And then it spams all of your contacts who have Signal installed, without asking you first.
And it shares your phone number with everyone in your contacts who has Signal installed.
And then when you scream ARE YOU FUCKING KIDDING ME and delete your account and purge the app, guess what? All those people running Signal still have your phone number displayed for them right there in plain text. Deleting your account does not delete the information that the app shared without your permission.
So yeah. Real nice "privacy" app you've got there.
I'm going back to Facebook Messenger, where at least the privacy failings are obvious.
PS: If you suddenly find yourself in possession of my phone number, please don't share it, with anyone, ever. SIGH.
As you see in the comments below, the developers vehemently deny they are sharing your phone number with people who didn't already have it. I'm willing to accept that they're not lying about this, but let me clarify what I saw with my lying eyes:
- I installed Signal. I allowed it to access my contacts.
I started getting "Hello" messages from people in my Contacts. This is the point when I learned that (however you want to spin it) they had been notified that I joined this network.
I was not informed beforehand that this was going to happen. That's fucked up.
To be clear: when an app says "we don't share your contacts with anyone" and then 30 seconds later, people from your contacts start messaging you because they got a notification -- it's pretty reasonable to assume that something fishy is going on.
I installed this app because I wanted to communicate with one or two particular people. I did not want to wave a big flag saying HEY EVERYBODY HERE I AM. If the flag-waving is non-optional, then that should be made abundantly clear before one activates the account.
This kind of behavior reeks of the sort of spammy boosterism that is endemic on every social network these days: the priority is on building the network. Self-promotion comes first. Get the users, invite invite invite, work that network effect, user experience comes second.
- One of those people who sent me a "hello" message said, "Hey, I seem to have your phone number now, and I'm pretty sure I didn't have it before."
So maybe they were wrong, and they did have my number previously.
That's why I asked another friend who has been using Signal for a while if this was for real:
Is there anyone in your Signal address book with a number who has never messaged you or given you their phone number?
Yes. There are a few people I've never messaged, and at least one whose phone number I didn't know I had.
So maybe they were wrong too.
Then I saw this:
@autolycos: I can verify. I joined Signal and got the number of an army buddy I only had email addresses for.
And then I saw this:
@uplevel_payload: I greeted a colleague via Signal w/o warning and really freaked them out. I only had their professional email prior to.
So maybe those people, and various others on Twitter reporting the same unsettling discovery, are all wrong, too.
There seem to be an unsettling number of people suffering this same delusion, though, huh?
Then I deleted my account and deleted the app. I asked a friend if that had made me disappear from their list.
No. No it did not. So that's fucked up, too.
Then I made this irritated blog post. It's true that I did not take a month to do a full audit of their source code first. I made an inference from what I saw with my lying eyes, plus confirming anecdotes from several other Signal users.
Because they say so, I can accept that Signal isn't leaking your phone number to people who don't already have it, but it sure seems like it is, and these perceptions matter, especially for a purported privacy app.
It seems especially hinky when this phone number (mis-?)discovery immediately follows that bit where they say "we don't share your contacts", which hinges on a precise reading of the word "share", because your contacts sure do get a notification anyway.
Update, 2018: Subsequently.
OMG that graphic. Now I want to hate Signal too just so I can re-use it.
Make sure to tell the folks at EFF, who recommend Signal in their Surveillance Self Defense kit. This is the exact opposite of what you would want.
Hooray for walled gardens.
The people who truly need the Surveillance Self Defense Kit already assume they are being watched. Signal is about keeping sensitive messages out of the hands of interceptors, nothing more, nothing less.
Metadata about contacts IS a sensitive message.
If it makes you feel any better I can't find you in my Signal contacts so maybe it's finally gone off the system?
And here comes the glad-handing where their tech support says this is all by design, and the user should have known better.
Yeah. I should have known better than to install this app.
That it does this has always been known, and is well documented. And I tell everyone I recommend Signal to that it does exactly this, and they shrug, and install it anyway.
That's because people have been beaten into learned helplessness by scummy companies like Linkedin (whups, MS) and Facebook.
Anyway, that's enough from me. Don't want to get involved in a tennis match here.
Where is it documented that Signal sends your phone number to everyone in your address book? Signal simply doesn't do this.
Signal doesn't have any "profile" information at all beyond what is in a user's address book, and the phone number is the index into that. So it doesn't even make sense that Signal could do this, because it would have to somehow communicate to the remote party that Jamie's phone number corresponds to the name "JWZ" in their address book. But how would Jamie's phone even know that the name "JWZ" is in their address book? Or reference how to associate Jamie's number with that name?
Ok. I've got a main phone and a spare phone, both in each other's contacts. I had apparently installed Signal on the main phone a while ago, but hadn't activated it, so I activated it, and saw that my Signal knew how to reach half a dozen friends (and the phone's Contacts list has cute little logos.) Then I installed Signal on my spare phone, and activated it, and it showed that it knew how to Signal-message my main phone. My main phone still didn't show that it knew how to Signal-message the spare phone, but when I found Refresh in the menus, then it knows.
Then I uninstalled Signal from the spare phone, refreshed Signal contacts on the main phone (it didn't notice spare had disappeared, but I didn't see any way to DE-register a phone number from Signal, so I couldn't test what happened if the other phone wasn't in Contacts.) Reinstalled Signal on the spare, sent a message to main. Over on main, it says the two messages I sent after uninstalling Signal were "unread" (hmm, does Signal know which messages were read? Scary!), and told me it had a new message from Spare with an unrecognized safety number, and did I want to accept the new one (reasonable UI.)
> "Ok. I've got a main phone and a spare phone, both in each other's contacts."
I'm not exactly sure what it is you're trying to test, but at no point does merely installing Signal mean that anyone didn't already know your phone number learns your phone number. That's what this article is claiming, which is simply false.
> "it says the two messages I sent after uninstalling Signal were 'unread' (hmm, does Signal know which messages were read? Scary!)"
Those are delivery receipts, not read receipts. Not sure why either would be scary.
I'd interpret "unread messages" as indication that the messages haven't been read; if they're just delivery receipts, I'd much rather be told "undelivered" if that's the case.
But it's a threat model thing. Lots of people know my mobile phone number; it's been spammed around the Internet for decades, and in many countries, the cops can find out all the active phone numbers even more easily than "Heather from Account Services" can. For some people and some applications, burner phones are a reasonable response to that threat. For traditional journalists, "cops know you're using Signal" is just a given, but for their sources, "cops know you're using Signal" may be a serious risk, just as it's a problem in the jealous husband case.
Moxie, that's spurious. Signal presumably isn't telling Alice and Bob the text description from the Contacts, but it's telling both +1-111-111-1111 and +222-2222-2222 that they both have Signal on their phone. That information is important even aside from whether Alice's contacts list Bob as "Bob that Bastard" and the Cops list Alice as "Alice the Anarchist". (Also, Signal has enough access to your Contacts list that it could send that information if it wanted to, but so does any other SMS app.)
Signal does appear to send "hey, 1-111-111-1111 is on Signal now!" indications to everyone who has me in their contacts list who has Signal, or maybe it's everybody in my contacts list who has it.
If it only did that as part of the "Invite friends" function, that wouldn't bother me.
If it only did that if I set the "Paranoia Level" setting to "Low" or "Medium", but not "High", that wouldn't bother me (though having the Paranoia Level default to "Low" would.)
If I understand what Moxie said earlier, the way this actually works is: every single Signal user periodically says to the Signal server, "here are (hashes of) all of the phone numbers in my contacts, which of these are registered with Signal?" Same effect, different mechanism.
My friend recommended Signal to me, told me this would happen, and I did not install it. Perhaps your friends are the kind of people who don't care, or they simply just shrug and say "that sounds cool" and don't ever install it.
You have someone else's phone number in your contacts database, and you're upset that now they get to see yours?
Do you give your phone number to all your contacts? I certainly don't. Most of my contacts are email-only, in any case. And even then I don't give out my main email address to more than a dozen people or so.
I work on Signal, and we agree! Which is why we don't do what Jamie is saying we do.
I'm not Jamie, but, yes! People send me their phone number for me to call them up about business matters all the time. That doesn't imply I want them calling me.
> "And it shares your phone number with everyone in your contacts who has Signal installed."
Jamie seems to be misinformed. Signal does not send your phone number to anyone, and the Signal service has no stored record of your contacts. If someone already knows your phone number, they see that they can contact you via Signal. Your phone number isn't "leaked" to anyone.
The source for the clients and server is public, anyone can verify this is true:
That makes much more sense.
How does Signal use the phone number as an index without exposing it to end users? Is the mechanism outlined anywhere besides in the source code?
Is the lookup only done at install time when the phonebook contacts are uploaded?
Does signal periodically upload phone numbers to see if there's a new match in the directory?
It looks like participation in the directory is optional?
It's outlined in their "Difficulty of Private Contact Discovery" post from 2014. Unfortunately the blinded bloom filter approach doesn't scale, so what Signal uses is inherited from TextSecure and not RedPhone. So, hashed phone numbers are communicated to the server and intersected there to do public key introduction. I doubt this is substantially different from the iMessage architecture (although Signal also allows out-of-band safety number comparison). As the blog post says, private set intersection is a hard problem.
This does not entirely surprise me. I am similarly pissed off about a particular quirk of Telegram which does something similar to expose your # to others, completely unnecessarily.
This does not entirely surprise me. I am similarly pissed off about a particular quirk of Telegram which does something similar to potentially expose your # to others in communities you admin, completely unnecessarily... albeit only under far more limited circumstances.
It completely blows my mind that they find this acceptable. I installed Signal, and suddenly got a message from someone whose number I didn't even have in my phone, he only had mine (fortunately it was someone that wasn't really a big deal). But consider this scenario: a wife in an abusive relationship is looking for a way to talk to people without her abuser knowing. If she installs Signal and he already has it, then he will automatically get notified when she installs it. So much for secret communication. This can be worked around with Google Voice, but for the non-technical user that isn't exactly straightforward.
Signal is about making private communication simple. By design, we want anyone who already knows how to send you an SMS message to be able to easily send you a Signal message instead. Signal doesn't "leak" your phone number to anyone in your contacts; only people who already know your number can contact you on Signal.
I think the situation you describe is more complex than what you've outlined. What we've seen over and over again is that in times of crisis, people use the tools they already have. Whether it is a riot, a revolution, or a moment of emotional trauma, people turn to their existing social networks on their existing communication platforms. Those are not moments where people stop to, for the first time, carefully and thoughtfully evaluate the software they are running on their phones through hours/days of research.
If there's one thing that the entire "internet freedom" space has learned over the past decade, it's that the project of enabling private communication in those moments of crisis requires making private communication a default part of everyone's normal day to day experience.
That's what we're building, both in our own app and by working with others (WhatsApp, etc) to incorporate our software into their apps. It won't work to build something that people can install, we have to build something they already have installed.
> By design, we want anyone who already knows how to send you an SMS message to be able to easily send you a Signal message instead. Signal doesn't "leak" your phone number to anyone in your contacts; only people who already know your number can contact you on Signal.
> I think the situation you describe is more complex than what you've outlined.
For the record, I agree that it's not exactly "leaking" anything to anybody that doesn't already have it. My example, however, is not hypothetical. I have a friend who is on a family plan with her controlling/abusive husband, so any time she texts someone he has the CDR information, and if he had Signal and she installed it, she would have no way to keep him from knowing that (without the Google Voice hoop-jumping). I understand what you're saying, but I think there should at least be an option during installation to disable letting all of your contacts who are also on Signal know that you've joined, and, moreover, it should be the default to not notify. Everyone I know that uses Signal that I've talked to this about agrees that it's, quite frankly, creepy and antithetical to the whole privacy aspect.
> "For the record, I agree that it's not exactly "leaking" anything to anybody that doesn't already have it."
That is what this entire blog post is claiming, so I'm glad we can agree that Jamie is simply wrong here.
> "I understand what you're saying, but I think there should at least be an option during installation to disable letting all of your contacts who are also on Signal know that you've joined"
In the "jealous husband" scenario you've outlined, I think that would only be more dangerous. If the "jealous husband" is suspicious enough to install Signal just to see if their spouse is on it, they could just as easily attempt to send their spouse a message once a day in order to determine whether they are on it. Providing such an option would only incorrectly set people's expectations.
> "and, moreover, it should be the default to not notify"
We agree that the answer is almost never more options. PGP is our guide for what not to do here.
Let's consider the UX for such a change. Someone installs Signal, taps "compose," and is shown a blank screen. There's no way to know who you can contact on Signal, so you have to build an entire social network from scratch. You slowly make connections, and in the mean time you correspond over SMS with hundreds of contacts even though you both have Signal installed and just don't know it. Most people would uninstall as soon as they saw that blank screen, but for some reason you stick with it.
Then, one day, you lose your phone. You walk down to the phone store, get a new one, and install Signal. You tap "compose," and.... are shown a blank screen. You have to start all over, from scratch.
But wait, that's not how snapchat works, right? You have to build a social network there, but once you've done it, you don't have to rebuild it every time you reinstall the app. How is that possible, where does all that data live? On snapchat's servers.
So these are the options as I see them:
1) Not usable, privacy preserving: A blank screen that requires you to build a social network from scratch every time you reinstall or get a new phone.
2) Semi-usable, not privacy preserving: A blank screen that requires you to build a social network from scratch, but it's durable in plaintext on a server.
3) Usable, privacy preserving: A screen that shows you which of your existing contacts you can communicate with on Signal, nothing stored on a server.
We've chosen #3.
> Everyone I know that uses Signal that I've talked to this about agrees that it's, quite frankly, creepy and antithetical to the whole privacy aspect.
Our objective with Signal is to develop something that feels just like a normal messenger, but is privacy preserving. To the extent that people are shocked by how well contact discovery works and assume that something fishy must be going on (like the entire subject of this blog post, which is just wrong!), I feel like we've done our job too well.
What I definitely take away from all of this is that we need to do a better job of communicating what is actually happening so that people don't misinterpret the functionality.
> If the "jealous husband" is suspicious enough to install Signal just to see if their spouse is on it, they could just as easily attempt to send their spouse a message once a day in order to determine whether they are on it.
You have an odd definition of "just as easily". :-P
It's a scale problem. For the jealous husband, depending on how many people they're jealous about, it's easy to send yet another text while they're busy being obsessive. For a cop with a few suspects, it's pretty easy. For a cop or spook agency with millions of suspects, it's more work. (Of course, since Signal is open source, they could write an automated system to check all the numbers, if Signal's servers don't rate-limit messages.)
The obsessive husband case is bogus. You don't want to use your existing phone at all in that scenario.
Thank you for taking the time to explain. I see where you're coming from, but for me I (and I know I don't represent the entire userbase) would prefer the "blank screen" scenario, or at least the option/ability to start from scratch every time.
> What I definitely take away from all of this is that we need to do a better job of communicating what is actually happening so that people don't misinterpret the functionality.
At the very least. I pay more attention than most to what I'm installing and what it wants to do, and I was caught completely off guard by Signal combing my contacts.
Yeesh. If you want secure messaging that's disconnected from your phone number, there are options - good ones, even. In open-source-land, there's Zom and Conversations. There are great reasons and threat models to want that -- but these systems don't scale quickly.
"Monty, I mean Moxie, I'll take what's behind door number 1."
If I were to install your app, it is not with the intent to join a party chat line. I would have in mind specific people that I want to communicate with, and I would have whatever contact information needed to make your app work, or I would choose a different communication tool. I definitely would not want the fact I was using the app to be broadcast to anybody else, and I'm sorry you can't see that.
Going back to Alice and Bob, their phone numbers AND THE FACT THAT THEY ARE USING SIGNAL should be treated as shared secrets.
Just the existence of this hashed central database of users' phone numbers, leave alone what you are using it for or how heavily salted it is, is an architectural problem.
AND its back-ups.
Hashing aside, the Signal API has the ability to ask "Is this phone number in the database?" You don't need a search warrant. There are less than 10M possible phone numbers in each area code. Even with rate limits, probing them all is highly practical.
Whether your phone number has ever signed up for Signal must be considered public knowledge. That is kind of uncool.
W. T. F.
One of my past colleagues did something similar years ago:
I've been harping on Signal for a while, but the reality is, if you design any "secure privacy aware" comms system atop SS7, you're basically giving an incredible amount of metadata over to organizations which already actively spy and have CALEA legislation to facilitate such things.
In other words: you're lying to yourself and your users.
"Helping" WhatsApp isn't helping either FWIW. WhatsApp exhibits extremely similar behavior in this regard. To paraphrase a friend:
"If you share a photo on WhatsApp it gets sent out as a message to everybody in your contact list! It also sends along a message that says, 'what do you think?'"
I sort of wasn't surprised to read such behavior from WhatsApp given that Facebook acquired WhatsApp especially since Facebook exhibits the same spammy "invite everyone in your Gmail/Yahoo/etc. contacts?" upon sign up.
It should come as little surprise that Facebook Messenger also utilizes parts of the Ratchet/Axolotl that Moxie has worked on in TextSecure/Signal/RedPhone.
It is galling that despite pretty clearly worded complaints, and corroboration from multiple individuals Moxie continues to attempt to take the high ground here. Moxie, you have displeased users, accept that this is not a behavior that they want nor should expect from a privacy conscious application.
(If only this blog had a feature to edit posts like the BBSes from the 1980s.)
You are assuming that "users" are a coherent single group. There's a bunch of people that benefit from securing their mobile chats more than they lose by leaking their use of Signal (even more so for Whatsapp and FB messenger that are harder to malign as suspicious to use).
Um, please don't put words into my mouth, I was co-sysoping BBSes before SMTP was even a dominant protocol online (remember UUCP? I do!), I am well aware that users come in many different forms.
However, when it comes to the sorts of users who care about encrypted communication, certain elements of privacy become a lot more important.
There is a select subset of users, who know a lot about this who are articulating, quite clearly here, some design choices with RedPhone/Signal/Axolotl/Ratchet (as well as other protocols derived from such, like Facebook's Messenger).
To write those specific users off, is fundamentally not respectful at a minimum, and an affront to rational, well-reasoned criticism, with corroborated peer reviewed evidence. Pointing to source code repositories, does not fundamentally change the reality of the observed behavior in Signal as it currently stands either, moreover anyone choosing to take such code and fork it to remove such functionality, will fracture the protocol even further, reducing adoption. Albeit, that might be a really good thing in this instance.
You can call them crazy and paranoid, but hey: those are precisely the sorts of individuals who tend to actually give a flying fuck about this sort of thing in the first place.
Do you think an average user cares about security, privacy, encryption, etc. in the first place?
Do you think they care about how others have already demonstrably created graphs from SS7, and that only recently is the FCC looking into how that protocol would also benefit from end to end encryption in some circumstances? (citation: https://twitter.com/matthew_d_green/status/846893026836340738)
It is an uphill battle to even garner widespread attention and adoption as Signal and WhatsApp has in the face of organizations such as the FBI et al quite publicly advocating for governmental "backdoored" encryption standards with far too little resistance.
Here's a reality check: the government via the NSA et al already has legislation in place to eavesdrop on many forms of communication. I personally was sitting in front of SS7 packet sniffers as my first job out of college. Heck, I am even an Alcatel Certified HLR Technician! Perhaps you've heard of Edward Snowden's information on eavesdropping apparatus as well? There are some who speak out, there are very few who actually do anything to make things better for any users. I am not saying that Moxie is not at least trying to make things better, indeed, on the whole he is quite responsive to bug fixes.
Others think that the bar could be set higher, I concur.
There are lots of users, some of them are bad actors and do not have everyone's best interest in mind. Quite a lot more than you may care to contemplate as it turns out.
I tend to respect jwz's track record with speaking out about privacy issues, and in this instance and in others, it seems to be corroborated, and Moxie is being awfully deflective with the criticism. I don't think that is merited in this instance. This is not a damnation of Signal on the whole as far as I can tell, but hey, y'know, some end to end encrypted protocols don't have any contacts features, for precisely these reasons. It's not that 3rd party eavesdroppers can't create such bloom graphs of interrelationships between communicating parties, but that raises the bar a bit to the sorts of people who can do such things. Those people are also out there, they present at conferences, some of them are brilliant, they're probably also being paid a lot, and building such technology for the NSA, BBN, et al already. They're writing TLS stripping MITM software for firms like Bluecoat and more.
Moxie is of course free to do as he pleases, I am currently underemployed earning about as much as I did working for my dad over the summers in high school. I would love to be earning more, I see Open Whisper Systems has open requisitions even, I've even met Moxie personally. But y'know, I just haven't had the heart to even apply, because at least from my past vantage point in professional realms in this sector, and knowing other world renowned cryptographers who have been programming in this realm for decades, the entire protocol would probably need to be torn down and built from a lower layer as a starter.
Thank goodness there are other protocols that those who know how to compile software can and do use!
For more widespread layperson users though, I doubt they even see this as an "issue" in the first place.
Those same users, probably couldn't give a flying fuck if encryption were ROT13.
I am not such a user, perhaps you are?
Signal is, by design, about making private communication simple. If you already know someone's number, it's not supposed to be a secret if they use Signal. Just the opposite, if you know how to send someone an SMS, we want to make it as easy as possible to send them an encrypted Signal message instead.
Having Signal installed on your device does not automatically mean that you're a certain type of person. Millions of people use Signal from all different demographics: the Trump transition team used Signal, and the Hillary campaign used Signal. Local police departments across the US use Signal, and BLM activists use Signal. Edward Snowden uses Signal, and FBI agents use Signal. Journalists use Signal, politicians use Signal, corporate executives use Signal, lawyers use Signal, doctors and hospitals use Signal, millions of ordinary people who saw what happened to their Yahoo email accounts use Signal.
We publish all government requests we receive, as well as our responses, online. Here is what they get: https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/
I'm genuinely sorry that you installed Signal thinking that people who already knew how to send you a text message would not be able to see that they could send you a Signal message. It's not our intention to deceive anyone. We'll make some changes to the install language in order to make that more clear.
It kind of does, actually. I think the term is "person of interest".
You would be doing your users a favor by making it explicit exactly what information is going to become public once you complete your registration with the app, because if there's one thing all of the comments here make clear, it's that lots of people don't find it obvious, and lots of people have different opinions than you do about what is and is not a big deal.
1) Once you click OK, everyone in your contacts who uses Signal is going to get a notification, by name, that you are now using Signal.
2) More broadly, anyone who has your phone number in their contacts -- even if you do not have them in your contacts -- is going to get the same notification.
3) The fact that you have installed Signal on this phone number will become public knowledge to anybody, because the list of all phone numbers that have installed Signal is effectively public.
4) It is not possible to use Signal without accepting this. Denying Signal access to your contacts does not prevent these exposures.
5) You claim that Signal never shares your phone number with people who don't already have it, so you should make that claim clearly and explicitly up front, too.
Again, you may argue that none of these things is a big deal, but reasonable people might disagree and choose not to accept that exposure if they knew about it ahead of time.
> It kind of does, actually. I think the term is "person of interest".
For sure, there are people like that of many different demographics who use Signal. They use WhatsApp, SMS, Snapchat, and FB Messenger too I'm sure. And just like WhatsApp, Snapchat, SMS, and FB Messenger, there are also millions of perfectly uninteresting people that use Signal.
> 1) Once you click OK, everyone in your contacts who uses Signal is going to get a notification, by name, that you are now using Signal.
I'm sorry to harp on this, but it's just not true. If you don't want to look at the source, we can very easily set up a reproducible experiment, and as I've outlined elsewhere in this thread, it doesn't make intuitive sense.
> 2) More broadly, anyone who has your phone number in their contacts -- even if you do not have them in your contacts -- is going to get the same notification.
Yes, this is true. Anyone who currently knows how to communicate with you via SMS is going to see that they can communicate with you via encrypted Signal messages instead.
> Again, you may argue that none of these things is a big deal, but reasonable people might disagree and choose not to accept that exposure if they knew about it ahead of time.
I'm working on changing the registration text so that it is more clear people who already have your number will be able to see that they can communicate with you via Signal. I'm sorry you were surprised that this is the case.
Yup. If you're a known journalist, you're already a Person Of Interest, so being known to have Signal is ok. If you're a source who wasn't a Person Of Interest, and live in a police state, it's a problem. OTOH, if you're a source who's a Trump staffer, having Signal isn't a problem, but having a known journalist in your Signal Contacts might be.
Hahahaha, "Your use case doesn't fit in my business model."
Congratulations on remaining conceited, in the face of valid, well-articulated constructive criticism!
"Sorry I'm not sorry."
With all due respect Moxie, you're not a domestic/intimate violence or stalking expert. You should try consulting with one. On my iPhone I have people blocked but we still know our respective numbers. They learned long ago that they weren't getting through to my phone and buggered off to new and exciting prospects. How thrilled was I when I started suddenly getting unwanted messages because a few of these people saw they had a new avenue of contacting me. This reinvigorated their interest in harassment and now I'm dealing with the fallout. Thanks, Signal. It would have been nice to have avoided this problem.
What if the jealous husband just happens to use Signal to converse with other people? (going by the theme of making Signal widespread)
That’s almost as privacy-endangering as using the non-published email address to retrieve the Avatar from Gravatar …
I wouldn't call this "creepy," I would call it Bad Design. This shows that Signal has a central database of every number that has ever used the service, and compares that database to all of the user's contacts database, and apparently does this continually, looking for matches.
Two words: "Search Warrant."
Well - taking Moxie at his word (and he's provided links to the source on github, so that seems reasonable), what Signal collects is "truncated SHA256 hashes" of phone numbers.
A quick google suggests anyone who's got enough money for 8 modern GPUs can get around 23GH/s for SHA256 in Hashcat. That means you could reverse this out to phone numbers by hashing every possible 10 digit number (which is an entire country's worth) in under half an hour. Add every valid country code and you're still only looking at a day or two to compute everything. (Or it seems you could do it at maybe half that speed on AWS with a 2.16xlarge for ~$0.85/hr at spot prices...)
So yeah - if you can hit Moxie with a warrant and an NSL - you've effectively got the entire social graph. (But I guess from Moxie's POV - those guys can get that from the Telcos anyway, and they'll hand over _more_ metadata too - probably without the need for pesky warrants or probable cause...)
Yeah, Moxie wrote about that issue three years ago here. Sounds like it's an unsolved problem.
And there's the crux.
Moxie's "unsolved problem" isn't how to manage privacy properly, the very first line is the giveaway: "Building a social network is not easy." The problem Moxie is trying to solve (that quite likely genuinely is intractable) is "Building a privacy protecting social network with viral growth", where the problem our host thought Moxie was trying to solve (reasonably, given Signal's marketing) was "Building a privacy protecting messaging system".
I notice that the words "social network" do not appear anywhere on the Whispersystems homepage, nor in any of the readmes for their git repos, it's all about their "messaging app" and "simple private communication with friends".
I bet _very_ few of the people reading "Use TOR, Use Signal. Use a VPN." message think they're signing up for another social network...
"Social Network" means a LOT more than "Facebook, Twitter, Snapchat". You have a "Social Network" link with your grandmother, even if she is not online. Users of a chat platform are most certainly part of a social network, even if it doesn't look like one.
The only way to surmount this problem is a long game: if everyone is using some sort of private chat of this kind by default, then we all have plausible deniability. This doesn't help the abused wife today, unfortunately. To be honest, the only thing that might is a burner phone, and that comes with its own issues.
One thing I'm somewhat curious about is whether Whisper watches for people trying to retrieve the full list of Signal users by claiming to have every number in their contacts. I mean, not all at once, but large batches of numbers over and over.
Yeah, I immediately thought of this scenario: a local PD builds a small database of contacts, maybe setting up a discreet Google ID or something, made up entirely of their local persons of interest. Using that Google ID as the user of a burner Android, install signal and whatsapp and snapchat and telegram and fb and everything that works this way, and see who uses what, map relationships, etc.
@moxie I have gotten a group message on Signal from a number I didn't recognize along with 5 or 6 other recipients. The sender was clearly trying to see who on a list of numbers was using Signal and wouldn't identify themselves.
Sigh - Unfortunately, Moxie's assertion is equivalent to "If you really want THAT much detail, you need to read the code so the discussion will make sense. It's HERE on Github." which is perfectly reasonable. It's just lots of work :-) I'm assuming that the Github code will include some of what WhisperSystems's servers do (though APIs may be enough to tell that.)
(Some examples of "THAT much detail" would be "what are the hashes salted with", etc., so you can get estimates of how effectively an attacker can do the hashes themselves or need to send queries to the API servers, how much an NSL or theft of the servers' data changes that, etc.)
You don't get the graph. You only get the nodes, not the edges.
Moxie, can you clarify which direction the notifications go?
Our usual players, Alice (who doesn't have Signal yet, but has Bob in her Contacts), Bob (who has Signal, and has Alice in her Contacts), and The Cops (who put Alice in their Contacts), have mutually uncomfortable relationships.
Alice installs Signal. Does Signal tell Alice "now you can use Signal to message Bob"? (Good?) Does Signal tell Bob "now you can use Signal to message Alice"? (Maybe Bad?) Does Signal tell the Cops "Hey, Alice has Signal now!"? (Ugly.)
The middle case is the dodgy one. Alice may or may not want Bob to know she has Signal. There's also the question of whether notification is proactive (so the Cops find out right away when she installs it), or reactive (so they only find out if they try messaging her, which is a more secure but less convenient way of scaling.) (There's also the non-reactive approach, like sending a text message to a land-line and not getting an error message back.)
> Does Signal tell Bob "now you can use Signal to message Alice"? (Maybe Bad?) Does Signal tell the Cops "Hey, Alice has Signal now!"? (Ugly.)
Speaking from experience, yes to both. I got a message on Signal from someone who had my number when I didn't have theirs (your "ugly" scenario), and after I was already on Signal I got a notification from a friend when she installed it (and she got notified that I was on there) ("maybe bad").
I couldn't tell for sure from my experiments (because I forgot to remove Main Phone from the Contacts list on Spare Phone before installing Signal on Spare Phone), but it looks like after I killed everything and reinstalled a couple of times, it looks like the Bad case does apply, but the Ugly case probably doesn't. (As Moxie says, the Cops can still try messaging Alice every day to see if she's got Signal, and it'll confirm that she does.)
Anyone with your phone number can contact you on Signal. Signal does not send your phone number to anyone unless you explicitly send them a Signal message. Registration notifications aren't ever "transmitted" by anyone in any direction at all, they're locally generated.
See for more: https://www.jwz.org/blog/2017/03/signal-leaks-your-phone-number-to-everyone-in-your-contacts/#comment-172746
Yet somehow, when I installed Signal on my main phone, it was able to tell me that N of the people in my Contacts list have Signal. So somehow it's either talking to a server and asking about those N phone numbers, or else it's sending a message to each of those N phone numbers, neither one of which is what I would call "locally generated".
Signal periodically transmits truncated SHA-256 hashes of your contacts to the server, which returns the intersection against an in-memory set.
When Jamie complains that people did not immediately notice he was no longer a Signal user anymore, this is why. It took some time for everyone's clients to complete a new intersection. We weren't able to immediately tell them, because the Signal service doesn't have the data and because we don't want the Signal clients to do exactly what it is he was complaining about.
At no point does your phone # get transmitted to anyone that doesn't already have it, which is what this blog post claims.
Well now it's 17 hours since I deleted my account and the app, and my Signal-using friends tell me that my number is still visible in their Signal list. So apparently the check for "joined" happens almost immediately, but the check for "deleted" takes its own sweet time.
It's the exact same mechanism, happens every 6 hours. If you deleted the app without deleting your account, neither iOS nor Android gives us a hook for that, but we should eventually get feedback from APN or GCM if people subsequently message you.
If you uninstalled without unregistering and don't want to wait for that, you can unregister online here: https://signal.org/signal/unregister
If you did unregister and your friends still see you as a registered Signal user after "refreshing" their contacts in Signal, then that's a bug. If that's the case, you have my email (and my phone number!) and I'd be happy to help look into it offline.
Yes, I did unregister before deleting the app.
"Unregister" doesn't appear to be anywhere in the Android version, or if it is, it's well hidden. (This is Android 5, with Signal 4.1.0 installed today from Google Play.)
Isn't the obvious fix for it to instead hash pairs of numbers? Concatenate my number with the number of the contact I want to know about (in some canonical order which can't be that fiddly but is probably slightly harder than just numeric), and then only if the hash of this concatenated pair matches does either party know that the other party has Signal installed. This way both parties already need to have each other's phone numbers.
But this would create a full cross reference set on the Signal Servers and would actually broadcast who knows about whom as well. Without having a cross reference set, you have just what the client is supposed to have.
In privacy sense, they don't differ, as you can extract the same information. However, the one with single hash scales better.
Wait. When I send someone a Signal message, they get my phone number?
The interesting question, I think, is: if they don't know your number, but you know theirs, can you know whether they have Signal installed or not? I would really strongly hope the answer is that no, you can't, because otherwise it would be really easy to establish if people you are interested in surveilling are using Signal or not, and that would be bad.
Yes you can, because the Signal API apparently includes the ability to make the query, "Does this phone number have Signal installed?" That's the mechanism by which all of your contacts get the spammy "so-and-so is now on Signal!" message. That also means it's probably practical to simply probe every phone number in your target area codes and get the whole list.
OK, so if that's the case then I think there should be a warning somewhere saying that, if you really do have anything to hide, rather than just wanting to pretend you do like most of us, then you really should not install signal on your phone because the bad people can tell whether you have it without querying your phone in any way, and installing it is going to be a huge sign over your head saying 'this person has something to hide'.
In particular people who live in regimes where 'having something to hide' translates into 'ending up buried in a pit' should really, really go nowhere near this thing.
Moxie himself answered on this topic already, but I just can't leave this logical nonsense without a reply.
1) Anyone has his or her privacy to protect, not just POI
2) Signal is for encryption, not for using a hidden channel, nobody knows of
3) If you're already doing anything interesting for officials, they'll have plenty of angles to get to you. Knowing that you use signal, will not help them crack the encryption.
Don't be stupid. What you are saying is that if the bad people already know about you then knowing you use Signal doesn't let them know about you: that's wrong in at least two ways. Firstly what if they don't already know about you? Might it then be a good idea to reduce the number of flags you hold up saying 'I'm interesting'? Secondly how do you think people decide whether someone is interesting or not? They don't do it by some one-bit-mind boolean thing because if they did that then everyone would be interesting: they do it by scoring them, and 'using Signal' is a really nice way of increasing that score.
And yes, there are lots of people, me included, for whom Signal is just fine: did I say anything else?
I think there is just a design mistake to a) use the phone number (not controlled by the user) as identifier and b) to use a centralized server. The future is about distributed or at least federated systems.
You should really try a modern xmpp client like chatsecure or conversations.
In the abusive relationship example, she really wouldn't have anything to gain from Signal that she wouldn't gain from WhatsApp or Facebook. Unless the abuser also happened to be an NSA analyst.
Jamie, did you see Open Whisper's response to you on Twitter? https://twitter.com/whispersystems/status/845864527669280768
... aaand of course I scrolled further up my Twitter TL and saw the conversation. I have to admit, I'm convinced by their explanation; what do you think of it?
This is the first thing I noticed about Signal when I installed it on 09nov2016. It's the first thing everyone notices; it's hard to miss. When it happened, I took a look at Signal's protocol and verified that they are not sending any identifying info to the server and therefore presumably also not sending any identifying info to other users. We can all agree on that much, right? The question is, are there still other ways that Signal's behavior here can do bad things? I lean towards no but am not sure, and have been following this conversation here and in VB's tweets with interest. I hope Open Whisper is doing the same and not just repeating the part everyone agrees on.
Could this be related to iOS pulling possible contact info from emails, etc? Such as when you receive a call from someone not in your contacts, but that included their number in an email signature block and it says "maybe from John Smith" or something like that?
It asks first, it doesn't add those automatically. And it may not surprise you to learn that my phone number is not in my .signature.
Ah yes - sorry I didn't explain the theory very well - sorry about that.
Was thinking that there is some correlation in the contacts DB, and, if as Moxie explained, the correlation is done on the other end, the "confirmed" or "potential" contact item may not be clear via the API.
Fully expected your # was not part of the .sig, just that if iOS (again, on the other end) ever saw your # associated with the contact record, it may be presented to Signal as "related".
There seems to be a disconnect between what some people expect from Signal and what it actually aims to provide. Its encryption is custom tailored to thwart state surveillance; nothing about automatically sharing contacts impedes that function, and in some ways encourages it. In my case, I'm a journalist based in Vietnam. My dissident sources (and myself, sometimes) are under government surveillance and communicating with them digitally requires the utmost care or else someone could end up a political prisoner. By showing contacts around, Signal makes communications easier for me since I know automatically who is using bulletproof encryption and who isn't.
If you're sensitive about people even knowing that you're using Signal in the first place, your concern isn't the one that the service was ever aiming to address. Signal is about keeping hackers away from your messages, not your contacts away from the fact you use the same app.
> If you're sensitive about people even knowing that you're using Signal in the first place, your concern isn't the one that the service was ever aiming to address. Signal is about keeping hackers away from your messages, not your contacts away from the fact you use the same app.
And after reading Moxie's responses, that is clear now (I even understand why they do it the way they do, but I still strongly disagree with it being the default (and only) behavior). However, it's not an unreasonable leap to lump both of those issues under the umbrella of "privacy" and then be surprised and dismayed to find out that's not the case.
For this case I use Threema, you can use it without your phone no and have to add all your contacts manually if you chose it. It's also encrypted.
Yes, after reading your comment, the link Jon Poskanzer posted and Big's reply to my first comment, I see now that this is an app I would never want to touch my phone.
You are a person in a bad place, and I'm glad Signal is helping keep people safe. However, I personally don't see myself fitting into this usecase.
jwz is the last person I would call technically illiterate, so if he was tripped up by this, I would not think it was his fault.
Actually I think this particular issue is only noticed by the technically/cryptographically literate.
Yet another good reason to avoid social networks.
I installed Signal. It asked to access my contacts. I was worried about the exact sort of problems that Jamie ran into, so I denied it. This has made the app unusable. On opening, it prompts for access to my contacts and won't let me use it without it.
An ostensibly privacy-preserving app that only works if you don't use the privacy-preserving tools that your platform provides. sad trombone
Early versions of Signal/iOS were able to function without access to your contacts. I was able to choose a person I wanted to communicate with, manually add their number to Signal, and send a message.
Several layers of concern here:
1. It's not cool for all my Signal-using contacts to be informed that I'm now using Signal. But hey, perhaps that's not the social movement/business model for me.
2. It's very uncool that I don't get a choice over that before it happens. A dark pattern would be better than no option, here.
3. It's extremely uncool that I don't even get to know that it's about to happen, so I can choose to bail out.
This articulated agenda to rope users into Whisper's concept of social interaction displays a level of contempt for user motivation and agency on par with Facebook's practices. I'm disappointed in Whisper Systems, and in Moxie.
Signal does upload the address book.
There was a PR to LibreSignal resolving that issue: https://github.com/LibreSignal/LibreSignal/pull/35
Everybody can check that it is doing so.
That's what I really liked about LibreSignal, I was able to selectively choose to which numbers in my address book LibreSignal had access. Unfortunately, LibreSignal was discontinued and I really wish that Signal incorporates the same feature! Not everyone might mind uploading their address book to the Signal servers, but users should have the option to decide for themselves what they want, e.g. disable the complete addressbook upload (and choose WebSocket only...).
For those concerned about CALEA, subpoenas/search warrants, and how much data is stored, see this article.
I suppose Bleep avoids this? Too bad it isn't Open Source.
Signal looked interesting a few years ago until I discovered this was basically an intentional feature. So I wound up not using it. Helpfully, they discuss the possibility of this feature on their blog:
I don't think people should use a privacy software written by people who start talking about how they are missing out on "cool" privacy-destroying features.
You seem to have the sense of that article backwards.
What would be good is if all of your contacts got linked up in the Android contacts app. You could go there, click on someone, and see their phone number, E-Mail, Twitter handle, Signal identity, WhatsApp identity, etc, all listed together.
The problem is that the way that the Contacts Provider is implemented, this data basically becomes accessible by every other app populating this data; and the same issue exists for the Calendar Provider.
They're saying that we'd see lots of cool stuff if Android properly isolated this stuff.
Go build your own and TRUSTABLE using this library https://www.owasp.org/index.php/OWASP_Off_the_record_4_Java_Project
As far as I can tell, the phone number hashing happens in the signal library, in SignalServiceAccountManager.createDirectoryServerToken(). This is used, for example, by the getContact() function to check if a phone number is on Signal.
Here is the relevant part of the implementation:
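```java
import java.security.MessageDigest;
// Util and Base64 are helper classes from the Signal library itself.
MessageDigest digest = MessageDigest.getInstance("SHA1");
// Keep only the first 10 bytes of the SHA-1 digest of the E.164 number.
byte[] token = Util.trim(digest.digest(e164number.getBytes()), 10);
String encoded = Base64.encodeBytesWithoutPadding(token);
```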
The problem is of course that this means it's fairly trivial (say a compromised signal server) for an attacker to create a rainbow table of the possible phone numbers in the region, country or world, depending on the available resources. This, then, makes it possible for an attacker to actually guess the phone numbers from those hashes.
I've made some experiments: a rainbow table for all of north america would take less than 3 days to generate on this machine (Intel i3-6100U, using only one core). The resulting file would be around 460GB. After generating about 0.23% of the table (about 4M phone numbers), about 800 collisions were found in the first 10 digits of the hashes, which is a 0.002% collision rate. This doesn't say much of course, but it would still make the rainbow table very efficient. I haven't evaluated how probable are collisions with the given prefix at the theoretical level.
That said, I haven't seen anything in the Signal source code that would confirm (or deny) that Signal would share previously unknown phone numbers between users. What is sent is a hashed version and the two reports from Twitter users saying that phone numbers were linked were addressed by OWS staff: in both cases, there were other possible explanations, mostly concerning third party contact sharing services like Google+ and other storage mechanisms.
The Signal source code is pretty well laid out and was audited by third-party firms in the past, at least twice. While both reviews focused on cryptographic primitives, the latter did review the whole Signal library, which includes the above code and did not find significant issues. I would therefore conclude that the "phone number leak" can be explained by some other entity than Signal. I am not saying it did not happen, from a user perspective, but that people were simply not aware that their phone numbers were already leaked through some other mechanism by another third party than Signal, which we can hardly blame OWS for.
It is true that contact discovery, the way it is implemented by signal, favors more the development of the network than the privacy of the users. But it's a double-edged sword: either you make something "super-secure" that never reaches critical mass and sees limited adoption because it's too hard to use and discover other users (e.g. OpenPGP, Pond, XMPP and plenty of others) or you compromise on certain security properties and try to reach more massive adoption.
I think the latter is a laudable goal: for too long crypto-geeks have focused on making tools for themselves and ignoring the vast majority of the population. It's about time someone fights for the users...
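An added sketch (not Signal's code and not part of any comment in this thread) of the mechanism discussed above: the truncated-hash directory token from the quoted fragment, the server-side intersection described earlier in the thread, and "joined"/"left" notices generated locally by diffing successive refreshes. The class and function names and the 555-01xx numbers are constructed for illustration; the final step shows why hashing a small number space does not hide the numbers from whoever holds the tokens.

```python
import base64
import hashlib

TOKEN_BYTES = 10  # truncation length used in the fragment quoted above


def directory_token(e164_number):
    """SHA-1 of the E.164 string, trimmed to 10 bytes, base64 without padding."""
    digest = hashlib.sha1(e164_number.encode("ascii")).digest()
    return base64.b64encode(digest[:TOKEN_BYTES]).decode("ascii").rstrip("=")


class DirectoryServer:
    """Toy stand-in for the service (assumption): it keeps a set of tokens only."""

    def __init__(self):
        self._registered = set()

    def register(self, e164_number):
        self._registered.add(directory_token(e164_number))

    def unregister(self, e164_number):
        self._registered.discard(directory_token(e164_number))

    def intersect(self, uploaded_tokens):
        # The server answers with the subset of uploaded tokens it knows.
        return {t for t in uploaded_tokens if t in self._registered}


class Client:
    """Toy client: uploads tokens of its address book, diffs the answer locally."""

    def __init__(self, contacts):
        self.contacts = dict(contacts)   # number -> display name
        self.known_users = set()         # numbers matched at the last refresh

    def refresh(self, server):
        by_token = {directory_token(n): n for n in self.contacts}
        matched = server.intersect(by_token.keys())
        now = {by_token[t] for t in matched}
        # Notices are computed on the device from two successive answers.
        joined = sorted(self.contacts[n] for n in now - self.known_users)
        left = sorted(self.contacts[n] for n in self.known_users - now)
        self.known_users = now
        return joined, left


def invert_tokens(tokens, candidate_numbers):
    """Map tokens back to numbers by hashing every candidate in a numbering range."""
    table = {directory_token(n): n for n in candidate_numbers}
    return {t: table[t] for t in tokens if t in table}


def demo():
    # Constructed numbers in the fictional 555-01xx range.
    alice, bob, carol = "+15555550101", "+15555550142", "+15555550177"
    server = DirectoryServer()
    server.register(bob)
    bobs_phone = Client({alice: "Alice", carol: "Carol"})

    first = bobs_phone.refresh(server)    # nobody Bob knows is registered yet
    server.register(alice)
    second = bobs_phone.refresh(server)   # Bob's client reports Alice, locally
    server.unregister(alice)
    third = bobs_phone.refresh(server)    # removal shows up only at the next refresh

    # The tokens Bob's phone uploads cover all of his contacts, registered or not.
    uploaded = [directory_token(n) for n in bobs_phone.contacts]
    search_space = ["+155555501%02d" % i for i in range(100)]
    recovered = invert_tokens(uploaded, search_space)
    return first, second, third, sorted(recovered.values())


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Carol never registers in this run, yet her number is among those recovered from the uploaded tokens, which is the exposure the comments about warrants and compromised servers are pointing at.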
Moxie said upthread it was SHA-256, not SHA1, but that looks like the right code fragment. Maybe he mis-remembered.
I have no pity for people who jump on every new fashion or gadget.
That's a really good story.
I get Moxie's point. This functionality makes sense to let the average user use Signal as „easy“ as other common messengers.
I also get Jamie's point. There are users not wanting that.
Well, a trade-off between functionality (easy to use) and security doesn't occur for the first time in IT-history (e.g. noscript in TorBrowser: default „off“, reading html-mails in your mailclient: default „on“ ...). „Simple“ (?) solution: Let everyone decide. Default: Moxie's way. For more advanced and privacy concerned users: opt-out.
(People with the need for more privacy/anonymity: Signal is not the messenger of choice anyway. Use a different one.)
Am I missing something?
Just about everything.
On the registration screen there is a message saying "Powered by twilio". I did a bit of research, and it seems, the Signal server uses twilio to actually send SMS, which also implies, that the phone number is sent to a third party, at least during registration. If this is true, any one who can eavesdrop on the communication to twilio or get this data from their servers, could in theory compile a list of registered signal users. I did not find more information on that (specifically because twilio's conference is called SIGNAL), so it would be great if someone else could deny or confirm these findings.
When I saw they implemented anonymous gifs into Signal I was out; this was a clear indication of a wrong path in development.
Telegram does the exact same shit, and I was as pissed off about it as you are with Signal. Sad, that those who shout "security" and "encryption" the loudest, care the least about privacy.
I signed up for an account, and within minutes I had a dozen of "Hi, so you are here now as well!" messages from people who were the main reason for migrating away from other messengers. It seems TG notifies anyone who knows my phone# (through whatever means at all, legally or not) that I've signed up for an account.
I talked to TG support, and they confirmed this is working as intended and can not be opted out of. I hoped Signal would be a better alternative, but it seems it isn't. Thanks for your review.
I got added to a Signal group and received the phone numbers of members I did not yet meet in person.
I'm going to guess that Moxie's response to this would be one of:
1: They must have magically been in your contacts already; or
2: That's impossible, you made it up; or
3: If someone sends a Signal message to you and 6 other people, you get to see all 7 phone numbers, and that's fine because SMS does this too. Signal holds "what SMS does" as the gold standard for privacy maintenance, so goal achieved?
For those having the above problem, you should probably get a new phone number before signing up to such a service. And do not give it away.
For those having a reading comprehension problem, the point is that services that leak information about you, such as your phone number or whether you have installed the app, should clearly disclose that before doing so, since any reasonable person would assume that a "security" application would not do something so egregious.
Just uninstalled Signal after reading this. The bigger issues I had with it were (1) it doesn't work with mightytext, and the Signal syncing mechanism doesn't work very well, and (2) I don't know anybody else that uses it, so I was basically using it as a glorified SMS app.
But what a steaming pile... this was the last straw. The response from their staff makes it seem like either it is designed to operate this way, or you are wrong. Nowhere did I see an acknowledgement of an issue. Surely if I wanted a contact to know I was using signal I could send them an invite on my own?
I wanted to add that while I find the idea of end-to-end encryption somewhat appealing, giving all those cold-calling, walk-in, weasely salesmen (whom I don't want my company to have anything to do with, and only save their number so I can block it) my contact info would be a disaster. Signal falls down in oppressive capitalism where keeping contact info private is just as important as the communiques themselves. At least facebook (because signal wants to call themselves a social network now) lets me control who is in my friends list and blocked list.
Any body test: swisssafe or safeum lol looks much better