this post was submitted on 08 Sep 2025
56 points (65.6% liked)

Privacy


As Signal gets your phone number, can we consider this application private? What are your thoughts about it? I'm also using SimpleX, ElementX, Threema, but not many people are using them...

Cheers

[–] SusanoStyle@lemmy.ml 10 points 1 day ago (1 children)

Since we are on the topic of Signal: I'm not tech-savvy, but I have read lots of blogs and people about how secure the Signal protocol is. My question is: how can I be sure that the protocol is implemented as the open source code shows? Please correct me if I'm wrong, but from what I read on their website, the apk they provide has the capability to update itself at any time. So what stops them from changing how it works with an update? Is it possible to build the apk yourself and stop the ability to update?

[–] MTK@lemmy.world 8 points 1 day ago (2 children)

Just like any FOSS project, there is some level of trust if you are going with the main distribution. In theory you are correct that not much is stopping them from releasing a malicious update, but because it is open source, soon enough people would notice that either they released new code that is malicious, or that the new version does not match the source code. That kind of scenario is known as a supply chain attack.

Since the code is open, you can literally read it for yourself to see exactly what the apk does. You can also fork it and modify it however you like, just like the creator of Molly did (Molly is a fork of the Signal client that adds some security features)

[–] SusanoStyle@lemmy.ml 2 points 9 hours ago

Thanks for the explanation!

[–] dessalines@lemmy.ml 8 points 20 hours ago* (last edited 6 hours ago) (1 children)

It's a centralized, US-based service running on AWS, that's not self-hostable, requires phone numbers, and you have no idea what code their server is running.

Whether the app you use for it is open source, is entirely irrelevant for them building social network graphs, considering they have your real identity via phone numbers.

If the answer is "I just trust them", then you're not doing security correctly.

[–] MTK@lemmy.world 4 points 14 hours ago (3 children)

It is not as good as a decentralized system, and even though the server is open source, it isn't self hostable (technically in an intranet you could, but not easily).

But the Signal Foundation is a non-profit with external audits and a proven track record with law enforcement requesting data and getting basically nothing (if I remember correctly they only have your user to phone number relation and the last time you were online).

So although it is imperfect, it is an amazing solution that is almost the only 1:1 competitor to WhatsApp/Messenger/iMessage that is privacy respecting, so I am very grateful for its existence.

[–] dessalines@lemmy.ml 1 points 6 hours ago* (last edited 6 hours ago)

> even though the server is open source, it isn't self hostable

Since it's a centralized server that isn't self hostable, you have no idea what's running on their server. Signal even went a whole year once without publishing any server back end code updates, until it raised a lot of hackles so they started adding to it again.

> But the Signal Foundation is a non-profit with external audits and a proven track record with law enforcement requesting data and getting basically nothing (if I remember correctly they only have your user to phone number relation and the last time you were online)

You have no idea what they give to authorities: in fact with NSLs, it's illegal for them to tell you. Signal's response to this is "just trust us".

[–] saimen@feddit.org 1 points 10 hours ago (1 children)
[–] MTK@lemmy.world 1 points 5 hours ago

Just the fact that it costs means that most people won't even consider it, making it very hard to recommend.

[–] TheTux@lemmy.ml 1 points 13 hours ago

100% this, there is Matrix, but that was a pain when I used it (this was a few years ago, granted). Signal just works.

[–] MrSulu@lemmy.ml 26 points 1 day ago

Right now, for the wider population, it is a heaven-sent option compared to WhatsApp, FB Messenger etc. Break those bonds first and keep the wheel turning.

[–] into_highest_invite@lemmygrad.ml 16 points 1 day ago* (last edited 1 day ago) (11 children)

crazy that no one's posted the dessalines article yet https://github.com/dessalines/essays/blob/main/why_not_signal.md

EDIT: just to have it here in case anyone even cares, i put my thoughts on the essay later on in the thread

[–] sifar@lemmy.ml 10 points 1 day ago (3 children)

With the phone number, no; and since there's no Signal usage without a phone number, well…. Also, I think somewhere on their website (or some place) they talked about burner phones as if it's a universal phenomenon.

Signal has felt "out of place" to me. Odd. It doesn't fit in, doesn't make sense if I think a bit farther about it.

I hope something decentralised comes out of Signal protocol minus the need for a phone number.

[–] sqgl@sh.itjust.works 6 points 1 day ago

SimpleX uses Signal tech AFAIK but without requiring phone number or email address.

[–] ganymede@lemmy.ml 11 points 1 day ago* (last edited 1 day ago)

IMO the Signal protocol is mostly fairly robust, and the Signal service itself is about the best middle ground available to get the general public off bigtech slop.

It compares favorably against WhatsApp while providing comparable UX/onboarding/rendezvous, which is pretty essential to get your non-tech friends/family out of Meta's evil clutches.

Just the sheer number of people Signal's helped to protect from e.g. Meta, you gotta give praise for that.

It is lacking in core features which would bring it to the next level of privacy, anonymity and safety. But it's not exactly trivial to provide ALL of the above in one package while retaining accessibility to the general public.

Personally, I'd be happier if signal began to offer these additional features as options, maybe behind a consent checkbox like "yes i know what i'm doing (if someone asked you to enable this mode & you're only doing it because they told you to, STOP NOW -> ok -> NO REALLY, STOP NOW IF YOU ARE BEING ASKED TO ENABLE THIS BY ANYONE -> ok -> alright, here ya go...)".
