This.
I didn't know much of the insides of Signal. But when WhatsApp decided to go in bed with FB to share my contacts and usage, one of the alternatives I explored was Signal. Threw it out the moment it asked for ownership of my contacts (no way to opt out). I for one am not going to trust a guy's pinky promise to be good with my contacts and meta-data.
If I'm going to give up the convenience of reaching anybody by WhatsApp, it is going to be at least worth it in the sense of privacy.
Still hoping for a GNU project that garners enough interest to be technically strong, and used universally. One can dream.
I doubt you'd want to use it if it didn't use your contacts, though. Not many people are prepared to deal with a whole separate set of contact ids for the sake of a small amount of arguable extra privacy.
It's entirely possible for Signal to work with contacts and yet not transmit address books to OWS. I sketched out a protocol for doing so a while back: https://news.ycombinator.com/item?id=11289223
So people could use their address books securely if they wanted — if OWS would allow them.
If I want someone I don't know yet to reach me, I expect them to Google search my phone number/email to make initial contact.
For those I already established initial contacts with, I'd like an account on a service that knows practically nothing about me other than my username (like coolkid654) and lets me send messages to others (coolkid655).
Given the state of data leaks [data snooping by the Gov or anyone else], and spam, it wouldn't be a terrible idea for someone to have a username that they reveal to only the people they trust (are worth). More like a Blackberry key.
If packaged well, and made to look 'cool', it could even catch on and everybody would create one (or many).
Sure, most won't, right. But clearly in this thread some people are willing to do that and I'm not convinced that there is a large burden/cost to Signal to allow this.
The problem for me is that my contact list of Signal users is quite small (1 or 2 people) and everyone else isn't using it. I don't see the reason to allow Signal access to that list of people "Just in case" they decide to. It's incredibly unlikely bordering on near impossible.
This isn't the golden bullet of reasons that it should be this way, but the fact that in design Signal has made the choice to force access to contacts, to me, says one of two things.
1. We haven't thought about cases outside of our own experience and expressly reject those as being outside of the market we're interested in. "You're not the user we're looking for."
2. There is value/commoditisation in that contact list that Signal is interested in and this is the price to play in their system.
The problem is that either of these two options runs pretty counter to the idea of a secure privacy-focused messaging client designed to be separate from the user.
People's value of privacy is nuanced enough that making broad scoped decisions like this can run afoul of their expectations. Considering that Signal is aiming itself at the privacy conscious (over-conscious in a lot of instances I'm sure), it's very weird that they would forgo this obvious affordance of information.
There could be two separate versions, one for paranoid users, one for those who don't care. The number of permissions the Signal app requires is scary. It gets almost full control over your phone including reading SMS messages.
> The number of permissions the Signal app requires is scary.
This is exactly why I'm shying back from recommending Signal to my family. I taught them that the equation "permissions = bad" generally holds, so Signal would look like spyware to them, even if every single permission turns out to be justified for some reason.
I've personally reached the conclusion that software isn't enough for this, though: it is people who choose to flog your data and it is money that buys it (think FB and WhatsApp). In my view a collectively owned version of something like Signal would offer protection from what is termed corporate surveillance by allowing people with skin in the game to directly influence decisions on things like privacy policies and development roadmaps. I've sketched this in a bit more detail here: https://news.ycombinator.com/item?id=12881917