1. Worst Offender : Facebook Messenger --> spyware for tracking all your activities even in background
2. WhatsApp : Lost trust in it since Facebook bought it, more so with the new terms and conditions. Data is not safe anymore.
3. Telegram : Trust its privacy but its proposed business model is also advertisement based so avoiding it.
4. Signal : Best option, there are some sacrifices to be made with lack of contacts and some features but slowly and surely we can turn the tide. Also it's open source funded by a Non-Profit so that gets it bonus points.
Even better is Wire: no phone number required, doesn't access your contacts, free personal accounts available, you can use it on a desktop machine with nothing more than a web browser, when using an installed app you can be logged into three Wire accounts at the same time, source code is open source and has been audited for security, you can set up your own locally hosted (or in your own cloud)... and more I'm probably forgetting.
The fact that it's a "secure collaboration platform" means it doesn't fill the same niche. I don't need a secure collaboration platform to talk with my family or friends.
I'd just like to mention that Matrix (and its most prominent client "Element") sounds similar:
> Even better is Wire: no phone number required, doesn't access your contacts, free personal accounts available, you can use it on a desktop machine with nothing more than a web browser
Same
> when using an installed app you can be logged into three Wire accounts at the same time
Don't know if that's possible with one of the currently existing Matrix-clients. I guess that maybe in the future that would be possible, respectively, doesn't sound too difficult to implement.
> is open source and has been audited for security, you can set up your own locally hosted (or in your own cloud)
Same for Matrix. Not sure about the official audit, but at least France decided to use it as a base for its own governmental chat ( https://matrix.org/blog/2018/04/26/matrix-and-riot-confirmed... ) so I guess/hope that they audited the original software.
Thank you for mentioning this! I don't know why Wire is not mentioned in threads like this. It is best without metadata collection (such as phone number). You can register with just an email and it is based on the encryption protocol that Signal uses. On top of that, the server is written in Haskell!!! Yes, Signal server is in Java, btw. Which is not bad. And Wire is based in Switzerland, with GDPR in Europe it has better data privacy jurisdictions.
I like and use Element but it definitely isn't ahead in usability. Getting e2e set up for "average" people isn't trivial. Especially if they have multiple devices.
That being said it is the best long term option in my opinion and I am donating to the organization. Hopefully they can work on polishing the e2e UX.
Encryption in Matrix is shit, and is making me feel foolish about inviting various friends onto Matrix.
I set up my own server using Synapse, and invited about half a dozen other IRL techie friends to join me in there to continue chatting during Covid times.
Considering we've all worked in tech for decades and run our own servers/services, none of us can really work out how the hell it's supposed to work. I mean, after lots of time-consuming verifying of devices it kind of works. Except recently, all of a sudden, one of the people in our main chat room can not see the messages I sent from one of my devices. It tells him to get my keys from another session, he has only ever used a single device/session. There is no UI that either of us can find to help fix it. We can chat fine in a different encrypted room, or if I use a different device.
I'm not pulling anyone else into the Matrix ecosystem until encryption stops being just so god damn awful.
Can I ask why you didn't just use email? If you wanted a technical challenge you could have set up your own email server. You could also run your own Teamspeak server for video conferencing.
This is the problem with matrix et al. They have to offer something that is leagues ahead of the current baseline, which I'm not convinced they are.
We aren't using email for this, because we wanted a chat room. We aren't using Teamspeak because we don't want video conferencing.
I've been running my own email server for going on 20 years now.
[edit] To add to the above, I use the same Matrix server to chat in various Matrix, IRC and Gitter rooms, and also to host a couple of self-written bots which I use to control a few aspects of my life. Email isn't really a replacement for the things I use Matrix for.
Same experience here but I feel like Element is slowly getting worse. It is starting to use popups for everything and it's becoming so annoying my friends are slowly leaving.
Verify this, is this you that.
I think partly it's because I am not always on latest version of Synapse so the self-updating clients expect slightly different backends but uff.
It feels like Moxie is right with his anti-federation argument. Call me stupid but I am really trying to keep it together but I still can't tell why some of the popups show up or why some sessions of my friends won't decrypt and they show gibberish.
Do you mean about accessing an encrypted chat from multiple devices?
If yes, I was playing with that just this weekend and I did not understand at all how to trust the other devices by using "text" (which "text"? I didn't get anything to type/check/approve anywhere); on the other hand by using the option to use emoji (compare a series of emoji between devices and then confirm) was very simple.
As well finding the link to a group-chat that I just created was not simple (or at least the place where to find it was not obvious).
> That being said it is the best long term option in my opinion and I am donating to the organization. Hopefully they can work on polishing the e2e UX.
For me the verify by text worked, but you can click on a lot of very similar places and you get different results. For example if you click verify it forces interactive verification. If you click the sessions and then click a session you can verify individual sessions. Of course you can't non-interactively verify a user's main key.
I'm also confused why each device is handled separately. I would rather I just share a key around (and ideally it rotates occasionally) and not share what and how many devices I have and what one I am using at the moment.
> but you can click on a lot of very similar places and you get different results.
Aha, didn't notice that, thx!
> I'm also confused why each device is handled separately.
Well, I can understand it more or less (I guess kind of similar to confirming in Whatsapp your multiple open sessions on different devices, to ensure that nobody is using something that you forgot/left behind?), but doing it this way is quite hardcore - on the other hand it could be that the whole thing is deeply embedded in the software's encryption principles/guidelines => it would probably still be ok, but it needs to be explained better, be more clearly accessible.
I guess that having a rotating key (with the software asking from time to time "do you want to accept key jf8k4d9k?") would probably be confusing for non-technical users and would probably generate uncertainty/anxiety/etc... ?
Losing the device is an interesting point. However I think due to the way that cross signing works they could use that device to sign new sessions anyways. They would also have access to key backups so I don't think that case is supported well right now.
For the rotating key it would be automatically signed by the previous key or master key so no user-visible change would be shown.
> However I think due to the way that cross signing works they could use that device to sign new sessions anyways.
So you don't think that if I cross-sign devices A and B, and then I would cross-sign devices B and C, if I would revoke B then C would automatically become invalid as well?
Kind of similar question about "key backups" (to which keys would device C have access to?).
(I honestly did not ever look into all these details - I was hoping that this would be covered by more clever people)
It would make sense but I'm not sure how it is implemented. I can also just imagine revoking old devices because I don't use them anymore or have reinstalled them. In that case I wouldn't want the things it signed to be revoked. (Really just saying don't trust this key for anything in the future, but past things are fine).
Maybe the best solution would be revocation after a date. So you can say "don't trust anything after {time-i-lost-the-device}" or "don't trust anything after {now}" and it does the right thing. However that could be complex to implement correctly in software. Lots of bookkeeping.
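The "revocation after a date" idea from the comments above, sketched as an added example; it is not part of the thread and does not describe how Matrix or Element implement cross-signing. All names (`TrustStore`, `MASTER`, devices A/B/C, the integer timestamps) are hypothetical, and signature verification is assumed to have already happened.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

MASTER = "master"  # hypothetical root identity key of one user


@dataclass(frozen=True)
class Signature:
    signer: str     # key that vouches
    subject: str    # device key being vouched for
    signed_at: int  # time the signature was made (constructed sample times)


@dataclass
class TrustStore:
    signatures: List[Signature] = field(default_factory=list)
    # key -> cutoff: nothing this key did at or after the cutoff is trusted
    revoked_after: Dict[str, int] = field(default_factory=dict)

    def sign(self, signer: str, subject: str, signed_at: int) -> None:
        self.signatures.append(Signature(signer, subject, signed_at))

    def revoke(self, key: str, cutoff: int) -> None:
        # A later revocation may only move the cutoff earlier, never later.
        prev = self.revoked_after.get(key)
        self.revoked_after[key] = cutoff if prev is None else min(prev, cutoff)

    def _acted_validly(self, key: str, at: int) -> bool:
        cutoff = self.revoked_after.get(key)
        return cutoff is None or at < cutoff

    def _trusted_at(self, key: str, at: int, seen: FrozenSet[str]) -> bool:
        """True if a chain master -> ... -> key existed by time `at`, with
        every link signed before its signer's revocation cutoff."""
        if key == MASTER:
            return True
        if key in seen:  # guard against signature cycles
            return False
        seen = seen | {key}
        for sig in self.signatures:
            if sig.subject != key or sig.signed_at > at:
                continue
            if not self._acted_validly(sig.signer, sig.signed_at):
                continue  # signer was already revoked when it signed
            if self._trusted_at(sig.signer, sig.signed_at, seen):
                return True
        return False

    def message_trusted(self, device: str, sent_at: int) -> bool:
        """Trust a message only if the device was vouched for by then and
        had not passed its own revocation cutoff."""
        return (self._acted_validly(device, sent_at)
                and self._trusted_at(device, sent_at, frozenset()))


def build_example() -> TrustStore:
    # Constructed chain from the thread's question: A signs B, B signs C.
    store = TrustStore()
    store.sign(MASTER, "A", 100)
    store.sign("A", "B", 200)
    store.sign("B", "C", 300)
    return store


if __name__ == "__main__":
    retired = build_example()
    retired.revoke("B", 400)   # B retired at t=400, after it signed C
    print("C still trusted:", retired.message_trusted("C", 500))
    print("B at t=350:", retired.message_trusted("B", 350))
    print("B at t=450:", retired.message_trusted("B", 450))

    stolen = build_example()
    stolen.revoke("B", 250)    # B lost at t=250, before it signed C
    print("C trusted:", stolen.message_trusted("C", 500))
```

The model only holds if `signed_at` comes from a source the device does not control: whoever holds a stolen key can backdate its own signatures, so a self-asserted timestamp defeats the cutoff.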
Exactly. Very bad name, too techy for the average folk and it doesn't have the same network effect as Signal or Telegram. I disagree that it is ahead of Signal for usability in fact it is still behind.
Although I do praise it for not requiring and collecting my phone number and being a bit more future-proof and decentralised, unlike Signal and Telegram.
But in terms of getting my friends grandmother over it, it completely loses on usability and its name is so confusing to them you just had to also mention the Matrix protocol, when it is just Element, which even that by itself is very ambiguous.
Matrix feels akin to trying to tell my (non technical) friends that they should use HTTPS as their social media site. I think it's technically more capable but trying to explain what you can do, how to get started, or why it's better is a much higher bar than something like Signal.
Absolutely correct, I just did that this weekend: big effort trying to explain all pros vs cons and its technical background and future outlook, prepared test chatroom, wrote simple instructions to create account and try it out => got ignored, failed miserably, hehe :)
I wish that they would have chosen a different name when switching from Riot to Element because I am just starting to get used to it. But it is still my #1 option.
I think Element is way behind Signal in terms of usability. The iOS app is the most confusing chat app I've seen, especially if you are using your own servers.
Consider Jami - https://jami.net/ too - you don't even need to share your phone number or email id to use it.
And it has support for nearly all desktop and mobile platforms (with all the features we expect from a messaging client, and more - it is also a SIP client). It is fully open source, and all data is stored on your device.
Signal may be run by a non-profit, but it is a non-profit based in the United States. In the US, a non-profit can also be converted into a for-profit business.
I've played with Jami several times because it sounds good on paper but it just flat out failed to work a lot of the time. Messages sent but never received, no indication of why or what was going on. For my uses anyway, IM needs to be above all reliable - when I send a message I need to know the recipient will get it (and in a timely manner, modulo their availability).
Most of my network is on Telegram at my urging because it was the best option at the time, but I'm constantly looking for something better to replace it (as I'm aware of the downsides to Telegram). Currently I'm trialing Element with one of my contacts and I'd say it might be ready if I can get past the initial setup headaches, but Telegram just works so darn well and is so amazingly fast that it will be very hard to get buy-in for people to switch. Most people are overloaded with IM apps already, adding another one is tough unless it can completely replace and deprecate one they're already using. Jami definitely is not that IMO.
How is Signal going to fund their operations in the future if they grow to anything close to the other three in size? Donations? Even if they're a non-profit they still need to keep the servers running.
The Signal Foundation received a zero-interest loan of $100,000,000 by WhatsApp founder Brian Acton which doesn't need to be paid back until the year 2068 or something.
And according to Telegram's Pavel Durov, "A project of our size needs at least a few hundred million dollars per year to keep going." [0]. So future funding sources will be needed if Signal grows to be a big player. It's fine saying they're owned by a non-profit, but even non-profits have bills to pay.
I don't think a project of that size needs that much money.
Exhibit A: The Signal Foundation's tax reports[0]
Exhibit B: The fact that WhatsApp had a very small team and rather low costs, at least prior to its acquisition by Facebook. (I can't find any numbers right now.)
According to this Wired article [0] from last year, the number of Signal users isn't public, but they've had "more than 10 million downloads on Android" and another 40% on iOS. Let's say 20 million downloads in total. Of course there's more now, but we don't know what kind of costs they have now, and I couldn't be bothered looking for more recent figures.
Telegram has close to 500 million active users each month. So of course Signal is not using as much money. The same Wired article mentions that Signal recently had gone from 3 to 20 full time employees, that adds a lot of cost as well.
My point is that I don't think Telegram have spent lavishly or focused on big profits, so it's unreasonable to assume that Signal will be able to do what Telegram does for much less money, so they will also need a new monetization eventually.
Signal is quite good and I use it for person to person. Hopefully with an influx of new users and with that, funding, it can reach feature parity with WhatsApp which is currently much better for groups. WhatsApp and Uber and Lyft etc, are very well crafted applications on iOS. They feel magical. Signal can get there as well, but it will take funding+effort.
I see the opinion that more users will help make Signal reach feature parity but I don't understand why that follows. Unless there is a massive increase in donations but that is largely covered by the 0% interest rate funding from WA founder.
While not a guarantee, the number of donations is proportional to the number of users. Since they can't extort their current users for more money, the only hope for Signal is to get more users.
How come you trust its privacy? Its privacy guarantees are by far worse than those of WhatsApp as Telegram messages aren't even end-to-end encrypted by default.
Keybase is effectively in maintenance mode after being acquihired by Zoom.
If anything, Signal should adopt some of the crypto identity primitives Keybase was known for [1] for persona management that builds on (but still supports) phone DID identifiers. Would Zoom sell or donate Keybase infra to Signal Foundation? That'd be swank.
Keybase showed a lot of promise, but ever since they were bought by Zoom I’ve been hesitant to depend on it. There’s a good chance it’ll be neglected or cannibalized in the future, not to mention the real or imagined CCP influence. Perhaps failure is a self fulfilling prophecy.
I tried signal, matrix, Riot, Slack, Discord, Messenger, Hangouts, and Keybase is by far the best option.
It is in an uncertain place though since Zoom bought them and moved its developers to work on Zoom. There has only been one small update to Keybase since zoom purchased them.
While it's not getting updated I don't have any worries about the reliability of its existing security. It's not perfect but it's pretty mature and feature-rich.
I've been a Keybase user for a couple years now. I started using Signal when it was TextSecure. From Signal Insights 98% of my conversations are encrypted because I pushed Signal hard on friends, family and colleagues early on. I talk to one person on Keybase that refuses to use Signal (not exactly sure their rationale anymore). For some reason I thought Keybase was going to give me the early experience of Twitter, where I was able to interact with people in the same field without having to know them IRL. And while Keybase does recommend I follow / interact with some of those people it feels less attainable to start up a random conversation or jump into a public thread like I did early on with Twitter. To be clear I'm not saying that's Keybase's fault. As for getting non-technical family and friends using Keybase, well... I find that it's not as approachable. I think it is more convenient in some cases (chat history is probably the #1 item), but it's also clearly geared towards people who likely have an idea what PGP is (re: PGP key identity proof, etc). I wish there was something that mashed up the best of Signal, Keybase and Twitter. But at the end of the day I'd probably still use Signal for the majority of direct person to person messaging because of the time and personal effort I've put into getting my circle to use it. The switching cost is too high a bar now to consider anything unless it's exponentially better (and I don't think that exists). I also really don't like the fact that Zoom owns Keybase and can't see myself recommending it much moving forward over alternatives like Element.
I had a contact show up with a super old name that I wanted to update but it was right in all my other apps. Turns out I still had the old name in one of the read only merged contacts from WhatsApp (contact showed up fine in WhatsApp). I had to remove my WhatsApp account clear the app data for signal and resync everything.
WhatsApp became massive before being bought by Facebook and you had to purchase it for $0.99 (or $2,99 it's been almost a decade so I can't remember the exact price). So no, as long as the network effect is there, costing money is not a no-go.
Except it wasn't really enforced. They kinda made you think you HAD to pay, but extended it to another year even if you didn't pay. So it was actually free.
I rate them differently- I can use Facebook and supply minimal real personal information. WhatsApp by contrast demands full access to all my contacts whether they use WhatsApp or not
That has not been true in forever on either iOS or Android, if it ever was.
It is possible to reply to numbers not listed in your contacts; and apparently it is possible to initiate chats with numbers by using a web api which triggers a platform specific app action.
But you’d be left with phone numbers as identifiers, and at most the user’s self description which is sometimes their name and sometimes just something like “xxx”
Yeah I went through the document. I'm asking on more of a mobile development perspective. The list makes it sound like when I open up Chrome and go to a site, Facebook knows right away.
All of them: Require your phone number to work, and ask for your full address book.
Asking repeatedly for information that is not necessary is a red flag. It is suspicious, to say the least, that Signal is not censored from Apple’s Appstore.
After being in the business world for 30 years, one truism is that business relationships can only be sustained for the long term if the interests of the parties are aligned. All parties need to contribute and all parties need to benefit, and the contributions and benefits need to be commensurate all around.
Social media and their users are struggling because their (our) interests have not been aligned all along. Initially, the services grew by providing great value. They developed equity through size and usage. Interests were not aligned for the long term because they lost money quarter after quarter. Then came the day they needed to convert the equity into revenue.
At that point, the pendulum swung back the other way. The users had given up privacy and publicized their lives to the world and developed habitual (addictive?) use. The user experience deteriorated, '3rd parties' paid for access and insinuated their banners into our feeds. We've become invested in these platforms, in some cases literally by developing primary income from YouTube, Locals, OnlyFans, ...
Clearly, we still don't have aligned business interests.
How can 'Big Tech' and 5 billion Internet users align our interests for the long term?
> How can 'Big Tech' and 5 billion Internet users align our interests for the long term?
This is a fascinating question, I want to see this discussed more. I'll throw some thoughts to get a conversation started:
I would happily pay for big tech company services - if I'm worth $30 a month in advertising revenues, I'm willing to pay $30 to subscribe to the same services in exchange for privacy. I'm convinced that I'm not the only person who thinks like this. I am waiting for a product to come around and service this market.
I suspect it's another micropayment problem. You're actually worth $0.05 in ad revenue (or something like that), but due to payment friction & billing fees you wind up paying monthly: Spotify: $10; Facebook: $20; News x4 sources: $40; LinkedIn: $30; HackerNews: $5; Various Forums: $50 (etc)
You get the idea- in the end you're paying incredible sums of money for a collection of services that just aren't worth all that much. A conclusion supported by the fact that your use of these services currently generates pennies a day in ad revenue.
We can see this game at play today in news, where you could easily blow $50/mo subscribing to a small selection of decent papers. It's not a big deal if you only had one subscription, but few people read only one paper- or participate in only one social network.
To make matters worse, as seen in the cable industry, paying subscribers by definition have money to spend. This means they are by definition the most valuable advertising targets, which makes the lure of advertising to your subscribers eventually impossible to resist...
While I think this market is definitely there I think the problem is it's the much smaller market so a company isn't going to make a competitive set of services and intentionally alienate the other e.g. 90% of users with it by doing pay only. On the flip side it's been shown that all but a very small fraction of that 10% will use the data sale funded version of these services if it's all that's offered.
So it ultimately comes down to "do we create an alternative funding model for that 1 percent of user space" which doesn't seem like much incentive vs trying to find ways to get more out of the 99% of users.
I think the only way this changes is if that userbase grows significantly, I don't think it's simply been an overlooked/forgotten internet business model.
> if I'm worth $30 a month in advertising revenues
Per service though, are you willing to spend $30/m each for what facebook was, for what twitter was, for what youtube was, for what reddit was, before ads took over? (that's over $100/m on 4 sm sites... now we're getting into medium, tech news sites, gmail, google search, maps, etc. And what about the people who can't afford a $300/m "internet" bill are they just cut out of this brave new world?
Excellent comment. I'd say there are at least three possible answers to the question you pose at the end of it:
1. As another commenter replied, Big Tech will have to start charging market prices for their services.
2. Big Tech will be unable to charge for their services, and the business relationship between them and their users will collapse, taking Big Tech with it.
3. The relationship between Big Tech and its customers will change from a business relationship to something else, where the truism you stated will no longer apply.
One might argue that (3) has already happened, and the "something else" is more like a manorial or totalitarian relationship, in which the interests of the users are irrelevant.
It seems clear that interests can be very aligned where users are paying for their product. It is only when services are "free" where alignment is an issue.
That's a fair comment, but a non-profit that relies on donations (as opposed to selling services to somebody other than me) strikes me as very different than Facebook et al.
It’s a viable model though. WhatsApp had only ~50 employees and already 500m users when it was purchased for ~$20B. They were already profitable on the $1/year after the first year subscription model.
Signal is approaching similar metrics (except it’s supported by a $50m endowment from Brian Acton instead of donations).
It’s easy to say that the mechanics of chat are pretty simple and a global chat service can be maintained by a roomful of engineers, but is the original algorithm-free, chronological Twitter that much more complex? It’s hard to believe there aren’t any other billionaires out there who would be willing to create an endowment securing the perpetual existence of a free social network.
Charging $1 a year like WhatsApp used to wouldn’t be such a bad idea once it got bootstrapped either, since it would make it much harder to run bot armies.
I moved 10 of my non-IT (male, age ~30-35) friends from FB Messenger group chat to Signal. None of them had any problems setting it up, none had any questions during the setup. I just invited them to the group after they created accounts (you can also use an invitation link) and the chat continued on Signal. No one has looked back at FB Messenger and we are not missing any functionality. I am slowly spreading in my circles and so far with only positive feedback.
What is happening here is interesting. Almost like Facebook Messenger has lost its network effects. It's so easy to install Signal and get set up, and there is a compelling reason to leave Facebook's ecosystem. I previously assumed the network effects were so strong no one could leave Facebook without being a hermit. It turns out people who actually want to contact me will actually bother to install Signal and join me.
I have to. But in this case it's not a social network, I don't care if the rest of world uses WhatsApp. I don't need a "network effect". I am fine when the people around me use it. So I achieved my personal goal and while I am happy if more people will join, it will not impact my own usage.
I think the possibly big letdown at some point might be the non-intuitive or non-existing message backups. Getting started with and using Signal is great but the backup functionality stops me from recommending it to non-technical friends.
Facebook messenger history is online and doesn't need to be thought about. I'm fearing there will be a fair bit of resentment once the non-technical Signal users change devices and realise that all their messaging history got lost in the process.
I've managed to do the same as well - the pushback has been minimal at best. I'm more surprised at how many "X is on Signal!" messages I've received from completely non-technical friends.
I'll probably burn some karma on this, but I have to ask as I'm genuinely trying to form a consistent opinion on these topics and understand better. Given that lots of people on HN are advocating in favor of Parler being deplatformed on the grounds it was used by groups to advocate and coordinate violence, and given that it's not a stretch to imagine that e2e encrypted communication apps like Signal have groups on them spreading "fake news" and "advocating violence" and cannot be moderated, how does one reconcile supporting Signal/Telegram/WhatsApp, but not Parler? What's the fundamental moral or technical difference that makes one ethical but not the other?
Doesn't Telegram have broadcast (channels)? And isn't this a highly requested feature for Signal? This seems to be what will happen to any communication network unless restricted significantly.
I see the stances as very different. Parler is a social media site dedicated to extremism. While I believe in their 1st amendment right to exist (not all speech is protected though) I do not like this group. On the other hand I see companies like Signal and CloudFlare as being neutral. They have taken a position that they choose not to be the arbiters of right and wrong. These companies also aren't dedicated to extremism. I believe that being able to speak freely and make mistakes is an essential part of democracy. A privacy preserving platform protects this idea. If the service is dedicated to the public (aka neutral) then I think this is the right move. Extremists will (and have) congregate on Signal (as they do on WA, Telegram, Twitter, 4Chan, Facebook, etc). I see encryption orthogonal to the issue of extremism. This may make it a bit harder for security to monitor these groups (no dragnets), but if they are mass groups it won't be hard to infiltrate anyways. If a member of the public can get in then why can't someone from the CIA/NSA? It might as well be in clear text. If they can't infiltrate these groups then we have much bigger problems and everyone has been overestimating the power of these organizations for decades.
So to sum up. I highly value privacy and security (especially as we're adding more to the internet. The danger is increasing). But I'm against extremism. It is a numbers game that more public members will gain value from privacy than the dozens of terrorists who will. But it is a different situation if someone creates a space dedicated to extremism.
(I do think this is a very reasonable question to ask though)
Edit: I wouldn't say that Signal will be completely unmoderated. Groups still have admins. But you're right that Signal won't be able to moderate. But this isn't that different from any federated platform.
Thank you for a very reasoned reply. I guess my fear for my karma was unfounded. ;)
Two follow up questions: How do you objectively determine Parler is dedicated to extremism but Signal is not? I think Parler would argue (even if incorrect or insincerely) that they choose not to be the arbiter of right and wrong too, or at least to do so as minimally as possible. Since we can't see into Signal, we don't have any data on the % of messages dedicated to extremism.
"If a member of the public can get in then why can't someone from the CIA/NSA? It might as well be in clear text. If they can't infiltrate these groups then we have much bigger problems".
Isn't that an argument for allowing Parler to stand? It actually _is_ (er, well, was) clear text, and I would be _shocked_ if CIA/NSA weren't monitoring it. Wouldn't we be safer with bad guys coordinating on Parler than on Signal.
I'm not sure of my own position, but I think the fundamental moral difference for those supporting moderation is that if one does have the ability to moderate, then they should have a moral obligation to do so. Technically, there's no central authority that can moderate Signal, so you can't have the moral obligation there.
I don't think there would be a significant proportion of people that would advocate for Signal to become centralized so it would allow moderation by a central authority.
Another perhaps more cynical take is that even if there is hate-speech and other undesirable communication in Signal, it's not seen so people aren't concerned about it. As they say, "out of sight, out of mind." That makes me wonder if expectations would change if people started publishing screenshots of Signal groups with hate-speech. I think they'd be pretty limited to small sizes, so perhaps they wouldn't be as concerning.
The existing platforms work well enough for people who aren’t kicked off of them, or hindered in sharing their views. Liking, caring about, or knowing of the existence of these new platforms is a strong proxy for the kinds of political views that some find easy and safe to hate on.
Engagement inside Signal is with your existing networks and groups, and can only grow iteratively—not virally/exponentially—it’s a chat app. WhatsApp and Telegram do support and encourage broadcast oriented communication, and personally I do associate WhatsApp with misinformation-fueled violence in countries where it’s the first exposure people have to internet-style mass direct communication.
Signal invented new cryptography to justify its existence. WhatsApp scaled chat, SMS-analogous to start, for the world to use. Telegram invented secret ways to MitM chat connections, and wasn’t under US influence. Parler exists to make a political statement in the current US political context.
As Signal has allegedly seen a huge boost in signups since Jan 6, I think this is a very pertinent and difficult question.
The way I see it, Signal will not make it any easier for outsiders to get radicalized (there's no public forum aspect), but once people are already radicalized and connected, it can be used to great mischief. That said, I tend to be liberal on this topic, and I feel the benefits of across-the-board E2E encryption to society outweigh the risks. But it seems likely to me that that principle is about to be sorely tested.
From my point of view, the conversation is more about supporting privacy vs not. I don't think anyone is supporting WhatsApp, especially after the recent news.
I think for the sake of shireboy's question, WhatsApp can be ignored.
shireboy's point seems to be that it seems inconsistent to want moderation in one type of network and not mind not having it in the other. Though, it's possible that the users supporting the moderation are different than those supporting e2e networks.
I believe the support for Signal comes from the privacy it offers from Facebook, et al., and by extension also possibly the government (Snowden, et al.), not because it can be used to coordinate violence.
Just emotions that sacrosanct capitol was breached by fascist Trump's supporters.
That begs the question which platforms were used for organizing BLM riots for months and why there aren't any consequences?
Companies claiming to uphold democracy are the worst offenders if it makes business or ideological sense yet HN crowd is cheering. Look at how they are willing to suck up to China, Iran, and even Taliban.
Disclaimer: Trump is an unreliable character so I don't like him personally a lot. But cheering up one-sided suppression without looking at the full picture is distasteful.
I have a few family-related whatsapp groups and I've been thinking about asking/moving those groups to signal, but I really can't imagine my parents/sister/friends to understand, nor care about the facebook data issue. After all, they're all on Facebook and all use it.
I don't think I'll ever get to request it, because I'm pretty sure it's going to fail, especially with my parents and others from this age group - having them download another app, signup, etc. will be too complicated.
My family group is all iPhone users, so I thought about moving this to iMessage, which feels more possible, but again, I'm not even sure my parents understand the difference between whatsapp and iMessage, as they send me messages on both platforms without much logic.
Like everything else "bad" that happens to Facebook, this event won't change much and impact on whatsapp will, unfortunately, not change anything.
Remember when corporates stopped advertising on Facebook? They're all back.
> I don't think I'll ever get to request it, because I'm pretty sure it's going to fail, especially with my parents and others from this age group - having them download another app, signup, etc. will be too complicated.
I moved my whole family to Signal, and it's surprisingly easy. It asks for their phone number, name (it's autocompleted) and a pin. You can create a link to your family's group chat so they can join without needing someone to invite them.
Most people's whole family is already using WhatsApp to communicate amongst themselves, especially outside the US. It's not that signal is any harder to use, it's that you now need everyone to unlearn their "Use WhatsApp" behavior, and the only justifications you can give them is "Facebook/Privacy!".
This might work with younger groups who really care about that stuff, but as you move up the age groups you'll start to find people who think "Well I already use Facebook daily, how is this different? Why should I care?", and eventually hit the age group that doesn't know the difference between SMS and WhatsApp, they're all just "messages".
Obviously I'm over-generalizing a bit here, but even if I got my parents using Signal, they'd still use WhatsApp to talk to their friends. My parents' parents are even more locked in. Short of charging a monthly fee, I don't think there's anything WhatsApp could do that will get a majority of folks to actually uninstall it.
I'm in the process of moving family and friends. For my friends who I believe are more than capable of moving, I just told them that I'm leaving WhatsApp, you can still reach me on Signal. Then I block them on WhatsApp, so I don't relapse. Almost all of them have moved across so far. I installed Signal for my mom and then blocked myself on WhatsApp on her phone, so she's forced to use Signal to contact me. If someone can use WhatsApp they can definitely use Signal. It's more secure and it's cleaner.
For the vast majority of people, WhatsApp works just fine; you’re trying to get them off something they’re comfortable with rather than getting them to use something better than SMS.
I don't like "nothing will happen" as a talking point. "Nothing will happen" because... they cornered the market. They're the only game in town. It's the only way for many people to contact their friends. It's not their fault Facebook is a scummy organization run by a sociopath, they don't really have any options. I don't like this implication that the public is to blame.
Comparing Signal features with Whatsapp I have two thoughts:
1. I noticed that Whatsapp allows me to add someone to a call (sort of like upgrading a phone call to a group call). I couldn't find a way to do that with Signal - although Signal supports group calls (that is, calling an entire group at once).
It's a minor feature, but I discovered that I rely upon it quite often.
2. Last year, I attempted to switch from iOS to Android - and I discovered that there isn't a clean way to move my whatsapp messages over. On iOS, whatsapp creates a backup on iCloud, there isn't any way to recover that on Android.
I aborted the attempt to switch to Android only because losing my whatsapp chat history was unacceptable.
Signal currently seems to be just as bad. However, if signal can implement a reasonable way to create backups and recover them across devices and operating systems, it will seal the deal and convince me to permanently delete whatsapp from all my devices.
The problem that Signal has to solve: transfer of new messages to a new phone. Right now the iOS transfer is a whole lot better than the manual Android process (I've heard the former is not foolproof).
Being a house full of Pixel devices and sole IT person, I don't want to be responsible for lost messages when it comes time for a new phone.
Also if your phone is lost or bricked (either platform) say goodbye to messages.
Moving from Android to iOS, bye messages.
I can move my savvier friends and family over, but the rest will remain on whatsapp where "it's easier" compromise works.
I just migrated from a pixel 4xl -> 5 and back with signal.
Nobody noticed, no warnings about encryption keys changing, no problems whatsoever. Took about 5 minutes each time (including googling of the directions).
Just make a backup (with an encryption key), then do a restore (and enter said key). Not as convenient as if it was automatic, but it does seem like a pretty secure approach.
Exactly this. A lot of other messaging apps have this problem (read the App Store reviews of LINE for a sampler of people upset about it), and I find it baffling. Have these devs never lost a phone (or had one break unexpectedly?)
It seems like it should be trivial to back up message history to the cloud.
I love that Signal generally seems receptive to features that users ask for. It's far from perfect, as there are certain features I've seen repeatedly requested that are still yet to be implemented, but over the years that I've used it, Signal has come much closer to a full-featured WhatsApp alternative while taking the harder path of maintaining privacy for these additions.
My personal wishlist:
- Making the app available on F-Droid, either on the official repos or just hosting a third-party one
- Bringing the Android backup solution (encrypted blob) to iOS
- Bringing the iOS backup solution (direct device transfer over Wi-Fi) to Android
- Signup with usernames/emails as an option instead of only verified phone numbers
- A more reliable desktop client, because most of my contacts on Signal (myself included) have experienced syncing issues, message decryption issues, notification issues, etc. I do like that the desktop client is temporarily standalone in that the phone running the app does not need to be available, although I have had to re-connect the two every once in a while so I don't find it reassuring to depend on the desktop client alone.
There is bad blood between F-Droid and the Signal devs. I don’t expect the app to ever appear on F-Droid. Signal’s developers are on record as preferring the Google Play store as the official distribution method, and even downloading the APK directly from the Signal website is something they tolerate only grudgingly.
Plus, some are predicting that forthcoming changes to Android – Google possibly mainstreaming its “advanced protection” model so that phone owners cannot install the F-Droid APK except through enabling ADB and pushing it to the phone from a computer over the command line – will further marginalize F-Droid.
If you browse the F-Droid website they actually mention that it's possible to use the .apk distributed by the developers, if the apk is reproducible. It's cumbersome and requires a lot of goodwill from both the developers and the F-Droid maintainers, but it's not impossible.
The thing is, people using F-Droid are most likely already aware that they can install the .apk directly from https://signal.org/android/apk/ so there's not much to gain (the .apk prompts the user when an update is available too).
Exactly, that was the reason Moxie gave for wanting to avoid F-Droid back in the day. Besides, I hear the .apk one can obtain from signal.org these days comes with an integrated update mechanism, anyway? As much as I am a fan of F-Droid, I really don't understand the criticism here. What advantages does F-Droid provide here?
I give it a couple of weeks before screenshots of "violent" groups on Signal go viral, and the ban hammer will come unless they build a backdoor or remove the end-to-end encryption feature entirely.
My guess is Moxie would shut the company down before introducing a backdoor.
Also, if the gov tries to ban it, it's just open-source software, right? Haven't courts (in the US at least) ruled that code is speech, and therefore protected from government restrictions by the 1st Amendment?
Except I doubt that's how it will work. They just have to get Apple and Google to bow to the pressure again and remove it from the app store. Restricting the first amendment is a lot easier if you can effectively do it without actually doing it officially.
I found a bunch of sticker packs here that were easy to install. There must be a way to import telegram sticker packs, because I see them referenced. https://signalstickers.com
At least for Telegram, there are sub-groups out there that port stickers from other services (e.g., LINE). Hard to imagine that won't crop up for Signal eventually, if not already.
Is there a GitHub issue or someone to make this as a feature request for Signal since it's an open source project? +1 to easy migration features that can allow folks and groups to move from WhatsApp to Signal.
> - UX/UI - whatsapp seems to have a much tailored UI for beginners
How so? UX/UI for beginners is a big priority for Signal, your feedback could be helpful.
I might agree with you for Signal-Desktop: installing another application is always more friction, and it will get out of sync if you don't open it regularly, which doesn't happen with WA since the messages are retrieved from the phone.
One thing I wish Signal had is key transparency. How come I can't see my own key hash and my contacts' keys? I know they're trying to keep it simple, but power users should be able to do this.
But you can? Open a conversation -> Menu -> Conversation settings -> View safety number.
Note that the safety number is basically a combination of your and your contact's (DHKE-negotiated) keys and is thus going to be different for every conversation. The reason both keys are not shown separately is that it apparently confused users.
Interesting, and thanks! Normally DHKE is authenticated though with public key cryptography? The way I understand is DHKE establishes a secret... with someone but in order to ensure it was your intended party, not a hostile government, usually a public key signature exchange takes place.
That's correct, it's an authenticated Diffie-Hellman key exchange. I'm not sure why they don't show the actual public keys anywhere but I suppose it doesn't make a lot of sense for the general public and it'd only be confusing.
In fact, the cryptography is even more complicated: The Signal protocol uses a so-called double ratchet algorithm[0] which derives from the session/conversation keys a new ephemeral message key whenever possible (again using a DHKE). This has the added advantage of providing forward secrecy.
They have a feature called safety numbers in the conversation settings. Lets you pull up a QR code and number so you can verify public keys with someone in person or out of band. Then you can hit a verify button, which I assume makes the warnings for someone's key changing louder or something like that.
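The comments above describe the safety number as a value derived from both parties' identity keys, so it differs per conversation and changes when either key changes. The following sketch is an added example, not part of the thread and not Signal's actual algorithm: the hashing scheme, the iteration count, the user identifiers and the keys are all assumptions constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 5200  # illustrative work factor; an assumption of this sketch
DIGITS = "0123456789"


def fingerprint(identity_key: bytes, user_id: str) -> str:
    """Reduce one party's long-term public identity key to 30 decimal digits."""
    digest = user_id.encode("utf-8") + identity_key
    for _ in range(ITERATIONS):
        # Mixing the key back in on every round binds the output to this exact key.
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = []
    for offset in range(0, 30, 5):
        value = int.from_bytes(digest[offset:offset + 5], "big") % 100000
        groups.append(f"{value:05d}")
    return "".join(groups)


def safety_number(key_a: bytes, id_a: str, key_b: bytes, id_b: str) -> str:
    """Combine both fingerprints; sorting makes both phones show the same number."""
    halves = sorted([fingerprint(key_a, id_a), fingerprint(key_b, id_b)])
    return "".join(halves)


def pretty(number: str) -> str:
    """Group digits in fives so the number can be read aloud or compared by eye."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


def matches(read_out: str, local: str) -> bool:
    """Compare the number a contact reads out with the one computed locally."""
    strip = lambda s: "".join(ch for ch in s if ch in DIGITS)
    return hmac.compare_digest(strip(read_out), strip(local))


def constructed_key(label: str) -> bytes:
    """Stand-in for a real public identity key (constructed sample data)."""
    return hashlib.sha256(("constructed-key:" + label).encode()).digest()


if __name__ == "__main__":
    alice, bob = constructed_key("alice"), constructed_key("bob")
    # A different key presented under Bob's identifier: a reinstall, a new
    # phone, or a party sitting in the middle of the key exchange.
    other = constructed_key("someone-else")

    on_alice_phone = safety_number(alice, "alice", bob, "bob")
    on_bob_phone = safety_number(bob, "bob", alice, "alice")
    after_key_change = safety_number(alice, "alice", other, "bob")

    print("Alice sees:", pretty(on_alice_phone))
    print("Bob sees:  ", pretty(on_bob_phone))
    print("Match:", matches(pretty(on_bob_phone), on_alice_phone))
    print("After key change:", pretty(after_key_change))
    print("Still matches:", matches(after_key_change, on_alice_phone))
```

Because the comparison happens out of band (in person or by QR code), a substituted key shows up as a mismatch that the key exchange alone cannot reveal.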
I'd probably switch to (and get friends to switch to) Signal if it supported Android Tablets and had a web app (like web.whatsapp.com). Those items might seem minor but having to always have my phone next to me, even when I'm browsing on my tablet, is inconvenient. Same goes for not being able to login easily to a semi-trusted device via the web (e.g. my work laptop - I don't want to install the desktop client, but I trust it enough to login to a web app, possibly in an incognito window).
It does work on tablets, but it's a side-load APK, and unlike laptop/desktop it cannot be used as an "adjunct" to your phone: it becomes an independent entity or takes over the entire state.
Does Signal really not run on Android tablets? While you do need to receive an SMS to set up a Signal account, you can receive that SMS on any other device, even a dumbphone.
The desktop client is sadly a bloated Electron app that has to be paired with your phone. Thankfully it's not completely hopeless as the pairing only has to happen once and it doesn't require your phone to be online all the time to work.
So is everyone OK with this big migration to another centralized service that doesn't interoperate?
Imagine if e-mail had been like this. You can't talk to your friends if they have a different provider, and you're not allowed to use your own client anymore.
I want to make my Signal (i.e. my personal cell phone number) public, but I don't want to put my cell phone number up to the internet to open up spam and MITM 2FA SMS attacks. What's the best way to do this?
Burner SIM?
Google Voice number?
Landline service?
Go find a payphone?
The "tied to your phone number" thing is weird for me, both Telegram and Signal.
If you want to change your phone number, how do these platforms handle it? Do your contacts get updated or what? What happens to people with your old number?
If your phone breaks, and you get a new one, how do they handle backups? (My iPhone's WhatsApp backups somehow disappeared when I got a droid.)
These questions are particularly infuriating for digital nomads and people living abroad. I want an inexpensive cheap way to keep my US number I've had for 10 years. I've also heard horror stories that Google Voice (or Fi? Can't figure it out) will shut down your account if you live internationally.
I have a link in the post on how to use a Twilio number instead of your real phone number. Signal PINS is the first step to making non-phone number identification work.
I have no idea about phone number changes (I've had the same phone number for 20 years), but my phone broke not terribly long ago and I had to reinstall everything. As I recall, my Signal data came back just fine. Looks like you have to enable it[0], so I assume that's what I did.
> The "tied to your phone number" thing is weird for me, both Telegram and Signal.
Isn't this restriction also applicable to WhatsApp?
I think it’s interesting that not many people here bring up Discord. It’s by far the most challenging competitor for the average user, IMO. Full of features and very easy to use.
Discord imo feels like 10 different spammy chat concert halls (rooms of 50+ people). Feature-wise though it has great group audio chat, and okay(a bit low-quality)-but-immediately-available video chat.
I wish Signal had a setting for alternative media handling.
Guessing that a lot of WhatsApp users like myself rely on the built in media backup to Google Drive.
The automatically, well ordered media stored locally on the phone, with dates received in filenames, is great for people who like to have local media backups.
WhatsApp image folder can also be added to services like the Google Pictures backup.
All those missing features are Signal deal breakers for some people
I love signal, or at least the idea of it. I've been trying to get family onto it and away from WhatsApp for years, and we finally tried this week.
Unfortunately, my messages to the family group are stuck spinning (24 hours now) and I'm not seeing any new messages in the group (and should be). Nightmare.
If anyone knows a fix I'd love to hear it (have tried leaving the group and rejoining, restarting phone etc)
Some months ago Delta Chat [0] trended on HN. I think in a perfect world email based chat would solve a lot of the problems with current apps like Whatsapp or even Signal. But based on Gmail popularity I assume it would just mean that Google would get the data in most cases.
> This is distinctly different than how iMessage and Telegram work because in both of those apps they store your private key.
Does anyone have a moment to explain this one to me? Seems to me you'd of course have to store your own key on the device. And if Apple is storing it themselves... that's news to me and pretty concerning.
iMessage does store a secure key locally on your device which never leaves. The main difference with iMessage is Apple is able to add more signing keys to decrypt the data if they wanted. This is what happens when you add a new device.
In a no-trust model once you sign in on a new device you wouldn't see all of your old messages. Because all of your old messages are decrypted and sent to the new device this is evidence that a new signing key was added to the communication chain.
Apple could also do this to decrypt your messages to give to a government agency or for whatever purposes they want without notifying you.
Which describes that the private keys are generated and held on device.
Now I think this model may change when you enable iCloud messaging, in which case an encrypted messaging key may be stored in your iCloud account. So you may opt to have Apple store it, but in an encrypted manner that they can't undo.
This part is a bit speculative on my part though, so grain of salt.
I don't have a FB Profile hence don't have the FB App nor FB Messenger, but I do use whatsapp extensively. Do I need to be overly concerned with whatsapp's privacy changes?
I really want to like Signal, just... it's so shitty at times.
Discord and Slack are great. Even Microsoft Teams.
Shitty things about Signal:
1) When you set "Disappearing Messages" it's for any messages that come in after that point. I think it should be for the whole thread. Even though the UX implies it's for the entire conversation, it's really just for messages sent after the setting was changed. Moreover... let's say you change the settings a few times... you have no idea if / when individual messages will disappear.
2) When you delete a message on your phone, it's still on your desktop -- and everyone else's devices. It's really frustrating that if I send a typo, I can't delete it or fix it. Worse, it appears to delete... and being native to Discord / Slack / Teams... I expect it to delete for everyone. They did change message text from "Delete" to "Delete message for me" but even that doesn't even delete across all my devices.
3) You can't edit messages after you send them.
4) Functionality is different on a phone vs a desktop. You can't do nearly as much on the desktop version.
5) It's funky when you change phones. You can't like sync all your old messages from one device to another. It'll pull them on to a Desktop client, but it won't pull them into a new Mobile phone client. Dunno, just bad UX.
6) Signal is still based on phone numbers... I don't trust phone number based 2FA, so I don't really trust Signal to be based on phone numbers either.
But it's not all bad! Some things they added which make it feel less horrible... they finally did add meta data previews for URLs. That was nice. They added ability to give tapbacks / emoji responses, and "reply" to messages. I think all this in the last year or so. They're working on it... but like it still feels like they're aiming for shitty old cell phone text messages as what they are trying to replace... I wish they were aiming for Discord / Slack / Teams as those platforms have really done a great job with chat.
By far, the platform with the most improvement was Microsoft Teams. They had this wonky Skype For Business who knows hybrid approach. And they had a lot of the same issues around messages not being synced between devices. They fixed that in the last 18 months. I've been using Signal since Snowden, but in my opinion Signal still has a long way to go before it's something I would actually want to use to chat with friends.
> 1) ... you have no idea if / when individual messages will disappear.
There's a small clock between the sending date and the (double) tick which indicates just that.
Also, I think it's recent, but if you select a message then click the 'i' (information) at the top there's a countdown that says exactly in how much time it disappears.
> 4) Functionality is different on a phone vs a desktop. You can't do nearly as much on the desktop version.
Which features are you missing on the desktop version? They seem to have implemented calls recently, I'm not sure what's still missing. I mostly write text messages though, so I wouldn't know.
> 5) It's funky when you change phones. You can't like sync all your old messages from one device to another. It'll pull them on to a Desktop client, but it won't pull them into a new Mobile phone client. Dunno, just bad UX.
Is it better with e.g. WhatsApp? You have to transfer the backup files anyway, right? If you're on Android it should boil down to transferring the backup files, just like with WhatsApp. It does suck on iOS from what I've read.
> 6) Signal is still based on phone numbers... I don't trust phone number based 2FA, so I don't really trust Signal to be based on phone numbers either.
Phone numbers are a problem, but they're on a good track to get rid of them while still providing the same privacy. In the meantime, I don't think it's a security risk if you have a random pin.
If you compare Signal with Discord, Slack and Microsoft Teams, Signal will never win on features. AFAIK these are not E2EE and they don't really try to reduce the metadata or even data known by the servers. Basically a feature vs. security trade-off.
> There's a small clock between the sending date and the (double) tick which indicates just that.
Cool, I see it now. But there's still no way to change it. In Snapchat, when I set the time it impacts all messages in the conversation. It'd be nice to have the timer impact all messages in the conversation, it's weird how it is set at the conversation level but doesn't apply to all messages in that conversation.
> Which features are you missing on the desktop version?
Create new group. Invite friends. Change your avatar. Change group avatar. Literally had to text myself a picture from my Macbook to my Phone so I could use it as my avatar. Oof. Windows Desktop version vs iOS app version. MacOS version I don't think is any better.
Found another annoying thing... two actually. "Mark as unread" is device specific, not message specific. Also under the little info on each message there's a button "Delete Message" but again it's not a real delete, it just impacts the device -- all the other places they said, "Delete message for me" so they know it's confusing to just say "Delete" and not have it actually delete the message for everyone.
> It does suck on iOS from what I've read.
Good it works better on other platforms, but yeah it really sucks on iOS. Get a new phone, and you have to be re-added to groups.
> If you compare Signal with Discord, Slack and Microsoft Teams, Signal will never win on features.
Why? Doesn't seem like it'd be impossible to sync all messages across all devices. Doesn't seem like it'd be hard to allow for deletion of sent messages. It's not peer-to-peer, and they keep all the messages on the server... when you turn on Signal Desktop it goes and retrieves the messages for you going back quite a ways. They just need to sync between devices.
I currently have Hangouts/Messenger/Telegram and Signal all connected via bridges to Matrix. I pump all my Facebook/Messenger/Hangouts traffic in my browser through a VPN to the server where the bridges are hosted so Google/Messenger won't flag them for security.
This took a couple of tries of logging in outside of the proxy to FB, getting the security warning and then switching back to the proxy with the same cookies so FB/Google algos learn the IP is safe. Hopefully when I move, if I keep all those same rules in place (using FoxyProxy for Firefox or Chrome-based browsers) and turning off location on my Android device permanently (will also move to a PinePhone soon), I can make it difficult for Google/FB to know my location after I move from my current city.
Signal and Telegram are great because they have standard APIs that make it easy for a Matrix Bridge. For FB and Google I have to trick them, which makes them hostile to developers and tech people. We've had to do this for years with libpurple plugins as well:
1. Worst Offender : Facebook Messenger --> spyware for tracking all your activities even in background
2. WhatsApp : Lost trust in it since Facebook bought it, more so with the new terms and conditions. Data is not safe anymore.
3. Telegram : Trust its privacy but its proposed business model is also advertisement based so avoiding it.
4. Signal : Best option, there are some sacrifices to be made with lack of contacts and some features but slowly and surely we can turn the tide. Also it's open source funded by a Non-Profit so that gets it bonus points.
Reference: https://9to5mac.com/2021/01/04/app-privacy-labels-messaging-...