The Hobbyist

From what I understand, sealed sender is implemented on the client side. And that’s what’s in the github repo.

It’s unfortunate that you react like this. I don’t claim to be an expert, never have. I’ve only been asking for evidence, but all we get to are assumptions and they all seem to stem from the fact that allegedly the CIA has indirectly funded Signal (I’m not disputing nor validating it).

The concern is valid, and it has caused a lot of distrust in many companies due to the Snowden leaks, but that distrust is founded in the leaks. But so far there is no evidence that Signal is part of any of it. And given the continued endorsement by security experts, I’m inclined in trusting them.

Are you implying that Signal is withholding information from the Californian Government? And only providing the full extent of their data to the government?

This comes back to the earlier point that there is no proof Signal even has more data than they have shared.

They have to know who the message needs to go to, granted. But they don’t have to know who the message comes from, hence why the sealed sender technique works. The recipient verifies the message via the keys that are exchanged if they have been communicating with that correspondent before or else it is a new message request.

So I don’t see how they can build social graphs if they don’t know who the sender if all messages are, they can only plot recipients which is not enough.

If you open the latest instance, from August 2024, you will find a California government request, for a number of phone numbers.

The second paragraph of that very page says:

Once again, Signal doesn’t have access to your messages; your calls; your chat list; your files and attachments; your stories; your groups; your contacts; your stickers; your profile name or avatar; your reactions; or even the animated GIFs you search for – and it’s impossible to turn over any data that we never had access to in the first place.

They respond to the request with the following information:

6. The responsive information that Signal possessed was:

a. REDACTED: Most Recent Registration: 2023-01-31 T19:42:10 UTC; Most Recent Login: 2023-01-31 T00:00:00 UTC.

b. REDACTED: Most Recent Registration: 2022-06-01 T16:30:01UTC; Most Recent Login: 2022-12-12 T00:00:00 UTC.

c. REDACTED: Most Recent Registration 2021-12-02T03:42:09 UTC; Most Recent Login: 2022-12-28 T00:00:00 UTC.

The redacted values are the phone numbers.

That is the full extent of their reply. No other information is provided, to the government request.

Signal absolutely can does provide social graphs, message frequency, message times, message size.

Do you have anything to back this up?

and requires phone numbers (meaning your real identity in the US).

This gets shared a lot as a major concern for all services requiring a phone number. It is definitely true that by definition, a phone number is linked to a person’s identity, but in the case of signal, no other information can be derived from it. When the US government requests data for that phone number from Signal, like they occasionally do, the only information Signal provides them with is whether they do have a signal account and when they registered it last and when they last signed in. How is that truly problematic? For all other services which require a phone number, you would have much more information which is where it is truly problematic, say social graph, text messages, media, locations, devices etc. But none of that is accessible by Signal. So literally the only thing signal can say is whether the person has an account, that’s about it. What’s the big deal about it? Clearly the US government already has your phone number because they need it to make the request for Signal, but they gain absolutely no other information.

Get what you are trying to say but both are still encrypted. They simply aren’t end to end encrypted. So the messages are private.

You explain exactly why messages are not private: if they are not end-to-end encrypted, by definition Telegram can read all the messages. That’s exactly what end-to-end is meant to protect against. So in that aspect, Signal truly is private and Telegram maybe, if you activate their private chats but I’ve not seen security experts praise their algorithm, compared to their regular endorsement for Signal.

I’m not convinced having a specific ruling targeting just tiktok would be a good move. I think I understand and side with all the reasons they are doing it: be it privacy, security and more. But they should not uniquely apply to tiktok, but to all apps. If suddenly there’s a Russian app, or a Nigerian app or a swiss app, any which for whatever reasons has security and privacy concerns, they should all be held to the same standards. Me no like double standards.