> We built Change Number using the foundation of more exciting features to come.
Surely this is referring to the ability to use a non-phone number ID, which they've hinted at before [1]. Looking forward to that, only because I know many others are!
I think the real question is what "usernames" will look like. There were hints dropped that this could be stronger than a typical username (like what HN has). I took a poll on reddit[0][1] to see what people wanted. I was rather surprised at how many wanted strong anonymity. I expected that the top choice would be the weak anonymity, where people just have an alternative to phone numbers. But I think if that's what Signal was rolling out then it would have been here already. So I hope they make anonymous communication available to everyone. I don't expect strong anonymity in the initial rollout, but I hope that is what they are working towards.
As I see it, there are three aspects to protected communication: privacy (no one sees what you're saying), anonymity (no one sees who's communication), and censorship prevention (no one can shut down communication). If we get strong anonymity in Signal then that is 2/3 and would be a great leap forward for free speech _everywhere_. I expect censorship prevention to be the hardest of these to tackle, even with decentralization.
> I think the real question is what "usernames" will look like. There were hints dropped that this could be stronger than a typical username (like what HN has).
Yeah I'm a little upset about this. It is just set up for birthday problems. I'd be happy if it was you handing out a random string or 1-time code and then you pick a username per chat. But a global username identifier isn't anonymous (not any more than a phone number anyways) and I do not believe is a good solution.
Yeah this is in the poll what I call medium anonymity. Honestly I think this is a great step. Even if I don't trust Signal, it is a much better step than the weak anonymity stance.
So choose an identifier that does not... identify you. Or choose not to have a username. I assume that that will be an option, since Telegram has it as well.
Actually there are two main problems I'm referring to. You identified one of them. If I want to stay anonymous, I'm really asking how to compartmentalize chats and groups of people. We have different identities with different groups and use different names with them.
The other problem is actually the act of sharing a username. If my username is "godelski" then yeah, I can share it on HN and Reddit where I use that username. But now I've deanonymized myself to friends and family who can see that username through Signal. Alternatively, if I have a username "not_godelski" then how do I get in contact with someone on HN while maintaining anonymity? If I use share it under this account then those two names are linked forever and that deanonymizes me. I can't create a new account just to share that name because those groups know me by that name. If I can have an infinite number of usernames, that solves the problem, but this isn't practical (even 5 usernames would be problematic and requires a lot of cognitive load, which is antithetical to Signal's philosophy).
There's also a third problem I don't care as much about but I'd assume Signal does. And that's naming collisions. NYT has a Signal number that allows whistleblowers to contact them. What's stopping me from creating the username NYT_Whistleblower and becoming a honeypot?
Edit: Lots of people are saying you can't share contact without revealing your identity. Does a 1-click link not solve this issue? If I post a signal.me/#one-time-code/jdjkerfe2r3rfwseffre5ge5g then I don't see how that would reveal my identity. (I'm also not a fan of "you can't". I can understand this being unsolved, but it feels like there are solutions to this problem)
> Alternatively, if I have a username "not_godelski" then how do I get in contact with someone on HN while maintaining anonymity?
You can't, and I don't think that's a surprising outcome. If you have a non-anonymous identity on one platform, and link it to your anonymous identity on another, then that latter identity is no longer anonymous.
You just can't really mix your anonymous and non-anonymous worlds without de-anonymizing the latter. That's kinda a fundamental property of how anonymity works, isn't it?
There's always going to be tradeoffs when you're dealing with online anonymity.
On the far anonymous end you've got 4Chan style anonymity, no permanent or any ID at all. Keeping track of individual people is nearly impossible. Conversations are chaotic and hard to follow. Pretty solid privacy.
I guess the next step up would be per conversation/thread/group whatever ID, you trade a small amount of privacy for improved conversation, privacy is still pretty good, a poor choice in username or username reuse could prove to be privacy risks.
I guess next up from that would be something like forum style usernames, like hn or reddit where it's persistent across the entire platform, but still doesn't have to be linked to anything permanent or 'real'. It increases the privacy risk again because now, your conversation history can be tracked across time. This does make it easier for more permanent connections to be made between users but does make it easier for sensitive details to be leaked depending on the user's behaviour.
Up from there you start getting into IDs that are linked to real world information about a user. This provides some pretty obvious privacy risks.
Ids linked to phone numbers are a strange case of trying to take an ephemeral ID that in todays world can change quite regularly and use it as a source of info for an ID based on real world information.
Also worth explicitly mentioning SSB-style cryptographic “implicit identity”.
Connecting consists of exchanging public keys (which can be global per person, or compartmentalized per contact/conversation).
Rather than a central server relating messages to the right peers, there’s a global feed where you attempt to decrypt everything and the ones which succeed are obviously addressed at you.
The benefit here is that not even a central server operator like Signal can trivially tie messages or chat identities to peers.
I guess this gives you privacy (for the price of 7e9x-ing your compute/bandwidth effort), but only until you loose control of the private key. Then you get deanonymised completely, don't you?
> There's also a third problem I don't care as much about but I'd assume Signal does. And that's naming collisions. NYT has a Signal number that allows whistleblowers to contact them. What's stopping me from creating the username NYT_Whistleblower and becoming a honeypot?
That's easy; you want an internal identifier for Signal accounts that is unrelated to display name. This is already routine in most places including Discord.[1] Nothing stops you from creating the username NYT_Whistleblower, but that won't be what the NYT advertises to potential whistleblowers.
> Alternatively, if I have a username "not_godelski" then how do I get in contact with someone on HN while maintaining anonymity?
Well, you can't. Revealing your identity necessarily involves losing your anonymity, and I don't understand how you think those two actions could be theoretically separated. If you want to share your Signal identity with someone who only knows you as "godelski from HN", then once the sharing is accomplished they will know that "godelski from HN" and "godelski from HN's Signal username" are the same person. So will anyone who was allowed to watch the sharing.
Perhaps what you want is a single buffer account, where you tell people on HN to contact your buffer account (openly identifying it with yourself), and then you use the buffer account to reveal the identity of your actual account?
[1] Note that there is a tension between having a unique identifier by which Signal knows who you are, and the need for participants in two group chats not to be able to notice that your two usernames in those two chats belong to the same person. Discord is failing at this. To be part of a group chat at all, someone is going to have to have an identifier for you; if you want to maintain cross-chat anonymity, you'll need to be able to generate disposable identifiers that you can give to chat admins.
> I don't understand how you think those two actions could be theoretically separated.
Suppose Signal generates a one-click (or even temporary) link. I can share that link that'll connect. That can accomplish the same thing as a signal.me address. Onetime links are definitely a thing. I'm sure people that know more can share even more creative ways to accomplish this. Someone has to have some fancy ZKP method for initiating contact.
> Perhaps what you want is a single buffer account
I think I covered this in my "infinite accounts" above.
> [1]
Seems to be more easily solved by letting me specify a handle at the per-chat level.
> Nothing stops you from creating the username NYT_Whistleblower, but that won't be what the NYT advertises to potential whistleblowers.
Seems you're passing the buck. Making it a "not my problem" issue and I think this is a big enough problem that it would make platforms like NYT wary of using such a system.
> Seems you're passing the buck. Making it a "not my problem" issue and I think this is a big enough problem that it would make platforms like NYT wary of using such a system.
How? So you've got your account with a display name of "NYT_Whistleblower". Now... how does somebody else find it by accident?
I'm sure you can be creative enough where you can read between the lines and determine a valid username that is a near clash and someone might accidentally use that name instead.
> Edit: Lots of people are saying you can't share contact without revealing your identity. Does a 1-click link not solve this issue? If I post a signal.me/#one-time-code/jdjkerfe2r3rfwseffre5ge5g then I don't see how that would reveal my identity.
Well, if you're under attack, the 1-click link will reveal your identity to the first person to click on the link. But that's entirely different from what you're asking for, which is to reveal your identity to a specific person designated by yourself, regardless of who sees your link first.
The reason people are telling you you can't reveal your identity while staying anonymous is that those are opposite concepts. But if you're not trying to preserve your anonymity against the same person you want to reveal your identity to, you're on the much simpler problem of communicating in a way that is resistant to eavesdroppers. You don't need anything from Signal; you need an encrypted channel of communication with your counterparty.
> Well, if you're under attack, the 1-click link will reveal your identity to the first person to click on the link.
That's true, but much easier to defend against. Since you can talk in a semi-synchronous manner and we can have a high _probability_ that the correct person will be be the one clicking on the link.
So if it works:
Godelski: Hey, let's chat on Signal, my link is signal.me/#one-time-code/jdjkerfe2r3rfwseffre5ge5g
Thaumasiotes: Great!
If it doesn't work:
Godelski: Hey, let's chat on Signal, my link is signal.me/#one-time-code/jdjkerfe2r3rfwseffre5ge5g
Thaumasiotes: Hey, link seems bad
While you're right that there are no guarantees, I don't think that's true for any system. There's only probabilities. Obviously there are other ways to do this along the same lines. I can have a global link that has infinite links (e.g. one I could place under my HN profile) that I can only have there. These strings are much easier to generate than usernames given that with higher entropy you don't have the same likelihood of a birthday clash.
I'm not saying that communicating without revealing your identity isn't a challenging problem. But there are clearly some versions that reveal _more_ than others. Maybe there's no perfect system (I'm not smart enough to know) but there's clearly better ones than others. Standard usernames seems to just be throwing your hands up and giving up.
> you're on the much simpler problem of communicating in a way that is resistant to eavesdroppers
> Godelski: Hey, let's chat on Signal, my link is signal.me/#one-time-code/jdjkerfe2r3rfwseffre5ge5g
> Thaumasiotes: Hey, link seems bad
Sure, that interaction degraded gracefully. But your identity was also permanently compromised; it doesn't make sense to focus on how easy it was for me to say "hey, that didn't work". The reason the link went bad is that you disclosed your identity to someone you were specifically trying to keep it a secret from. This is an unforgivable flaw in the protocol.
>> you're on the much simpler problem of communicating in a way that is resistant to eavesdroppers
> We already have that. It's called E2EE.
Well, no. E2EE is the answer to resisting one particular eavesdropper. What you're trying to get at is called "public key cryptography", the system whereby two strangers can establish a secure channel without relying on an already-existing secure channel. E2EE has nothing to say about establishing secure channels; it just refers to the concept of using one.
Here's the system you actually want:
Godelski: Hey, let's chat on Signal, what's your PGP public key?.
Thaumasiotes: My PGP key is yyyyy.
Godelski: [encrypted for yyyyy: Here's how you can find me on Signal]
But notice that Signal doesn't participate in this exchange. Nor can it. I'm not on Signal, as far as you know; your messages to me have to use some other medium.
> But your identity was also permanently compromised;
Only if I accepted the request. Clicking the link would presumably act the same way as a contact that you don't know. It asks before you accept. So I can wait till you respond.
It seems like you don't want user id as much as you want searchable user aliases (or persona ids). Basically, a private id (linking your clients), where there are multiple public persona ids for "searching" and adding people to conversations.
Users in conversations are linked by (private id and the persona id at creation), where messages get sent between the clients.
Meanwhile, people (or rather private ids) get added to conversations by using the publicly searchable personas (i.e. any globally unique string). Then for the life of that conversation, the persona is sticky. You could even add multiple personas from the same user to the same conversation if that is necessary. For some the persona id could be phone numbers, full names, online aliases, emails, etc.
People can then hand out different personas depending on the context.
It is unfortunate that they seem to be going for user created username. I’d rather have something like ~hkopy-vnhyt randomly generated and given to users with option to try for another randomly generated username if they didn’t like the first.
I clicked around a bit trying to find out who creates and runs Session.
And of course it's built by someone pushing a new crypto currency. That made me really really sad.
That's because it's essential to providing incentives to the operators of the nodes where messages pass through. I know it's fashionable to hate on crypto because crypto but please try and see it from a utilitarian basis.
Session has a lot of cool things going for it. They managed to solve the problems of P2P (high battery life number one) with these incentivised traffic passing nodes. They improved on TOR and you can already use the fruits of its invention for general traffic.
The big problem as I see it is the team is all Australian. They'll need to find a way to pass stewardship to the community in time.
i'd expect it to be much like imessages/facetime on apple products. it can use an email username or a telephone number. the telephone number predominates (because it also does sms/mms), but either can be used on any apple product.
I wouldn't expect that. A goal of allowing usernames will likely be to let people remain completely anonymous. Linking your Signal account to an email address doesn't work for that. Even if you create a throwaway email account somewhere, it'll often be traceable back to you somehow.
Wait, is the idea I can go to signal on some library computer and send a message to whoever I want anonymously?
Because that's a pipe dream.
First of all, you can't monetize it, and, unfortunately that is a non-starter. I can't see people throwing money at this, with the implications. Secondly, assume I want to contact the same anonymous person again. They have to somehow easily prove they have access to that username.
Even 4chan had a mechanism for this. Assuming you don't shield your IP, or you move between locations between, at least the service knows that, and that isn't anonymous.
A pre shared key off a one time pad only proves that someone has the same pad.
I think anonymity isn't achievable. Secure is more important. I talk to someone a lot, I want that secure. I don't really care if anyone knows we're talking, just whether they know the content.
Hosting your own metal somewhere helps with that. You'd obviously notice a warrant or whatever.
> A goal of allowing usernames will likely be to let people remain completely anonymous
> Even if you create a throwaway email account somewhere, it'll often be traceable back to you somehow.
I'm surprised to hear you say this considering your completely opposite stance in response to a comment of mine. I don't see how a throwaway email is any less anonymous than a username. In fact, I see it as more anonymous since I can generate these on the fly whereas I can't do this with usernames.
ah yes, i didn't mean to imply an email address specifically, just that the other username would be mostly equivalent, if slightly inferior, to the phone number.
i'm really glad that they're moving away from phone number as identity, and hopefully to fully anonymous, which they've rightly been criticized about up until this announcement.
> Surely this is referring to the ability to use a non-phone number ID,
They are promising this for years and years, I hope this time is real. Specially if we don't need a phone number to create an account: that's just incompatible with privacy.
They're great compared to the alternative of simply storing a plaintext register of every pair of communicating parties on the server, which is how other messengers work. What's "good" about phone numbers is that they're tied clientside to a "buddy list" that everyone already keeps --- their contact list. They don't want phone numbers on the merits of phone numbers.
They're also critical to getting people to move from WhatsApp.
Next time when Facebook pulls something user-hostile (e.g. monetization with ads, yet another privacy policy change for the worse, ...) some people will simply install Signal. If they use phone numbers as (an) identifier, two people who do this independently can immediately switch to Signal.
If A convinces B to switch, and C convinces D to switch, B and D can now talk to each other, reducing the pressure to keep WhatsApp as more and more of your friends are reachable on Signal. Even if you're using WhatsApp in addition to Signal, with phone numbers as identifiers, you're no longer contributing to the network effect that makes it painful for your friends to switch from WhatsApp to Signal.
Given that network effect is what makes or breaks messengers, phone numbers as the primary identifier are the only reasonable choice.
> Next time when Facebook pulls something user-hostile ...
In my opinion with or without FB putting anything more hostile people are moving, in drones, to Telegram. I see regular people (non-tecchies at all) in my friends' circle joining Telegram regularly.
I'm not saying TG is better than Signal but I think TG's userbase is many orders of magnitude bigger than Signal's.
These trends tend to be "local" to some extent. Sometimes country based, but I've heard of cities where different schools had different messengers (back in the ICQ/MSN etc. days). In the end, people use what their circle of friends uses.
In Switzerland for example Threema is popular. In many countries you still can't really exist without Whatsapp. In China, Wechat. In Taiwan I believe you use Line if you want to have any friends (or reach businesses). In the US, iMessage with a fallback to SMS is popular, while it's rare in Europe because the SMS fallback would bankrupt you due to per-SMS charges.
This decision seems pretty crazy to me, especially on the cell phones where a lot of apps require phone book access to function, and there is generally no way to give a different view to different apps.
I understand that Signal wants to be blame it all on users, but the practical consequence of their design is that the moment people want to talk to a single person on Whatsapp, they give out Signal contact list to Facebook.. and the moment they start using Google's backup, they give out Signal contact list to Google.. and if they ever buy a new phone, they share Signal contact list with whoever wrote migration tool for their data. And there are tons of other random apps which all require contact list access...
From the privacy standpoint, Signal having contact list would be better. At least then, I'd have a single party to worry about, instead of dozens.
Back when signal was getting started, using the contact list to bootstrap buddy lists and reduce adoption friction was definitely the right decision. Now they are more established, they can offer the username only version for the %2 that will actually benefit from it. And now that %2 has the cover of a large established user base to blend in as noise.
You have to remember, signal is about E2EE security for EVERYONE, not just nerds. There will imperfect solutions along that path, which also means things like no federation. Signal is very much about being effective vs about being 'right' and ineffective, because when you are king, you can start being right and effective.
Signal having the contact list means that they'd be subject to legal (and extralegal) process to obtain the entire contact list for everybody using the service, which is untenable for them. Again: Signal is not Discord or WhatsApp; these are different services with different primary objectives.
Because the app constantly prompts for contact-list access, Signal's software-on-device definitely has the contact list.
And, that software regularly re-sends that encrypted list to Signal's servers' SGX enclaves for their contact-discovery protocol.
So whether or not Signal, or some entity near/around it, "has" the contact list is a matter of how much users trust Intel™ SGX® (as well as the chain of processes that deliver/update the Signal software on-device.)
I haven't kept up with what they're doing so grain of salt on this, but I think this is incorrect.
What they're moving towards is a design that looks like what Apple did with their HSM quorum system. The contact information we're talking about is encrypted clientside, but with (usually) a memorable pin. Without countermeasures, memorable PINs are very easy to attack; SGX allows them to artificially limit guesses. As a user, you retain a security dial on this: you can use a more complicated passcode than a 4-digit pin if you don't trust SGX.
Obtaining the whole database Signal maintains gives you ciphertext that you need to mount attacks on user-by-user (and to make those attacks, you'd have to break SGX). It doesn't simply give you the plaintext SQL database other messaging systems collect.
AFAIK they don't encrypt the contact list, they hash each number and send a few bits of the hash to the server. The server replies with a few possible hashes it knows about, so the client can reason that "if the hash I was asking about is in that set, the user I want to talk to has Signal installed".
> Because the app constantly prompts for contact-list access
AFAIK, it prompts at first, maybe a few times, but then stops.
> Signal's software-on-device definitely has the contact list
Definitely not required at all. Signal can use its own contact list.
> that software regularly re-sends that encrypted list to Signal's servers' SGX enclaves for their contact-discovery protocol
The SGX enclaves are not for contact discovery. Contact discovery worked long before Signal implemented the SGX enclaves.
As I understand it: The SGX enclaves store a crypto key that Signal adds to the user's password, to enable data migration: Users tend to choose weak passwords; if Signal truly wants their data to be secure, strong passwords aren't realistic. Their solution is ingenious (IMHO): 1) Append a random key to strengthen the password chosen by the user. 2) A locally stored key would be a big problem for data migration, such as lost phones; the key would be lost too, and thus all the user data. 3) Therefore, they store the key centrally, as securely as possible (in the SGX enclave). That does make the key more vulnerable, but if you choose a strong password then it's irrelevant - the attacker needs to defeat both the key and your password. You can also disable this backup feature if you like. Some reading (partly because I might misremember a detail or two):
I am not sure how Signal backups work or that user contacts, encrypted, are backed up to the SGX enclave. Where does it say that?
> So whether or not Signal, or some entity near/around it, "has" the contact list is a matter of how much users trust Intel™ SGX® (as well as the chain of processes that deliver/update the Signal software on-device.)
Again, if you choose a strong password then you only need to trust yourself, and I think you can disable it altogether.
> AFAIK, it prompts at first, maybe a few times, but then stops.
It's been re-prompting me for years. If there's a time it stops, I haven't found it.
> I am not sure how Signal backups work or that user contacts, encrypted, are backed up to the SGX enclave. Where does it say that?
You're talking about backups. I'm talking about contact-discovery, wherein the client regularly sends (hashed versions of) all the phone numbers from your contacts (if you've shared them with the app) to Signal's servers, to let you (& them!) know you're both on Signal. How else would you think the notification you get when someone in your contact list joins Signal is generated?
Signal's claim that these oft-repeated intersection operations leave no permanent records on their servers seemed (last I looked deeply) based on the SGX attestation: that your list is encrypted such that only the trusted code will process it. If Signal, or hackers, or Intel Corp, or the "Intel Community" can compromise SGX's guarantees, they can decrypt & log the full set of phone numbers uploaded.
So again, it reduces to how much you trust Intel™ SGX®.
(Also note that even if you do trust SGX, someone you've never met can, by having your phone number in their contacts, receive a notification when you join Signal. And separately from any SGX-mediated threats, a persistent attacker with privileged views of your devices' network traffic – such as via an ISP or mobile carrier – can get, via the volume & timing of traffic to and from Signal's servers, a pretty good idea of who you're talking to.)
Could you provide documentation of that version of how Signal operates? You can see the links from Signal and Matthew Green that I supplied.
> I'm talking about contact-discovery, wherein the client regularly sends (hashed versions of) all the phone numbers from your contacts (if you've shared them with the app) to Signal's servers
If they are hashed, why do you need to trust anyone?
Note it relies on SGX for privacy. (Anything they did earlier may have involved even more trust of Signal Inc's servers.)
Hashes across the (tiny!) space of all phone numbers are easy to reverse via brute-force.
But also, again: how do you think Signal is able to notify you when any phone number in your contacts – even if you're not in theirs! – first joins Signal?
If one wants to avoid having contact list on server, they don't have to force everyone to use government issued and fully controlled identifiers. They can do local contacts storage, and use emails... or even random numeric identifiers (anyone remembers ICQ?).
I think novok is right in their uncle comment -- the decision to force people to use phone numbers, with all the related privacy problems, was to increase adoption. And we should be upfront on it: "Yes, Signal could have made things more private if they would allow usernames/emails/UINs... but instead they decided to force phone numbers to get market share as fast as possible. Yes, this means millions of people are forced to share the Signal contact list with Facebook and Google, but it was worth it -- look we have 40 million users now!"
There is nothing wrong with reducing user's privacy in order to get more market share. But let's not claim that this was for users' benefits.
Wait—when you're using Signal, it resorts to using your whole-phone contact list when, say, you want send a direct message? That would be... not great UX, with my personal use of my phone contact list (mostly for people I barely ever message, contacts I'd never message but want to have a phone number and/or address down, or relatives who don't/can't use anything but SMS)
That's doublespeak. They want phone numbers on the merits of phone numbers being how people's private identities have been registered with their contacts. And no, that's not a great alternative, it's a huge negative.
> They're great compared to the alternative of simply storing a plaintext register of every pair of communicating parties on the server, which is how other messengers work.
> They don't want phone numbers on the merits of phone numbers.
I thought they were pretty vocal about wanting to use phone numbers to save people from the pain and despair of having to enter their friends' usernames into Signal, a pure UI concern.
The server needs to store each pair of communicating parties if it wants to announce presence information like AIM did. But that's unnecessary for a phone-based messenger - everyone is always "present" at all times.
Also, Signal envisions (or envisioned) contact lists as a foundation for a distributed, secure, private social network, under end-user control. It's an obvious solution once you think about it (a signal of brilliance).
... Signal began by using the social graph that already lives on everyone’s phones: the address book. Rather than a centralized social graph owned by someone else, the address book is distributed and user-owned. Additionally, having the social graph already on the device means that the Signal service doesn’t need to store a copy of it. Any time someone installs or reinstalls Signal, their social graph is already available locally.
I can assure you that most people do use phone contact lists for their intended purpose. I’m not sure what your comment is trying to get at other than being argumentative for whatever reason.
Do you have data on that, or are you just asserting that your personal experience is more universal than their personal experience?
I don't think they're totally off-base: I haven't used my phone contact list for personal contacts for most of the last decade. It's just a collection of work contacts that I don't trust enough to add anywhere I actually talk to people.
I'm sorry but do you need data for common sense? Is WhatsApp one of the biggest messaging platforms where people don't talk to their close friends and family? You think discord or other mediums are more popular than iMessage and WhatsApp?
I mean, I guess I do? I'm legitimately unsure if I'm in some weird bubble where no one uses WhatsApp or you're in a bubble of unusually high usage. But it's been a small enough part of my life that I'm not even fully sure what the connection is. It uses your contact list as well?
In today's individualized, algorithmic online world, it's safer to assume you're in a weird bubble until proven otherwise. My Twitter/Facebook/whatever feed is totally different than yours. Everyone still has a Facebook account (though; noticeable dip in Q1) and Snapchat is still wildly popular.
Is any of this stuff more popular than actually calling people? How are people calling? Memorize phone numbers? I'm completely stumped about how someone could use a cellphone for a decade without using a contact list.
I don't even have my friends' phone numbers. If I want to call a friend I do it on my desktop using Discord. Before like 2016 we would call using Skype instead.
This is fascinating. I feel like an anthropologist so have lots of questions.
Do you have multiple Discord servers or just one for all your friends?
Roughly how old are you and are you a student or in a job or something else? What country or region?
When you meet a new person you want to stay in contact with, how do you do so?
Do you use only Discord with friends or do you also add them on eg Facebook or Email or any other communication system?
In my world (employed, UK, middle aged) at work generally we use Slack (kinda like you’re using Discord in a way), shifting to phone numbers when you know people well for non work stuff.
Everyone else I meet, the assumption is to exchange phone number and use WhatsApp - exceptions would be iMessage or Signal sometimes. Or email or Twitter in business circumstances.
I'm turning 32 this year, and I've honestly never used phone calls as a way to talk with my friends (outside the quick calls that texting replaced.) When I changed my phone number a few years back I told like 5 people, all family.
We had AIM and message boards pretty early, but no dedicated phone lines. By the time cell-phones became ubiquitous, we had cars and could just actually hang out. And by the time we all moved apart, voice chat services were good enough to just hop back to the old chat model.
Discord works by keeping a serverside database of which people are talking to which people, which is, to a serious adversary, the most valuable single piece of information the service can cough up. Discord is much, much more convenient than Signal, and that's good. The services have different goals.
How is Discord more convenient? I don't mean the question critically, but I wonder what a sophisticated user sees in Discord when Signal seems, to me, as convenient as texting and calling.
Discord has your full chat history in a conveniently searchable server side database. When new people join a channel in your discord server, they call see the full chat history so they can get fully caught up.
You can use discord on multiple devices at the same time without the devices needing to directly sync with each other (because the state is stored on the server).
Except (unless something has changed very recently) you can't backup/restore your chat history to a new desktop client... Security over general usability.
Discord keeps your friend information on their servers. This is, like tptacek said, exactly what Signal is trying to prevent. If servers get seized by the Feds, they don't want to needlessly reveal who's contacting who for everyone.
It's about storing as little personal information as they can.
Not only do they keep your friend information on their servers, they maintain a copy of every single message you've ever sent via Discord. Their service is the antithesis of private communications.
Can you request deletion of these? I've never really thought about that before (I don't use discord that much anyway other than hoping on some channels occasionally to help beginners to rust and c++. I guess I'm not giving away too much there :)
Are you really going to request that deletion after every single sensitive conversation? That seems dumb. Also, are those deletions tracked? Like, do they say User A requested their conversation with User B and User C be deleted so that Mr Fed can still see that A B and C had that conversation?
There's just so so many places to get tripped up by keeping data rather than just routing bits and never storing them.
I was thinking more like "Hey discord, please delete all my old data from your databases, everything" not doing it after every "sensitive" conversation.
Question: do you use Signal? If yes, are you backing up/syncing your contact list? If yes, are you worried about Feds coming for your backup/sync provider?
If that happens, that's not a disastrous thing. That means one person reveals who they're talking to in general, not just on Signal. It doesn't mean that the millions of Signal users all lose that privacy.
But no, I don't use Signal. I just think it's strange how some people can't seem to wrap their head around any of the rationale for this when it's the most transparent thing in the world. Do I like it? No, but it's ridiculous how some people pretend to be incapable of critical thinking in order to talk about how it's horrible. If something is actually horrible, being deliberately obtuse isn't needed.
I don't think you are getting it -- I am not talking about single user.
Whatsapp has 2 billion users, and they are pretty open that they upload entire user's phonebooks to Facebook-owned servers. We know Facebook is not worried much about privacy, so I am pretty sure that this data can be subpoenaed, sold and so on. If you care about privacy, you probably want to install something else, like Signal.
But you know what happens if you cannot get all of your friends converted at once, so you keep Whatsapp around? It will keep sending your contact list changes to Facebook, just at it is designed to.
Let me repeat this: you worry about metadata, so you want to chat to a friend via Signal. But the moment you add them, this is reported to all other apps including Facebook's Whatsapp. And there is no way to opt out of it.
How can people not notice this? How can any company call themselves "privacy friendly" and do this stuff?
I haven't historically— multiple rounds of old flip phones and early Android devices with zero migration story made me wary of overly investing in anything on-device.
However, the current wave of phone-number-tied messengers (WhatsApp, Signal) have definitely pushed me in that direction.
TextSecure, Signals name before re-branding started out doing only SMS encryption. Sending messages over data started earlier if I remember correctly. I think that must have been almost 10 years ago
I would much prefer a one time randomly generated GUID myself that can be used to transfer to new phones or just trash if you want a full reset on your signal contacts. Obviously 2FA like TOTP or similar to change it.
They mainly used numbers so they could leverage the social graph of phone contact lists. That way they didn't need to store any social graphs on their systems.
To me, it shows that whatever agent is pushing signal adoption has seen the writing on the wall and is trying to get ahead before the tide changes and they have to hit some other developers with wrenches.
I hope they don’t implement it broken like Telegram’s.
If a person has your number in the contacts then your username and phone number are automatically merged together even if you were conversing to that person using your username from your perspective. That’s such a safety nightmare.
> Why would supposedly secure communicator use actual phone number as identifier is beyond me.
It's pretty simple - user friendliness and sign-up friction.
Signal's main market is not us HN user tech bros who want (pseudo)anonymity. It's main market is closer to regular people, the same people who are fine with using WhatsApp or Facebook messenger or whatever, with their phone number.
They also want it to be as easy as possible for new users to sign up. Simply enter your phone number and boom you have a signal account. With email the sign up process is not insanely difficult - but its still more steps than phone signup for the regular person.
Doesn't explain why _only_ phone numbers are (currently) supported. Having phone numbers as the default or even asking permission to import your contacts would have been fine-ish if it was also possible to register using another anonymous method like email...
One counterpoint to using phone numbers: In China mobile phone numbers are almost universally enforced as your digital identifier because it makes surveillance extremely easy for a government while making it relatively hard for platforms themselves. Registering for a phone number mandates an ID check at the point of the service provider. This means that with a phone number based login, (1) you can be largely anonymous to platforms as you can have > 1 phone number, (2) you have 2fa built in automatically, but also (3) that the government can easily figure out who owns what accounts because your accounts are directly linked to your phone(s) and your phone(s) directly to you.
It would be a great step forward if Signal moves towards alternate verifications that don't involve phone numbers...
Signal started off as a secure SMS replacement. Also, they mainly used numbers so they could leverage the social graph of phone contact lists. That way they didn't need to store any social graphs on their systems.
Keybase got it right before Zoom acquired them. They decoupled identities from your account data. Basically they allowed you to claim identities via a dozen or so different things they supported (email, phone, twitter, github, domain names, public pgp keys, etc.), and then prove that you owned it by posting some token, sending a message,. Which would then associate the identity with the account. The more identities you claimed, the stronger the proof that you were you.
Taking a new device into use was as simple as authorizing it from one of your existing devices. All the data would sync over and be encrypted with a device specific key locally. And you could disable that key from any of the other devices.
Too bad that company more or less failed. They never really figured out a business and the zoom acquisition looked more like an acquihire than a long term commitment to the product. But it's a good design that is worth copying.
This was why I started using Signal in the first place. I could replace my SMS app with Signal and immediately gain the advantages it offers for my friends that were also on it or willing to switch. Over time, more have switched to it and the network grows but I don't miss out with those who won't switch for whatever reason.
Aren't Slack and Discord also tied to your email? I think HN and Reddit are better examples (although some dark patterns do push you towards associating with your email)
Spam protection is hard. Forcing to use phone numbers is a "easy" protection against spam. It's harder to get thousands of SIMs than thousands of usernames.
> I understand that startups are scared that they won't be able to build up userbase from scratch but come on! Discord and Slack did it.
I don’t use slack but the few times I tried to use discord it always said something suspicious was going on and asked me for my email (needless to say I immediately closed the window) I wasn’t using vpn, only my default ublock and Firefox built in track blocking.
Email is okay to me because you can actually own one.
Phone numbers though are terrible because they're tied to countries, their security depends only on your carrier, you can't run your own carrier to take it into your own hands, and sending SMS costs money. Also the underlying interconnection networks like SS7 aren't secure at all and rely on trust.
Unfortunately, you do not own your email address either.
TLDs are managed by governments or government-adjacent organizations. Domains are managed by the TLD manager. Email addresses are managed by the domain manager.
I've never had a phone number or a domain name taken from me, but I've heard of more cases of the latter than of the former.
There are now those custom TLDs that are not managed by a government-related organization. Your domain is managed by whoever you registered it at. You can transfer your domain between registrars too. Your email address is managed by you because you control the domain. You can use someone else's email service with your domain, or you can host your own. You can switch between one and the other without anyone noticing.
I've heard stories of how a US carrier issued a replacement sim card to a fraudster. I've also heard stories of how a Russian carrier intercepted someone's SMS messages to break into their Telegram account.
But unless you operate the TLD, you do not "own" your email address. Donuts can choose to cancel your domain registration, or to hand it to someone with a more compelling trademark claim, etc. Legal niceties vary by jurisdiction, but at the end of the day you "own" nothing but a contract where you are the subordinate party.
SIM swapping is a big problem, but that is more equivalent to DNS hijacking of your domain than to the concept of legal/contractual "ownership" or rights to operation.
But semantics aside, the important question is how easy would it be for a malfeasant to interfere with your quiet enjoyment of your public identifier (phone number or email address). SIM swapping is way too easy. Domain hijacking isn't hard either, and sometimes one attack can leverage the other.
I'm not sure if it's great. It just lets you communicate without endangering valuable resource that your phone number is.
> Can you send SMS to a regular number with this?
Why would it do that? Every phone has perfectly good sms app.
What would that even mean? Using sms as a transport layer? Or making messages passed through internet look like pseudo sms messages to someones phone number?
Thanks for the reminder.
The idea was to use signal with a degoogled phone. It would be great if signal could send SMS without the cell network. There are places and devices, without cell connections.
It's the network itself that is limiting this, since SMS was designed for intra-network communication - so the sender needs some kind of network ID.
Something like Google Fi can provide a web-based client for your SMS (which works on any device and doesn't require cellular) because they know your virtual SIM and can emulate it as needed. But I don't see how Signal could pull that off.
If I remember correctly, Signal was first explained to me as a secure SMS app. That is it stores your SMS's more securely than the stock apps did... and if you were messaging somebody who also used Signal, then you'd be upgraded to an end-to-end encrypted message.
That said, now I'm on iOS, it doesn't let me do that, so I only use it for contacts with Signal.
To avoid splitting one's messaging threads between two different apps.
> Every phone has perfectly good sms app.
Eh, I find the default Android SMS app to be lacking. I can't organize threads or mark messages as unread. You know, basic stuff that email apps figured out a long time ago.
First, it would be great to be able to send SMS messages without using the cell network, just through internet. Then you could use computers, tablets, etc.
As far as I know only textplus/nextplus allows that, but it had become very buggy, and definitely not secure.
Also you don't need a cell number to communicate with people through the cell network.
You're confusing privacy with anonymity. Privacy is people not being able to read what you are writing. Anonymity is being... anonymous, unknown. Signal is keeping your conversations private but they are not keeping your account anonymous.
You chose your username here and in most other places.
You can even change it easily on many platforms.
Your username doesn't require you to show your ID and have your calls tapped and traced towards your person.
The problem I'm seeing here with the responses is that people are only thinking of "one move." That first move is creating a anonymous username. Yay. Easy. Now here's the problem. How do I share that while staying anonymous? What conditions do I need? If I can only have one username for all of Signal, does that create a bigger problem? There's a few more "moves" for you and these are what I'm looking for answers to.
Maybe you do, yes. And maybe you're happy with an alternative with usernames where the server keeps the list of your contacts. Or maybe you are not, and you will want an alternative where you need to rebuild your contacts list every time you install the app.
But some people are happy messaging people based on the phone number, because everything else is too cumbersome. Different people have different threat models, and one chooses the best UX for their threat model. For millions of people (maybe not you), apparently it is Signal.
Sure - that's why Signal is for secure communication between individuals who have some level of trust. There's nothing stopping your interlocutor from leaking all of the messages you send to them, what's the big issue with them having your number?
> Sure - that's why Signal is for secure communication between individuals who have some level of trust.
If I have this level of trust with someone they are about at level of adding them as a friend on Facebook. Who knows, I even might invite them on Facebook sooner than I decide to give them my phone number.
> what's the big issue with them having your number?
Seriously? With my number you can harass me endlessly with phonecalls, text messagers, registering for various services that will harass me basically forcing me to abandon this phone number and notify all of my valuable contacts of the number change.
Hell, they might even plaster town with my number with advert saying "Win 50$ in Chewbaca noise contest by subitting your best attempt at that number." as one creative asshole did to some poor girl.
> There's nothing stopping your interlocutor from leaking all of the messages you send to them
That way less of a problem if I haven't doxed myself in those conversations. All he will publish is some conversations he had with someone.
>If I have this level of trust with someone they are about at level of adding them as a friend on Facebook.
Yes that's exactly what Signal is for. Talking to people you would otherwise talk to on facebook messenger but you rather not have facebook engineers be able to read your personal conversations.
The fact that my number is registered to my legal identity? In my country, and I think in most countries, it's not legal to sell a SIM without checking and recording the buyer's legal ID.
This is fine, but signal still doesn't tell you when the person you're sending to has uninstalled signal. Instead, your messages go into ether and you think the person is ignoring you. It blows my mind they haven't prioritized this. https://github.com/signalapp/Signal-Android/issues/11164
Applications can't determine when they're uninstalled. Or, not reliably anyway, and not while following platform guidelines. So the question becomes how to tell uninstalled vs left in a drawer, powered down, while on vacation.
They just have to tell you if a message isn't received after a day or two. This is already exposed via the check marks, so it's just something they have to amplify with a notification.
Or when you start writing a message to somebody, if they haven't read the last couple messages signal could make that obvious. Etc. Lots of easy fixes.
They can just say the message wasn't received. They don't have to say it was uninstalled. Just loudly tell me things aren't working like I expected. That's all this takes.
There are multiple anecdotes in this thread, on HN, that people missed that. All GP is asking for is better UX making it more obvious, because being able to check is something other than knowing to check and how to check.
I don't see why that matters? (Especially given that Signal has far fewer users and presumably higher attrition than those other platforms.) If things can be better, than it would be great if they were.
This is bad design. Why excuse bad design? When I send a text message and it doesn't arrive, my messaging app lets me know. With Signal, this is a step backward.
Yea, it seems like this is the most information they could give you without violating the addressee's privacy by revealing whether they have uninstalled the app. I suppose it could be worth it if, when the message remains undelivered for a while, Signal added an explicit note to that effect so the sender doesn't misunderstand.
Yes, exactly this. All that's needed is to tell senders when a message wasn't received after X hours.
You don't have to figure out if the user uninstalled. This also happens if they get a new phone and don't re-install on it, so relying on uninstalls wouldn't work anyway.
Uninstalling doesn't send a notification to signal.org, I've previously messaged a few people without getting a response, later realizing they never got it because they switched phones and stopped using Signal without pressing the "Delete Account" button in Signal settings. The workaround is to have the user install+register again, then press delete.
> Signal must be actively working on your phone to make changes to the account. Register to see these options for your number. Deletion requests are not accepted outside of the registered app because there is no way to accurately verify whether or not a number is truly associated with the requester.
Yes, I expected as much: most users who stop using Signal (because, say, their friends use something else) are more likely to either just stop using it or uninstall the app, without explicitly deleting the account.
Another pain point for me: when I send an SMS to someone, I expect to get replies on SMS not on Signal. Don't try to replace SMS. It's just really annoying to have half the conversation in the text messages app and the other half in Signal app.
It's been promised for years, but you still can't use a second phone as a linked/secondary device. As a result, it is literally impossible to have the same signal account on two iPhones. Since they already support using an iPad as a linked device, this would require little more than changing a flag and a recompilation. Maybe they have their reasons, but all they keep saying is 'soon'.
I think this is could be a rather complicated feature. It's easy if your second phone is just a linked device like iPad or desktop client, but I imagine this might be very confusing for users. Now you have two phones with signal installed, but one has fewer features and if you lose the main device, you're screwed. This is unexpected for most users.
On the other hand, if the second phone should have the same capabilities as the first one, key management suddenly gets extremely complicated. For instance, each device has to be able to revoke others; what happens if the revoked device had granted access to three other phones, are they revoked as well? Can a device revoke it's "parent" device? And so on. I imagine they avoid this while they can.
> but you still can't use a second phone as a linked/secondary device. As a result, it is literally impossible to have the same signal account on two iPhones.
That's not how that works. If you sign up for Signal with the same number on multiple iPhones, for example, only the last one will still be connected. The iPhone app only supports being the primary device. There can only be one primary device per account.
I stopped using Signal, along with my adult tech-oriented friends, when we all had bad experiences migrating our accounts to new phones. That plus the phone number requirement, intrusive contacts integration, and the weird crypto side projects killed my interest in Signal entirely. My friends and I use Discord now.
Discord is not end to end encrypted, and Discord, along with whoever buys them, will receive the complete plaintext message history of all of your conversations with those friends.
But for a lot of purposes, encryption really isn't that important. Most friend groups isn't a group of journalists and their sources discussing state secrets. The privacy from end-to-end encryption is a nice-to-have, but I'm not even sure if it's worth the inherent inconvenience for most friend groups.
How do friend groups deal with members who might want to drop a potentially controversial in future viewpoint, let alone a politically charged opinion?
Any use of a non-e2e service as a replacement for an e2e service basically means either self-censorship or recklessness. The data is not going away, and if context changes can implicate everyone involved.
Yup, and I don’t care. If I ever organize a protest I’ll do it on Signal, or another end-to-end encrypted platform. For daily banter I’ll use whatever a majority of my friends prefer. That’s currently Discord for the above-mentioned reasons.
You know that. It's unlikely that all of the rest of the people who join Discord because "all of their friends are on it" that your presence there influenced know that, and in many possible future scenarios, you and others' presence there directly contributes to the harm that may befall them as a result of their loss of privacy thereby.
It's also impossible to effectively self-censor in the present for potential content-based threats in the future.
Discord also bans certain entire domains from being sent as links in DM, as an antispam measure, and requires in their ToS that people give up their civil rights to join. It's not polite to ask friends to submit to third-party censorship of private conversations just to talk to you.
So some algorithm somewhere will eventually try to parse five years of shitposts and memes between me and my friends and try to figure out what it can advertise to me based on it, I can't say I'm even mad
I have nothing to hide because I recognize the intentions and limitations of different platforms. Discord is a gaming chat platform and I post and act accordingly there. I don't understand why I should be entitled to privacy on a free chat platform hosted with someone else's money.
Can you explain this a bit more? Am I correct in understanding that you feel it hurts you when your contacts find out that you have signal installed, hence why signal shouldn't do it? What is the impact of someone who has your phone number knowing you are available over Signal?
Are there communities out there where someone being on signal is a red flag?
> What is the impact of someone who has your phone number knowing you are available over Signal?
Don't know about Signal, but Whatsapp does the same thing (advertise to your contacts that you have a whatsapp account) and I find it extremely offensive.
Context: I am an ardent anti-whatsapp activist, thus I don't have a whatsapp account. This activism has created quite a stir in my family and made a lot of people angry, yet I stick about it. I have forced many of my close family and friends to use a different communication channel with me, and I have lost the contact of quite a few acquaintances. When my dad died a few months ago, her wife needed to talk to me (and I needed to talk to her quite a lot). She was not really in the mood for listening to my techno-activism platitudes, and I was not in the mood to perform them, so I had to open a whatsapp account. Since all the people who I had forced to stop using whatsapp to talk to me would have felt alienated by this at this point, I needed to take a new phone number to talk to my stepmom via whatsapp.
This is a concrete example of why advertising the fact that I have a whatsapp account is an extremely annoying anti-feature. I'm sure there are similarly legitimate reasons for disliking the same feature in Signal. In any case, for a platform that has the privacy of users as one of its main tenets, this is a clear-cut case of anti-privacy feature. I can imagine reasonable people avoiding Signal precisely for this.
> Are there communities out there where someone being on signal is a red flag?
Absolutely. Outside of the tech industry, people have a "reason" for using Signal. My wife remarked one day that one of her coworkers (a plant operator) suddenly appeared on Signal. I mused that he is probably cheating on his wife. She found out a few weeks later that my hunch was correct.
Other people I've seen on it I've been able to deduce that they're using it for drug purchases (simply by process of elimination, nothing else made sense) even when I didn't already know they were into recreational drugs.
In some circles, Signal is used just for general conversation. But in most, it's not. So being on it is a pretty strong signal that you're doing something 'important' on it...and usually its easy for friends and neighbors to narrow down what that is.
You're not wrong, but if we care about privacy isn't that an association that we need to break? Wanting to live in a society where people can have secrets ought to be reason enough to use technology that keeps yours.
And then there's my mom, she's on a grandfathered mobile plan that charges her $1 every day that she sends any text messages. I got her on signal so she didn't have to pay the $1 when she texts me. She got her whole church music group to switch for the same reason.
Why does it need to tell everyone I have a Signal account?
Adobe doesn't tell everyone that I own Photoshop.
Gmail doesn't tell everyone that I have a Gmail email.
PornHub doesn't tell everyone that I subscribe to their premium account.
Why the fuck does Signal need to? Broadcast should be off by default, on by opt-in.
It doesn’t send the number to them - Signal don’t get the contact list from your phone. It uses a very clever private contact discovery protocol.
The reason their phone has to know is so that they can then message you. Otherwise there would be no way to message people - a phone has to know who is on Signal to be able to do that.
While the notification could be off by default, since the phone necessarily has to know when your contacts are on Signal for the app to function, it is being transparent about the privacy situation.
It could be as little as "everybody does it, let's do it too" or they actually thought about it. By signaling to contacts that somebody installed Signal they make it more likely that those contacts use Signal to communicate instead of any other system. It helps the growth of Signal.
Adobe and PornHub don't have the contacts list. Google likely does but maybe they are restrained by privacy laws.
There are subcultures that are not widely accepted where this is an issue. Take the furry subculture as an example. You might not want your family or college pals to see your furry profile picture and pseudonym, but you also might not be aware of the implications of using a messaging service where the primary ID is your phone number. Many people hand out their phone numbers permissively, as historically, they weren't very "personal" on their own - save for identifying your real name. For many people, having/juggling multiple phone numbers to maintain distinct identities is beyond their technical expertise and simply won't happen in most cases (especially on Telegram, where VOIP numbers are prohibited).
I don't know precisely how Signal does things, but I know this can be an issue on Telegram - and I assume they work similarly. I can see a lot of reasons folks might not be fans of phone-number-as-ID, especially when it alerts folks that you've joined, or gives folks who merely possess your phone number an easy way of viewing your profile details.
I think the first quality E2EE messaging service that provides users an alternative to phone-as-ID could give Telegram/Signal (not that the former is necessarily E2EE) a serious run for their money among privacy-conscious users and members of fringe communities.
Signal doesn't advertise a profile. It advertises a phone number - everything else is data you have locally. It will send a profile picture if you set one but that's it.
Does it advertise your username? If I don't have the name of the contact, will Signal share my username or does it just say "this number in your list has joined signal, and here is their profile?"
Nice. Sounds like the same rules apply to profile pictures as well. That feels like a step in the right direction, but it still means that by having family/coworkers/college buddies/etc in your contacts, they can see your profile picture and username. I know this can be a sticking point for some. It would be great if Signal introduced finer-grained privacy controls so it could appeal to an even wider audience.
You can download leaked phone numbers of millions of ppl and add them to your phone's address book (iOS limits contacts to 50k). I don't think this is very secure.
> among privacy-conscious users and members of fringe communities
Sure, but this is realistically a tiny group, and development effort is probably better spent making the 99% that don't fall into this category happier rather than prioritizing features needed for the 1%.
Either you don't understand how Signal works vis a vis phone numbers, or you're expecting something unreasonable.
The behavior which is reliably objected to by someone on HN, every time Signal is mentioned, is that the app sends a user an alert when someone in their contacts list is on Signal.
Phone numbers are the only resolution mechanism in Signal. Should that change? Separate question.
Having someone's phone number is by definition a way to contact them. Registering for Signal is by definition agreeing that anyone who searches for your phone number can send you a message on Signal.
What is the privacy violation in pushing awareness of that affordance? What about pull-only is better?
Signal does what I want it to here, and my trouble understanding why someone would be ok with everything about Signal except the push notification on join to people who have your number is genuine.
It's easy for me to understand why people don't like that a phone number is inherent to Signal, don't much care for it myself. But it's unrelated.
Whether or not I use Signal is private info, which is separate from my phone number info. Signal is mixing the two as if it was the same.
A username kinda restore that, but it could be taken a step further and ask for a secret token when adding contacts. That way you know exactly who has you in their contact list, and this token could be revoked (equivalent of blocking the person).
At least personally, the privacy violation is most clear if you are not part of a community that uses encrypted messaging by default (nearly everyone I know who uses SMS/FB messenger). The fact that someone I know has downloaded Signal then reveals that they now care about using encryption, which usually has the very obvious inference that they are involved in activism/have journalistic sources/other more nefarious activity that they care about encrypting. You can usually figure out which it is if you know anything else about that person. I would not know this if Signal didn't push the information to me, since I am not going to constantly search my entire contact list to find this info.
Like people you don't want to have contact with but have your old number being remained that you exists and starting to annoy or harasser you again.
And pleas don't respond with "you could just block them" that not in line with how the psych of many, especially vulnerable people work.
Also pleas don't respond with "you can just change your number", for many people changing their number is hard which again for some vulnerable people can mean it's basically impossible.
Sure it's not a "my whole live will be messed up because of it" feature, but it easily can be very very unpleasant.
Like as an harmless example I know someone who completely changed their live and do not really want to have contact with anyone from their old circle of friends (not because of them being bad people, but because of the memories this includes). But they are to polite and insecure to outright block them, similar changing the number isn't an option for them. And guess what happened recently Signal told me: Hy person X joined Signal. I knew better then to contact them, but I wouldn't be surprised if this caused them quite a bit of distress/discomfort.
Anyway, I'm fine that people which have my number can write me over signal, or that their app knows when the number is changed, to warn if the old number is used and hint at you when you try to contact the old number. I'm not happy about Signal (and others) actively telling everyone "Hy this person did [join|change number]". It's unnecessary and for some people harmful.
Yeah, those announcements on Signal and Telegram are super-annoying and awkward.
You draw the attention of people with whom you have perhaps decided to let the relationship cool, and suddenly: "Hey, [YOURNAME] is here! Remember him? And how you have unfinished business? Why don't you message him right now?" :-(
This is outright ridiculous. I refuse to get into most "social" networks for this type of crap and now this practically confirms me I should never get into these crappy centralized IM networks.
How do you reconcile this with the ability to see, when you start to message someone, if they're using signal?
Can't a person who wants to know if you are on signal do so simply by starting a message to you?
Are you suggesting that simply making this less convenient on the client will somehow discourage someone who is determined to figure this out about you?
That's exactly what happen to my SO and I can see how this can be an issue to many people. The unexpected and unwanted convo with a particular person happen just because he had mobile number saved in phone's address book and despite of not giving Signal access to contacts, the presence of SO was announced.
That would be a really nice option now that you mention it. Like a "fresh start" where you could pick who can actually see that you're on signal especially with a new number/phone. Lots of people are often a negative in your life.
I never understood using phone # as a permanent ID. phone numbers change (heck, I effectively have 2 whatsapps, because I have a US phone # and an international phone # because of this).
ID shouldn't matter to most users (it can be hidden behind the scenes). Phone # is great for looking up the ID, but users should be able to remap it at will.
Example:
register with your phone #. This generates a new ID (you don't know or care about it). If you have to login from a new device, that doesn't have the ID stored, can you login with your phone #, but all this does is look up the ID and uses that ID to try and then authenticate you.
If someone wants to find you, they use the phone number to look up your ID. Once its looked up and mapped, the phone number never needs to be used again.
If I change my phone #, all I have to do is update the mapping of phone # -> id (i.e. add a new entry, remove the old entry). Anyone contacts who have me already, will not be bothered by this (they only care about the ID, which they already have). new "contacts" will also behave correctly, as I no longer have that phone #, so it shouldn't be able to be used to find me (it might be someone else's # now).
Users would be able to move phone #s and their existing contacts would be able to follow them. New telephone users would be able to get recycled old phone #s without getting messages from the old owner of number's contacts (assuming they had previously contacted).
the only places I see people think this might fall down (but I think are wrong) is
1) if the same user creates a new id with the old phone #. However, the solution seems pretty simple, you just need a way to invalidate the old ID (i.e. never to be used again) and force the contact to get the new id for the phone number.
2) what happens when a user moves devices. i.e. they might have to redo the mapping of phone # -> id. However. at its worst, this is no worse than the current system (which effectively does that update on every single message). In practice, there are ways to move data between devices which would just move the mappings with it (examples being a cloud cache backup, the ability migrate data from device to device, or probably other ways as well).
Signal stores your contact list on your phone (and not on their servers). Unlike other devices, people typically only have one active phone at any time, which means that your contact list on your phone can be your contact list on any linked device (its primary, they're secondary).
If they didn't anchor to something that they knew you only had one of, then it's not clear which of your devices should be authoritative. The alternative is to store your contact list on their servers, but they don't do that because they aren't confident that they could do so in a way that keeps your contacts hidden from somebody who gained access to their servers.
Often, letting an adversary know who you associate with is just as dangerous as letting them know what you say to those people. Having your phone number be the key means that metadata security comes down to whether you lock your phone instead of whether the bad guys can get a warrant to compromise Signal's servers.
It's a worse user experience, but I can understand not wanting to be responsible for the bad things that happen when bad guys map a target's social network.
Mobile telephone subscriptions passed global population 7 years ago.[1] More than 1 phone is not so unusual.
End to end encrypted messages are harder than end to end encrypted contacts. Using phone numbers encourages people to use their phone's contacts app. Most people have theirs connected to Google or Apple. If they have other devices especially.
To your first point, if you have two phone numbers then you're probably keeping them separate for a reason, and so their contacts should be kept separate by the app too.
As for your second: what are the "ends" you're taking about with this "end to end encrypted contacts" idea?
Certainly, a contact list has to be visible at the device--otherwise it's useless. Where else would you want it to be visible?
It would be nice if it didn't require a phone number. My daughter doesn't have a phone, but I would still like to use Signal with her when she's on a wifi-connected iPad.
Regarding your specific issue: You could get your daughter a VOIP number, which can run as an app on the iPad. VOIP numbers can process text messages too, which should enable Signal's confirmation message.
It's very easy; you could have it up and running in an hour, possibly. Here are market leaders for small business, and I presume they would handle consumer accounts. In my very limited experience, I had the best experience with RingCentral.
* RingCentral: Softphones only (i.e., applications on a computer), IIRC - no hardware handsets.
* Nextiva: In my one experience, the sales culture as a bit of a hustle, but it worked out.
* 8x8
* Star2Star: Don't know much about them; maybe medium-to-large business only.
This is an important addition. My request list would be from easier to harder:
- Strong anonymity
- Offline and cloud encrypted backups that can be imported to the new IDs (also potential monetization source)
- Secondary IDs per user and one off IDs, with the nature of said IDs communicated to the other party (primary, secondary permanent, one off). Of course it could create problems but with a proper blocking mechanism within signal (e.g. block one off IDs and secondary IDs from unknown numbers) by default would be seamless.
-Mobilecoin usage seamless across IDs, retaining anonymity
>If you’re getting a new phone, but keeping your old number, you can use our end-to-end encrypted device-to-device transfer on Android or iOS to carry your contacts and chat history over to your new device
Is there a way to export chat history into HTML or other file? I want to re read my chat sometime later.
I respect this position, but it is notable that this project and its goals are different from all other blockchain projects. The private messaging is meant to be an intrinsic part of this blockchain for transactions and to provide a platform for applications that rely on the private messaging properties to provide services.
As an example, one of the next applications I am working on with it is voting (a continuation of my PhD research). You can do things with this that you can't do anywhere else because you've got hundreds of untrusted, uninterested nodes, changing the threat model in a very important way. Unfortunately, I'm not aware of any other way to incentivize that without some form of payment system, which is why it is intrinsic to this chain.
It is fundamental to safe and fair commerce to be able to not be tracked in the ways we care about folks not being tracked. I want to do things like read my news subscription without them being a data vampire that tracks how long my eyes hover over each paragraph of every story then sells that to some advertiser. I also don't want my credit card company selling my purchase history to some government that then uses that information to decide if I am allowed to enter their country 15 years from now.
In other words, the project is not trying to be a slower, less private version of a credit card. We do not want to be just another privacy coin or utility for some pre-existing internet service and, unlike other mixnet projects, our goal is a much more ambitious resistance to global adversary threat model. We want to enable folks to do things over the internet with similar properties and experience as buying milk from the corner store with real money. We might not get there, but that's my vision for what we are trying to achieve.
Yup. For those who don't know that is David Chaum's quantum-resistant messenger and he's an OG cryptographer (and he's mentioned in Bitcoin's original whitepaper, funnily enough).
> Full disclosure: I work on the infrastructure behind it.
Oh cool... I ran a node for many months during the beta (from home, fiber optic at home). I'm busy atm so I'm not running anything anymore but I do really hope that a real secure messenger that doesn't leak metadata left and right, and which uses advanced cryptography, shall eventually prevail.
In years of browsing desktop-focused websites on my phone, this is the first website that lags at 2fps while I try to use it. High-end Samsung phone from ~2 years ago (second hand) so cpu power definitely isn't the issue. It also goes back up the page randomly if I scroll a certain way, maybe it tries to lock the view to a certain region rather than in between?
No idea what's going on with that site but I can't check out your project. I'd be interested in a ~two-sentence description of what it's like and how it's different. E.g., is it using the Signal protocol without phone numbers? It so, how's it different from Wire? If not, what does it use, custom protocol? Does it have a description I can look up elsewhere?
It protects metadata using a mixnet and the E2E encryption for authenticated channels uses post quantum cryptography(SIDH) to establish symmetric keys. The infrastructure is run by 3rd party node runners and there's an open source API for other applications in addition to the messenger being open source.
I'm not having issues with the website, but I will raise it with the web developers to see if they know what's happening.
It protects metadata using a mixnet and the E2E encryption for authenticated channels uses post quantum cryptography(SIDH) to establish symmetric keys. The infrastructure is run by 3rd party node runners and there's an open source API for other applications in addition to the messenger being open source.
How is this handling usernames? I understand doing this is actually hard if you want them to replace the issues that are carried with phone numbers (i.e. being able to connect with an identity through cross referencing). And of course, birthday problems.
First come first serve right now. Identity is based on keys generated on device and the usernames are based on a network service which I expect we will decentralize (i.e., set up your own like e-mail).
I also don't see usernames as really being that anonymous. Like even if I make a username there that's "notgodelski" if I share that username here on HN then I haven't done anything to keep myself anonymous. All it does is trades one PII for another (phone number for username).
I'm also curious about scaling and collisions. Not only do you have a birthday problem with normal usernames, but what about special classes? Why do I not take all "nyt" and similar usernames to honeypot the actual NYT's contact?
Agreed that usernames aren't exactly anonymous, which is why the platform doesn't require one to use and you can share your QR Code directly instead. I think the mobile apps might force registration with user discovery (this is an active argument i've been having...) but it's not designed to be required.
It's not fully baked, but my expectation is that it will work similarly to how the .eth, namecoin, and other systems work, where you'll be able to register a user discovery service on a blockchain which the clients will recognize and use for searching. In this model, NYT registers "nyt.xx" and "rcarback" pops up in the interface as "rcarback@nyt.xx". As it stands, we've rolled out a basic version with a single central user discovery point for now.
How can I use this without a phone or phone number at all? If I am concerned about privacy, why would I give them that access and information when it's not necessary for the service? Surely they are only trying to gather information on their users. Whether it's being sold, breached, or used for ad targeting, I am not interested. It comes across as a scam.
I cannot take seriously any claims made by the company or its employees / owners. None of it can be used as evidence of their goodwill or what they do with my data. They have an interest in deceiving me.
I don't think it's so nefarious... phone numbers were just the easiest way for them to create a portable social graph without requiring users to re-discover if anything changed. Plus, it looks like this move is going to push them in a direction where phone numbers won't be required (as they've indicated previously is in the works).
Ok, but now that it's not tied to phone numbers anymore why do you still need one to sign up?
And why has this been "in the works" for years? It's certainly not that hard to implement. Many less capable and mature messengers work without a phone number.
It is still tied to phone numbers; you can now just change which one.
It's hard to implement it in a privacy-preserving way. Many other messengers of similar scale implement it by storing your social graph unencrypted on their servers.
They're working on usernames, but what's the privacy concern around using your phone number? Is it to be pseudononymous?
My use case for Signal is friends and family, and it was easy to get everyone onboard because we all have each other's phone numbers already and didn't need to build a new list of contacts. It's a drop-in Android-compatible replacement for iMessage.
> what's the privacy concern around using your phone number?
My phone number identifies my country, my address and my real name - even if I restrict the listing, it's tied to my credit card. It's tied to a sim card with separate geolocation data to the GPS tracking Google does; even if I active signal from eg a pine phone, the number is tied to a 4g base station.
Ed: and its tied to my current place of employment, too.
None of this is needed/wanted for my signal identity (for me or signal).
I could go out of my way to acquire a pseudonymous phone number, but I guess I'd have to be able to use it somehow - which seems pretty hard to keep anonymous. At the very least I'd probably have to pay for it.
Signal should be able to do better than PGP and five mix master hops of 90s-era anonymous email...
Or you get the old problem of those needing actual secure communication using terrorist@phreak.suspicious.net.ru and using signal just for "other" stuff..
Ed: note that this mostly about connecting with people on signal that otherwise might not have my number, than about (almost) random people that have my phone number discovering that I'm on signal.
Personally I don't have a privacy issue with it per se but I have two phones, one is data only sim and I can't use signal on that device with their current model. I guess because the device is a "phone" whatever that means. If they do away with this reliance on phone numbers hopefully we could get something more flexible that allows me to use it on "phones" without phone numbers.
If I'd be a spying agency I'd do just that - develop "secure" app that would collect unique identity of every user. Verified phone number is a perfect unique ID.
"Just give your phone number to us, and don't worry, we won't share it with anyone!".
That exactly what Signal does.
Until they allow user-created ID's with no link to any identity - the above concern stays.
But a phone number isn't supposed to be secret, it's supposed to be given to people to contact them. I don't see the nefarious use here. Can they determine I'm a Signal user? Sure, but they can get that from IP address, App/Play Store installs, etc.
In many countries the government and the company that you register the number with need to know who you are (or can deduce it from the place where you are connecting).
Yes, but people in those countries can buy a US VoIP number from a US vendor for $2 and use that as their Signal number.
You don't need to use a GSM number, and you don't need to use the country code in which you live. The fact is, mostly anonymous phone numbers are available on the internet for use with Signal, and Signal (correctly) does not discriminate on country code or "type" of number. Any number that can receive phone calls or texts will do.
There are indeed countries that want to tie phone numbers to strong identity, but you can simply get a second number from a country that's not so hellbent on restricting access.
The number you're logged in to in Signal on a phone does not need to be the same number of the SIM card inside that phone. You can use any number you wish.
Genuinely interested: can you elaborate on what metadata the matrix servers have access to? Say, don't they know who I am writing to, when and which groups I belong to?
Signal does not, and that's guaranteed by the client code (i.e. no need to trust anything on the server for that).
You can't. Every engineering choice is a compromise. I don't know why everyone assumes that these choices are always malevolent. I guess you can just not use it? Lots of us use it everyday without issues. If you want something that suits all your needs there are PLENTY of libraries out there for you to throw together your own adhoc distributed encrypted messenger. I have done it a couple of times myself just for fun.
Check out Wired; it's a signal clone, but they don't require phone numbers (just emails) and it seems to be built a lot better in many ways (e.g. allowing multiple accounts on one device).
Using phone numbers as identifiers for encrypted messages is the core feature of Signal. It was marketed from day one as a drop in SMS replacement. Initially it even used SMS as the transport for encrypted messages. It was literally called "TextSecure". This is why I have always found the attacks on it using phone numbers to be amusing.
With a phone number, the contact graph can be on the phone. With usernames, the contact graph has to be stored on their servers.
They were forced to store (encrypted) information on servers anyway, since client-side contact matching didn't end up scaling, which is why stuff like this and usernames are now being developed.
Their new security strategy now relies on decryption being done by client-attested code on SGX enclaves, so that the server still doesn't have access to the plain-text contact graph.
All of this took a huge amount of time to come up with, and you can see the progress if you read their blogs or forums.
> With usernames, the contact graph has to be stored on their servers.
Are you suggesting that there isn't a contact graph on their servers? How exactly do they route from one user to another? It's certainly not P2P.
If you are suggesting that we should trust them just because it could work without them storing who I've contacted, you are mistaken. The whole point of private messaging is to obviate the need for trust. The code should be auditable/open source, and everything on the server should be either transparent, or assumed to be compromised. They certainly do send your contact graph to their servers, and whether they say they discard it or not is irrelevant. In the context of privacy, you must assume your data is persisted once it is behind a curtain you have no visibility into.
They only started sending your contact graph after adopting SGX. Before that the matching used to happen client side through a bloom filter.
They can theoretically rebuild a contact graph by finding everyone you’re talking to, but that’s a small subset of the contact graph created by contact matching.
The code is open source and SGX literally means that the client attests that the code on the server matches what it’s expecting.
How do we know the closed source version of signal on the app stores is using the same MRENCLAVE as the one from the open source server?
Also, my understanding as to why a contact graph is needed at all is because signal wants to increase their virality. Couldn't we forgo this unnecessary feature? Signal could generate a long enough key locally, and if you want to add another signal user, the client could send it automatically to a contact through SMS. The client on the other side could automatically read the key through SMS and add the contact. Or the user could manually send the key through any mechanism they wanted.
A third note, trusting SGX assumes that 1. it has no bugs, and 2. it has no backdoors, 3. Signal server code has no bugs, 4. Signal server code has no backdoors. The first two of these are not strong guarantees, especially considering that it's not open source, intel doesn't have a great track record, and nation state actors have been involved in weakening these sorts of features in the past. At least with the Signal server code you can audit it.
You've hit upon the limits of Signal and other messengers.
The version on app stores is not a closed source version. However it is a binary, and there might be questions on build reproducibility. I do not know the answer to this nor the answer to your MRENCLAVE question.
Virality is because of their philosophy - their first goal is to end mass surveillance, not provide custom software for preventing individual surveillance. The quicker everyone in the world is using E2E, not only is there less mass surveillance, contact discovery leaks zero additional information at that point.
Concerns with SGX are real - but it remains the state-of-the-art - your criticism assumes that the competitors do any better, at this point they do not. They have traditional backends or are as flawed. Signal is doing the hard work on researching solutions at this point, the others are not as close.
> Signal could generate a long enough key locally, and if you want to add another signal user, the client could send it automatically to a contact through SMS. The client on the other side could automatically read the key through SMS and add the contact. Or the user could manually send the key through any mechanism they wanted.
This is what happens when contacts verify each other through QR codes on Signal. But this mechanism does not solve your problem nor are you solving the problem Signal wanted to solve - minimizing data on servers. Even with keys, servers still has to route messages, and with your solution they'll have to maintain a user database.
I have heard that one of Signal's goals are mass adoption, so it's presumed that some compromise is required to make this happen. I hope they continue to push the envelope toward more transparency. This was an enlightening and educational discussion. thank you.
Can people please choose an appropriate title when posting. "You can change your number" makes sense in the context of signal.org but makes little sense on the front page of HN. The RSS feed doesn't even include the domain for context.
signal.org is part of the context of the title, since it's displayed right next to it. Therefore, by your argument (which I think is correct), the title does make sense on the front page of HN.
This website has an extremely awkward policy about titles that makes it so if you don't use the original title people get angry. The policy though just doesn't make sense, sadly, as the concept of titles is audience-specific (and even movies or books, which might feel more organized, sometimes have different audiences in different markets). FWIW, I did connect it together as I saw "(signal.org)" and that was sufficient for me in this specific case.
It feels like the policy doesn't make sense because people only notice the cases they don't like. The cases where it works just fine, which are the vast majority, go unnoticed. That's by design, because it keeps things relatively smooth and happy, but it has this weird side effect that the annoyance cases build up like mercury in the 'policy' corner of the brain.
Worst yet, the title edits that would annoy people if HN had a different policy (and they would be legion) go uncounted because we don't allow them to happen in the first place. Such a regime would be much less smooth, because for each title edit you (i.e. anyone) happened to agree with, there would be a lot more rubbing you the wrong way.
The fundamental principle here is that on HN, being the one to submit an article confers no special right to interpret or frame it for others. We want the articles to speak for themselves, and we want the front page to be as accurate and neutral as possible ('bookish', to use PG's old word for this). Misleading titles and clickbait titles get in the way of that, so the HN guidelines ask submitters to change those. Otherwise not.
Threads are so sensitive to initial conditions that the power to rewrite a title is literally the power to reframe the entire discussion, and therefore control it. On HN, we want the author of the article (or creator of a project) to have that power, not the submitter. That really is fundamental—it's the reason why HN's front page is the way it is, and therefore the reason why HN is the way it is. To change it would be to mess with the DNA of this place and would soon lead to a completely different forum. Maybe a good forum, but not the kind that HN is trying to be.
(I don't mind if you ignore this and I don't mind if you hide this or whatever. But I have thought about this specific issue in the context of this site quite a bit for almost a full decade now, and I feel like I have something interesting to contribute to your thought process given your response.)
FWIW, I think this is an unfair characterization of my complaint. Yes: I can and would (and once in a blue moon even do) make this complaint "as a user" of Hacker News, and you can certainly claim that I only notice the places where it is bad and am failing to notice all the places where it is good. I assure you: I understand this well enough to make your argument for you against me as a user and I agree we can bicker back and forth about whether this is a good idea without it mattering much. (I do think you are wrong there also, and I think that you are incorrectly associating one property of your platform you are tasked with defending as somehow being center of it, but that is again a separate argument we could have.)
However, what I think you are missing is that, when you are making arguments about content in general across this website and how most cases work, you are doing so from the vantage point of the moderator and have--in my eyes--become blind to the plight of publishers, some of whom run into this policy not every now and then but on every single post they are involved in due to their medium or other constraints of their audience. While on average it is maybe not so harmful, it disproportionately negatively affects some content that the readers of Hacker News do seem to greatly value more than other other content.
If you primarily publish changelogs or summary pieces (both of which can get a lot of play on Hacker News... but only for one subsection, not the whole article), publish to mailing lists or forums (where the titles are often under someone else's control or abnormal to use at all; we see a lot of great content these days on Twitter, and I would use it more often were it not for Hacker News and its title policy), or even technical articles on smaller blogs designed for closed audiences that would find a title for a "general" audience off-putting, you become permanently trapped in what to you is a disregarded corner case.
> On HN, we want the author of the article (or creator of a project) to have that power, not the submitter. That really is fundamental...
I am thereby very glad (though also quite a bit sad) you said this (and might have not bothered to respond had you not, btw), because I am an author making this argument first and foremost on behalf of my work as an author, and I feel this power dynamic issue deeply (on reddit, every now and then someone is egregious with an edit... and sure it might feel to you that that is a problem as you remember when it was a problem, but the vast majority it goes unnoticed ;P). And yet, I claim the policy as used and enforced isn't giving authors the power you might think they are being given, because--as I had indicated--the concept of titles is not anywhere near as well-defined as you make it out to be, and so as an author I think this policy is actually poorly designed.
About a decade ago I seriously got into a (quick, but so very memorable) argument with someone on Hacker News about the title of one of my own articles, one which--in its medium (Google+)--should not actually have a title. The article did have an official title that was used everywhere the article was linked, but it wasn't part of the article due to its medium. I think that was probably the first day I got angry at the policy, and it was "top of mind" as it was itself an article about policies (real name policies) that disproportionately affected certain users but are defended by moderators because it works for the majority... that was itself running into issues on another website due to a different policy with a similar kind of inherent design flaw falling into a similar blind spot (though of course the real name policy is much worse, I do want to make clear; that said, permanent unique user names are almost as bad, and Hacker News has those).
Over the years, then, I came to the point where I actually feel a need to give advice to people publishing content so it can be "Hacker News compatible", and that advice generally harms the person's "usual" audience :(. In particular: you need to publish things only on mediums that support titles (or if you must, add a title; yes: if you publish content on Twitter, if it might get linked by someone to Hacker News, I guess you need to dedicate part of your thread to give the thread a "title"), with "boring titles" for a general audience, with a separate top-level URL for each and every single topic.
BTW: I want to expand on the "boring titles" part of that. The best titles to choose in most contexts--and I am not saying that is true of Hacker News, as that is but one of many venues--are often "editorialized", because they are designed to be catchy and memorable and create a strong hook for the reader, who shares context that you have due to being part of your audience. And yet, Hacker News has a quirk in their policy whereby, if an upstream title is editorialized, then the author suddenly isn't supposed to be given the power. If you were consistent on that front I might find the policy more sympathetic.
As a local politician who pays careful attention to this kind of editorialization, I see this dynamic play out a lot with the local newspaper: the news articles in their print edition have highly editorialized titles designed to even be "misleading", while their online version?... not so much. That is because their audience in the physical paper is different from their audience on their site, the latter of which more often being random people linked to one post. One that was so memorable it has stuck with me for many years: online it said "UCSB Acquires Dublin’s, Precious Slut Property", while the paper copy said "UCSB Buys Precious Slut" (which doesn't even have the same meaning, but we get what they are after and it is funny).
And so after a full decade of dealing with this over and over again, I now find myself thinking about it every single time I publish anything anywhere. And it sucks: I spend most of my time on this website in this community (which I will note I absolutely do not believe is reliant on this policy to function any more than Facebook is reliant on a real name policy), and yet I also resent it deeply due to a rule that--at least in its exact implementation (which I bet could be fixable with minor changes)--almost no one in my circle thinks is a good idea: we just tolerate it because of network effect lock-in. I don't think I have published anything anywhere in the past decade without having to decide how to placate this policy. The best idea I have come up with so far is to use User-Agent detection tricks to give people on Hacker News a different title than anyone else, in my attempt to actually feel like I am in control as the author (which I clearly don't currently feel I have).
Thanks for writing this! I don't think we're as far apart as it seems. For example, in cases like this, we often bend the rules, very much for the reasons you mention:
If you primarily publish changelogs or summary pieces (both of which can get a lot of play on Hacker News... but only for one subsection, not the whole article), publish to mailing lists or forums (where the titles are often under someone else's control or abnormal to use at all; we see a lot of great content these days on Twitter, and I would use it more often were it not for Hacker News and its title policy), or even technical articles on smaller blogs designed for closed audiences that would find a title for a "general" audience off-putting, you become permanently trapped in what to you is a disregarded corner case.
We're trying for a global optimization here—interesting content, free of sensationalism to the extent possible. We're not bureaucrats trying to enforce little rules. Always the intent is to be a spirit-of-the-law place, not a letter-of-the-law place [1]. If you've got content that you feel is great for HN but whose title doesn't fit the cookie cutter, you're always welcome to email us at hn@ycombinator.com. Our goal is also for HN to feature the best content, where 'best' means most interesting to the community. (Of course, there's also often a tension between what an author feels is great content vs. what the community (or moderators as a proxy for the community) feel is great content. That aspect is unavoidable, given how scarce frontpage space is.)
It's true that baity titles work better for attracting enough quick upvotes to make HN's front page, but then one of two things typically happens: either readers (who there are far more of) see the bait, go "WTF is this doing on HN" and flag the submission; or, moderators notice the submission, see that the article is good, and replace the title with something more accurate and neutral. That's not such a bad thing in practice. Some good content does surface that way.
If the original title is too vague, hyperbolic or long, i will use a better title from another website. But normally it's just confusing for people who expect one headline, to find a different one. Generally company blog headlines fall into the category of "extremely vague" and need improving.
HN guidelines forbid changing the title. I proposed changing this once, but the post didn't get traction. There was more traction for that years ago though. https://news.ycombinator.com/item?id=26300126
I often change titles on submissions. Making them shorter for instance. I also do change some to provide more context that the original source didn't.
An article has only 15 minutes in /new to attract enough votes. Sticking with a crappy title nobody will click on wastes everyone's time. Obviously don't go full clickbaity.
Not on the RSS feed without me doing some jiggery to extract it from the link and render it in my reader somehow. But overall this isn't the worst example because it is on their own domain - often it'll be on a medium domain or something that provides no useful context.
I'm fairly sure that medium is treated specially, along with github, twitter, substack, and a few others, in that subdomains are displayed for those platforms.
Certainly this list isn't complete, and just as surely the moderators are open to adding to that list as contenders enter the ring.
This is a great feature, well done for adding it! However, I'm a bit puzzled as to why seemingly easy bug fixes aren't addressed. There's a longstanding issue with Signal not recognizing that the phone is in a landscape orientation when taking photos, so they're rotated by 90 degrees. I opened an issue[1] and it got closed with a related-but-not-exact workaround.
This impacts everyone who takes photos on Android with Signal, it's not a niche problem. It seems like an easy fix, and I'm perplexed that it doesn't get prioritized. Ah well, can't complain too much about a free product.
Signal is eating up 11GB of my iOS space. There is no way to clear it without completely uninstalling and reinstalling. And then the problem just resets and grows again.
It’s a ridiculously consequential bug and they don’t seem motivated to even comment.
Signal keeps all downloaded media locally until you delete it.
They don't have the resources to store files on the cloud, even encrypted, and don't appear to have taken WhatsApp's approach of backing up unencrypted media and messages on user's third-party cloud services like Google Drive and iCloud.
You can mitigate this by having disappearing chats (current longest self-destruct time is 4 weeks), or by going to Settings->Data and Storage->Review Storage and deleting the largest files.
This isn't a great UX design, as users are not informed there is a problem, or how to solve it.
Whatsapp can be configured to not save all the cat photos and memes to your library by default. You can still save the really good memes yourself if you want. Signal should just copy that feature.
Also, what good is secure encryption if i have to give out my phone number?
> Also, what good is secure encryption if i have to give out my phone number?
Actually how could you possibly deliver secure messaging if it doesn't work with simple identifiers you already have like your phone number? Everything should be secure, that's Signal's thesis.
This reminds me of the people who were convinced HTTPS should only be used for "important" stuff that "needs to be secure" like banking and so it's wrong to have HTTPS on your blog, or news site, or whatever.
> Actually how could you possibly deliver secure messaging if it doesn't work with simple identifiers you already have like your phone number? Everything should be secure, that's Signal's thesis.
It's tying my Signal identity to my phone number. To speak in US terms, you're safe from your comms being intercepted by the KGB, but now you're a person of interest to the CIA :)
Signal also has other issues on iOS, like the lack of message backup/restore which exists on the Android version.
Every time I upgrade my phone I have to reformat & disable iCloud lock and hand in my device before I get a new one. So Signal's workaround of having two phones side-by-side to transfer is a non-starter. (Also useless if you happen to physically lose your old phone.)
How about listening to a message in portrait, accidentally moving your phone to landscape, and then having the playback stop and lose position in the audio stream. Or how about losing voice recordings constantly? Seriously? I'm baffled at their priority list. Whoever is directing these efforts is asleep at the wheel. The frustration factor using this app in iOS is so goddamn high.
Myself and another geeky friend tried to get out non-geeky friends away from messenger and whatsapp (well, at least get them to use Signal, talk to us via it and perhaps migrate, baby steps).
Despite a really good uptake, some didn't make the move and it's definitely fragmented some of our online groups (makes it more interesting when physically catching up though, silver linings!). I'm not sure throwing yet another messaging platform would help.
I totally get the fragmentation, I asked in some techy groups if they prefer matrix, signal, wire, anything. Virtually nobody knows anything but telegram (because we were currently on tg) and facebook messaging systems. So I made a choice and now the tg side is dead and the new platform is missing some people... yup fragmentation at work.
But at that moment a choice for a new system was made, it's not so much about doing yet another move right after the previous and fragmenting it further. Any particular reason you didn't try Wire in the first place, if you don't like the phone number requirement?
Exactly. Why on earth is it so hard or difficult for Signal to do just that?
Regardless, I don't know why they are pushing in a somewhat unregulated, volatile cryptocurrency that will be used by extremists, terrorists and the like who in no doubt will not only use it to fund their activities and will be sitting in their group chats but now they can change their phone numbers to hide even further?
The road to hell is been paved with good intentions. Hasn't it? But at least Wire does not still require a phone number, nor does it have silly cryptocurrencies in their product for pump and dump purposes.
How about no ph number and only UUIDs- You send a msg that only personA can decrypt - but you broadcast the encrypted message to all contacts /+ random UUIDs ... So signal doesn't know who it was intended for exactly, and only personA gets the information. Of course you'd want the app to only alert users getting the broadcast once a received comm is successfully decrypted, otherwise discard.
It's clearly a lot higher data overhead, but that'd acheive phone numberless accounts without signal knowing 100% A is talking to B.... Only that 'A' might be talking to 'B'..Or C..or D.. Or sending decoy msgs intended for nobody.
Settling for phone numbers on a privacy based messenger because it's too hard to do an alternative implem is a cop out I feel. What do you think of the above proposal?
Yes, signal would manage that. This is still more privacy preserving than a phone number because the the public key isn't attached to your identity in the way a phone number is. You'd still need to getAllContactsPubKey()->encr(PersonAKey)->SendToAllContacts
So signal knows you requested all your contact pubkeys, that you sent a duplicate broadcast to all contacts, obscuring who it was intended for... that could be 0-n of m persons.
What's a universal thing to the portable device that everyone has got in their pocket? I agree it's sucky and really there could be better ways, should be something none trackable and perhaps offer opt-in discovery via phone book.
Have the option of decoupling it entirely from the phone.
The government can track you a lot easier than pinging via signal btw. A lot easier!
Surely this is referring to the ability to use a non-phone number ID, which they've hinted at before [1]. Looking forward to that, only because I know many others are!
[1] https://www.reddit.com/r/technology/comments/kt91qk/comment/...