I agree with Signal here and love their commitment. Strangely (to me) they do 'recall' things in other ways:
* They have a message retention setting, 'Disappearing messages'; it works on message correspondents' devices too (if Ali sets 'Disappearing messages' to '1 day' for the chat with Barry, and then texts Barry, 1 day later Signal deletes the message on both Ali's and Barry's devices).
However, 'Disappearing messages' applies only to text messages. For every voice and video call, Signal retains a record of the date and time and the participants, and Signal saves it on the devices of each participant. Beyond a doubt, Signal's developers are well aware of the value of such metadata - as valuable as call content, in different ways - and the need for confidentiality (if you aren't familiar with that particular issue, I promise that every security professional is).
I'm shocked that they do it. What about a human rights dissident who is arrested - or whose phone is stolen - their phone won't show any sign of the text messages but it shows everyone they called and when, implicating all those other people and putting them at risk, and also evidence against the phone's owner. And even if they are disciplined and manually delete each of those records - afaik you can delete each call record one at a time - the other call participants' phones still retain the records. There is nothing someone can do to protect themself.
Better security here doesn't seem hard to implement. Also, I think having different settings for text messages and for voice/video calls makes retention settings more confusing for users. Many will believe they are safe without realizing the risk of this metadata - they trust the experts at Signal to understand these things and keep them safe - and many will assume everything disappears. Just have one setting for all data and metadata in the chat.
* Also, afaik if you delete the entire correspondence with someone - delete their entire chat history and delete them from the Signal address book - Signal retains information on them, such as settings for that chat. It seems that an attacker could identify all the deleted correspondents; again, there's no way to protect yourself.
> Better security here doesn't seem hard to implement.
You seem to assume it would be very simple to implement this — how do you come to this conclusion? My priors would suggest that the vast amount of effort that went into the Signal protocol renders low-hanging fruit regarding privacy fairly unlikely.
The GP is actually right here, Signal keeps the call log in the message history (deleting the call entry from the message history deletes it from the call log), but the disappearing messages setting doesn't get applied to the call log.
It's weird to see a bunch of messages, a call, more messages, and a day later the messages around are gone, but the call remains in the history. They could have just applied the disappearing messages settings to the call entries too, as it would be natural to do, and this problem wouldn't exist.
I don't think it's malicious, because what the server knows is independent of what the UI shows, but it's a very odd UI issue that does reduce privacy.
They keep it in the UI, therefore I assume in the database as well. If you delete a call entry in the message history (like you delete a message), it gets removed from the "call history" tab as well.
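An added illustration of the behaviour discussed in the comments above (not part of any comment, and not Signal's code or schema): a local history table holds both text and call entries, and an expiry sweep is run once over text rows only and once over every row kind. The table `history`, its columns and the sample rows are hypothetical and constructed for this example.

```python
import sqlite3

# Hypothetical schema: texts and call entries share one history table.
SCHEMA = """
CREATE TABLE history (
    id         INTEGER PRIMARY KEY,
    chat       TEXT NOT NULL,
    kind       TEXT NOT NULL CHECK (kind IN ('text', 'call')),
    sent_at    INTEGER NOT NULL,   -- unix seconds
    expires_in INTEGER             -- chat timer copied at send time; NULL = keep
);
"""

# Constructed sample rows: a chat with a 1-day timer and a chat without one.
ROWS = [
    ("ali-barry", "text", 1000, 86400),
    ("ali-barry", "call", 2000, 86400),
    ("ali-barry", "text", 3000, 86400),
    ("ali-carol", "call", 2500, None),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO history (chat, kind, sent_at, expires_in) VALUES (?, ?, ?, ?)",
        ROWS,
    )
    return db

def sweep(db, now, kinds):
    """Delete expired rows of the given kinds; return the rows left behind."""
    marks = ",".join("?" for _ in kinds)
    db.execute(
        "DELETE FROM history WHERE expires_in IS NOT NULL "
        f"AND sent_at + expires_in <= ? AND kind IN ({marks})",
        (now, *kinds),
    )
    return db.execute("SELECT chat, kind FROM history ORDER BY id").fetchall()

def residual_contacts(remaining):
    """Chats a person reading the device could still enumerate after the sweep."""
    return sorted({chat for chat, _ in remaining})

def demo():
    now = 3000 + 86400 + 1  # just after the last timed entry has expired
    text_only = sweep(open_db(), now, ("text",))
    unified = sweep(open_db(), now, ("text", "call"))
    return text_only, unified
```

With the text-only sweep the expired chat still shows a call entry with its timestamp; with the unified sweep only the chat that never had a timer remains.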
> vast amount of effort that went into the Signal protocol
If it requires protocol development, I'd agree. I expect - knowing no more than Signal's blog posts - that it has two components:
* Local database: These records need a retention period column, somehow - however they implement it with text messages. That seems straightforward.
* 'Distributed retention' - implementing the retention period setting on the remote devices of other call participants. I expect they would do it the same way they do with text messages, and I would guess it's just a field in a packet somewhere; e.g., establish a secure connection and then in the call's initial packet,
It can use usernames now. I don't have any of my Signal contacts in my contact list, and I can't see their phone numbers any more since they introduced the usernames. Not sure if by digging in the database files I could extract the numbers or not.
Ok, now where are Signal's servers hosted? You're not safe from any secret police from those countries and countries friendly to the hosting countries.
> It's never used after that (unless you want to use it).
As in there's no way to accidentally leak your phone number to your contacts on, say, a new installation that comes with the option to make it visible by default?
Edit: You are making one uninformed assertion after another. Stop making endless errors and just look up these things at signal.org. They are very open about it.
> Ok, now where are Signal's servers hosted? You're not safe from any secret police from those countries and countries friendly to the hosting countries.
Signal is very open about what information they collect, which is all they can produce: a phone number, and "the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service".
> As in there's no way to accidentally leak your phone number to your contacts on, say, a new installation that comes with the option to make it visible by default?
Is there? What are you claiming, and based on what? There are infinite speculative security risks.