                1. Anonymous Coward
                  Anonymous Coward

                  > video transfers only work within person-to-person chats and only if they aren't too large.

                  Just tested. That's not correct (and it wouldn't make sense for it to be, as the video is just another file served via HTTPS).

              3. Anonymous Coward
                Anonymous Coward

                > Simply saying "install Signal" is easy in the same way that "install Twitter" is easy, whereas "well, here's a list of XMPP clients, you might find one you like"

                Install Quicksy.

              4. Anonymous Coward
                Anonymous Coward

                > email isn't easy for Jo Public.

                Nothing is easy for those who don't make an effort. Writing isn't easy. Maths isn't easy. Moral dilemmas aren't easy. That's why we learn. A person who does not know who to use a computer in 2021 is functionally illiterate, and unless they suffer from a mental or physical disability, that is their choice.

                We must not make it acceptable or justifiable for illiterate by choice Joe Public to say "I won't do it because it isn't easy".

                1. Martin an gof Silver badge

                  (taking a slightly Devil's Advocate stance here...)

                  We must not make it acceptable or justifiable for illiterate by choice Joe Public to say "I won't do it because it isn't easy".

                  Sorry, but we're already there. For most people under 30, and many older ones these days their personal computing device is a smartphone. Not a tablet, not even a laptop and certainly not a desktop. Some people don't even bother with a fixed line internet connection (unless they want to use Netflix on their TV or get it as a bundle with Sky or Virgin), which is a double-win because if you have a mobile phone, why would you want a landline?

                  Why do you think laptops have been in short supply these last 10 months? Because people didn't already have one, or had an old laptop that couldn't cope with Zoom, Google Classroom or Teams. Or maybe they had just one "family" iPad, but two school age children. One of the biggest selling categories (anecdotally)? Chromebooks. Schools' biggest headaches? Online lessons really don't work very well on a smartphone and "live" online lessons eat data allowances like Billy Bunter asked to guard the headmaster's birthday cake by a trusting cook, so vast numbers of laptops - mainly Chromebooks - and large numbers of 4G modems have been handed out because many pupils only have access to a smartphone, and some only have access to the internet via that phone. Up until now it hasn't been a problem.

                  I digress. Current WfH requirements aside, for the vast majority of what Jo Public wants or needs to do "online", a smartphone is sufficient and a Chromebook is luxury. Web mail is sufficient for setting up shopping accounts, receiving password changes or communications from school and is very convenient because it can be accessed anywhere with nothing more than a username and password. You might read your Gmail in a client on your phone because it all gets set up for you when you switch the thing on, and that's brilliant because it means you don't miss the important message from the Amazon delivery driver if you are not actually sat at the computer.

                  [Further digression: Who needs a camera or a way of storing digital photos and videos locally when they have a smartphone with instant upload to some cloud service or other. One person I know ditched her PC, where she had been keeping her photos, because she decided an iPad was sufficient. If she takes a good photo she'll send it to Vistaprint or Moonpig or whoever and stick it in an album, old-style! If the digital versions go missing somehow, she doesn't really care, but I have been on the wrong end of calls from acquaintances of "all my family photos from the last year are on this SD card which I accidentally formatted", so perhaps there's something to be said for cloud services.]

                  Ever wondered why you never receive properly-formatted, well-reasoned, gramatically correct and interesting emails from your friends these days? It's because they are writing them on their smartphones using those useless onscreen keyboards which are more suited to quick-fire instant messages. They are only emailling you because you don't use TwitFaceWotzaGram.

                  Instant messaging is taken care of with any one (or all) of the (probably pre-installed) usual suspects, and for everything else you use the pre-installed web browser, i.e. Chrome or Safari.

                  It's only the likes of us who persist with "proper" email clients, who would rather run our own "clouds", who are willing to spend the time and effort to choose the best software for the task rather than simply accept what you are given because "it just works" and who get really cross when flippin' work email sends Javascript from about two dozen different domains*, all of which actually belong to Microsoft, and Teams takes an age to load because it has to be responsive and look pretty, rather than just downloading a few k of text-based emails. I think my point about XMPP has been ably demonstrated above - everyone has a favourite client, and running a server isn't a trivial task.

                  Hurumph.

                  M.

                  *through experimentation I have found that not all the JS is necessary. For example, once you have got to the login page (I think it's three domains before that, depending on whether you have dialled up office.net, office365.com, any of several other Microsoft domains or come in via your organisation's redirection page) there are two further domains trying to run JS, they're called something like msauth.net and msftauth.com, but only one (either one) is actually necessary to get you logged in. In Teams, if you only want to read email, there's no need to allow JS to run from the two (I think) Sharepoint domains, which are where the calendar lives, and so on.

              5. Claptrap314 Silver badge

                How did a conversation talking about secure encrypted chats get derailed to talking about Android?

                1. doublelayer Silver badge

                  "How did a conversation talking about secure encrypted chats get derailed to talking about Android?"

                  Doesn't seem all that derailed to me, but the progression was like this:

                  1. Signal has some downsides.

                  2. XMPP lacks some of those downsides.

                  3. XMPP has multiple clients so may be harder for nontechnical people than Signal, which has one.

                  4. If you were going to choose one to recommend, that runs on Android, which would it be?

                  I don't see people talking about Android in any other sense than what software you'd run on it for secure comms. Since the conversation was already about software for secure comms, and since Signal runs on mobile devices, I don't see anything off-topic.

                  1. Claptrap314 Silver badge
    8. This post has been deleted by its author

    9. Charlie Clark Silver badge

      Horses for courses. Telegram is more user friendly, has excellent desktop apps, and scales brilliantly: it has some of the largest groups on the internet and has recently added audio calls to groups: this makes it much more interesting for me than, say, Zoom. There is some concern about ownership and location of servers: data does get stored on their servers. That said, it's extremely resilient, which is why it's being used in Belorussia to coordinate protests and Russia gave up trying to block it. There are also some concerns about encryption, especially with data being kept on the servers, but at least it doesn't leak telephone numbers like WhatsApp does.

      Signal was designed for security which meant it is less user friendly than others but that minimal data was stored on their server. For example, until recently, you couldn't administer groups or have group calls because groups were essentially chains of bilateral chats. They have since done some very interesting research on zero knowledge group management which means that even you control the server you don't know who belongs to which group. In addition, they have have added support for group audio and video calls (up to 10), which is about all you can do without a server-based solution. The software has been peer-reviewed and the server has survived several subpoenas with Signal demonstrating how little information about users they can provide.

      It's probably worth noting that there are other options such as Threema (costs € 4 one-off, developed and hosted in Switzerland and partly financed by a for suits version), which does not require a telephone number, and Wire, which has also had its software peer-reviewed.

      Personally, I use Signal, Telegram and Threema for different groups. Interoperability would be great but prepared to use the right tool for the job and share as little compromising information as possible whatever the network, because even if you know the information can't be intercepted, you can't always be sure who's on the other end nor what they do with it.

  5. aidanstevens

    I can't stand Signal. It's riddled with problems:

    - clunky app

    - can't set different alert tone for personal messages and group messages

    - rubbish desktop client, can only leave groups or mute people via mobile app

    - messages sometime fail for no reason, especially in large groups

    - more that I can't think of off-hand

    Obviously the Signal protocol is solid because WhatsApp are able to implement it really nicely.

    Telegram has the best feature set in my mind and the UX is SILKY smooth, plus doesn't have irritating group size limits like WhatsApp.

    The Signal changelogs are witty, though!

    1. Spacedinvader
      Thumb Down

      fine here

      what's wrong with a ding?

      desktop for a phone app? meh, discord usually doesn't ding phone if desktop app is open.

      probably the 30m+ people signing up :|

      ?

      1. matthewdjb

        Audio notifications. How quaint.

        1. KarMann Silver badge
          Paris Hilton

          Looks like at least two commentards haven't seen Star Trek Ⅳ.

    2. DuncanLarge Silver badge

      > can't set different alert tone for personal messages and group messages

      Do people still do this? I thought that was a thing people played with when camera phones with midi ringtones came out. Seriously, I have never been able to figure out how to set different notifications for specific apps on most of my recent phones, they just have ONE sound, and options for enabling or disabling the permission for that app.

      1. Stoneshop

        different alert tone

        I would want one particular Signal group and a few individuals to have alerts, but it's all or nothing.

        So, nothing.

      2. VBF

        What an odd thing to say! Have you not looked in the individual Apps Settings pages, or Androids's Settings > Sound?

        I have unique notification tones on my Nokia 6.1 (Android 10) for each of:

        2 different Gmail accounts (standard Mail app)

        Calendar (standard Calendar app)

        Incoming call (my chosen MP3 file)

        SMS -Incoming Messages you can choose from about a dozen tones

        Alarm sound

    3. Anonymous Coward
      Anonymous Coward

      @aidanstevens "I can't stand Signal. It's riddled with problems"

      The solution to those problems is for you to donate a little (and perhaps send a bug report or feature request) so that Signal knows there is real demand from users, and can try to do something about it. Have you?

      I know they have a rich sugardaddy now, but until pretty recently they were bumping along with a skeleton staff, which is why development had been (relatively) slow.

  6. Anonymous Coward
    Anonymous Coward

    Have WhatsApp halted the "privacy" change?

    Rumours have they've halted the change, I saw it from a usually reliable lawyer (OK, I've not counted my fingers) but it was linked to apple.news which I don't access.

    1. Woodnag

      Re: Have WhatsApp halted the "privacy" change?

      It won't be halted. It will be delayed.

    2. JimboSmith Silver badge

      Re: Have WhatsApp halted the "privacy" change?

      They're so panicked in India Facebook/WhatsApp have taken full page adds out in newspapers.

      https://www.reuters.com/article/india-facebook-whatsapp/whatsapp-scrambles-as-users-in-big-indian-market-fret-over-privacy-idINKBN29J146/

      It goes on about privacy and the security of messages but reeks of begging people not to switch/join other services to me. The delay will be to try and reassure users before they all naff off to Signal/Telegram.

      1. quxinot

        Re: Have WhatsApp halted the "privacy" change?

        Ahem.

        HAHAAHAHAHAHAHAHAHA.

        Thank you for sharing that.

    3. Anonymous Coward
      Anonymous Coward

      Re: Have WhatsApp halted the "privacy" change?

      According to the article, it has been delayed in order to "help everyone understand our principles and the facts."

      I think we already understand their principles well enough, which is why people are jumping.

      1. Doctor Syntax Silver badge

        Re: Have WhatsApp halted the "privacy" change?

        It probably translates as "get used to the idea". I suppose one problem for them will be that those who've already left won't bother going back for a few months and once the delay's over there'll be a whole new wave.

        1. Psmo
          Gimp

          Re: Have WhatsApp halted the "privacy" change?

          Google's usual play:

          Roll out the changes, protests ensue

          Rollback, then try again a few months later with cosmetics changes, further protests.

          Roll out a different solution with the changes baked in, migrate everyone across.

    4. Mage Silver badge
      Black Helicopters

      Re: Have WhatsApp halted the "privacy" change?

      But didn't they secretly combine much WhatsApp info not long after acquisition? Yet again a major company lies to get take-over approval.

  7. Chewi

    I did wonder why 4 somewhat unrelated people among my contacts suddenly appeared on Signal within 24 hours. When one of them mentioned Elon Musk, it suddenly made sense. They are comprised of 2 physicists and 2 business leaders!

    To put that in perspective, that's about the same number of new users I'd seen in the previous year. I've been using it for a while. It could be better in places but it's certainly not bad and it's long been my default SMS app.

    1. DuncanLarge Silver badge

      I have been doing the same.

      I found out about signal before it was named signal, knowing that there was a very low chance I'd ever see anyone else use it I have been using it as my default SMS app for the last 8 years. Simply because I prefer having signal read my sms's rather than the default app. Not for privacy reasons, but back then there were many security vulnerabilities in android surrounding SMS and MMS and the default app was the usual target.

      1. Anonymous Coward
        Anonymous Coward

        > back then there were many security vulnerabilities in android surrounding SMS and MMS and the default app was the usual target.

        Which was good, because if they had targeted signal (text secure as it was back then) all they had to do was read the Android logs, as a plain text copy of every message was being dumped in them. Guess how the 'respected "cryptographer"' reacted? https://github.com/signalapp/Signal-Android/issues/127

    2. Anonymous Coward
      Anonymous Coward

      I respect Mr Musk for his marketing and business acumen and for being, so I understand, a competent engineer, but honestly, is taking advice via Twitter post really a good idea?

      Though some business owner in Texas says thank you all very much:

      https://www.cnbc.com/2021/01/08/elon-musk-boosts-signal-app-signal-advance-stock-jumps-1100percent.html

      1. Anonymous Coward
        Anonymous Coward

        re: I respect Mr Musk

        You are a pedo-guy. Respect that.

    3. Mage Silver badge
      Black Helicopters

      Lack of ethics and trust

      I was a bit disturbed when I realised that the Email Client on Android is really a shell on gmail and all the credentials for the pop3 or imap are actually being used on a google server.

      So then I looked at the only SMS client on most Android phones and read about it. Google Messages. Maybe best replaced by Signal or a dedicated SMS application.

      Google can't be trusted. It's time they were forced to divest of Android. They don't do wardriving (WiFi) when doing Street View because (a) They were caught. (b) With Android, Chrome and Chromebook they don't need to.

      Google are not trustworthy enough to own Android, Chrome and Chromebooks.

      Zuckerberg isn't trustworthy enough to own any Apps. Or even Facebook.

      We have a problem.

      1. Anonymous Coward
        Anonymous Coward

        Re: Lack of ethics and trust

        You are aware that the messaging application mentioned by this article insists on using Google Cloud Services? And it calls itselflets itself be called "secure".

      2. Anonymous Coward
        Anonymous Coward

        Re: Lack of ethics and trust

        If you don't like the fully-Googlified version of Android (and I don't blame you), and you don't want to go iOS (about which I still have some doubts, relating to Apple's increasing enthusiasm for you to copy everything to iCloud rather than back things up locally under your own control), possibly the (awkward to search for) de-Googled privacy-focused eOS fork of Android might be worth a look?

  8. Dan 55 Silver badge

    GDPR

    It seems European area (EEA and UK) users will not have their data shared with other Facebook companies, and I've read the net effect of this is no change European users. So far it seems nobody's done a before and after privacy policy diff to confirm this (this is something Facebook should be providing anyway to assuage fears).

    But if this is true then it's a spectacular own goal from Facebook, there've screwed up the communication so much there's a stampede of privacy-minded European users leaving for other platforms for no reason at all.

    1. JimboSmith Silver badge

      Re: GDPR

      But if this is true then it's a spectacular own goal from Facebook, there've screwed up the communication so much there's a stampede of privacy-minded European users leaving for other platforms for no reason at all.

      Oh it would be poetic justice if Facebook had holed WhatsApp below the waterline with this. I'm actively trying to persuade family and friends to use Signal not WhatsApp and will shunt WhatsApp onto another phone for work use.

      1. Yet Another Anonymous coward Silver badge

        Re: GDPR

        Our corporate IT have banned Whatsapp - uncertainty of what happens when our spied-on-by-facebook accounts are used to message with our protected-by-gdpr European colleagues

    2. Pseu Donyme

      re: net effect of this is no change European users

      Since I haven't given Facebook (or big tech in general) the benefit of doubt for years I'd assume they are trying to push something significant for European users as well. Otherwise it wouldn't make sense to push what amounts to no change with the obvious risk of an exodus if only because of the dick move of threatening termination of service to those not accepting the new T&Cs itself. (Btw, the weasel worded pr as in the shared information not used for marketing to European users begs the question of what exactly is it used for then).

      Also, I wonder if what just happened to the embarrassment-in-chief has had an effect: if Facebook (and others) can do this to a sitting US president known to be very litigious - without comeback - they can do this to anyone on a whim i.e. it is best not to rely on Facebook (or the others) for anything important. Don't get me wrong: muting the EIB seems well warranted given the obvious potential of trouble much, much worse still and and if anything should have come sooner, it is just that there ought to be some sort of principled way for this sort of thing.

    3. Mage Silver badge
      Facepalm

      Re: GDPR

      Facebook ALREADY shared the data between all their companies and harvests via the scripts on the default website icons.

    4. Charlie Clark Silver badge

      Re: GDPR

      That's what I thought too but Johannes Caspar the Hamburger Data Privacy Commissioner, and in this role one of the leading lights in Germany, considers the changes problematic and the matter will be referred to the Irish Data Privacy Commissioner.

      Based on what I've seen over the last week it looks like that, in Germany at least, WhatsApp has blown it. Lots of people are popping up on the other services and it's probably only a matter of time until the network effect sets in as "influencers" drag their users with them to other platforms.

      There are other currents: Corona protesters have long been using Telegram groups and channels; and recent developments in America are pushing people onto alternative platforms.

    5. fuzzie

      Re: GDPR

      An analysis of the T&Cs changes were done and discussed in this HackerNews thread

      * https://news.ycombinator.com/item?id=25685446

      WhatsApp is technically correct that message and call content remain private and encrypted. What is happening is that businesses which host on Facebook will now also be able to have encrypted conversations with users. In order for that to work, the users encryption keys have to made available to these third parties. In addition, more meta data is being collected and shared with "Facebook Companies" and hosted third-party vendors. The "Facebook will read my messages" scare, I believe, is largely unfounded, but it is a sign that Facebook is becoming much more aggressive at monitising WhatsApp.

      My view is they want to turn WhatsApp into WeChat, i.e. the one app in which you spend you entire day. See WhatApp Pay, UPI payment integration in India, forthcoming Reliance online shopping platform integration. Spot the direction? For none of those do they need to read your messages or listen in to your calls, but there's an absolute goldmine in meta data there.

      That's also why they're so panicky in India, because it's their proving ground and stepping stone.

      Also, there are different demographics between Facebook and WhatsApp. Facebook is losing its shine and becoming for "old" people. Integrating WhatsApp likely brings Facebook a large demographic who might not/not longer be active on Facebook. WhatsApp users are looking at incoming Facebook and thinking it's going to merge into Facebook or Messenger and are running. Watch this space, but I bet the same is heading to InstaGram soon enough.

      1. Dan 55 Silver badge
        Thumb Up

        Re: GDPR

        Thanks for the link, I got as far as converting the before and after privacy policy to text but didn't get much further.

  9. Anonymous Coward
    Terminator

    It's been obvious for days

    that this was happening. I've seen more of my contacts appear on Signal in the last week than existed on it previously, by a factor of several. Of course, the mere fact that this kind of contact discovery happens automatically is a weakness, but we're not allowed to talk about that.

    Still, nice to see Facebook blow both their feet off.

    1. JimboSmith Silver badge

      Re: It's been obvious for days

      Signal have a very detailed post on contact discovery here https://signal.org/blog/private-contact-discovery/ which talks in detail about how they've tried to keep it as anonymous and secure as possible.

      1. Anonymous Coward
        Big Brother

        Re: It's been obvious for days

        I've read that article and in fact been a bystander in various discussions about what's wrong with Signal's contact discovery.

        What is wrong with it is, in outline, this: let's assume I'm someone who is interested in whether a bunch of people I'm interested in are using Signal. These people don't know me, because I'm, perhaps, working for the FSB and they're ... the sort of people the FSB might be interested in. And I might be a bunch more interested in them if I find out they're using Signal.

        I do know their phone numbers because I can extract them from the phone operators (perhaps with money, perhaps with pliers). So, I add them to my contacts list, and run Signal. Now I know which of them are using Signal, and they don't know I know, because I'm not in their contacts list.

        Signal's social graph discovery goes to elaborate lengths (and more elaborate lengths since 2017) to protect its users from Signal and anyone who might compromise their machines, and totally fails to protect its users from bad actors who can, like anyone else, use Signal.

        In the discussion I was a bystander to, Moxie's answer was basically a bunch of obfuscation followed by 'yes, that's right, we don't care', which I think tells you everything you need to know.

        One good thing about the current tide of people installing Signal is that, now, 'has (or has had) SIgnal on their phone' correlates far less well with 'is a person of interest' than it once did. So Signal is achieving some kind of security through popularity. But that's very far from being a defence: the mechanism it uses lfor contact discovery leaks sensitive information, where that sensitive information is 'is, or has been, a Signal user', and it does this by design.

        The solution to this is simple: users need not to be identified by information which can easily be tied to them by other means. This, for instance, is what Threema does: your ID on the system is not your phone number, your email address, or anything, it's a random string. Contact discovery is now much harder (there are options to make it easier by leaking information equivalent to what Signal leaks, but that's an option, which is off by default).

        Note I'm not trying to push Threema (I don't even use Threema, because I don't, in fact, have anything to hide), but it takes security a lot more seriously than Signal does: I wouldn't be using Signal if I actually had something to hide.

        1. Captain Hogwash

          Re: It's been obvious for days

          Everyone has something to hide. Not everyone realises this or knows what it is until the failure to hide it bites them.

          1. Anonymous Coward
            Terminator

            Re: It's been obvious for days

            Yes, of course. That's why I'd have said I didn't use Threema even if I did. Which I don't, of course: all of the secret communication with my network of agents is done by one of my many numbers stations.

          2. Mage Silver badge

            Re: It's been obvious for days

            Cardinal Richelieu?

        2. ThatOne Silver badge

          Re: It's been obvious for days

          > 'yes, that's right, we don't care'

          I think that's a valid answer, and one I'm personally satisfied with. Fact is the discovery feature is useful for finding if someone in your general contact list uses Signal. "General" as in "job, family, friends", not necessarily "fellow conspirators" or "gang members".

          Where we apparently disagree is that I don't think using Signal is a clear sign of being a criminal*. But for those who fear it might be, they can simply opt out of the discovery, can't they?

          * Most people I know who use it (me included), don't use it because they have big secrets to hide, but simply because they don't want to share their lives with Facebook.

          1. Anonymous Coward
            Big Brother

            Re: It's been obvious for days

            Where we apparently disagree is that I don't think using Signal is a clear sign of being a criminal*.

            The example I gave was specifically meant to be one where the people who were using Signal are not criminals (other than as defined by a state which regards most domestic violence as not criminal...), but who do have something to hide from said state.

            But for those who fear it might be, they can simply opt out of the discovery, can't they?

            No, they can't. By not allowing Signal access to your contacts, you can make it so that you won't find other people, but you can't make it so other people can't find you. To do this would need either a 'this number is not discoverable' flag or, much better, for the system to use a random ID to which, optionally, a phone number and other information could be attached (which is what Threema does). They didn't do either of those things.

            And that's the problem I have with Signal: it's a fine app, but they market themselves (look at the quotes on their front page) as something that they really are not. That is, in my opinion, deceptive. They also could have been something much more serious but they chose not to be: why did they do that, I wonder?

            1. ThatOne Silver badge

              Re: It's been obvious for days

              > The example I gave was specifically meant to be one where the people who were using Signal are not criminals

              Okay, point taken. I was using a rhetorical shortcut, please replace "criminal" with "person of interest". :-)

              .

              > you won't find other people, but you can't make it so other people can't find you

              Hmm. Interesting, I never though about it that way.

              .

              > why did they do that, I wonder?

              "Never attribute to malice something which can be adequately explained by stupidity"... I haven't visited their site for years, but back at the time (program name was different), their selling points were IIRC just "good encryption" and "we don't sell (meta)data". Given the competition back then was nearly non-existent, I guess they didn't think it through. *shrug*

        3. Down not across

          Re: It's been obvious for days

          The solution to this is simple: users need not to be identified by information which can easily be tied to them by other means. This, for instance, is what Threema does: your ID on the system is not your phone number, your email address, or anything, it's a random string. Contact discovery is now much harder (there are options to make it easier by leaking information equivalent to what Signal leaks, but that's an option, which is off by default).

          There is nothing stopping you from getting a PAYG SIM, register to Signal with that (which is when your unique identifier is generated) and then swap back in your regular SIM. You real number will not be visible to Signal or other Signal users.

          1. Anonymous Coward
            Anonymous Coward

            Re: It's been obvious for days

            Please tell me you're not being serious. Why should you have to do that for what, if we were to believe the headline, is supposed to be a "secure" application?

            1. This post has been deleted by its author

            2. Down not across

              Re: It's been obvious for days

              Oh, I know its not exactly perfect, and would be nice if there was an alternative.

              My point was that if the visibiltiy that you are Signal user is a problem, there are ways around it as it doesn't have to be tied to you real phone number. Communication itself is secure and seems to work well. I still prefer it to anything coming from MZ. Haven't tried Telegram as I'm not a fan of home grown crypto.

              1. Anonymous Coward
                Anonymous Coward

                Re: It's been obvious for days

                > I know its not exactly perfect

                It's not exactly perfect?

          2. doublelayer Silver badge

            Re: It's been obvious for days

            There is nothing stopping you from getting a PAYG SIM, register to Signal with that (which is when your unique identifier is generated) and then swap back in your regular SIM."

            There are several things that could stop you.

            "getting a PAYG SIM,": Some countries don't have a way to anonymously get mobile service. You have to supply identification when you do it. If you're hiding your identity, providing your ID on a second SIM may be an even bigger red flag for the automatic find-possible-person-of-interest database. Even if it isn't flagged, the number can be traced to you if they want to. That doesn't help you much does it?

            "register to Signal with that (which is when your unique identifier is generated) and then swap back in your regular SIM.": This brings up several problems.

            First, mobile companies usually collect IMEI numbers when you connect with a new SIM. You could then cross-reference those to figure out which numbers the device in question has been used with. While some of the time, a device will change SIMs because it's been sold to someone else, database entries indicating "Used number 1, started using number 2, started using number 1 again" are pretty conclusive about what you did.

            Second, what happens if you have a number registered with Signal, someone else gets the same number because you've canceled the corresponding account, and tries to put that on Signal? I don't know, but I suspect something breaks. In order to prevent that, you might have to hold on to the number for quite a long time. That's inconvenient and could be expensive. I've been looking at how to keep a number reserved without using it frequently, and the companies usually want to charge me a maintenance fee or impose a "must use every three months or we cancel for you automatically" clause.

            These things might not be dealbreakers. I use Signal, with my phone number, and I don't care whether people know that I do. They can't read my comms; that's good enough for me. Signal has to balance the concerns of people who don't think that with the difficulty of running a system without phone numbers as identifiers. If their decision is that they don't care, that's a viable decision.

        4. Anonymous Coward
          Anonymous Coward

          Re: It's been obvious for days

          > In the discussion I was a bystander to, Moxie's answer was basically a bunch of obfuscation followed by 'yes, that's right, we don't care', which I think tells you everything you need to know.

          Indeed, that has been that twat's modus operandi ever since his Googlesharing days.

        5. Twanky

          Re: It's been obvious for days

          There's a huge difference between "this is more 'secure' because FB can't track you so easily" and worrying about FSB (other TLAs are available) tracking you so easily.

          If you want to use an easily accessible, secure messaging service that the 'authorities' can't routinely intercept then Whatsapp is probably fine. If you're worried about Facebook and the like tracking your every social interaction then anything else would be better. If you're hoping to frustrate state-level snooping then I doubt anything you can download from the Play Store is going to be a complete solution.

          1. Anonymous Coward
            Big Brother

            Re: It's been obvious for days

            It's not about state security: that was just my example. Here's another one: someone is in an abusive relationship and needs to be able to talk, privately, with a lawyer / the police / whoever. So they install Signal ... and half an hour later get beaten to death by their abusive partner who was notified, by Signal, that they had installed Signal.

            Now you could say that, well, they should have just used WhatsApp (on the assumption that they already had WhatsApp), but perhaps they believed the line in the app-store about how 'Signal's advanced privacy-preserving technology is always enabled' and didn't realise what it actually meant.

            And, again, that's my problem with Signal: it's fine for what it does. It could, however, easily have been much better and it is an interesting question as to why they chose not to make it better (which might be related to what their game plan is if/when Signal gets really popular: how are they intending to fund the infrastructure?). And it is marketed very deceptively indeed: so deceptively that many people simply don't understand the security problems around contact discovery.

            That, in my book, is very much not OK. Even less OK is the idiot fanboys who surround it (I don't think you are in that group!)

            1. ThatOne Silver badge

              Re: It's been obvious for days

              > talk, privately, with a lawyer / the police / whoever

              I get your point but still, quaint old-fashioned voice phone would be the best choice here.

              You use Signal (or similar) if you fear your communications might be hacked by entities capable to do that, or to simultaneously communicate with several people. None of those applies in your example. IMHO your best bet to bypass an abusive spouse would be simply using a public phone while shopping/getting the children from school. Your spouse won't tap every telephone in the area, but on the other hand it is always possible (s)he has installed some kind of surveillance software on your smartphone, and in this case no amount of contact obfuscation will save you.

              Just saying.

              1. Claptrap314 Silver badge

                Re: It's been obvious for days

                I doubt I've seen a "public" phone in the last decade.

                I have managed to borrow a phone at a retail shop several times, however...

            2. Anonymous Coward
              Anonymous Coward

              Re: It's been obvious for days

              > Even less OK is the idiot fanboys who surround it

              It's amazing isn't it? The guy lies through his teeth and gets away with it like nothing has happened (until the day he gets caught, and he will).

        6. Nifty Silver badge

          Re: It's been obvious for days

          Until this Facebook/WhatsApp debacle Signal users were a small minority, either techy or wanting better privacy for a strong reason.

          Now it could be anyone so the 'persons of interest' will suddenly be hidden in a crowd. Delicious irony there.

    2. Chris G

      Re: It's been obvious for days

      It would be even better if FB blew both of its feet off while they are still in its mouth.

  10. BenDwire Silver badge
    Facepalm

    Dammit, the Muggles have found us!

    I used to love Signal, as only the people I wanted were on there. It's worked fine for over 2 years now, but today it all goes TITSUP* because my niece told me that "Elon sent them". Quote:- And I would have gotten away with it too, if it weren't for you meddling kids!

    * Total inability to sign up proles

    p.s. I just made a donation because I think they need a few more servers!

    https://signal.org/donate/

    1. Anonymous Coward
      Anonymous Coward

      Re: Dammit, the Muggles have found us!

      Who did you just donate to? The one-man foundation with $105M in the bank, or the Delaware LLC that hires and markets the service, or the California LLC that owns the IP?

  11. Anonymous Coward
    Anonymous Coward

    For the win!

    Having no friends means I have escaped the online social media privacy shit, again.

    WooT

  12. sanmigueelbeer
    Coat

    El Reg,

    Please do not give Donald any more ideas.

  13. Pascal Monett Silver badge
    Thumb Up

    Moxie Marlinspike is part of Signal ?

    Say no more, I'm in.

  14. Nate Amsden

    why phone number required

    I installed signal again just now to verify the experience. First thing it wants me to do is send me a text message. it also wants access to contacts. So i deleted it. I don't use the other apps mentioned in the article either.

    I think i tried it a couple years ago with one of those virtual burner phone services but it didn't work.

    I don't get why they don't have an email sign up option. I assume if you never grant access to contacts you can manually add your friends.

    I do have line installed. It too wanted a phone number to install. Account was created while i was overseas with another phone and local sim. I decided to install it on my newer phone in 2019 and it wanted a sim card too. Also didn't work with virtual phone texting i think. So i bought a prepaid sim. Used it to register the app then switched back to email authentication and removed phone rights from the app and changed back to my normal sim.

    With signal i think(memory is hazy this was a while ago), i did the same process only after verifying I could not find any way to switch to email authentication. So i nuked it before removing the prepaid sim.(possible i am confusing signal with another chat app in this situation i tested at least a couple)

    I used the line chat app with nothing but wifi on a dedicated phone for 2 years and it worked fine( it had a sim originallywhen it was installed). I can search for friends by thier username in the app or if they are with me in person i think there is a QR code function take a picture with the app and it adds the friend.

    Are there chat apps (make it simple) that work from signup on a wifi only device? I just think if you're really concerned about privacy then you'll want the option to use a dedicated device on wifi. ( cheaper than maintaining a prepaid sim ongoing). Before I moved line to my main phone if i traveled i took both phones and used tethering.

    I couldn't find any last i checked.

    I wouldn't be surprised if signal is more "secure" than line i just don't want to give them my phone number. So i don't use it. I'd like to though have heard good things.

    1. Anonymous Coward
      Anonymous Coward

      Re: why phone number required

      > Are there chat apps (make it simple) that work from signup on a wifi only device?

      Yes, of course. Any XMPP client such as Conversations or one of its many forks. You can register in-band providing nothing more than a username and a password and you can choose your provider or run your own server if you're so inclined.

      You get end to end encryption using either the same flawed¹ algorithm as Signal or OpenPGP, voice and video calls, and all the rest. You can even use Quicksy (a Conversations flavour) if you miss the "give me your phone number" experience (a lot of people seem to take it for granted that you *must* give someone your phone number in order to chat, so you can just point them to Quicksy rather than waste your time trying to educate the polloi).

      It was never really trendy, except for a short period in the 00s, but it reliable, resilient, adaptable, independent and time-tested.

      ¹ Breaks availability, authenticates devices not users, trivially defeatable by downloading the keys from the target device.

    2. Anonymous Coward
      Anonymous Coward

      Re: why phone number required

      Use Threema: it doesn't use your phone number. It isn't free however.

      1. Ken Moorhouse Silver badge

        Re: Use Threema: it doesn't use your phone number. It isn't free however.

        Presumably the method of payment can effectively be used to track identity, if required.

    3. Charlie Clark Silver badge

      Re: why phone number required

      Phone numbers and SIMs make sense on mobile devices and are used only to set things up. You can read the Signal docs about what they use, and why. Access to contacts is local only and purely for convenience, it's not a requirement.

      But there other options: neither Threema nor Wire require mobile numbers to use. Threema even has different levels of trust depending on how well contacts know each other.

    4. Anonymous Coward
      Anonymous Coward

      Re: why phone number required

      Try Session, it does not need a phone number.

      A bit raw, but decent enough.

      Of course not many people on it, or there might be, hard to tell without Contact Discovery :-)

    5. Fruit and Nutcase Silver badge

      Re: why phone number required

      On Android, it is possible to use Telegram with the (Phone) [Contacts] permission denied...

      That will prevent the app from doing a wholesale slurp of the [Contacts] on the phone to send to the Telegram servers for contact synchronisation/automated contacts. I only want Telegram knowing the phone number of the people I want to contact on Telegram.

      When the app is started for the first time, it will request the required permissions - deny [Contacts].

      In the Telegram app, use [Add Contact] (icon on bottom right in the contacts page). If the other party is registered with Telegram with the number you enter, the operation will be successful.

      Looking at the source code for the app around the area where it attempts to read the Phone Contacts, it is coded to fail that operation gracefully if the permission is not set.

      https://telegram.org/apps

      https://github.com/DrKLO/Telegram

  15. Spacedinvader
    WTF?

    It's that bad that....

    "Amid the ongoing evacuation from WhatsApp, the Facebook-owned biz has pushed back its privacy policy change to May rather than February. "

    My Dad (68, mechanic not a tech guy) just told me this! Bridge has been burned, the ships going down :)

  16. Henry Wertz 1 Gold badge

    Uh-huh

    "It's now going to use the extra time to address people's concerns and "help everyone understand our principles and the facts.""

    Uh-huh, good look trying to explain to people why they should not care about privacy and should give Facebook all their private info.

    I'm pleased to see there are enough that do care about Facebooks info-slurp and having some privacy to have 30 million flee in days.

  17. Anonymous Coward
    Anonymous Coward

    You are the product

    They want your contacts and PI

    This is how the virus survives

    This is how they make $$$$$

  18. JWLong

    I Don't understand

    When I want to talk to someone I just call them on my phone.

    Just because I want to speak to them doesn't mean I have to,or want to look at them.

    How many people have forgotten that it's called a telephone for reason.

    1. Paul Crawford Silver badge

      Re: I Don't understand

      Call costs?

      Sure you might have X free minutes for a limited amount of calls in your country, but if you make VoIP calls overseas to avoid the usurious fees that some countries impose (or the ~35p per photo by MMS in UK) then you can start to see why folk like the functionality of WhatsApp.

      Just not the slimy business practices of them now FB has the tentacles in.

  19. Joe Gurman

    With crazy Trump followers losing other platforms and heading for encrypted comma, is it ironic that this app bears the same name a a glossy Nazi WW II propaganda magazine?

    1. ThatOne Silver badge

      > the same name as

      On the other hand, if you start avoiding all words which have been used in a bad context, you'll end up communicating with inarticulate grunts.

      You can't ████list all terms once misused...

      1. Claptrap314 Silver badge
        Pint

        You earned this --->

  20. Twanky

    Who?

    Signal has been recommended by big names in tech like Edward Snowden...

  21. Anonymous Coward
    Anonymous Coward

    The exodus should really have happened in 2014

    That's when facebook acquired WhatsApp.

  22. Rich 2 Silver badge

    Signal compromised?

    I read a couple of weeks back that someone had found a weakness in Signal. But since then I've not been able to find any more information, or even any independent comment on this.

    Anyone got any idea?

    1. Anonymous Coward
      Anonymous Coward

      Re: Signal compromised?

      FUD?

      If it were indeed true they would had fixed it by now, and we would all know about it. It's not like they'd lose money for having messed up.

      This sounds clearly like a classic attempt to discredit Signal, pick your culprit among the companies and organizations who would profit from people not using it. "Classic" because the innocent "I've heard that..." isn't categoric enough to trigger a serious reaction, so it just keeps sowing FUD. Back in peoples' minds remains an entry like "Signal is unsafe, isn't it?".

    2. doublelayer Silver badge

      Re: Signal compromised?

      Could it be this? A company claimed to have developed new ways to do something really easy, realized it was embarrassing, and took their own post down? The BBC repeated it incorrectly, so that might explain where you heard it. Seems to fit the admittedly few details in your recollection.

  23. Anonymous Coward
    Anonymous Coward

    The weakest link breaks the chain

    The weakest link breaks the chain.

    Tech 'maker' Naomi Wu, whom some Reg readers might recall, has started to raise concerns on Twitter, that, although Signal might be secure, is there a potential weakness in it (and, by implication, other messenging apps) if the smartphone's keyboard software can't be trusted, and might be sending keypresses off-device, perhaps especially if an alternative keyboard has been installed (such as, for example, easier Chinese input)? Perhaps that 'feature' might be "only" to add words to the custom autocomplete dictionary for the user (but, in a security conscious world, that should surely really only be stored locally), but, a list of words that the user is interested in? I can well imagine Google wanting to slurp those for advertising keywords (at the very least!), and for them possibly not being the only ones...

    Potentially unforeseen, or perhaps foreseen, consequences? The problem once you really start to consider security "all the way down" is that it quickly becomes a real headache (similar thoughts about the keyboard and OS had also crossed my mind), and who/what can you trust at all...?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like