We have court evidence Signal doesn’t collect it. https://signal.org/bigbrother/ shows they only collect the UNIX timestamps of when you registered and the date of when you were last seen online.
In general, you cannot be sure the server is running the same exact piece of code as the one that’s visible on GitHub. Thus, the most useful thing an open source server provides is continuity in case the service itself goes down. The next useful thing is that it allows independent parties to check for code smell and bugs that might also be present in what’s running. The point being, any malicious code would not be pushed to GitHub, but that’s not the only class of problems in the code.
Now Signal does provide something called remote attestation, which is a proprietary technology built over Intel’s Software Guard eXtensions (SGX). I’m not sure if that accounts for all of Signal’s server-side code, but at least partially, the client can verify what the server is running, provided the attacker hasn’t lifted the private keys from Intel CPUs signing the code. This Defcon video looks into a similar hardware attack, and you’ll learn it’s not a trivial thing to pull off, but also probably not impossible for nation states. So it’s a pretty good defense against anything but FVEY.
Well, not quite. Sure, it’s a technical capability that is designed into the system, but it’s again an internal policy decision to keep that technical implementation at play, and since SGX is proprietary, your client can’t independently be sure of what’s happening on the server side. SGX (if it applies in this case) sort of protects you, but again only if the signing key remains protected. With end-to-end encryption, you wouldn’t want Intel to have a centralized trove of keys that could decrypt every message you send. So privacy by design boils down to client-side protections, where the open source lets you check mechanisms that protect you, and where you don’t have to trust anyone.
SimpleX is a bit of a tough nut in that the walk doesn’t currently match the talk. I wrote about this in this post in another thread.
The TL;DR is, SimpleX says it has no identifiers, when they mean it doesn’t add identifiers; they don’t care about your router gluing its IP address to the TCP header and leaking it to the server. And since the entire public server infrastructure runs under two VPS providers (Akamai and Flux), it’s fifty-fifty if your peer connects to the network via the same VPS provider, which can perform end-to-end correlation attacks and put together communication logs. SimpleX is not disclosing this properly in their threat model, and they’re not linking to the threat model on the front page.
The only good part is, SimpleX has a decent Tor Onion Service server mechanism. In the post above I said
So SimpleX is easy to configure to function like #2. You just install Tor, enable proxy, and set the client to enforce use of Onion Service servers. So two settings. Cwtch is better as it’s always using #3.
But since SimpleX by default is none of these three, I wouldn’t call it anonymous or metadata-private.